
People as Threats

The following is a list of the people who commit acts of harm against organizations, arranged in order of increasing resources and technical sophistication:

  • Hacker – These are the “script kiddies” or unsophisticated hackers with limited computer expertise and resources. They exploit vulnerabilities using publicly available tools (e.g., exploits, scripts). Their motivation tends more towards curiosity and boosting their ego, as opposed to a truly malicious desire to do significant harm.
  • Criminal – A person with extensive experience in technology or social engineering who intends to cause direct harm to an organization. A serious hacker may use some publicly available tools for scanning, but tends to use underground tools or develop new exploits. Such hackers typically focus on identity theft tools used to defraud Internet users or on the development of sophisticated scripts to disrupt computers and Web sites.
  • Employee – Employees continue to be the principal threat in operational risk, since they are already authorized to access the organization's systems and information and have detailed knowledge of the business's systems, technologies, and security procedures. It is important to note that there are two types of employee threat sources:
    • Inattentive Employee – These are poorly trained and supervised employees, or employees who are overworked or stressed. They tend to make a greater number of mistakes in their work, and those mistakes occasionally lead to security breaches.
    • Disgruntled Employee – These are employees with “nothing to lose” - employees who need to finance a drug dependency, who are fed up with work and are looking for an excuse to disrupt management, or who become involved with friends and relatives willing to conspire to defraud the company.

    Note that the organization should also assess the threat from agents such as vendors, outside law firms and accountants, and other persons who, like employees, are authorized to access the business's information.

  • Organized Groups – These are political activists, terrorists, government agencies, competitors, organized crime, and foreign governments. These groups pose the highest threat level to the company, since they can apply more resources and technology expertise.