An information system may be regarded as an organized set of resources, both technological and human. Security should take this specificity into account in order to ensure the overall security of information systems. The security of information systems is usually tackled from a technological perspective. This book proposes to address information systems' security not only from a technological perspective, but also from a human, managerial and organizational perspective.
Page count: 140
Year of publication: 2018
Cover
Title
Copyright
List of Figures
List of Scenarios
Preface
Introduction
PART 1: Information Systems: Technologies and People
1 Components with Known Purposes: Technologies
1.1. Up to the end of the 19th Century: decreasing transmission time
1.2. From the end of the 19th Century: decreasing processing time
1.3. From the end of the 20th Century: facing massification
2 Components with Interpretive Aspects: People
2.1. Tacit knowing or, how do we know?
2.2. The interpretative framework, the filter through which we create our knowledge
2.3. The concept of incommensurability
2.4. Mental models, representations of reality
PART 2: The Insider Threat
3 The Three Categories of Insider Threats
4 Unintentional
4.1. The quality of the stolen information
4.2. The case of apparently insignificant information that has hidden value
4.3. The case of information that can simply be asked for
4.4. The case of the information that will help you
5 Intentional and Non-Malicious
5.1. Conflict between productivity and security
5.2. Workarounds, a factor for innovation or risk
5.3. On non-malicious violations
6 Intentional and Malicious
6.1. The information is known; why not exploit it?
6.2. Organizational environment and cognitive processes of committing the act
6.3. Ease of deterrence
Conclusion
Bibliography
Index
End User License Agreement
1 Components with Known Purposes: Technologies
Table 1.1. Polybius’ code
Being simple is complicated
(Être simple, c’est compliqué)
Advances in Information Systems Set
coordinated by Camille Rosenthal-Sabroux
Volume 10
Pierre-Emmanuel Arduin
First published 2018 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:
ISTE Ltd
27-37 St George’s Road
London SW19 4EU
UK
www.iste.co.uk
John Wiley & Sons, Inc.
111 River Street
Hoboken, NJ 07030
USA
www.wiley.com
© ISTE Ltd 2018
The rights of Pierre-Emmanuel Arduin to be identified as the author of this work have been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.
Library of Congress Control Number: 2017963958
British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library
ISBN 978-1-84821-972-4
Scenario 4.1. What is your employee number?
Scenario 4.2. Are you there?
Scenario 4.3. Set it on the doorstep, thank you
Scenario 4.4. It’s for the vice-president
Scenario 6.1. The Post-it in the transfer room
Information is the basis of all interactions between two beings endowed with intelligence: from chemical variations between cells to the exchange of electronic signals between machines, information has been exchanged since the beginning of time. An attentive reader will question whether cells and machines are really endowed with intelligence, but what is intelligence if not our capacity to link ideas with each other? The word “intelligence” is in fact made up of the Latin prefix inter-, meaning “between”, and the stem ligare, meaning “to link”. Information and intelligence thus both converge on this idea of linking: any kind of being links to others through the exchange of information, and links ideas to one another through intelligence.
Language follows this path and so does writing: both support the exchange of information in an information system. An information system can be seen as a set of digital and human resources organized to process, disseminate and store information [REI 02]. In Europe, the Church long held a strong grip on writing but, with the growth of commercial activity during the 11th and 12th Centuries, writing became more widely established and was integrated into the management of businesses and the sharing of information as a source of knowledge. In the 15th Century, Gutenberg sped up the diffusion of information by inventing the printing press. This first breakthrough was followed, at the end of the 19th Century, by another innovation when Hollerith, with the Tabulating Machine Company, sped up not the diffusion but the processing of information. To help with the 1890 census of the U.S. population, he proposed coding the information about each U.S. citizen on punch cards before processing them mechanically (Figure 1). Information processed automatically thus led to the birth of computer science. In the early 20th Century, the Tabulating Machine Company was merged into the company that, in 1924, took the name International Business Machines Corporation: IBM.
Figure 1.A Hollerith punch card in 1890 (source: The Library of Congress, American Memory)
The massive computerization of information systems during the second half of the 20th Century led the countries engaged in it to reflect on the ethics and security of these systems. Indeed, Hollerith tabulating machines are reported to have enabled the Nazi regime to take an inventory of thousands of people and thus to facilitate their deportation. In France in 1974, the SAFARI project (Système Automatisé pour les Fichiers Administratifs et le Répertoire des Individus) provoked a strong public reaction when the Ministry of the Interior sought to create a centralized database of the population linked with all administrative and banking files. In response to this controversial initiative, the French data protection authority (CNIL) was created in 1978, with the mandate that computing be “in the service of each citizen” and that it “undermine neither human identity, nor human rights, neither private life, nor individual or public freedoms” [RÉP 78]. In the United States, evaluation criteria were even developed so that designers could build systems in which “trust” could be placed [TCS 85]. The General Data Protection Regulation (GDPR) of 2016 is a more recent initiative to regulate and control the use of personal data.
For some, computing itself can represent a weakness in the security of information systems, insofar as it processes information automatically. Moreover, the security of information systems has usually been approached by focusing on artifacts: computing and technologies. This book is meant to be timeless, as relevant to the 19th Century as to the 21st; its ambition is to change this paradigm and to address the security of information systems by considering individuals as components of the system in their own right. Indeed, just like a computer or any other artifact, they can constitute an insider threat to the security of the information system.
Pierre-Emmanuel ARDUIN
January 2018
Computing is not what it was in 1974, or even in 2006. Information systems within organizations are largely supported by underlying computer systems, whose security can be addressed rigorously through procedures, code and infrastructure.
