Insider Threats: The Discipline of Trust in the Digital Age

Author: Steve Durbin, Managing Director, Information Security Forum

“There’s an app for that.”

Apple’s ubiquitous tagline-turned-punchline is still going strong, 6 years after its debut. As our lives are increasingly driven and enhanced by digital tools of all kinds, the humorous irony resonates: we can’t actually control everything from our smartphones. One of the thorniest issues facing security professionals is a perfect case in point: we can’t rely on technology to keep our technology and data safe from our employees’ bad habits, gullibility, laziness, or malfeasance.

Trust? There’s no app for that.

Increased Exposure from Insiders

Numerous factors are increasing organizations’ exposure to threats posed by insiders, and technical controls are limited. To combat these threats, organizations must invest in a deeper understanding of trust, and work to improve the trustworthiness of insiders.

The insider threat has intensified as people have become increasingly mobile and hyper-connected. Nearly every worker has multiple, interconnected devices that can compromise information immediately and at scale: impact is no longer limited by the amount of paper someone can carry. Simultaneously, social norms are shifting, eroding loyalty between employers and employees. A job for life is being replaced by a portfolio of careers.

While estimates vary, Information Security Forum analysis of the 2015 Verizon Data Breach Investigations Report has found that up to 54 percent of incidents reported in 2014 were a direct result of insider behavior. Leading organizations across all sectors are looking for ways to address the evolving insider threat. Leaders who ignore or encourage inappropriate insider behavior should expect financial, reputational or legal consequences.

How do organizations determine who is trustworthy enough to be let inside – then build and maintain loyalty with a transient workforce? How do organizations manage risk while minimizing costs related to vetting, security checks, and identity and access management?

Most research on the insider threat focuses on malicious behavior. However, the threat is considerably broader. Insider negligence and insider accidents comprise a greater and growing proportion of information security incidents. Chief Information Security Officers (CISOs) who limit their thinking to malicious insiders may be gravely miscalculating the risk.

Insiders Can Be Complicit

Insiders can unknowingly facilitate the actions of malicious outsiders. By responding to phishing emails, for example, insiders can enable external attacks to succeed where they might otherwise fail. I remember reading that one organization tested their employees by sending 150,000 fake phishing emails and nearly 50 percent of recipients clicked on the link within an hour. The USPS provides another cautionary tale: after being hacked via phishing in September 2014, the Inspector General tested security policy compliance by sending a bogus phishing email to a sample population of postal workers—25 percent of the recipients clicked on the link in the faked email, and less than 10 percent reported the suspicious email as required.

Insiders can also intentionally assist external attackers. According to Charles Hecker and Eben Kaplan, there have been instances where “seasonal, temporary or part-time workers used their short-term access to company systems and processes to assist outside actors in perpetrating substantial frauds. Once safely on the outside, their inside knowledge helps them manipulate their former co-workers and their former employer’s fraud prevention measures.”

Insider Threat Becomes Insider Risk

With a few notable exceptions, the impact from information being compromised is comparable, irrespective of whether the insiders act maliciously, negligently or accidentally. In contrast, the likelihood can vary considerably, and depends on the complexity of people, including their motives, loyalties, ideologies and relationships with organizations.

To understand the risk posed by insiders, organizations must understand both the impact and likelihood of insider threat-driven incidents. In other words, ask yourself what happens when employees break trust, and what’s the empirical probability such incidents will occur in your organization?

Trust Sits at the Epicenter of Insider Risk

Workers need privileges to perform their roles responsibly. A payroll manager, for example, has an obligation to ensure employees are paid the correct amount, which in turn requires access to sensitive salary information.

Privileges should be accompanied by technical and management controls, which are designed to limit risk. Access to payroll data is restricted to authorised individuals and strategic segregation of duties can ensure that sums are valid before being paid, reducing the likelihood of fraudulent payments.

There are limitations to these controls, so privileges always come with some degree of trust. Organizations are trusting that a payroll manager will not divulge salary data maliciously, negligently store it in an unauthorised cloud, or accidentally email it to a list of inappropriate recipients.
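A minimal model of the payroll controls just described, added here as an illustration and not taken from the article or the ISF: access to salary data is restricted to authorised roles, and segregation of duties means a payment must be approved by someone other than its submitter and must match the salary of record before release. The staff names, roles and amounts are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample role assignments (hypothetical staff).
ROLES = {
    "alice": {"payroll_manager"},
    "bob": {"finance_approver"},
    "carol": {"engineer"},
}

# Constructed salary-of-record data: the sensitive information the text refers to.
SALARIES = {"dave": 5200, "erin": 6100}


def can_read_payroll(user: str) -> bool:
    """Access control: only payroll and finance roles may read salary data."""
    return bool(ROLES.get(user, set()) & {"payroll_manager", "finance_approver"})


@dataclass
class PaymentRequest:
    employee: str
    amount: int
    submitted_by: str
    approvals: list = field(default_factory=list)


def approve(req: PaymentRequest, approver: str) -> None:
    """Segregation of duties: the approver needs the role and must not be the submitter."""
    if "finance_approver" not in ROLES.get(approver, set()):
        raise PermissionError(f"{approver} lacks the approver role")
    if approver == req.submitted_by:
        raise PermissionError("submitter may not approve their own request")
    req.approvals.append(approver)


def release_payment(req: PaymentRequest) -> bool:
    """Validity check before paying: the amount must match the salary of record
    and at least one independent approval must exist. Returns True if released."""
    if req.amount != SALARIES.get(req.employee):
        return False
    return len(req.approvals) >= 1


# Residual trust, as the text notes: these checks stop an inflated or self-approved
# payment, but a legitimately authorised reader (alice, bob) can still mishandle the
# data they are entitled to see; no check in this model can prevent that.
```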

Organizations recognize that they need to trust insiders to behave appropriately. Workers undergo background checks before starting, and may earn greater trust as their service and seniority increase. Organizations also require professional certifications for certain roles and provide training courses to equip their people with the knowledge and skills they need to remain trustworthy and develop strong security habits.

Organizations’ reliance on trust as a control has increased dramatically with advances in information technology and changing work environments. More and more people are being given long-term access to organizations’ critical systems – while there are more short-term contractors and, according to Carl Colwill, it is “now more normal for staff to move between organizations and regions on a regular basis.”

How many organizations truly understand the aggregate risk from the trust they put in their people, from system administrators to everyone who is given a laptop or allowed to use their smartphones and tablets at work?

Understanding Insider Risk

ISF Member organizations are adept at estimating impact, supported by tools including the Business Impact Assessment and Business Impact Reference Table highlighted in the ISF Information Risk Assessment Methodology 2 (IRAM2).

Likelihood is more difficult to determine. The likelihood of an insider threat being realized can be thought of as the likelihood that an insider will behave in a way that does not uphold the trust placed in them. Numerous factors influence whether or not trust will be upheld. Previous ISF research on insider threats described a useful model to examine what happens when people have motive, opportunity and means. These ideas can be extended by considering how trust plays a role in each type of risky behavior.


For malicious incidents, the breach of trust is often clear, as it was when an employee kept sensitive proprietary information after termination and provided it to a competitor where he became a paid consultant.

Whistleblowing is related; however, the intent tends to be based on ideologies or morals. For example, Edward Snowden, who gathered and leaked classified documents on government surveillance, asserts that he acted out of loyalty to defend the US constitution from illegal acts, not out of malice toward his organization.


Negligent behaviors often occur when people look for ways to work around policies they feel hinder their ability to carry out their responsibilities. Insiders are expected to follow policy, but may also receive contradictory instructions, such as the need to meet a deadline or financial target.

Most workers recognize the importance of compliance and have a general awareness of security risks. Unfortunately, their workarounds can be less secure than they realise. One worker justified violating policy and using unencrypted USB drives because they are easier to obtain and use than encrypted ones. He mistakenly believed that security could be preserved by simply deleting files after use.

Lack of oversight can rise to the level of a negligent insider risk, such as when a scandal uncovers that board members had no knowledge of widespread illegal or risky activities.


A large majority of ISF Members have said that accidents were more common and of greater concern than malicious acts. Accidents also form a significant portion of the information security incidents included in Verizon’s 2015 Data Breach Investigations Report.

  • More than 100,000 incidents are grouped into nine basic patterns, the largest of which is miscellaneous errors at just under 30 percent.
  • Three of the top four categories of miscellaneous errors are accidental behaviours, including misdelivery, publishing error and disposal error.

Accidents can have significant consequences; one organization was fined £120,000 after 11 unencrypted emails containing sensitive childcare information were sent to the wrong address.

Recommendations for Managing Insider Risk

Managing risk posed by the insider threat should extend across all three types of risky behaviour: malicious, negligent and accidental. Once the risk is assessed, immediate results can come from applying technical and management controls, and from aligning roles, responsibilities and privileges throughout the employment life cycle.

But that alone is not enough. Organizations must nurture a culture of trust, one where the organization can trust its insiders – and insiders can trust the organization in return. Organizations with a high exposure to insider risk should expand their insider threat and security awareness programs.

Embrace a Deeper Understanding of Trust

The trust organizations are placing in insiders has grown with advances in information technology, increasing information risk and changing work environments. This trend will continue as the volume of information insiders can access, store and transmit continues to soar – and mobile working for multiple employers becomes the status quo.

Leading organizations can combat the insider threat by implementing the recommendations I’ve referenced above. Start by assessing insider risk. For immediate results, implement technical and management controls, and align roles, responsibilities and privileges throughout the employment life cycle.

Recognize that technical and management controls have limitations. Organizations need to trust their insiders to protect the information they handle – and will always face some risk of that trust not being upheld. Remaining purposefully engaged with employees through ongoing oversight and training can help management detect risky activity before it’s too late.

Finally, embrace a deeper understanding of trust. Organizations must understand where and how they are trusting their insiders – and must augment technical and management controls by helping people to become more worthy of the trust placed in them. Equally, organizations should foster a culture that makes the organization worthy of trust in return.

About the Author

Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
