The real insider threat

Despite what you may have heard, the insider threat is probably not the greatest threat to your organization. The most detailed study of the insider threat is probably the one performed at Carnegie Mellon University at the CERT Coordination Center. In 2002, the Insider Threat Study was started jointly by CERT and the U.S. Secret Service National Threat Assessment Center, the goal of which was a careful and systematic study of insider threats. One source of the data that this joint operation uses is the annual E-Crime Watch Survey.

Since 2004, the E-Crime Watch Survey has been jointly run by CERT, the U.S. Secret Service and CSO Magazine, and it provides a good summary of the state of information security threats. The results of this survey concerning the relative frequency of insider and outsider attacks are shown below in Figure 1. Note that in the years 2004 and 2005, survey participants were not given the choice to indicate that they did not know the source of attacks on their networks. It appears that the incidents that were later classified as coming from an unknown source may have actually been earlier classified as coming from outsiders, but there’s no way to be sure.


Figure 1: Data from the E-Crime Watch Survey from 2004 through 2007.

Other studies have found similar results. The 2007 CSI Computer Crime and Security Survey is the latest in a series of 12 annual studies of the state of information security. In none of the years that this study has been conducted has it found the insider threat to be greater than the outsider threat, and the 2007 report even comments on this:

"A great deal is made of the insider threat, particularly by vendors selling solutions to stop insider security infractions. It’s certainly true that some insiders are particularly well-placed to do enormous damage to an organization, but this survey’s respondents seem to indicate that talk of the prevalence of insider criminals may be overblown."

It’s unlikely that the mistaken belief that insider attacks are more numerous than those from outside will disappear any time soon. But it might make sense to not base your purchasing decisions on one of the legends of information security that refuses to die. There are certainly some cases where the risk from insider attacks is so serious that it justifies either technology or other controls to limit the exposure to damage from it. These cases are probably the exception rather than the rule. In most cases there are probably better uses for your security budget.
