Management awareness paper on insider threat metrics
How do you measure 'insider threats' in your organization? If your answer is "We don't!", then I have to wonder how you are managing insider threats.
Without suitable metrics, how do you figure out how much of a problem you might have from employees, contractors, consultants, temps and interns? How do you determine where best to spend your security budget? How do you persuade management to loosen the purse strings sufficiently to address the risks? I guess you guess!
The discussion paper breaks down 'insider threat' into chunks that can be measured sensibly. The main divide falls between deliberate attacks (such as frauds by insiders) and accidents (such as mistakenly overwriting the entire production database - don't laugh, it happened to me 25 years ago and the nightmare still haunts me today!).
The paper picks up on one of the most productive sources of information security metrics: the IT Help/Service Desk's problem and incident management process. Most mid-to-large organizations these days route employee queries and problem reports through a centralized helpdesk function that acts as a clearing house, offering first-line support and routing unresolved calls to the appropriate resolving agencies for specialist help. A valuable core part of their role is to ask questions and record information about calls in the ticketing system, tracking the calls through to completion. The system, then, is a goldmine of information about queries, problems, events, incidents and other issues, including "near misses" (assuming the organization is sufficiently clued-up to encourage workers to report close-shaves as well as actual incidents).
If this is all Greek to you, find a spare hour or two to speak to a helpdesk supervisor about the call-ticketing system, about how calls are categorized and recorded, and how to squeeze suitable reports out of the system ... but, before you get completely carried away on a wave of enthusiasm, planning how to use all that sexy statistical and textual information, think very carefully about what you are doing. The availability of information is not, in fact, the main concern when designing security metrics. A far more important issue is to figure out what you want to know, what questions need to be answered. Conceiving questions that fit the available answers is putting the cart before the horse.