Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector
August 2004 • Special Report
Dawn Cappelli, Andrew P. Moore, Marissa R. Randazzo (United States Secret Service), Michelle Keeney (United States Secret Service), Eileen Kowalski (United States Secret Service)
In this report, the authors present an overview of the Insider Threat Study (ITS), including its background, scope, study methods, and findings.
Software Engineering Institute
For several months, beginning in the fall of 1996, two credit union employees worked together to alter credit reports in exchange for financial payment. As part of their normal responsibilities, the employees were permitted to alter credit reports based on updated information the company received. However, the employees intentionally misused their authorized access to remove negative credit indicators and add fictitious indicators of positive credit to specific credit histories in exchange for money. The total amount of fraud loss from their activities exceeded $215,000. The risk exposure to the credit union was incalculable.
From 1997 until his detection in early 2002, a foreign currency trader with an investment bank used a range of tactics, including changing data in various trading systems, so it appeared he was one of the bank’s star producers. In actuality, he lost the bank over $600 million.
In March 2002, a “logic bomb” deleted 10 billion files in the computer systems of an international financial services company. The incident affected over 1300 of the company’s servers throughout the United States. The company sustained losses of approximately $3 million, the amount required to repair damage and reconstruct deleted files. Investigations by law enforcement professionals and computer forensic professionals revealed the logic bomb had been planted by a disgruntled employee who had recently quit the company because of a dispute over the amount of his annual bonus.
These incidents were all committed by “insiders”: individuals who were, or previously had been, authorized to use the information systems they eventually employed to perpetrate harm. It is difficult to estimate how often companies face attacks from within. Many believe that insider attacks are under-reported to law enforcement agencies or prosecutors. Companies may fear the negative publicity or increased liability that may arise as a result of the incidents. Or, they may believe that the harm suffered would not be sufficient to warrant criminal charges.
Statistics vary regarding the prevalence of cases perpetrated by insiders compared to those perpetrated by individuals external to the targeted organizations. Nevertheless, insiders pose a substantial threat by virtue of their knowledge of and access to their employers’ systems and/or databases, and their ability to bypass existing physical and electronic security measures through legitimate means.
Previous efforts have been made to study insider incidents, including workshops to develop a foundation of knowledge on insider threats; annual surveys of organizations on the number of insider incidents they have experienced in a given year; and in-depth case studies of information technology insiders. However, these studies have focused on convenience samples and narrower segments of industry. Additionally, other efforts have not examined the incidents from both behavioral and technical perspectives simultaneously. These gaps in the literature have made it difficult for organizations to develop a more comprehensive understanding of the insider threat and to address the issue with an approach that draws upon human resources, corporate security, and information security perspectives.
The Secret Service National Threat Assessment Center (NTAC) and the CERT Coordination Center of Carnegie Mellon University’s Software Engineering Institute (CERT/CC) joined efforts to conduct a unique study of insider incidents, the Insider Threat Study (ITS), examining each case from a behavioral and a technical perspective. This effort was made possible, in part, through funding by the Department of Homeland Security, Office of Science and Technology, which provided financial support for the study in fiscal years 2003 and 2004. Section 1 of this report presents an overview of the ITS, including its background, scope, and study methods. Section 2 reports the findings and implications specific to research conducted on insider threat in the banking and finance sector.