Publication details


Malicious or misinformed? Exploring a contributor to the insider threat
Furnell SM
Computer Fraud & Security, September, pp8-12, 2006

It was once stated that one of the biggest obstacles that organizations may face in trying to achieve security is overcoming the problems posed by “unalert, uninterested, lax, ignorant, uncaring end users”. Indeed, it is indisputable and widely recognized that many of the threats facing organizations can originate from their own staff, and related discussions are always quick to recognize that these can result from both deliberate misuse and accidental errors. However, it is also relevant to acknowledge the potential for inadvertent misuse, in which employees' unawareness of security principles and organizational policies can lead them to do the wrong thing out of ignorance rather than intent. In all cases there are things that organizations can do to mitigate the risks, but it is possibly this last category in which they are directly answerable for any problems. Indeed, in many cases, the ignorance of staff may be directly linked to the negligence of their employers to address their security needs. With this in mind, the basis of this discussion is to examine whether organizations' own inattention to people-related security controls is serving to exacerbate the insider threats that they face. This lack of attention is manifested in terms of failing to put staff on the right track in terms of their security-related behaviours, as well as not doing enough to monitor for the potential problems that they cause.
