Topic: Employees as a major source of IT Security Threat



We all depend on information technology systems in our daily lives: telephone systems, cable systems, the electrical power grid, much of our transportation and delivery systems, and almost every other element of our National Information Infrastructure (Cohen 57).  The dependencies we once had on other people and ourselves shift toward dependencies on these new technologies (p.18), as Frederick B. Cohen says in his book “Protection and Security on the Information Superhighway”.  Businesses use a great deal of this information technology to handle all the work they have to do.  Computers now play an important role in every type of business.  As we continue to barrel through the information age, it is hard to imagine conducting business without computers. Each day, millions of people working in offices and homes around the world depend on computer technology to do their jobs efficiently and economically (12).

Information technology has produced substantial benefits for all of us.  However, alongside these benefits lies a disadvantage: computers and computer systems are vulnerable to all manner of misuse.  The consequences of such misuse may be very serious (Hollinger 348). Computers, which are part of this technology, have little or no protection, and interconnected computers are generally wide open to accidental or malicious disruption. In addition, these computers hold a vast amount of important and sensitive information that cannot be shared with anyone, so companies must protect their businesses from intruders.

Nowadays organizations have to protect their businesses from many people who can cause them losses in the millions: for example, vendors and business associates seeking leverage, hackers or crackers seeking a thrill, cyberpirates seeking profits and information, employees seeking knowledge and power, ex-employees seeking revenge, or competitors seeking to destroy them (Information Technology Security Solutions; Klein 1).  For these and many other reasons they should be on alert, 24 hours a day, for anything that can happen within their organizations, because it is better to prevent than to regret.

Employees are the ones who have legitimate access to all this information, so it is easier for them to obtain secured information.  A “Computer Crime and Security Survey” is done yearly by the United States FBI and the Computer Security Institute.  It is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad.  This survey is based on responses from 503 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities.  The CSI Director has declared that “Over its seven-year life span, the survey has told a compelling story, threat from inside the organization is far greater than the threat from outside the organization.” (CSI 1).  To reinforce this, the U.S. Chamber of Commerce calculates that one-third of all business failures result from employee dishonesty (Kelly 1).  Disruption is commonly caused by insiders, and it is very difficult to differentiate between accidental and intentional disruption in this context (Cohen 57).  Incidents include everything from virus outbreaks and browsing inappropriate pages on company computers to committing fraud or cracking corporate computer systems from the inside (Ward 1).



There are two classes of computer criminals in any business: outsiders and insiders. Insiders typically exceed authorized access while committing a computer-related crime, while outsiders obtain purely unauthorized access.  The insider/outsider distinction is relevant because the person’s method of entry and type of misuse will often determine whether the law will come into play (Hollinger 350).  Usually, companies put more attention and effort into developing security controls for external threats, theft, and attacks only, while on the inside nothing has been implemented.  This means that they protect their companies heavily from outsiders while almost completely forgetting about insiders, who can turn out to be their worst enemies.  One reason for this is that they might trust their employees more than any person from the outside.  From one point of view it is reasonable to think that way, just by looking at statistics found in this survey: “Forty percent of the respondents detected system penetration from the outside” (CSI 1).  Many people might say that outsiders are the ones who want to destroy their records or steal valuable information.  But let's think about it: insiders already have the information on hand, and we do not know who might betray the organization. Employees are the ones who can give outsiders access to this information, or even take it for their personal use or advantage.  Businesses may assume that employees are their best allies when in fact they can be their worst enemies.  The most costly sources of insider attack seem to be executives, people who use application programs, programmers, and other employees (Cohen 57).  Fred Avolio, in his article “When Access Control Goes Bad”, says that “we can break down the problem into three areas.  First, while we may have fairly good external controls, our internal data access controls are usually poor to nonexistent.  Too often we rely on physical access control only.  Second, and again, while our external network gateways and systems (web servers, mail gateways, and firewalls) are usually closely watched, inside machines often are not. Finally, we may run intrusion detection on our service networks (DMZs) looking for suspicious activities, but may not be as thorough on the inside” (Avolio 1).

There is also a type of insider called a “proprietor.”  According to Eric D. Shaw, a “proprietor” is “a person who has grown so attached to his information technology system that he feels like he personally owns it and would do anything to defend his control over it” (Shaw 1).  This type of employee can cause harm to the entire company, and we must know how to identify them.  There are several characteristics and signs that identify a proprietor (see table 1).



There are four broad categories of computer crime that insiders can commit: sabotage, theft of services, property crimes, and financial crimes. Sabotage is a crime against computer hardware and software that causes extensive damage.  For example, a dissatisfied employee can walk through a data storage area with an electromagnet, erasing valuable company records.  Theft of services occurs when employees gain unauthorized access to a time-sharing system that does not require regular changing of access codes.  Property crimes involve theft of the computer equipment itself.  Employees can also create dummy accounts that direct orders to an accomplice outside the organization. Financial crimes are considered among the most serious crimes in terms of monetary loss.  A common method involves checks: an employee familiar with a firm's operations can cause multiple checks to be made out to the same person, or can juggle confidential information within a computer, both personal and corporate, to alter it (Ermann 346-340).



When employees are detected misusing information, they should be penalized for doing so.  Employers can take several actions, such as dismissal; if the case is too serious, they can take it to court or fire the employee.  The issue here is which of these actions they should take, or whether anything similar should be done about it.

There are several risks in firing an employee who is stealing or misusing information.  The risk is worse if that employee is a proprietor, since firing him or her can cause harm to the company.  The company might not find an adequate replacement; the person can withhold information vital to the transition; they can commit sabotage or espionage, or cause a loss of intellectual property, before or after departure; or the firing can cause a loss of other vital staff. Sometimes it is better to investigate that person’s life and try to find out what the problem is.  In this way, the situation may be resolved in a manner that helps both the company and the employee.  According to Shaw, in the article “The Insider Problem: To Fire, or Not to Fire?”, the challenge in dealing with proprietors is developing a sufficient understanding of the employee and his/her organization to chart a course of action that can resolve a difficult situation without causing a major disruption to operations and security (Shaw 2).

Another solution is to have more control over the secured information.  …After we categorize the data and systems on our network, we can assign the proper access based on job responsibility and the “need to know.”  Rather than an “all or nothing” access scheme, individuals are granted access to only what they need to access (Avolio).




There are three central goals in computer security: confidentiality, which means the protection of data so that it is not disclosed in an unauthorized fashion; integrity, meaning protection against unauthorized modification of data; and availability, or protection from unauthorized attempts to withhold information or computer resources (Escamilla 5).  In order for companies to remain in business, they should secure their information technology assets (Klein 1). Frederick B. Cohen affirms that it is prudent to take additional measures to prevent, detect, and respond to insider attack (Cohen 57). They should carefully adopt security awareness programs, which are among the most important prevention, monitoring and detection tools available (Shaw art.2,3). IBM suggests creating a security and privacy blueprint, developing policies, procedures and penalties in advance to reduce threats and risk, and actively checking security and privacy controls, including mechanisms used by hardware and software systems, networks, databases, and human resource systems (Strothman 1).

Even though employees might seem honest, it is better for businesses to monitor them; this way they can see if something strange is going on, or if employees are looking at information that they are not supposed to see.  When there is evidence of misconduct or misuse of information, monitoring or investigation of the situation should follow. Businesses should also monitor computers by installing software that detects any strange behavior employees might show.

Finding anomalies or strange behavior is a big problem, since employees often have the right to look at this information and nothing abnormal is apparently going on. For these reasons, businesses can configure a network-based intrusion detection system to look for anomalous behavior.  Another choice is to install a host-based intrusion detection system that can look for suspicious or unauthorized access activity (Avolio 2).
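The two controls discussed above, need-to-know access by job responsibility and host-based review of access activity, can be sketched together. This is an added example, not taken from the cited sources; the roles, data categories, audit records and thresholds are constructed assumptions.

```python
# Need-to-know policy: role -> data categories that role may read (constructed).
NEED_TO_KNOW = {
    "payroll_clerk": {"payroll"},
    "sales_rep": {"customers"},
    "dba": {"payroll", "customers", "source_code"},
}

# Constructed host audit records: (day, user, role, category, records_read).
AUDIT_LOG = [
    (1, "alice", "payroll_clerk", "payroll", 40),
    (2, "alice", "payroll_clerk", "payroll", 35),
    (3, "alice", "payroll_clerk", "payroll", 45),
    (4, "alice", "payroll_clerk", "payroll", 900),  # authorized, unusual volume
    (1, "bob", "sales_rep", "customers", 20),
    (2, "bob", "sales_rep", "customers", 25),
    (3, "bob", "sales_rep", "payroll", 5),          # outside need to know
    (4, "bob", "sales_rep", "customers", 22),
]

def is_allowed(role, category):
    """Grant access only when the role's job responsibility covers the category."""
    return category in NEED_TO_KNOW.get(role, set())  # unknown role: deny

def review(log, factor=5, min_history=2):
    """Return (day, user, reason) findings for the audit log, in day order."""
    findings, history = [], {}
    for day, user, role, category, count in sorted(log):
        if not is_allowed(role, category):
            findings.append((day, user, "outside-need-to-know"))
            continue  # policy violations never shape the baseline
        past = history.setdefault((user, category), [])
        if len(past) >= min_history:
            baseline = sorted(past)[len(past) // 2]  # median of earlier days
            if count > factor * baseline:
                # Access is permitted, but far above this user's own norm.
                findings.append((day, user, "volume-anomaly"))
                continue  # keep the outlier out of the baseline
        past.append(count)
    return findings

if __name__ == "__main__":
    for finding in review(AUDIT_LOG):
        print(finding)
```

The second finding is the case the paragraph describes: the access is authorized, so only comparison with the user's own history makes it stand out.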

Also, to reduce the risks and costs associated with the electronic storage of proprietary and confidential data, supervisors and peers must be trained to be alert to new types of at-risk characteristics and behaviors linked to insider alienation (Shaw art.2,3). Businesses can hire IT security professionals.  These professionals can educate their clients to be proactive instead of reactive and to recognize the signature of security threats when they occur (Klein).  Some of these organizations are the Computer Security Institute (CSI) and Information Technology Security Solutions (CSI, Klein).


























2. Cohen, Frederick. (1995). Protection and Security on the Information Superhighway. Integre Technical Publishing Co., Inc.

3. Escamilla, Terry. (1998). Intrusion Detection. New York, NY: John Wiley & Sons Inc.

4. Ermann, M. David, et al. (1990). Computers, Ethics, and Society. Oxford University Press, Inc.

5. Hollinger, Richard. (1997). Crime, Deviance and the Computer. Vermont: Dartmouth Publishing Company.

6. Kelly, Michael.

7. Klein, John.

8. Shaw, Eric. (2000).

9. Shaw, Eric. (2001).

10. Strothman, Jim.

11. Ward, Mark. (2002).

12. Carbons to Computers.