Friday, May 17, 2019

Risk Management without Threat Reports

The insider threat is, by its very nature, a difficult threat to face. As professionals operating in a National Industrial Security Program Operating Manual (NISPOM) environment, we acknowledge these trusted-but-deviant employees without really addressing the issue. We conduct the required insider threat program training, document it, and report the existence of our insider threat programs as required. In other words, it is easy to recognize that the potential for an insider threat exists. We can even assign an impact level should an insider go to the dark side, but few of us go beyond that recognition to implementing preventive measures.

What if you can’t identify a threat, do you still have a risk?
Insider threat programs and training requirements spend much effort convincing us that the insider threat is “real” and that, if activated, an insider can cause “damage” to national security in proportion to the level of classified information exploited. The mitigations, however, are not well discussed. Many look for some level of threat assessment before assigning a risk rating. This is the old formula so often used: Likelihood (or Feasibility) x Impact (or Severity) = Risk, written L x I = R or F x S = R. The likelihood or feasibility term is typically derived from an identified threat. The danger arises when there is no smoking gun or specifically identified threat, which is the usual case. For example, if we have no indication that employee X is going rogue, and no threat report or adverse information on any employee, then the formula yields no likelihood and therefore no countermeasures to implement. In this situation, well-meaning security managers may not see the need to apply countermeasures at all.

This is what the continuous evaluation process should expose. However, the logic of the formula would have you simply remove whatever threat the evaluation process revealed. In practice, if you had a credible threat or report on a cleared employee, the mitigation would be to fire them or separate them from the classified work. You get rid of that risk and no longer have that threat, but nothing has been done about the insider you have not yet identified.

Let’s propose another way to perform risk management.

What if there was no smoking gun? What if you had no threat report? What’s the next step?
One solution is to assume a threat. Consider Manning and Snowden. Both are poster children for the insider threat: trusted cleared employees, one military and one contractor. Both performed their missions successfully and were probably rewarded for good work. Yet each exfiltrated classified information without anyone’s knowledge until the damage was done, and by then it was too late.

Many who perform risk assessments do capture the impact an insider can have on the mission of the organization as well as on national security. Without an actual threat report from a credible source, they are still able to assume that a threat may exist from the inside and assign a risk level. We see this notional threat applied routinely in the loss prevention disciplines of major corporations, banks, casinos, and retail stores. Even though most employees are honest and hardworking, some may go rogue.

These risk managers are not tasked with identifying which employees will go bad; they are tasked only with making it harder for rogue employees to steal. They employ mitigations such as audits, security cameras, anomaly searches and other technical solutions to catch thieves in the act.

How can this be applied by Security Managers?
Security managers can make it more difficult for an insider to sabotage a program or steal classified information using the following steps:
  •       Determine what high value items exist: classified information, personally identifiable information, technical data, proprietary data, etc.
  •       Determine where high value items exist: security containers, locations in the building, computers, warehouses, etc.
  •       Identify who has access to the high value items, by name and location.
  •       Use technology or locking devices to prevent access by unauthorized persons: GSA-approved security containers, high security locks, password protection, segregated networks, and segregated computers and hard drives.
  •       Control access to printers, fax machines and computers. System administrators, ISSMs, ISSOs and others can use technology to limit downloads, print jobs, copying and similar actions. Technology can also record and approve who performs these tasks, at what time of day, and how much data is transferred.
  •       Require permission to access high value items: an employee’s use of information technology should be treated as a privilege that is approved, monitored and audited by an authority, with violations reported.
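As an added example (not part of the original post), here is how the last three steps above might be checked in practice: a small Python script that holds a hypothetical inventory of high value items, each with its location and the users authorized to handle it, and then scans constructed audit-log lines for three kinds of activity outside what was permitted: access by a user not on the list, activity outside business hours, and a user's daily transfer volume exceeding a policy ceiling. The asset names, user names, thresholds and log lines are all invented for illustration; a real program would draw them from its own records and from the audit trail of its systems.

```python
"""Added example, not from the original post: an 'assume a threat' audit check.

It does not try to decide which employee is a threat. It only records who is
permitted to touch each high value item and flags activity that falls outside
that permission. Every name, threshold and log line here is constructed for
illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Steps 1-3: what the high value items are, where they live, who may access them.
# Hypothetical inventory; a real one comes from the program's own records.
INVENTORY = {
    "PROJ-ALPHA-TECHDATA": {"location": "GSA container 12, Room 204",
                            "authorized": {"alice", "bob"}},
    "HR-PII-EXPORT":       {"location": "HR file share on fs01",
                            "authorized": {"carol"}},
}

BUSINESS_HOURS = (7, 19)         # 07:00-19:00 local; anything else is off-hours
DAILY_BYTES_LIMIT = 50_000_000   # per-user, per-day ceiling (hypothetical policy value)


@dataclass
class Event:
    when: datetime
    user: str
    action: str   # print, copy, download, ...
    asset: str
    size: int     # bytes transferred (0 for a physical access)


def parse_line(line: str) -> Event:
    """Parse one constructed audit-log line:
    'YYYY-MM-DDTHH:MM user action asset bytes'."""
    ts, user, action, asset, size = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M"), user, action, asset, int(size))


def find_violations(lines, inventory=INVENTORY, limit=DAILY_BYTES_LIMIT):
    """Return (user, rule, detail) findings for activity outside permission.

    Rules: the user is not on the asset's authorized list; the activity falls
    outside business hours; or the user's cumulative transfer for the day
    crosses the ceiling (reported once, at the event that crosses it)."""
    findings = []
    per_user_day = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        item = inventory.get(ev.asset)
        if item is None:
            continue  # not a tracked high value item
        if ev.user not in item["authorized"]:
            findings.append((ev.user, "unauthorized-access", f"{ev.action} {ev.asset}"))
        if not (BUSINESS_HOURS[0] <= ev.when.hour < BUSINESS_HOURS[1]):
            findings.append((ev.user, "off-hours",
                             f"{ev.action} {ev.asset} at {ev.when:%H:%M}"))
        key = (ev.user, ev.when.date())
        before = per_user_day[key]
        per_user_day[key] += ev.size
        if before <= limit < per_user_day[key]:
            findings.append((ev.user, "volume-exceeded",
                             f"{per_user_day[key]} bytes on {ev.when:%Y-%m-%d}"))
    return findings


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2019-05-13T09:15 alice print PROJ-ALPHA-TECHDATA 120000",
    "2019-05-13T10:02 bob copy PROJ-ALPHA-TECHDATA 30000000",
    "2019-05-13T10:40 bob copy PROJ-ALPHA-TECHDATA 30000000",  # pushes bob past the ceiling
    "2019-05-13T22:30 dave download HR-PII-EXPORT 4000000",    # unlisted user, off-hours
    "2019-05-13T11:00 carol download HR-PII-EXPORT 2000000",   # permitted
    "2019-05-13T11:05 carol print CAFETERIA-MENU 5000",        # not a tracked item
]

if __name__ == "__main__":
    for user, rule, detail in find_violations(SAMPLE_LOG):
        print(f"{user:6} {rule:20} {detail}")
```

Run against the sample log, the script reports bob crossing the daily volume ceiling and dave's off-hours access to an item he is not authorized for, while alice's and carol's permitted activity produces no findings. The point of the design is that none of the rules require knowing in advance who is a threat; they only require the inventory and access list from the earlier steps and an audit trail to compare them against.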

The traditional risk model includes identifying a threat. Many who use it find themselves inadequately protecting high value information because there has been no history of adverse activity and they have not identified adverse activity by trusted employees. A good risk assessment, however, assumes that a threat exists and works to ensure that authorized employees operate only as permitted.

If you would like more information on insider threat training, just visit

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".
