Abril Ruelas













Summer 10 Week


Dr.Udo and Dr. Kirs

University of Texas at El Paso


Employees as a major source of IT Security Threat






            Global information and communication networks are now an integral part of the way in which modern governments, businesses, education and economies operate (Hamin 2000).  As Frederick B. Cohen says in his book “Protection and security on the information superhighway”, businesses use a lot of this information technology to handle all the work they have to do.  For example, telephones, computer terminals, electronic and voice mail, fax machines, and the Internet (Cohen 1995).  Information technology has produced substantial benefits for all of us. However, the increasing dependence upon the new information and communication technologies by many organizations is not without its price; they have become more exposed and vulnerable to an expanding array of computer security risks or harm and inevitably to various kinds of computer misuse (Hamin 2000).  Computers, which are part of this technology, have little or no protection, and interconnected computers are generally wide open to accidental or malicious disruption. In addition, these computers have a vast of important and confidential information that cannot be shared to anyone, so companies must protect their businesses from intruders.  

Fraud hits all industries and companies of all sizes (Genn 2001).  For these and many other reasons they should be in alert of anything that can happen within their organizations 24 hours a day. Organizations have to protect their businesses from many people who can cause them to have millionaire looses.  For example, vendors and businesses associates seeking leverage, hackers or crackers seeking a thrill, cyberpyrates seeking profits and information, employees seeking knowledge and power, ex-employees seeking revenge or competitors seeking to destroy them (information technology Security Solutions) (Klein ).  The issues concerning computer misuse have, in the main, tended to concentrate upon the increasing threats from outside the organization, whilst largely ignoring the threats posed to the organization by the insider (Hamin 2000).  Although in the past much concern has been devoted to penetrations and other misuse by outsiders, insider threats have long represented serious problems in government and private computer-communication systems.  However, until recently, the risks have gone largely ignored by system developers, application purveyors, and indeed governments (Neumann 1999). 

There is a “Computer Crime and Security Survey" done yearly by the United States FBI and Computer Security Institute.  This is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad.  This survey is based on responses from 503 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities.  The CSI Director has declared that "Over its seven-year life span, the survey has told a compelling story; threat from inside the organization is far greater than the threat from outside the organization.” (Power 2002).

Disruption is commonly caused by insiders, and it is real difficult to differentiate between accidental and intentional disruption in this context (Cohen 1995).  Incidents include everything from virus outbreaks, browsing inappropriate pages using company computers, committing fraud or cracking corporate computer systems from the inside (Ward 2002).    There should be various technical, procedural, and normative controls to prevent illegal and malicious acts from taking place. Ultimately a good balance between various kinds of controls would help instituting a cost-effective means to make both accidental and intentional misconduct difficult (Dhillon 2001). 


Outsider vs. Insiders

There are two classes of computer criminals in any business: Outsiders and Insiders (Hollinger 1997). An insider is someone who has been granted privileges authorizing use of a particular system or facility (Neumann 1999). However, the term ‘insiders’ might encompass a broader category of persons covering those with legitimate access to the computer systems but who use those systems for wrongful purposes or when they have exceeded their legitimate level or degree of authority within the
systems.  They include not only employees (current, former or temporary) of the computer owner but also persons with authorized access to another system to which that system is connected and persons providing software (e.g. suppliers) and maintenance services to the systems (e.g. consultant or independent contractors) (Hamin 2000).

Despite the increase in the threat to computer systems from external hackers, particularly via the Internet, insiders provide the other likely source of threat, which suggest that there is a general trend of increasing in harm both from outside of an organization as well as from within (Hamin 2000). Insiders typically exceed authorized access while committing a computer related crime, while outsiders obtained purely unauthorized access.  The insiders/outsiders distinction is relevant because the person’s method of entry and type of misuse will often determine whether the law will come into place (Hollinger 1997).

Usually, companies put more attention and effort in developing security control for external threats, theft, and attacks only, while in the inside nothing has been implemented.  This means that they are protecting their companies too much from the outsiders forgetting almost completely from the insiders.  A reason for this is because they might trust their employees more than any other person from the outside. Companies might say that outsiders are the ones who want to destroy their records or steal valuable information.  But we should think about it, insiders already have the information on hand, and we do not know who might betray the organization. As insiders, they are in an advantageous position as they may be familiar with the operation of the employers' computer systems thus making it easier for them to misuse the systems, or they may uncover certain flaws in the computer systems or gaps in the controls which monitor their activities (Hamin 2000).

They are the employees who, either out of carelessness or malice, leave digital assets open to exploitation (Chen 2002). Employees are the ones who can give outsiders access to this information, or even get it for their personal use or advantage.  The most costly sources of insider attack seem to be executives, people that use application programs, programmers, and other employees (Cohen 1995).  According to Fred Avolio, in his article called “When Access Control Goes Bad”, he says that “we can break down the problem into three areas.  First, while we may have fairly good external controls, our internal data access controls are usually poor to nonexistent.  Too often we rely on physical access control only.  Second, and again, while our external network gateways and systems (web servers, mail gateways, and firewalls) are usually closely watched, inside machines often are not. Finally, we may run intrusion detection on our service networks (DMZs) looking for suspicious activities, but may not be as thorough on the inside (Avolio 2001).

An insider can be called a “proprietor.”  According to Eric D. Shawn, a “proprietor” is “a person who has grown so attached to his information technology system that he feels like he personally owns it and would do anything to defend his control over it  (Shaw 2001).  These type of employees can cause harm to the entire company and we must know how to identity them.  There are several characteristics and signs to identify a proprietor (see table 1).


Employees and Computer Crimes

There are four broad categories of computer crime that insiders can use: Sabotage, theft of services, property crimes, and financial crimes.  Sabotage, this type of computer crime is usually, though not exclusively, directed against the computer hardware and software causing extensive damage.  For example, a fired employee can walk through a data storage area with an electromagnet, erasing valuable company records.  Theft of services are when employees gain unauthorized access to a time-sharing system that does not require regular changing of access codes.  Property crimes involve theft of computer equipment itself (Ermann 1990). Stolen merchandise being debited from computerized inventory records, payments authorized to fictitious vendors, and salary checks mailed to nonexistent employees..(Harper 1998). Financial Crimes are considered one of the most serious crimes, in terms of monetary loss.  A common method involves checks, an employee familiar with a firms operations can cause multiple checks to be made out to the same person, or juggling confidential information within a computer, both personal and corporate, to alter it (Ermann 1990).  Other cyber crimes include data “diddling” (false data entry), virus attacks and password “sniffing” (automated guessing of phone numbers, user IDs and passwords) (Trembly 1999).

There are many cases where insiders through the past years have been a major source of IT security threat, and they have caused many companies to go bankrupt or have millionaire looses. (See table 2).  With the expanding array of content on the Internet, the temptation to spend time surfing becomes ever stronger for employees . . . employees’ use of chatrooms, newsgroups and company e-mail during working hours could expose a company to liability under a defamation claim… Employees using the company’s systems could also compromise the company’s proprietary information and trade secrets and permit computer viruses to invade and destroy the computer system, costing millions of dollars in lost productivity (Zall 2001).

It is easier for computers to get infected with viruses if employees are not cautious, or if they willingly spread the viruses to their businesses computers.  By definition, a virus is a piece of code that is loaded onto your computer and runs without your consent. They go by names like Melissa, LoveLetter, Gokar Worm, Disemboweler and Klez.  While some viruses are benign, others can be quite nasty, destroying your computer's hard drive, erasing everything on it.  At present time, there are more than 30,000 known strains of computer viruses (Little 2002).    Almost as big a problem as viruses themselves are virus hoaxes. A virus hoax is typically a “chain letter” e-mail that encourages you to forward the message on to all of your contacts (Little 2002).

Companies should be prepared to prevent catastrophic results, and should always be looking for any strange symptoms.  Also, they should invest in some virus detection software (Little 2002). Businesses need to know as much as possible about abuse and misuse of computers to effectively protect their information.


Handling Employee Threat

The first action that should be taken to prevent from an employee threat should begin before hiring an employee by doing a background check of that person. When employees are hired companies should make sure that new employees understand all the policies regarding security issues in the company. If employees are detected misusing information they should be penalized for doing so.  Employers can take several actions as dismissal, if it is too serious they can fire them, or they can take the case to court.  Let us take a closer look at these issues.


Background Check

Whether employees are hired or promoted for a job should depend on the information gathered by the employer in a background check. Employers should use it to verify the accuracy of information provided by jobseekers. Background reports may also uncover information left out of the application or interview.  Today, more employers are being sued for "negligent hiring" for not checking carefully enough into the background of a potential employee . . . That is one reason more background checks are being conducted.  The "information age" also accounts for the increase in background checks-the availability of computer databases containing millions of records of personal data. As the cost of searching these sources drops, employers are finding it more feasible to conduct background checks (Privacy Rights Clearinghouse 2000).



It is very important to be proactive and protect your company with a direct IT policy (Tarabulski 2001). The majority of businesses do not have adequate processes in place to manage risk to operating systems.  And they do not have IT policies in place to protect themselves from errant and devious employees (Tarabulski 2001). As Mr. Ehrenreich said in the article, “Cyber Crime means billions of looses”, Countermeasures to stem possible attacks start with establishing policies about who has access to what information.  There should be specific language in the employee handbook regarding software piracy and other security issues.  He also recommended periodic password changes for employees (Trembly 1999).  Companies should create security and privacy policies procedures and penalties in advance to reduce threats and risk.


Firing an Employee

There are several risks of firing an employee who is stealing or misusing information.  That risk is worst if that employee is a proprietor as described above, since firing him/her can cause harm to the company.  Companies might not find adequate replacement, the person can withhold information vital to transition, they can start sabotage, espionage, or cause a loss of intellectual property before or after departure, or it can cause a loss of other vital staff. Sometimes it is better to investigate that person’s life and try to find out what is the problem with them.  Maybe like this, the situation can be solved in a way that can help the company and the employee (Shaw 2001).  According to Shaw, in the article “The Insider Problem To Fire, or Not to Fire?”, the challenge in dealing with proprietors, is developing a sufficient understanding of the employee and his/her organization to chart a course of action that can resolve a difficult situation without causing a major disruption to operations and security (Shaw 2001).

If the employee is terminated, you should immediately change all passwords, check the former employee’s recent log files to determine their administrative activities and also take a great pain to safeguard those files from tapering (Harper 1998).  Another solution is to have more control on the secure information . . . After we categorize the data and systems on our network, we can assign the proper access based on job responsibility and the “need to know.”  Rather than an “all or nothing” access scheme, individuals are granted access to only what they need to access (Avolio 2001).


Taking the Case to Court

            Sometimes it is necessary to take the case to court.  According to Genestski, a former prosecutor for the U.S. Department of justice, when you go to court to prosecute a case of insider abuse, it is important to be able to point to clear policies when the court asks how you normally handle these cases. In all cases of alleged insider wrong doing, the linchpin of determining criminal liability is whether the activity in question was authorized.  Therefore, policies need to be created that spell out specific terms of acceptable use of company systems and security requirements for employees, customers and even contract workers. (Verton 2001).

There are cases when organizations do not want to take these types criminal cases to court for several reasons.  The problem of ascertainment of insider threats could be due to the unawareness of the organization of any compromise on their system or their reluctance to admit that they have been a victim of insider attack, or reluctance to report known breaches for various reasons. One of these reasons is the corporate fear that negative publicity of insider misuse might impact on their commercial reputation or market share.  On the other hand, organizations might favor civil remedies rather than criminal prosecutions or they might find it easier to claim for looses from such misuse through insurance or by simply passing the costs directly to their customers (Hamin 2000).


The Law and the Internet

Employees can commit many security threats trough the use of the Internet.  For this reason both the federal government and all 50 states have enacted laws which make it a crime to misuse or tamper with computer systems.  It makes little difference under the statutes whether an employee has authorization to access a system.  Both federal and state computer crime laws provide for criminal sanctions against any individual that alters, destroys, or otherwise abuses a computer system.  These laws will come into play if the employee were to:


Ø            Gain unauthorized access to financial, medical, or personnel records, stored in a computer system.

Ø            Make use of the Internet as a vehicle in furtherance of an unlawful act; authorized access would not constitute a valid defence.

Ø            Employ the Internet to transmit programs, data, codes or commands, with the objective of damaging or impeding the operations of a computer system. 

Ø            Transmit data, codes, or programs over the Internet for the purpose of modifying or deleting financial or medical data. 

Ø            Knowingly and with the intent to defraud, use the Internet to traffic in computer passwords and credit card numbers. 


Under the existing computer crime legislation, any individual or business that falls victim to Internet related abuse can sue both the culprit employee and his/her employer.  Ignorance by the employer is not a suitable defence.  The employer will have to demonstrate that it took adequate steps to prevent these abuses (written policies on proper employee use of the Internet (Bequai  1998).  As in other cases, policies should be enforced to clarify the actions that can be taken with the employee in case they misuse the Internet. (See table 3).


Information Technology Security Solutions

 There are three central goals in computer security:

Confidentiality. Protection of data so that is not disclosed in an unauthorized    fashion. 

Integrity. Protection against unauthorized modifications to data.  

Availability.  Protection from unauthorized attempts to withhold information or computer resources. (Escamilla 1998).


 In order for companies to remain in business, they should secure their information technology possessions assets (Klein ). Frederick B. Cohen affirms that it is prudent to take additional measures to prevent, detect, and respond to insider attack (Cohen 1995). Some managers are tackling this threat by requiring firewalls on all desktops and laptops computers, both inside and outside the corporate LAN (Radcliff 2001).  Companies can implement careful employee screenings, . . . test systems regularly and conduct surprise audits. Letting staffers know that prevention is in place can discourage employee fraud (Genn 2001).


Employee Monitoring

Even though employees might seem honest, it is better for businesses to monitor them, this way they can see if there is something strange going on, or if insiders are looking to information that they are not supposed to.  Monitoring employee behavior is important for determining how well its workers are conforming to the desired ‘code of conduct’, and to deal with any deviations before they become serious (Dhillon 2001).  When there is evidence of a misconduct or misuse of information, monitoring or investigation of this situation should be followed. Visible cameras in place, even those that are inoperative, can be deterrent enough to prevent theft of actual goods (Genn 2001). 


Computer Monitoring

Another way to keep track of what employees are doing is to monitor computers, by installing different software to detect any strange behavior employees might have. Owners can monitor computer usage as well and utilize firewalls to limit access (Genn 2001).  As mentioned in the article “Employee Monitoring: Is there Privacy in the Workplace”, there are several types of computer monitoring.  Employers can use computer software that enables them to see what is on the screen or stored in the employees’ computer terminals and hard disks (Privacy Rights Clearinghouse 2001). Such programs allow owners to know who is using a program and when (Genn 2001). People involved in intensive word-processing and data entry jobs may be subject to keystroke monitoring.  Such systems tell the manager how many keystrokes per hour each employee is performing, . . .and they can see if they are above or below the standard number of keystrokes expected.  Another computer monitoring technique allows employers to keep track of the amount of time an employee spends away from the computer or idle time at the terminal (Privacy Rights Clearinghouse 2001).


Intrusion Detection Systems

There is a big problem trying to find anomalies or strange behaviors, since many times employees have the right to look to this information, and there is nothing abnormal apparently going on (Avolio 2001).  For these reasons, businesses can install different software or systems to monitor or detect intrusion.  

There are intrusion detection systems that are usually classified as host-based or network-based. Host-based systems base their decisions on information obtained from a single host (usually audit trails), while network–based systems obtain data by monitoring the traffic in the network to which the hosts are connected (Kerschbaud 2002).  A network-based intrusion detection system can be used to look for anomalous behavior.  A Host-based intrusion detection can look for suspicious or unauthorized access activity (Avolio 2001).  Both host-based and network-based data collections have been widely used in intrusion detection systems.

 In recent year, an increasing number of intrusion detection systems have started to use both host-based and network-based components in an attempt to obtain the most complete view of the hosts being monitored (Kerschbaud 2002).   They are host-based monitoring methods.  These systems are external and internal sensors.  An external sensor is piece of software that observes a component (hardware or software) in a host and reports data usable by an intrusion detection system, and that is implemented by code separate from that component.  The difference from an internal sensor is that it is implemented by code incorporated into that component (Kerschbaud 2002).  


Employee Training

 Also, to reduce the risks and costs associated with the electronic storage of proprietary and confidential data, supervisors and peers must be trained to be alert to new types of at-risk characteristics and behaviors linked to insider alienation (Shaw 2000). Businesses can hire different IT security professionals.  These professionals can actually educate their clients to be proactive instead of reactive and to recognize the signature of security threats when they can occur (Klein).  Some of these organizations are Computer Security Institute (CSI), The Computer emergency Response team, and the The Information Security Systems Securiity Assn (Harper 1999).  Security experts say that companies should take the measures to guard against the internal threat to sensitive systems (Verton 2001). (See table 4).



            Companies depend on Information Technology to handle their business efficiently.   Along with this new technology come new security issues, since it is easier for employees to misuse this technology.  Employee threat is greater from the inside than threat from the outside, and organizations should try not to ignore it, but to minimize it. This insider misconduct can be intentional or accidental, but since it is not easy to distinguish, its better to take action before anything can happen. Employees can turn to be a company’s worst enemy and betray the organization leaving the organization with millionaire losses.   For business to stop this threat they need to take a combination of steps, since doing only one will not be enough.   For example, businesses need to adopt internal controls and new policies for computer and Internet usage.  Also, they need to enforce these policies regarding any misuse of computer information so employees would not take advantage of them.  Businesses need to be constantly looking for any type of attack, take action with employees who break the rules, monitor employees and computers, and install new internal security software.   By using all these methods, businesses will be in alert and, in many cases, they will be proactive and take action before they can have an attack.  Hopefully, adopting these recommendations would help many of these companies overcome the insider’s fraud. 






Table 1




1.      Feels he "owns" the system

2.      Feels entitled to special privileges & exceptions to the rules

3.      Won't delegate any vital responsibilities

4.      Encourages customer dependency on him only

5.      Denies others information and access, and refuses to document vital codes and processes

6.      Fights when his control is threatened, including making threats of violence

7.      Encourages "us vs. them" culture with staff

8.      Contributes to staff turnover by hindering others' upward mobility



1.      "Co-dependency"

2.      Supervisor's dependency on employee has increased to point where the supervisor is largely ignorant of technical aspects of the employee's area

3.      Employee regularly forces supervisor to consider exceptions to policies and practices on his behalf

4.      Employee ignores supervisor's directives without significant consequences

5.      Employee makes supervisor feels impotent

6.      Supervisor feels constrained by employee's allies

7.        Supervisor has no "backup" should employee stop producing








Table 2

Insider-Damage Assessment
A chronology of high-profile internal IT security breaches:

*1985 A brokerage firm clerk alters computer records and changes the ownership and price of 1,700 shares of Loren Industries stock.

*1989 A former employee of Southeastern Color Lithographers Inc. destroys billing and account information worth $400,000.

*1996 A computer operator at Reuters Group PLC in
Hong Kong sabotages the dealing systems for five investment-bank clients.

*1997 A temporary employee working as a computer technician at Forbes magazine is charged with crashing the company's network and causing more than $100,000 in damage.

*1998 A disgruntled programmer at defense contractor Omega Engineering Corp. sets off a digital bomb, destroying $10 million in data.

*2001 Robert Hanssen, a career FBI agent with access to counter intelligence databases, is charged with spying for
Russia since 1985.
~~~~~~~~By Dan Verton




Table 3   (Bequai 1998)


Enforcement of Policies (Internet)


v     Written Warnings- these should be issued to any employee who violate company policies governing use of the Internet.  Repeat offenders should be dealt with sternly.

v     Discharge- the more serious abuses, call for immediate discharge.  Anything short of that , could expose the employer to legal sanction.

v     Restitution- An employee who causes his/her employer any financial injury, should be required to make restitution.  Such actions will serve to demonstrate to the authorities and the courts, that the employer is serious in its effort to curb abuses of the Internet.



















Table 4

Measures to guard against the internal threat to sensitive systems:

* Develop training and education programs for all employees.
* Conduct background investigations on employees and contractors who have access to sensitive systems.
* Classify corporate information, and control employees' access based on their need to know or role.
* Segment networks, where possible.
* Deploy monitoring tools with automated alert mechanisms.
* Demand that trading partners and service providers inform you of the security protections in place at their facilities.
* Control physical access to buildings and offices; automate the logging of physical access and integrate it with network-access

By Dan Verton











Avolio,Fred.“When Access Goes Bad,” July 2001, p.1.


Bequai, August. “Employee Abuses in Cyberspace: Management’s Legal Quagmire,” Computers and Security, 1998, Vol. 17 Issue 8, p.667.--


Chen, Anne. “Watching your back”, eWeek Vol.19 no3, Jan 2002, p.37-8.


Cohen, Frederick. (1995). “Protection and Security on the Information Superhighway,” Integre Technical Publishing Co., Inc. p.18, 57.



Dhillon, Gurpreet, Steve Moores. “Computer Crimes:  Theorizing About the Enemy Within,” Computer and Security, Vol.20, No.8, p.715.


Escamilla, Terry. (1998). “Intrusion Detection, Network Security Beyond the Firewall,” New York, NY: John Wiley & Sons, Inc, p.5.


Ermann, M. David, et. al.  (1990). “Computers, Ethics, and Society,” New York, Oxford University Press, Inc. p.346-340.


Genn, Adina. “Stay Alert to Prevent Inside Job,” Long Island Business,News A21 48, no.52 Dec. 2001, p. A21.



Hamin, Zaiton. “Insider Cyber-threats: Problems and Perspectives,” International Review of Law, Computers & Technology, Mar2000, Vol.14 Issue 1, p105-113. --


Harper, Doug. “Is Your Technology Secure?,” Industrial Distribution V.87 no4, May 1998, p.96.


Hollinger, Richard. (1997). “Crime, Deviance and the Computer,”  Vermont: Dartmouth Publishing Company. P.350.


Kerschbaum, Florian. “Using internal sensors and embedded detectors for intrusion detection,” Journal of Computer Security, 2002, Vol.10 Issue ½, p.23.


Klein, John. Corporate Technologies, AVICOM Company,


Little,  Matthew. “Virus,” Products Finishing, Jun 2002, Vol. 66 Issue 9, p10. --


Newmann, Peter G. “Risks of Insiders,” Communication of the ACM, Dec 1999, Vol.42 Issue 12, p.160 --


Power, Richard. “Computer Security Issues and Trends,” 2002 CSI/FBI Computer Crime and Security  Survey, Vol. Vlll, No.1,  Spring 2002.



Privacy Rights Clearinghouse. “Employee Monitoring: Is there Privacy in the Workplace,” April 2001,



Privacy Rights Clearinghouse. “Employment Background Checks: A Jobseeker's Guide,” August 2000,



Radcliff, Deborah. “Firewalls Reach Out”, Computerworld ( Vol )64-65 35, no. 13, Mar 2001, p.64.



Shaw, Eric. “Managing the Threat from Within”, Information Security, July 2000



Shaw, Eric.“The Insider Problem, to Fire or Not to Fire?,”  Information Security, Jan. 2001,


Tarabulski, Noelle. “Security Alert”, Professional Builder, Vol.66 Issue 4, Apr. 2001,

    p.221, 3p, 1c.


Trembly,Ara.  “Cyber crime means billions in losses,”  National Underwriter

    (Life/Health/Financial Services), Vol.103 n27. July, 1999, p.37.


Verton, Dan. “Analysts: Insiders May Pose Security Threat,” Computerworld, Vol.35 Issue 42, Oct.2001,  p6, 3/4p.


Verton, Dan.  “Experts, users strategize on security at crime summit,” Computerworld 20 35, no.11, Mar 2001, p.20.


Ward, Mark. “Employees seen as computers saboteurs,” BBC News Online technology Correspondent, April 2002, p.1.



Zall, Milton. “Do you know how your employees are using your computers?”, Office Solutions V.18 no3, Mar 2001, p.38-41.