The growing reliance on technological infrastructures has made organizations increasingly vulnerable to threats from trusted employees, former employees, current or former contractors, and clients. Recent research indicates that successful defense from these threats depends on both technical and behavioral controls. In this paper, we report on our work to identify seemingly reasonable organizational actions that may inadvertently lead to increased risk exposure. We also consider how potential internal attackers may be encouraged or discouraged by monitoring the organization’s responses to probes of its firm’s security systems.
Two interwoven work products are presented: A case study that presents a particular type of insider threat–long-term fraud–and a simulation model that supports the case, the underlying dynamic theory, and examination of policy options. The case and model combine to produce a motivating and useful exercise that illustrates the problems of insider cyber-threats. This material has been used in teaching of insider threat issues with satisfactory results.