1

Air Force Institute of Technology

Integrity - Service - Excellence

Outsourcing Information Technology and the Insider Threat

1 Lt Valerie L. Caruso
20 March 2003

COMMITTEE
Dr. Gregg Gunsch – Advisor
Major Mark Ward – Member
Dr. Lynn Fischer – Member

SPONSOR
Defense Personnel Security Research Center (PERSEREC)
99 Pacific Street, Bldg 455-E
Monterey, CA 93940

Masters’ Thesis defense originally presented by V. Caruso

Presented at the CERIAS 4th Annual IA Symposium by Dr. Gregg Gunsch, 8 April 2003

2

Overview

• Background
• Problem Statement
• Literature Review
• Research Question
• Methodology
• Analysis
• Implications
• Limitations and Future Research
• Conclusion

3

Background

“DoD’s strength is our use of information technology; our weakness is our use of information technology.”

- The Honorable Arthur L. Money

• IT is essential to all aspects of society, industry, and national defense (Magklaras and Furnell, 2002)

• Information Technology (IT) outsourcing is increasing (Clark et al., 1995; Klepper and Jones, 1998; Sherwood, 1997; Sambamurthy and Zmud, 2000)

• Increasing trend toward insider threat referenced in literature/reports (Power, 1998)

• Insiders with access to critical information and systems could devastate an organization (Denning, 1999; Shaw et al., 2000; Vatis, 2002)

The genesis of this research is based on our society’s increasing dependence on information technology.

Coupled with an increasing trend to outsource IT, especially in the DoD, it is possible we are creating security vulnerabilities in our critical systems by increasing access.

These vulnerabilities can be exploited by the insider that has access, authorized or unauthorized, creating an opportunity for a threat from malicious or disgruntled individuals that could be detrimental to our critical infrastructure.

4

Insider Threat

• Insiders are those in trusted positions with greatest access to information (Denning, 1999)

• “Malicious insiders are the greatest threat to our critical national infrastructures. Insiders armed with specialized knowledge of systems and privileged access are capable of doing great harm. The tragedy of September 11, 2001 illustrates that terrorists live and operate within the United States, obtaining specialized skills with deadly intentions."

- Michael A. Vatis, Director of the Institute for Security Technology Studies (ISTS), Dartmouth College, former Director of National Infrastructure Protection Center (NIPC)

According to Denning, by having the greatest access to information, insiders are able to more easily exploit information resources for personal gain, sabotage computer systems for revenge, or unintentionally reveal secrets to contractors, partners, customers, or outsiders requesting information.

This makes them the greatest threat to information resources.

5

Problem Statement

• IT outsourcing is increasing, and reports of insider threat incidents are increasing

• Has outsourcing and/or use of commercial services in AF information technology contributed to a rise in insider threat-based security incidents?

The increase in outsourced IT increases access to IT systems.

My research is based on the concept of outsourcing trends and their effects on the perceived increasing insider threat.

6

Summary of Current Knowledge

• Outsourcing Theory and IT (Cheon et al.,1995)

• Psychological Studies (Shaw et al.,1998)

• Socio-Economic Conditions (Heuer, 2001)

• Systemic

Limited peer reviewed literature addressing the topic of the insider threat to outsourced IT.

- Cheon, Grover, and Teng – major contributors to tying IT outsourcing to formal theory, specifically IT. Recognize that each outsourcing situation is different and must have a blend of economic and resource-based strategies – contingency theory.

- Shaw, Ruby, and Post’s work was relevant to this research as they performed studies on actual Government insider cases. Developed working IT employee profile.

- Heuer’s research on the insiders and espionage cases, along with the social and economic forces in play. Foreign influence and global economic and social trends, such as increasing anti-American sentiment, impact IT business.

- DoD unique studies, testimonies, and instances make up this body of literature.

7

Summary of Current Knowledge

• Outsourcing Theory (Cheon et al., 1995)
• Economic Theories
– Transaction Cost Theory (TCT)
– Agency Cost Theory (ACT)
• Strategic Management Theories
– Resource Based Theory (RBT)
– Resource Dependency Theory (RDT)

I began with literature on outsourcing theory – essentially, “Why do we outsource IT, and how do we go about making those decisions”. I found literature examining the facets of outsourcing IT from Economic and Strategic management perspectives.

Economic –
- Transaction Cost Theory (balancing production costs with the costs of transactions with another service provider). Transaction costs include costs of market research, writing the contract, negotiating specified outcomes and risk aversion.
- Agency Cost Theory – Relationship-based, considers costs of relationships with vendors, such as relationship-building for new contracts, bonding, contract monitoring, bonuses, litigation.

Strategic Management –
- Resource Based Theory – Addresses resource gaps in technology, skills, capabilities to be filled by others.
- Resource Dependency Theory – Edicts that all agencies are dependent on other agencies for something.

8

Summary of Current Knowledge

• Psychological Studies
• Personality Traits (Shaw et al., 1998, 1999)
– Study of insider behavior focused on IT systems
– Profile of IT professional: Introversion, Narcissism, Ethical Flexibility
• Loyalty
– Intent to stay/perceived status (Hodson and Sullivan, 1985)
– Contractors and commitment (Millward and Brewerton, 1999)

Personality profile of IT professionals, based on concurrence of earlier psychological studies and work done for the government under Political Psychology Associates, Ltd:

Introversion – primary trait; relate better to computers than people; interpersonal social frustrations

Narcissism – feeling gifted or special; prone to seeking revenge if not treated as so; example – Brian Regan case

Ethical Flexibility – due to IT culture, decreased ethical constraints among younger and younger computer professionals

Hodson and Sullivan – intended continuance and perceived job status determine employee loyalty

Transactional – short term employees, or emotionally detached, self-interested employee not integrated into shop – less likely to be committed to organization

9

Summary of Current Knowledge

• Socio-Economic Studies
• Internationalization Trends (Heuer, 2001)
– Educational trends
– Conflicting loyalties
– Off-shore contracts
• Loyalty
– Sociological determinants: Downsizing, Outsourcing, Trends in short term vs. long term hiring

Internationalization
- ½ doctoral degrees in physics, chemistry, computer science awarded to non-US-born students
- 1/3 engineers in Silicon Valley foreign born

Conflicting loyalties – global business trends take information into more countries conducting intelligence ops against US

Off-shore contracts
- Foreign-owned US companies awarded highly sensitive or classified contracts for software development and communications systems (WWMCCS as an example – GAO 1996 report).

Loyalty – sociological determinants and trends

Downsizing and outsourcing to adapt to rapid tech change and global economic trends have affected motivation for espionage

10

Summary of Current Knowledge

• Systemic

• 1985 – DOD Security Review Commission addresses policy for civilian contractor security violators

• 1995 – Intelligence Authorization Act mandated annual reports to congress on Foreign Economic Collection and Industrial Espionage

• 1996 – Espionage FBI/ASIS report - 74% of intellectual property losses from employees, former employees, contractors, etc.

• 1998 – GAO identified Information Systems as a new high-risk resource

Systemic review of how the DoD has progressively addressed security issues and trends to modern day recognition of insider threat.

1985 - recommendations on ensuring contractors were properly cleared, that clearances were justified using contract numbers, request for proposal (RFP) numbers, re-justified as required, or expired.

Also in 1996 – Acknowledged Internet Dependency and Associated Hazards - the focus of DoD computer system attacks was a growing threat from external sources, such as hackers. The report acknowledged “that because the U.S. economy, society, and military rely increasingly on a high performance networked information infrastructure, this infrastructure presents a set of attractive strategic targets for opponents who possess information warfare capabilities”.

1998 – GAO acknowledged government’s increased dependency on computers, and serious deficit in protecting them.

11

Summary of Current Knowledge

• Systemic (cont)

• 1998 – National Infrastructure Protection Center (NIPC) established

• 1999 – NIPC assessed infrastructure threat situation

• 2000 – Insider Threat Integrated Process Team (OASD/C3I)

• 2001 – OMB Reports Six Common Security Weaknesses – Issue #5 specific to Federal IT contracted functions

• 2003 – FBI testimony in War on Terrorism – R&D contracts supporting ongoing operations and war-making capabilities constitute highest risk to countering terrorism threat

• 1998 - PDDs 62 and 63 recognized telecommunications systems as major infrastructure component and resulting threats from rapid technological development and interconnected systems.
• 1999 - Michael Vatis, in testimony, defined the “disgruntled insider” as being “a principal source of computer crimes”.
• 2000 - IPT addresses the concern of insider threat activity that exists in the DOD. NEED FOR DATABASE, METRICS for monitoring threat.
• 2001 - Government-wide security problems; number 5 - Inspector General (IG) reports indicated weaknesses in the DOD's contracting efforts to include “…no security controls in contracts or no verification that contractors fulfill any requirements that may be in place”.
• 2003 - Robert Mueller, III’s statement before the Senate Select Committee on Intelligence on War on Terrorism: The government currently supports research and development in a large number of agencies, in a great many locations, many of which involve the use of thousands of government contractors.

12

Summary of Current Knowledge

• Systemic (cont.)

• Personnel Screening

• Clearance backlog - DSS estimates – 550K (Sep 01)

• Unclassified systems – no solid background screening procedures

• Contractor misconduct

• Suspension and debarment procedures investigated for top 43 government contractors (1990-2002)

– $3.4 billion in fines, penalties, settlements

– 28 criminal violations

– 4/10 top contractors – repeat criminal convictions

– 1 suspension – 5 days

Other issues - Personnel Screening

Many organizations within the critical infrastructure but outside the intelligence community have little control over the pre-employment procedures and hiring practices utilized by the contractor or consulting group. (Shaw et al., 1998, p. 5)

Contractor Misconduct (Project on Government Oversight)

“The federal government continues to do business with companies that repeatedly violate laws and regulations, despite rules specifying that ‘Purchases will be made from, and contracts shall be awarded to, responsible contractors only. To be determined responsible, a prospective contractor must have a satisfactory record of integrity and business ethics’ (Federal Acquisition Regulation (FAR) 9.103(a))” (POGO, 2002, p. 4).

“only one has been suspended or debarred from doing business with the government. This suspension action, against General Electric's Aircraft Division, lasted only five days after they pled guilty to diverting millions of dollars from the U.S. Foreign Military Aid Program to finance the sale of F-16 engines to Israel” (POGO, 2002, p. 1). "wrongdoing associated with foreign military sales of radar systems to Egypt ... ."

13

Methodology

• Original Study
• Proposed quantitative analysis of outsourced functions and insider threat cases
• Data was severely limited or not available
• Few cases, only computer crime data

• Investigative agencies do believe insider threat is a problem, but data is not indicative

Percentages of bases outsourced over time

# of cases of insider intrusions over same time period

Looking for statistically significant indicators

Faced with no statistical data, the timeliness and relevance of the topic led to research of qualitative methods to address the topic.

14

Methodology

• Grounded Theory
• New phenomenon, complex social relationships

• Inductive

• Qualitative

• Theory development

• All is data

• “Generate theory that accounts for a pattern of behavior which is relevant and problematic for those involved.” (Strauss, 1987; Glaser, 1992)

Theory development is the main thrust of grounded theory. However, it is not specific in its methodology or technique. All is considered data, as there is no commitment for “specific kinds of data or lines of research”.

15

Methodology

• Core Category - Insider threat to outsourced IT – central phenomenon

• Categories - Classifications of sampled literature and concepts

• Integration of literature related to Core Category

• Properties - Observed elements, features of Categories

• Conceptual Density - Demonstrated multiple interrelationships between Categories and Properties

• Resulted in emergence of categories and restatement of research question …

Theory is developed by capturing the concepts and their relationships that characterize the complex social phenomenon of insider threat.

Core Category – “The central phenomenon around which all the other categories are integrated” (Strauss and Corbin, 1990, p. 116)

Category – “Stands by itself as a conceptual element of a theory” (Glaser and Strauss, 1967, p. 36). “A classification of concepts” (Strauss and Corbin, 1990, p. 61). Insider Human Threat to Outsourced IT

Property – “Conceptual aspect or element of a category” (Glaser and Strauss, 1967, p. 36). “The most concrete feature of something (idea, thing, person, event, activity, relation) that can be conceptualized, which will allow the order of specificity required by the analyst for purposes of his or her research” (Strauss, 1987, p. 21).

Conceptual Density – “The multiplicity of categories and properties and their relationships” (Strauss, 1987, p. 21)

16

Research Question

If there is little to no reliable statistical data, how is it the threat from the insider is thought to be increasing?

17

Methodology

• Insider Human Threat to Outsourced IT
• Related Categories

• Outsourcing Theory and Principles (w/r/t IT)

• Psychological Conditions

• Socio-Economic Conditions

• Systemic Conditions


First, categories emerged, which I organized into classifications previously mentioned.

Insider threat is a widespread, socially complex phenomenon

Then properties emerged after 2nd cycle

18

Outsourcing Theory Properties

• Contract Complexity/Length
• Risk
• Resource Gaps
• Measured Outcomes
• Resource Dependency
• Core Competencies
• Disaster Recovery
• Organizational Culture
• Transaction Costs
• Agency Costs
• IT Culture
• Technological Trends
• Economic Trends
• Uncertainty
• Employment Conditions/Relationships
• Opportunistic Behavior

Theory of IT Outsourcing – Costs vs Risks seems to be the common thread among these properties, such as:

- Transactions (exchange of goods/services) are evaluated for economic efficiency
- Determines most efficient contract (behavior oriented – delegates some decision-making authority to the contractor) (Cheon et al., 1995)
- Uncertainty due to government policies, economic climate, technological change influence agency costs (Cheon et al., 1995). Properties: Agency Costs, Uncertainty, Rapid Technological Change, Economic Trends
- Uncertainty conditions (unpredictable market, technological, economic trends, contractual complexity, quality of outputs) increase transaction costs (Cheon et al., 1995). Properties: Uncertainty, Technological Culture, Economic Trends, Transaction Costs, Contract Complexity/Length
- Infrequency of contracting due to initial building of relationships with new contractors increase transaction costs (Cheon et al., 1995). Properties: Transaction Costs, Contract Complexity/Length
- Implies more likely (and natural) opportunistic behavior on the part of the vendor, thus increasing transaction costs (monitoring behavior) (Clark et al., 1995; Jurison, 1995). Properties: Opportunistic Behavior, Transaction Costs

19

Psychological Properties

• Personality Traits
• Length of Employment
• Interpersonal Social Frustrations
• Triggers
• Opportunity/Motive
• Emotional Needs/Power/Revenge
• Social Trends
• Economic Trends
• Loyalty
• IT Culture
• Employment Conditions/Relationships
• Opportunistic Behavior
• Computer Dependency
• Transaction Costs
• Ethical Flexibility
• Internationalization
• Agency Costs

- Preconditions for insider crime: opportunity, motive, character weaknesses, triggers (Heuer, 2001)
- Preconditions for insider betrayal influenced by changes in social and economic conditions in US and relations w/ rest of the world (Heuer, 2001). Properties: Opportunity, Social and Economic Trends, Internationalization
- Presence of a subgroup of computer professionals and computer science students whose entry into computer field was motivated, in part, by frustrations getting along with others (Shaw et al., 1998). Properties: Interpersonal Social Frustrations, Personality Traits, Technological Culture
- Insider betrayal may be expression of power, influence, revenge; motivation includes emotional needs and not always money (Heuer, 2001). Properties: Emotional Needs, Power, Revenge, Personality Traits
- Loyalty adversely affected by economic changes devaluing long-term employee-employer relationship (Heuer, 2001). Properties: Loyalty, Economic Trends, Employment Conditions/Relationships
- Illegal behavior often rationalized by feelings of entitlement to better treatment from employer (Heuer, 2001). Properties: Entitlement, Employment Conditions/Relationships, Personality Traits
- Cases reveal complex issues of loyalty in an international environment (Shaw et al., 1998). Properties: Loyalty, Internationalization, Ethical Flexibility
- Dynamic interaction between vulnerable information technology professional (w/ personality characteristics of introversion, etc.) and organization and personal environment causes potential trigger of dangerous insider behavior (Shaw et al., 1998). Properties: Personality Traits, Employment Conditions/Relationships, Triggers
- Personality and cultural characteristics of destructive insider behavior: introversion, computer dependency, history of personal/social frustrations (anger toward authority), ethical flexibility, mixed sense of loyalty, entitlement, lack of empathy (Shaw et al., 1998). Properties: Personality Traits, Interpersonal Social Frustrations, Ethical Flexibility, Loyalty, Computer Dependency

20

Socio-Economic Properties

• Internationalization
• Ethical Flexibility
• Social Trends
• IT Culture
• Loyalty
• Employment Conditions/Relationships
• Economic Trends
• Outsourcing Trends
• Information Distribution
• Technological Trends
• Opportunistic Behavior
• Computer Dependency
• Anti-American Sentiment

- Societal trends toward ethical flexibility found by researcher to be result of lack of specific computer-related ethical training and lack of regulations w/in organizations = lax employee ethical attitudes.
- Societal trends of cross-generational ethical flexibility found by researchers to be result of lack of ethical training in schools and at home by parents (Shaw et al., 1998). Properties: Social Trends, Ethical Flexibility
- Current controversy over H1B visas, raising of cap, unemployment among citizens in high-tech fields, uncounted/untracked laid-off H1B foreigners remain in country (Swartz, 2001). Properties: Internationalization, Technological Culture, Social Trends, Economic Trends, Ethical Flexibility
- Computer industry implicated in erosion of ethical standards (software restrictions, hiring of former hackers) (Shaw et al., 1998). Properties: Ethical Flexibility, Technological Culture
- Professional employees tend to be more committed to their profession and its values than to their employers (Mueller and Wallace, 1992). Properties: Loyalty, Employment Conditions/Relationships, Opportunistic Behavior
- Influx of H1B workers (capped at 115K/year) divided as follows: 54% Systems Analysts/Programmers; 5% other IT fields; 5% engineering; 36% other (Ruber, 2000)

21

Systemic Properties

• Access
• IT Culture
• Personnel Security Practices
• Loyalty
• Ethical Flexibility
• Internationalization
• Social Trends
• Outsourcing Trends
• Employment Conditions/Relationships
• Uncertainty
• Economic Trends
• Management Practices
• Computer Dependency
• Information Distribution

- Major investments are devoted to technology to detect and prevent external intrusions; human problem is often not as significantly explored (Shaw et al., 1998)
- Information Systems are most vulnerable to those who know system best (insiders) due to unbalanced approach to system security (Shaw et al., 1998). Properties: Access, Technological Culture, Personnel Security Practices
- Background investigations are often higher priority for staff employees than contractors, consultants, or temporary workers whose roles are more transient and are not vetted in organization (Shaw et al., 1998)
- Cases reveal complex issues of loyalty in an international environment (Shaw et al., 1998). Properties: Loyalty, Ethical Flexibility, Internationalization
- Increased dependence on information systems (Shaw et al., 1998; Zaiton, 2000; Magklaras and Furnell, 2002). Properties: Computer Dependency, Technological Culture, Social Trends
- Two related trends in information systems contribute to increased vulnerabilities over last decade: consolidation and elimination of need-to-know principle (increased information sharing) (Shaw et al., 1998). Properties: Information Distribution, Access, Technological Culture

22

Category/Property Matrix

Property / Category       Outsourcing  Socio-Economic  Psychological  Systemic
IT Culture                X            X               X              X
Employment Conditions     X            X               X              X
Economic Trends           X            X               X              X
Internationalization      -            X               X              X
Ethical Flexibility       -            X               X              X
Loyalty                   -            X               X              X
Social Trends             -            X               X              X
Computer Dependency       -            X               X              X
Opportunistic Behavior    X            X               X              -
Technological Trends      X            X               -              -
Costs                     X            -               X              -

23

Category/Property Matrix

Property / Category       Outsourcing  Socio-Economic  Psychological  Systemic
Information Distribution  -            X               -              X
Outsourcing Trends        -            X               -              X
Uncertainty               X            -               -              X
Contract Complexity       X            -               -              -
Resource Gaps             X            -               -              -
Measured Outcomes         X            -               -              -
Resource Dependency       X            -               -              -
Core Competencies         X            -               -              -
Risk                      X            -               -              -
Disaster Recovery         X            -               -              -
Organizational Culture    X            -               -              -

24

Category/Property Matrix

Property / Category       Outsourcing  Socio-Economic  Psychological  Systemic
Anti-U.S. Sentiment       -            X               -              -
Personality Traits        -            -               X              -
Social Frustrations       -            -               X              -
Employment Length         -            -               X              -
Opportunity/Motive        -            -               X              -
Emotional Needs           -            -               X              -
Triggers                  -            -               X              -
Security Practices        -            -               -              X
Access                    -            -               -              X
Management Practices      -            -               -              X

25

Model Antecedents

• Preconditions to insider threat environment and cultural influences
• Overarching role in scope and severity of threats to information over time
• Cultural shifts are catalysts to how much damage insiders are able to inflict on information, systems, organizations, and people

Antecedents to Outsourcing of IT and Insider Threat
• Information Technology Culture
• Employment Conditions/Relationships
• Economic Trends

IT culture has brought with it in the last decade an entirely new category of careers, literature, professional organizations, educational and degree programs, as well as its own vocabulary. It has also brought with it its very own flavor of crime and rogue or deviant behavior. Economic trends of Internet shopping, banking, financing, investing, and trading have opened opportunities for extraordinary numbers of identity theft cases.

Unstable relationships in organizations have resulted in vengeful hacking behavior, intrusions, malicious codes and sabotage, denial of service attacks, and intellectual property theft. Interpersonal work conflicts are settled by wreaking havoc on core assets – information.

26

Outsourcing Conditions

• Resource Gaps
• Resource Dependency
• Core Competencies
• Risk
• Disaster Recovery
• Organizational Culture
• Contract Complexity/Length
• Measured Outcomes

Contract Complexity/Length – The more complicated the contract, the higher the agency costs for litigation, negotiating, and monitoring. Length involves relationship building with new contractors.

Measured Outcomes – Factors that require specific results from a contractor, such as producing a certain quantity or processing a minimum number of jobs. Measured outcomes also require more stringent contract requirements and may drive up the cost of negotiating, writing, and monitoring the contract, in order to maintain control over the process.

Resource Gaps - Deficiencies in technological capabilities, assets, or skill sets are addressed under the Resource Based Theory (RBT) of outsourcing.

Resource Dependency - Outsourcing is a strategy used to access technologies, services, or other resources not intrinsically available to the organization.

Core Competencies - IT not often seen as a core competency; a function viewed as imitable by others (Cheon). Information riding IT systems, trade secrets or other proprietary information could be viewed as high-value information to the firm that gives it competitive edge – if kept secret (Mata and Fuerst, 1995). National Security = centers of gravity in network centric environment.

Risk - Inherent in outsourcing: loss of control, security, flexibility. Resources - allocated to avoid over-investing “in certain measures to stem certain risks while paying inadequate attention to others” (Rumsfeld, 2002, p.23). This is “Institutional Risk”, which Secretary Rumsfeld states is a result of “factors affecting the ability to develop management practices and controls that use resources efficiently and promote the effective operation of the Defense establishment” (2002, p.23). “Operational Risk” results from “becoming too dependent on a vendor for mission critical services; being unable to determine the quality of the service; …having a vendor fail to provide adequate level of services” - Directly related to the DoD’s ability to carry out mission objectives if a vendor is not performing as required.

Disaster Recovery - Jurison - if an outsourced IT function doesn’t work out, it could be “very costly and difficult to bring the work back into the firm”. Fink - need to “ensure continuity of business activities - identifying threats, devising counter-measures, having procedures in place to overcome disasters should they occur”.

Org Culture - Organizations with complex social structure will find natural resistance to change, costly to change (outsourcing IT). Social complexities of organizations with strong cultures: effects of outsourcing on employee morale can be negative (Kliem) due to expected layoffs or displacement of IT talent to the vendor (Antonucci). Employees become concerned management is concerned only for organization and not employees, resulting in a less trusting environment. Outsourcing IT often “fraught with emotional arguments, difficult questions and complex links with many organizational processes” (Clark).

27

Psychological Conditions

• Personality Traits
• Emotional Needs/Power/Revenge
• Opportunity/Motive
• Triggers
• Interpersonal Social Frustrations
• Length of Employment

Triggers - Another precondition, besides opportunity and motive, for insider crimes (Heuer). Compounded by personality traits, triggers are simply the event that causes an employee to cross the line into undesired insider behavior. Individuals displaying the character disorders or personality traits discussed above may have a tendency toward betrayal, “triggered by some event in the individual’s personal or professional life that pushes stress beyond that person’s breaking point”.

Personality Traits - A blend of personality traits considered “direct implications for risk…” (Shaw) focused on an individual’s being more in tune with computers than people - Unable to successfully resolve issues in the work place, easily frustrated, and in spite of low self-esteem, are narcissistic or view themselves as “special and owed corresponding recognition, privilege, or exception” (Shaw). These characteristics seen as risks: corresponding quickness to disappointment, anger, manifestation of negative feelings in the form of computer-based actions such as e-mails, or even attacks.

Emotional Needs/Power/Revenge – Disgruntled employees, present or past - There are many cases where an insider uses the power of system access and known vulnerabilities to “get back” at losing a contract or getting laid off. Installing backdoors, Trojan horses, and logic bombs, as well as deleting files, are all methods of using the power of insider knowledge for revenge.

Opportunity for betrayal by an insider has increased with easier access to information in an interconnected environment; with that opportunity comes temptation (Heuer, 2001). Easier to access data, easier to transmit it without detection. Dr. Heuer also points out increased opportunity for foreign contacts due to industry trends: …where personnel involved in sensitive military R&D and production are increasingly in official business contact with their counterparts in foreign countries that are conducting espionage against the United States. The line between military and non-military, and between classified technology and unclassified technology sold to foreign countries, is increasingly blurred.

Motive - Also a precondition for negative insider behavior. Motivations can be intrinsic (emotional) toward goals of increased self-esteem, financial, or a combination of both (Heuer), such as events in the work place resulting in “disgruntled employees who are angry about lay-offs, transfers, and other perceived grievances” (Shaw). Non-malicious insider behavior - curiosity, where the intruder was granted unnecessary access (“explorers”). Also narcissism - feel they are gifted or special, similar to the character trait of narcissism mentioned earlier; this motivational type is termed “exception” (Shaw).

Interpersonal Social Frustrations - Computer professionals have a tendency to replace human relationships with computers (Shaw et al. 1999). Social frustrations also manifest themselves in hatred for authority and vengeful behaviors. Also found a significant population who chose the computer science profession as a result of their inability to relate to other people (1998).

Length of Employment - Due to transient nature “a lesser degree of loyalty to the firm or agency is anticipated” (Shaw) from short-term employees, such as contractors or subcontractors. The longer an employee stays/intends to stay with an organization the more loyalty has a tendency to increase (Mueller and Wallace, 1992).

28

Socio-Economic Conditions

• Anti-American Sentiment

Anti-American sentiment is believed to be increasing globally, possibly due to internationalization and the modern geographically immune nature of information; the business community is more prolific than ever in a global setting. As a result of “internationalization of many high technology fields, combined with the increased number and variety of countries conducting intelligence operations against the United States,” loyalty of Americans and Non-Americans is becoming blurred.

According to the 2002 Pew report, science and technological advances are admired by world majorities (with the exception of Russia); however, there is an overwhelming rejection of “the wide diffusion of American ideas and customs” (p. 63). Americans continue to believe the rest of the world welcomes our cultural influences, and that we are benefactors to the world. The global opinion is not conducive to “the spread of American influence and often say the U.S. creates more problems than it solves” (p. 70).

29

Systemic Conditions

• Personnel Security Practices
• Access
• Management Practices

Personnel Security Practices - especially important when considering outsourcing IT systems, given the potential threat posed by those armed with critical system knowledge. It is important to know who is using, managing, operating, and maintaining IT.

Access - It is more difficult to control access to data that rides on public infrastructure, or that is accessed by more people due to outsourcing. Modern day protection “focuses on protecting information systems and data from accidental or intentional unauthorized access, disclosure, modification, or destruction” (Loch, 1992, p. 173). Public key infrastructure, for example, is a modern method of controlling access that only allows certain actions to be performed by a key holder.

Management Practices - management must also implement prescribed security procedures, enforce controls, and efficiently deal with breaches. Firing people also has its security concerns. Individuals who know they are targets for outsourced or downsized functions are sometimes apt to sabotage data or delete records, or to install logic bombs or trap doors in the systems they can access from outside the company.

30

Relationship between Psychological, Socio-Economic, and Systemic Conditions

• IT Culture • Employment Conditions/Relationships • Economic Trends • Personnel Security Practices • Outsourcing Trends • Access • Uncertainty • Management Practices • Information Distribution

• IT Culture • Employment Conditions/Relationships • Economic Trends • Outsourcing Trends • Technological Trends • Opportunistic Behavior • Anti-American Sentiment • Information Distribution

• IT Culture • Employment Conditions/Relationships • Economic Trends • Personality Traits • Length of Employment • Interpersonal Social Frustrations • Triggers • Opportunity/Motive • Emotional Needs/Power/Revenge • Opportunistic Behavior • Transaction Costs • Agency Costs

• Internationalization • Ethical Flexibility • Loyalty • Social Trends • Computer Dependency

Internationalization – a term referencing the global economy and business market activity. No clear borders between countries in the interconnected global environment. U.S. businesses have established offices globally, and other countries have brought their companies to the U.S. Influx of H1B visa workers and students.

Computer Dependency - Entire societies have become dependent on the information that can be rapidly accessed by even more rapidly advancing technology; people have become dependent on computers in a psychological regard as well as cultural. Studies focusing on insiders and IT have shown computer dependency as a personality trait common among deviant insiders. Computer-dependent persons turn to computers to fill social needs not being met by relationships with people.

Ethical Flexibility - As a result of a computer-dependent society, it is possible that it is becoming more difficult for many people to realize the overall impact of their keyboard strokes or mouse clicks. This type of ethical flexibility with respect to the computer work environment as well as cross-generational lack of training and guidance in schools and at home by parents (1998).

- High-tech workers have expressed concern that job security is at risk, fearing displacement due to influxes of H-1B visa

Loyalty - Employee loyalty has been examined in this research not only from the individual psychological perspective and the IT personality profiling but also from the perspective of contracted employment. Conditions in the social and organizational environments in the workplace can determine the loyalty an employee may have for his employer. The effects of short-term employment contracts can logically have an effect on loyalty when an individual is not integrally identified with the organization.

Social Trends - Social situations in other countries have driven Indians and Chinese (among others) to the United States to pursue education and employment under the H1B visa program. However, in a post “September 11th” environment especially, H1B visa holders have become the victims of “threatening notes, demanding that Indian workers ‘go home’” (Swartz, 2001).

31

Relationship between Outsourcing, Psychological, and Socio-Economic Conditions

• IT Culture • Employment Conditions/Relationships • Economic Trends • Contract Complexity/Length • Risk • Resource Gaps • Measured Outcomes • Resource Dependency • Core Competencies • Disaster Recovery • Organizational Culture • Technological Trends • Uncertainty • Transaction Costs • Agency Costs

• IT Culture • Employment Conditions/Relationships • Economic Trends • Personality Traits • Length of Employment • Interpersonal Social Frustrations • Triggers • Opportunity/Motive • Emotional Needs/Power/Revenge • Social Trends • Loyalty • Computer Dependency • Ethical Flexibility • Internationalization • Transaction Costs • Agency Costs

• Opportunistic Behavior

• IT Culture • Internationalization • Employment Conditions/Relationships • Economic Trends • Ethical Flexibility • Social Trends • Loyalty • Outsourcing Trends • Information Distribution • Technological Trends • Computer Dependency • Anti-American Sentiment

Tenet of outsourcing theory – “assumption that agents, acting in their own self-interest, are subject to opportunistic behaviour” (Jurison, 1995, p. 241). It is this property, driven possibly by employment or Socio-Economic conditions, that ties the psychology of the computer-dependent, ethically flexible, and possibly vengeful or narcissistic to the outsourcing risk.

32

Relationship between Outsourcing and Psychological Conditions

• IT Culture • Employment Conditions/Relationships • Economic Trends • Contract Complexity/Length • Risk • Resource Gaps • Measured Outcomes • Resource Dependency • Core Competencies • Disaster Recovery • Organizational Culture • Technological Trends • Uncertainty • Opportunistic Behavior

• IT Culture • Employment Conditions/Relationships • Economic Trends • Personality Traits • Length of Employment • Interpersonal Social Frustrations • Triggers • Opportunity/Motive • Emotional Needs/Power/Revenge • Social Trends • Loyalty • Opportunistic Behavior • Computer Dependency • Ethical Flexibility • Internationalization

• Transaction Costs

• Agency Costs

Transactional relationship, often short term, may generate a less relationship-based commitment from contractors (Millward and Brewerton).

In building that relationship, and attempting to obtain a contract that specifies the desired outcomes and behaviors, the agency costs that are accumulated in the negotiating, litigating, and monitoring of the contract can increase as the contract becomes more complex. In order to keep certain personality traits of high tech workers (narcissism, or vengeful actions upon contract completion or discontinuance) from manifesting into dangerous insider behavior, contracts should be heavy on relationship building – higher agency costs…

33

Relationship between Outsourcing and Socio-Economic Conditions

• IT Culture • Employment Conditions/Relationships • Economic Trends • Contract Complexity/Length • Risk • Resource Gaps • Measured Outcomes • Resource Dependency • Core Competencies • Disaster Recovery • Organizational Culture • Opportunistic Behavior • Uncertainty • Transaction Costs • Agency Costs

• IT Culture • Internationalization • Employment Conditions/Relationships • Economic Trends • Ethical Flexibility • Social Trends • Loyalty • Outsourcing Trends • Information Distribution • Opportunistic Behavior • Computer Dependency • Anti-American Sentiment

• Technological Trends

Rapid development of technology is an obvious driver in outsourcing. Operating, training, and maintenance costs to keep up with IT trends have given organizations economic and strategic reasons to leave IT to the people who specialize in IT.

IT “one of the most outsourced services” often due to “…shortage of skilled IT staff within most organizations, an inability to cover a rapidly expanding field adequately and the lack of flexibility which can result from over-investment in a particular technology” (Domberger, et al., 2000, p. 107).

IT trends have made information a global commodity, fostering socio-economic effects of overseas employment, local downsizing, and outsourcing (Heuer, 2001). Other socio-economic outgrowths of IT trends include: the H1B visa program that allows 115,000 people a year from other countries to apply for highly skilled positions in the United States (Swartz, 2001); and growing trends in offshore contracts with software and hardware companies (Keeler, 1997).

34

Relationship between Socio-Economic and Systemic Conditions

• IT Culture • Employment Conditions/Relationships • Economic Trends • Ethical Flexibility • Social Trends • Loyalty • Technological Trends • Opportunistic Behavior • Computer Dependency • Internationalization • Anti-American Sentiment

• Outsourcing Trends • Information Distribution

• IT Culture • Employment Conditions/Relationships • Economic Trends • Access • Personnel Security Practices • Loyalty • Ethical Flexibility • Internationalization • Social Trends • Uncertainty • Management Practices • Computer Dependency

Outsourcing Trends – IT is one of the most outsourced services; an economic and strategic option to keep abreast of technological trends. Within the federal government, IT service contracts alone “have increased from $3.7 billion in fiscal year 1990 to about $13.4 billion in FY 2000” (GAO, 2002).

Information Distribution – Information is becoming harder to control due to technological trends (Heuer, 2001), and the trend toward information sharing (Shaw et al., 1998) is also a reality. “Previous use of safes and locked doors to secure information, now it can be accessed by large #s of people with no need to know”.

Peter Drucker, in his book Post Capitalist Society, describes information as boundless on a geographic basis, “knowing no country” (1994, p. 143), and says that once the information is out, it is impossible to regain control of it.

Drucker also points out that countries all over the world are finding high tech ways to access programming (radio, television, or movie), sometimes forbidden by their governments. Other societies base their opinions on Americans, their values, and lifestyle on the limited programs they can access even if it presents a “distorted” presentation of American culture (1994).

35

Relationship between Outsourcing and Systemic Conditions

• IT Culture • Employment Conditions/Relationships • Economic Trends • Contract Complexity/Length • Risk • Resource Gaps • Measured Outcomes • Resource Dependency • Core Competencies • Disaster Recovery • Organizational Culture • Opportunistic Behavior • Technological Trends • Transaction Costs • Agency Costs

• IT Culture • Employment Conditions/Relationships • Economic Trends • Access • Personnel Security Practices • Loyalty • Ethical Flexibility • Internationalization • Social Trends • Management Practices • Computer Dependency • Outsourcing Trends • Information Distribution

• Uncertainty

Uncertainty – Many dimensions – Employees are not sure if their future with an organization is secure due to downsizing and outsourcing trends in the IT environment. Such displacement = bad morale, causing talented staff to fear for employment security” (Antonucci).

Organizational - Uncertainty can often be injected in the work environment through outsourcing arrangements that leave management and employees feeling loss of control and flexibility of their IT programs and people. In the IT community, subcontracting practices, unknown to management, can “cause problems, including viruses brought in by subcontractors, poor communications, high costs and low-quality service” (LIU case example).

Bounded Rationality - Jurison makes the connection of uncertainty to risk in the decision to outsource IT, as management can never entirely predict all of the outcomes and that “humans are unable to foresee the complexities and contingencies in contractual relationships and consequently can only achieve incomplete contracts” (1995, p. 241).

36

Category and Property Relationships

Antecedents to Outsource IT and Insider Threat
• IT Culture • Employment Conditions/Relationships • Economic Trends

Systemic Conditions

Socio-Economic Conditions

Outsourcing Conditions

Psychological Conditions

Technological Trends

Opportunistic Behavior

Costs

• Internationalization • Ethical Flexibility • Loyalty • Social Trends • Computer Dependency

• Outsourcing Trends • Information Distribution

Uncertainty

The final model proposed here shows all four originating categories related to insider threat to outsourced information technology. The properties that have emerged from the data, literature, testimony, proceedings, and cases studied show relationships between the categories, giving the model its conceptual density.

37

Category and Property Relationships

Antecedents to Outsourcing of IT and Insider Threat
• Information Technology Culture • Employment Conditions/Relationships • Economic Trends

Systemic Conditions
• Personnel Security Practices • Access • Management Practices

• Outsourcing Trends • Information Distribution

• Uncertainty

Socio-Economic Conditions
• Anti-American Sentiment

Outsourcing Conditions
• Resource Gaps • Measured Outcomes • Resource Dependency • Core Competencies • Risk • Disaster Recovery • Organizational Culture • Contract Complexity/Length

Psychological Conditions
• Personality Traits • Interpersonal Social Frustrations • Length of Employment • Opportunity/Motive • Emotional Needs/Power/Revenge • Triggers

• Opportunistic Behavior

• Transaction Costs • Agency Costs

• Internationalization • Ethical Flexibility • Loyalty • Social Trends • Computer Dependency

• Technological Trends

Fully instantiated model showing all properties - shows the final model as emergent from the categories and properties.

The theory generated by the concepts and relationships is the model that construes the complex phenomenon of the insider threat, the core focus of this research.

This model presents not only a theory on insider threat dynamics but also a case for future monitoring of outsourced IT situations. Indicators of where potential vulnerabilities lie, while a multifaceted problem, all point toward workplace controls in security, personnel (contractor and subcontractor) screening, and enforcing of access controls.

38

Observations

1. IT outsourcing strategies using economic- and resource-based theory inject greater uncertainty in the organizational environment by downplaying human factors shaped by IT culture, thus increasing potential for insider threat.

2. Psychological aspects, such as typical IT professional personality traits of today's IT employees and employee loyalty issues are major contributing factors to the potential of insider threat.

3. Social indicators such as increased foreign influence and growing anti-American sentiment worldwide potentially increase insider threat risk.

4. Systemic factors such as outsourcing trends and personnel security practices increase potential for insider threats.

Suggested relationships within the model between categories and properties emerged – these can be hypotheses to be tested:

1. The “hard” line of business (profit) is often the first consideration – could counterbalance security, and increase potential for adverse insider behavior. Suggest testing this as a hypothesis by examining social theories (social contract, social exchange, and political power).

2. More attention to the human aspects of not just outsourcing, but IT culture. Effects of IT culture manifested in forms of personality traits (introversion, narcissism). Decreasing loyalty can result from IT culture as well as outsourcing conditions and social and economic trends. Suggest testing to find most statistically significant factor affecting loyalty, IT (contractors and staff).

3. Internationalization and anti-American sentiment both appear to be social trends. Suggest study of impact of internationalization on outsourcing, or vice versa, and possible relationship to increasing anti-American sentiment – possibly determine technological threats.

4. Address mitigation of risks as more outsiders become insiders – OASD/C3I looking at profiling and computer patterns; however, integration of policy studies and security practices to screen potential threats BEFORE people touch the keyboard.

39

Model Focus and Theory

Antecedents to Outsourcing of IT and Insider Threat
• Information Technology Culture • Employment Conditions/Relationships • Economic Trends

Systemic Conditions
• Personnel Security Practices • Access • Management Practices

• Outsourcing Trends • Information Distribution

• Uncertainty

Socio-Economic Conditions
• Anti American Sentiment

Outsourcing Conditions
• Resource Gaps • Measured Outcomes • Resource Dependency • Core Competencies • Risk • Disaster Recovery • Organizational Culture • Contract Complexity/Length

Psychological Conditions
• Personality Traits • Interpersonal Social Frustrations • Length of Employment • Opportunity/Motive • Emotional Needs/Power/Revenge • Triggers

• Opportunistic Behavior

• Transaction Costs • Agency Costs

• Internationalization • Ethical Flexibility • Loyalty • Social Trends • Computer Dependency

• Technological Trends

[Figure axis labels: TIME, SCOPE]

The theory generated here is that, over time, as the scope of IT increases, the potential for vulnerabilities increases, increasing opportunities to exploit these vulnerabilities and therefore increasing the potential of insider threat.

Resulting from more outsiders being made insiders and increased technological trends, social and economic trends demand that culture and psyche try to keep up. Costs will increase, as will opportunities for opportunistic behavior. Global boundaries will increase in their ability to spread cultural influence, positive or negative, accurate or inaccurate, due to distribution of information.

As outsourcing IT increases, and the US continues to be at risk for cyber (and other) terrorism, the need to protect our critical information systems and infrastructure, and knowing who is accessing our systems is also increasing, I believe, to a critical degree.

40

Implications

• Raise the awareness of the insider threat phenomenon as it relates to outsourcing of information technology-based systems

• Provides comprehensive, full scale perspective of insider threat to outsourced IT

• Provides model for examining complexities of insider threat as a response to environmental factors

• Encourage development of more comprehensive operational and personnel security programs

• Ensure appropriate consideration to potential national security risks involved with contracting out modern government information-based systems.

1. Socially complex phenomenon – not a computer problem – people problem

2. Not just from the computer keyboard, but the model shows how people get into the system in the first place.

3. Environmental factors being trends – social, economic, technological, outsourcing

4. Review security and personnel policies regarding IT systems and access.

5. International and off-shore contracting solutions – may not be wise for US government systems. While talented, may induce threats.

41

Limitations and Future Research

• Limitations
• Data availability – insider threat databases
• New research area – no formal theory
• Tracking of insider incidents not common metric
• Additional research will allow for greater conceptual density
• Suggestions for future research
• Modify model
• Legal, social, other constructs
• Empirically test model against cases
• Test observations – hypotheses
• Uncertainty - Social theories and human factors in outsourced IT
• Loyalty in outsourcing and IT culture
• Outsourced IT - increasing internationalization and anti-American sentiment
• Examine outsourcing trends and associated security policies and practices

1. No formal established theory or common data sources

2. The grounded theory methodology insists on continuous cross-connecting of ideas until the model is essentially saturated to achieve pure conceptual density

3. Legal Construct – laws, codes, policies, directives, which may help or hamper ability to detect and minimize threat

Social theories – social exchange, social contract, political power – get a better idea of human effects of outsourcing

Empirically test – more relationships

4. Observations mentioned earlier, can be tested as hypotheses to establish relationships

42

Conclusion

The model represents theory generated by observed patterns of behavior, which indicates the insider threat is increasing, and will continue to do so, as outsourced IT increases.

This presents a case for continued study of this phenomenon and collection of insider threat data.

In conclusion, the model presented here today represents a theory generated by observed trends and patterns of behavior.

The theory that there is reason to believe that increased IT outsourcing is contributing to increased insider threat incidents presents a case for future data gathering, metrics, and trend analysis.

(Study outsourced IT, contractors, backgrounds. Review of screening procedures, cases, reporting procedures, procurement procedures.)

43

This concludes the presentation of my research.

I’ll take questions at this time.

44

Category/Property Matrix

[Matrix figure with X marks. Labels: Management Practices; Access; Security Practices; Triggers; Opportunity/motive/needs; Employment Length; Interpersonal Frustrations; Personality Traits; Anti-American Sentiment; Org. Culture; Risk/Disaster Recovery; Core Competencies; Measured Outcomes; Resource Gaps; Contract Complexity; Uncertainty; Outsourcing Trends; Information Distribution; Trans/Agency Costs; Tech Trends; Opportunistic Behavior; Computer Dependency; Social Trends; Loyalty; Ethical Flexibility; Internationalization; Economic Trends; Employment Conditions; IT Culture]

Conceptual density of this model can be further achieved, however, by continuing to cross-connect the concepts of this model to gain more insight into the insider threat for predictive purposes. For example, there may be denser cross-connections between the properties of risk, uncertainty, and information distribution to the Psychological category that could be explored.

From this, more categories and properties may emerge, giving a better psychological profiling tool for detecting insider behavior as a result of organizational risk-taking.

This is beyond the scope of this research, but may be helpful in future endeavors.

45

Model Concepts Author Model Construct

Anderson et al. (2000)

Wood (2000)

Schultz (2002)

Magklaras and Furnell (2002)

Environment Organizational Culture X Role (w/in organization) X People Knowledge X X X Motivation X X Behavior X (X) (X) X Tactics X Verbal Behavior X Preparatory Behavior X Personality Traits X Deliberate Markers X Meaningful Errors X Skills X Risk X Correlated Usage Patterns X Tools Software X (X) Hardware X X Cost Benefits X Networks X X Computer Environment X Privileges X X Access X X Process (X) X Data (X) X Content (user’s file entries) (X) X Intrusion Monitoring System X

