The Risk of Risk Analysis And its Relation to the Economics of Insider Threats

Abstract

Insider threats to organizational information security are widely viewedas an important concern, but little is understood as to the pattern oftheir occurrence. We outline an argument for explaining what originallysurprised us: that many practitioners report that their organizationstake basic steps to prevent insider attacks, but do not attempt toaddress more serious attacks. We suggest that an understanding of thetrue cost of additional policies to control insider threats, and thedynamic nature of potential insider threats together help explain whythis observed behavior is economically rational. This conclusion alsosuggests that further work needs to be done to understand how better tochange underlying motivations of insiders, rather than simply focus oncontrolling and monitoring their behavior.