Internal Security Threats

Marcus K. Rogers, Purdue University

Introduction

Operational Definition

Extent of the Problem

Characteristics and Motivations

Insider Typology

Disgruntled Employees

Hackers

Criminals

Spies

Terrorists

Factors and Causes

Business Culture

Transient Workforce

Society

Mitigation

Operational and Administrative

Environmental and Physical

Technical and Logical

Education, Training, and Awareness

Conclusion

Glossary

Cross References

References

INTRODUCTION

The threat of attacks on the information systems of businesses and institutions has become such a persistent issue that we have almost come to accept it as part of doing business in the new digital age (Carnegie-Mellon, 2004; Conte, 2003). Granted, risk has always been inherent in any business enterprise. What is unusual is the defeatist attitude that has emerged that assumes we cannot do anything about information security threats or, more precisely, risks. We have been led to believe that the most serious threat comes from the stereotypical young socially dysfunctional male sitting in front of the family computer until the wee hours of the morning wrecking havoc on governments and the corporate world¹ (Denning, 1999; Rogers & Ogloff, 2003). The media also paint a dismal picture regarding the current state of information security preparedness. Vendors bombard us with marketing perpetuating the myth that we are helpless at the hands of these marauders—unless, of course, we buy their product. It is no wonder we ...