Understanding the Threat of Insider Misuse

Insider misuse is not necessarily malicious behavior. Individuals misusing the organization’s computing resources are for the most part not doing so with the intent to harm the organization. They may just be attempting to “get the job done.” For example, an employee may use his personal laptop to bring work home over the weekend in spite of the organization’s ban on use of personal computing devices for business purposes. Insider misuse does not need to be malicious to pose a threat to the organization.

This is according to the Computer Economics study Insider Misuse of Computing Resources, which analyzes 14 forms of insider misuse in detail. The study shows a number of ways in which violation of an organization’s acceptable use policy may result in harm. Making insiders aware of these threats is an important part of mitigating the risk of insider misuse, as we discuss later in the full study.

A sister report, Malicious Insider Threats, addresses threats where the insider intends to harm the organization or acts in a purposeful way that threatens the organization’s interests. There is sometimes a fine line between malicious intent and mere misuse. For example, an employee downloading music or video files to a desktop computer would not usually be doing so with intent to harm the organization. But if the files being downloaded are pirated, the employee is putting the organization at risk.

Furthermore, if the employee is using a peer-to-peer file-sharing program to download music, his behavior could inadvertently give outsiders access to confidential files on the computer. The employee may not intend to harm the organization, but his actions put the organization at risk.

Nevertheless, we find it useful to separate threats from insider misuse from threats by insiders with malicious intent. Furthermore, many of the countermeasures against insider misuse are also useful to counter malicious insiders.

How Serious Is It?

Before delving into our analysis of each threat, it is useful to examine them in aggregate. For this analysis, we look at all types of insider misuse and rank them according to the perceived seriousness of each threat. In our survey, we asked respondents to rate the “seriousness” of each category of insider misuse as no threat, a minor threat, a moderate threat, or a major threat. We recognize that the word seriousness has no formal definition in risk management. Typically, risk management professionals quantify risks by their “severity” (potential harm) and the “likelihood” of experiencing an incident within a given time frame.

However, because many forms of insider misuse are not readily quantifiable, we use the word “seriousness” to gauge how concerned IT security professionals are with each threat. We believe the seriousness level provides a useful measure of the perceived importance of each threat, while being mindful that perception and reality are not always consistent.

In assessing the seriousness of each category, we asked respondents to consider all forms of potential damage to the organization, such as effect on system availability or integrity, network performance, legal liability, disclosure of confidential information, loss of worker productivity, and damage to the organization’s reputation. In addition, we asked respondents to evaluate these threats without consideration of any countermeasures their organizations were taking to deter misuse.

Interestingly, the 14 categories of insider misuse fall into two distinct groups. The first eight categories form one group, where at least 40% of our respondents view each as a major threat. The first group includes:

  • Unauthorized copying of files to portable storage devices;

  • Downloading unauthorized software;

  • Use of unauthorized P2P file-sharing programs;

  • Remote access programs;

  • Rogue wireless access points;

  • Unauthorized modems;

  • Downloading of unauthorized media; and

  • Use of personal computing devices for business purposes.

What do these forms of misuse have in common? They all pose a threat primarily in terms of loss of information, security breaches, and legal liability. For example, unauthorized copying of files is a threat as it may lead to loss of confidential information. An employee using his own laptop for business purposes may inadvertently take confidential information home at night or retain this information when he leaves the organization. Downloading unauthorized software or using P2P programs may introduce malware into the organization, leading to theft of information or loss of system availability. It is not difficult to envision the seriousness of the threats that these forms of misuse pose to the organization.