The Human Threat
When discussing risk management, two realms of threat are generally accepted: man-made and natural. Natural threats are, of course, fire, flood, tornado, and the like. Man-made threats are anything involving the actions of humans, intentional or not, malicious or not. To state that an organization's employees pose significant information security risks is a bold statement, but industry experts agree. According to Michael DuBose, former head of the cyber-crimes division of the U.S. Department of Justice, employees pose the greatest risk to an organization's data. According to the Verizon Data Breach Report from 2013, 14% of breaches stemmed from an organization's employees. According to the 2013 Ponemon Data Breach study, human errors and system problems caused two-thirds of data breaches in 2012.
The chart on the right shows the hierarchy of human threat categories. In the realm of Human Threat, there are two categories of threat: Malicious and Non-Malicious. Malicious threats may come from insiders or outsiders. Non-Malicious human threats manifest as the result of human error, unclear policies and procedures, inadequate training and the like.
Threat Category - Malicious
Monthly we see articles in the news, not just on information security blogs but in mainstream media, reporting on disruption, damage, and data theft caused by humans. Malicious threats come from many actors with many motivations, including hackers and cyber-criminals pursuing data theft, bored aspiring hackers (script kiddies) testing the waters of the dark world of hacking, hacktivists disrupting operations for political reasons, and even disgruntled employees seeking to cause mayhem or obtain revenge for some imagined wrong-doing.
The majority of malicious actions against an organization are perpetrated by persons who have never been affiliated with the organization. While the volume of such attacks is high (port scans, SQL injection attempts, phishing emails), the risk is reduced significantly by defensive measures (email firewalls, intrusion prevention systems, proper patch management policies and procedures).
Inversely proportional to the outsider threat, malicious actions committed by insiders tend to be very low in volume yet have a very high success rate. Insiders are typically trusted, vetted individuals to whom the organization has chosen to grant access to systems and resources so they can perform their job role. Because of these permissions, insiders have the direct capability to cause damage to the organization by corrupting data, disabling services, laundering money, abusing resources, theft, whistle-blowing, and more. While a small number of employees may have had ill intentions when applying for a job with the organization, the majority of insider threats have had life-altering occurrences that led them astray. For example, a financially distraught employee at an R&D firm may receive an offer from a competitor to sell information, or an employee may develop an addiction or greed and embezzle funds or commit insider-trading crimes.
Threat Category - Non-Malicious
Information security practitioners may become jaded and look for malice when breaches of confidentiality, integrity, and availability occur through human actions. The truth, however, is that many times these breaches are the result of accidental actions, unforeseen consequences, or misunderstandings. Examples of non-malicious incidents include laptops stolen from cars, operator errors resulting in the deletion or corruption of database records, and even accidentally forwarding confidential data via email to the