Positive Incentives for Reducing Insider Threat
November 2017 • Podcast
Andrew Moore and Daniel Bauer highlight results from our recent research that suggests organizations need to take a more holistic approach to mitigating insider threat.
“You go back a few years, and cybersecurity was almost all about external threats: people on the outside, external to an organization, getting in. It is still a problem, but as the external defenses for organizations get better and better, what is the avenue in? It is harder and harder to get through their boundary defenses. So, what do you do? Well, you look for that insider. The insider is an employee within an organization that has authorized access already. They are in there, and if you can get them to do what you need to do, from the adversary’s perspective, then that is the easiest route in. So insider threat is becoming more prevalent over time.”
Software Engineering Institute
In the 2016 Cyber Security Intelligence Index, IBM found that 60 percent of all cyber attacks were carried out by insiders. One reason that insider threat remains so problematic is that organizations typically respond to these threats with negative technical incentives, such as practices that monitor and constrain employee behavior, detect and punish misbehavior, and otherwise try to force employees to act in the best interest of the organization. In this podcast, Andrew Moore and Dan Bauer highlight results from our recent research that suggest organizations need to take a more holistic approach to mitigating insider threat: one that considers the impact of organizational behavior on insider motivations. In particular, positive incentives can complement traditional practices for insider threat defense in a way that can improve employee work life as well as more effectively reduce insider risk.
About the Speaker
Andrew P. Moore is lead researcher at the CERT National Insider Threat Center at the Software Engineering Institute of Carnegie Mellon University. He previously worked at the Center for High Assurance Computing Systems of the U.S. Naval Research Laboratory. He has more than 30 years of experience developing, applying, and transitioning mission-critical technology and tools. He has published two book chapters and a wide variety of technical journal and conference papers, and a book that was inducted into the Cybersecurity Canon in 2014. His research interests include software engineering and cybersecurity-related modeling and analysis, IT management control analysis, survivable systems engineering, formal assurance techniques, and security risk management. He received a master’s degree in computer science from Duke University, a bachelor’s degree in mathematics from the College of Wooster, and a graduate certificate in modeling and simulation from Worcester Polytechnic Institute.
Dan Bauer joined the SEI in 2015 and has more than 20 years of human resource experience with a variety of organizations, most recently at CMU’s School of Computer Science and RAND Corporation. He has held a number of human resource leadership positions in departments that provided services in the areas of compensation, diversity, employee relations, recruiting, talent management, federal compliance, succession planning and more. He holds SPHR, SHRM-SCP and HCS certifications in human resources, a bachelor of arts in psychology from Westminster College, and a master of arts in psychology from Slippery Rock University. He has taken courses in the Master of Public Management program at Carnegie Mellon University and is a member or leader in several professional and community boards and organizations.