When he mentioned my post he cited a new paper titled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006 by Phil Howard and Kris Erickson. Adam highlighted this excerpt
60 percent of the incidents involved organizational mismanagement
as a way to question my assertion that insiders account for fewer intrusions than outsiders.
At the outset let me repeat how my favorite Kennedy School of Government professor, Phil Zelikow, would address this issue. He would say, “That’s an empirical question.” Exactly — if we had the right data we could know if insiders or outsiders cause more intrusions. I would argue that projects like the Month of 0wned Corporations give plenty of data supporting my external hypothesis, but let’s take a look at what the Howard/Erickson paper actually says.
I think Richard’s analysis (“Exaggerated Insider Threats”) is spot on, and I admit to slightly twisting Howard and Erickson’s words a little to make a point. Security is all about the empirical questions. Answering them involves having data, having collection methodologies, and having conversations and debates about their validity. As I say in the PDF version of the talk:
We can use data to answer questions, like what fraction of incidents are
caused by insiders? This has long been contentious, but if we can agree
on what an incident is, what an insider is, and what cause is, we can
One question for Richard. You write:
In brief, this report defends the insider threat hypothesis only in name, and really only when you cloak it in “organizational ineptitude” rather than dedicated insiders out to do the company intentional harm.
Why should I care about motives? Shouldn’t I be first focused on the insider/outsider question, then on the methodology, and only then on the motives?