In the 2016 Cyber Security Intelligence Index, IBM found that 60 percent of all cyber attacks were carried out by insiders. One reason that insider threat remains so problematic is that organizations typically respond to these threats with negative technical incentives, such as practices that monitor and constrain employee behavior, detect and punish misbehavior, and otherwise try to force employees to act in the best interest of the organization. In this podcast, Andrew Moore and Dan Bauer highlight results from our recent research that suggests organizations need to take a more holistic approach to mitigating insider threat: one that considers the impact of organizational behavior on insider motivations. In particular, positive incentives can complement traditional practices for insider threat defense in a way that can improve employee worklife as well as more effectively reduce insider risk.
Andrew P. Moore is lead researcher at the CERT National Insider Threat Center at the Software Engineering Institute of Carnegie Mellon University. He previously worked at the Center for High Assurance Computing Systems of the U.S. Naval Research Laboratory. He has more than 30 years of experience developing, applying, and transitioning mission-critical technology and tools. He has published a book that was inducted into the Cybersecurity Canon in 2014, two book chapters, and a wide variety of technical journal and conference papers. His research interests include software engineering and cybersecurity-related modeling and analysis, IT management control analysis, survivable systems engineering, formal assurance techniques, and security risk management. He received a master’s degree in computer science from Duke University, a bachelor’s degree in mathematics from the College of Wooster, and a graduate certificate in modeling and simulation from Worcester Polytechnic Institute.
Dan Bauer joined the SEI in 2015 and has more than 20 years of human resource experience with a variety of organizations, most recently at CMU’s School of Computer Science and RAND Corporation. He has held a number of human resource leadership positions in departments that provided services in the areas of compensation, diversity, employee relations, recruiting, talent management, federal compliance, succession planning and more. He holds SPHR, SHRM-SCP and HCS certifications in human resources, a bachelor of arts in psychology from Westminster College, and a master of arts in psychology from Slippery Rock University. He has taken courses in the Master of Public Management program at Carnegie Mellon University and is a member or leader in several professional and community boards and organizations.