Insider Threats
1. Edition March 2018
176 Pages, Hardcover
Wiley & Sons Ltd
ISBN:
978-1-84821-972-4
John Wiley & Sons
Further versions
An information system may be regarded as an organized set of resources, both technological and human. Security should take this specificity into consideration in order to ensure an overall security of information systems. The security of information systems is usually tackled in a technological perspective. This book proposes to focus not only on information systems' security in a technological perspective, but also in a human, managerial and organizational perspective.
List of Figures ix
List of Scenarios xiii
Preface xv
Introduction xix
Part 1. Information Systems: Technologies and People 1
Chapter 1. Components with Known Purposes: Technologies 3
1.1. Up to the end of the 19th Century: decreasing transmission time 4
1.2. From the end of the 19th Century: decreasing processing time 14
1.3. From the end of the 20th Century: facing massification 21
Chapter 2. Components with Interpretive Aspects: People 25
2.1. Tacit knowing or, how do we know? 26
2.1.1. The existence of tacit knowledge 26
2.1.2. Sense-giving and sense-reading: knowledge is tacit 27
2.2. The interpretative framework, the filter through which we create our knowledge 31
2.2.1. A tool for tacit knowing 31
2.2.2. The different types of interpretative frameworks 34
2.2.3. The commensurability of interpretative frameworks 37
2.3. The concept of incommensurability 38
2.3.1. From partial communication to incommensurability 39
2.3.2. Language - linking words to nature 41
2.3.3. Revolution - changing the meaning of words 44
2.4. Mental models, representations of reality 46
2.4.1. Incomplete representations 47
2.4.2. Cognitive representations 49
2.4.3. Shared mental models 50
2.4.4. Explaining mental models 51
Part 2. The Insider Threat 59
Chapter 3. The Three Categories of Insider Threats 61
Chapter 4. Unintentional 69
4.1. The quality of the stolen information 73
4.2. The case of apparently insignificant information that has hidden value 74
4.3. The case of information that can simply be asked for 78
4.4. The case of the information that will help you 81
Chapter 5. Intentional and Non-Malicious 83
5.1. Conflict between productivity and security 85
5.2. Workarounds, a factor for innovation or risk 88
5.2.1. Workarounds are an innovation 89
5.2.2. Workarounds are a risk 89
5.3. On non-malicious violations 90
5.3.1. Intentional behavior 91
5.3.2. Personal benefit without malicious intent 91
5.3.3. Voluntary breaking of the rules 92
5.3.4. Possible damage or risk to security 92
Chapter 6. Intentional and Malicious 95
6.1. The information is known; why not exploit it? 96
6.2. Organizational environment and cognitive processes of committing the act 99
6.2.1. For the organization, deterrence prevents maliciousness 100
6.2.2. For the employee, moral disengagement justifies maliciousness 103
6.3. Ease of deterrence 105
Conclusion 111
Bibliography 117
Index 127
List of Scenarios xiii
Preface xv
Introduction xix
Part 1. Information Systems: Technologies and People 1
Chapter 1. Components with Known Purposes: Technologies 3
1.1. Up to the end of the 19th Century: decreasing transmission time 4
1.2. From the end of the 19th Century: decreasing processing time 14
1.3. From the end of the 20th Century: facing massification 21
Chapter 2. Components with Interpretive Aspects: People 25
2.1. Tacit knowing or, how do we know? 26
2.1.1. The existence of tacit knowledge 26
2.1.2. Sense-giving and sense-reading: knowledge is tacit 27
2.2. The interpretative framework, the filter through which we create our knowledge 31
2.2.1. A tool for tacit knowing 31
2.2.2. The different types of interpretative frameworks 34
2.2.3. The commensurability of interpretative frameworks 37
2.3. The concept of incommensurability 38
2.3.1. From partial communication to incommensurability 39
2.3.2. Language - linking words to nature 41
2.3.3. Revolution - changing the meaning of words 44
2.4. Mental models, representations of reality 46
2.4.1. Incomplete representations 47
2.4.2. Cognitive representations 49
2.4.3. Shared mental models 50
2.4.4. Explaining mental models 51
Part 2. The Insider Threat 59
Chapter 3. The Three Categories of Insider Threats 61
Chapter 4. Unintentional 69
4.1. The quality of the stolen information 73
4.2. The case of apparently insignificant information that has hidden value 74
4.3. The case of information that can simply be asked for 78
4.4. The case of the information that will help you 81
Chapter 5. Intentional and Non-Malicious 83
5.1. Conflict between productivity and security 85
5.2. Workarounds, a factor for innovation or risk 88
5.2.1. Workarounds are an innovation 89
5.2.2. Workarounds are a risk 89
5.3. On non-malicious violations 90
5.3.1. Intentional behavior 91
5.3.2. Personal benefit without malicious intent 91
5.3.3. Voluntary breaking of the rules 92
5.3.4. Possible damage or risk to security 92
Chapter 6. Intentional and Malicious 95
6.1. The information is known; why not exploit it? 96
6.2. Organizational environment and cognitive processes of committing the act 99
6.2.1. For the organization, deterrence prevents maliciousness 100
6.2.2. For the employee, moral disengagement justifies maliciousness 103
6.3. Ease of deterrence 105
Conclusion 111
Bibliography 117
Index 127
Dr. Pierre-Emmanuel Arduin, Associate Professor, Université Paris-Dauphine, France.
Cédric Campo-Paysaa, Security Consultant.
Cédric Campo-Paysaa, Security Consultant.
