Synopsis
Insider threats are a significant and growing risk to public and private sector organisations, and they are among the more difficult cybersecurity risks to address effectively. The range of threat types includes IT sabotage, intellectual property theft, fraud, foreign espionage, and unintentional insider threats. In each case, human intentions, actions, and imperfections are central to the act.
Insider threats bring the human dimension of cybersecurity risk to the forefront of mitigation strategies. Incidents can be intentional or unintentional. The insiders involved can be current or former employees, contractors, or business partners who use their sanctioned access to an organisation's networks, systems, or data to compromise, deliberately or otherwise, the confidentiality, integrity, or availability of the organisation's information technology assets or the information itself.
Insider threat programs designed to detect and prevent such risks remain focused on stopping malicious activity through the usual control interventions: access controls, monitoring, auditing, behavioural analytics, and AI used to predict and detect abnormal behaviour.
The presentation will examine why addressing the 'negative problem' of trying to contain the costs of human imperfection, using theories that assume homogeneous human behaviour driven by self-interest, is the wrong place to start in understanding and addressing insider threats.
The audience will be invited to consider how we have been conditioned to frame the problem of insider threats and, more generally, other information security-related risks through micro-events.
We understand and identify the risk through specific incidents such as cyber-attacks, privacy breaches, and the prospect of malicious insiders. While these events help connect leaders and employees to the potential and consequences of insider threats, they limit our strategic perspective to the context of those incidents rather than to human psychology and behaviour.
The way we frame insider threats constrains the mitigations we implement. We need to step back from the level of 'incidents' or 'potential incidents' and examine the risk and its potential mitigations from a human and organisational perspective.
This presentation offers a perspective on better aligning the theory and practice of insider threat. It provides a richer and more realistic understanding of human behaviour and traces that understanding through five principles that should guide the design of insider threat risk mitigation. It concludes with a framework and examples of an integrated approach to mitigation that avoids the ‘negative problem’ of the ‘human as the enemy within’.