Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Insider threat mitigation and detection: A model for committing fraud

Risk managers should know in order to commit fraud, or any other improper action, an attacker needs access, knowledge/ability and intent.

This article can also be found in the Premium Editorial Download: Information Security magazine: How to be successful with your security steering committee

On almost any given day you can find a news story about an employee who has gone bad and committed fraud or damaged...

an organization. Insider threat is a timeless problem. It's always been there and it always will be there. Why? Because companies need to trust their employees in order to stay in business.

The most widely accepted model for explaining why people commit fraud is the fraud triangle created by noted criminologist and sociologist Dr. Donald Cressey in the early 1950s. According to Cressey, three factors must be present at the same time in order for someone to commit a security breach: pressure or motivation, rationalization and opportunity.

Today's electronic society has changed this model. In Cressey's time the incentive was mostly financial, but now there are many other reasons why a person may bypass security or commit fraud. In the early days of IT, hackers wanted fame or were just curious to see if they could pull off an exploit. These days the motive may be revenge against the company or an employee, which is not financially related. Pressure to get the job done no matter what may also cause someone to skirt security.

Therefore, I postulate that there is a new fraud model to consider. To commit fraud, or any other improper action, a person needs the following three elements: access, knowledge/ability and intent.

Access: Physical or logical ability to enter, touch or reach a resource. In computers, this is often controlled by network rules, access control lists (ACLs) and a user ID and password.

Knowledge/Ability: Familiarity or experience with an object or resource. This means knowing what to do after accessing the resource.

Intent: The purpose or an anticipated outcome that guides a person's planned actions; knowingly causing damage to the resource.

Here's an example of how these elements fit together. Suppose I have a logon ID and password to our mainframe computer, therefore I have access. Not only that, but I am given full administrator rights to it. The problem is I'm a neophyte on the mainframe-I barely know how to log on. Plus, I like my organization and don't want to cause it harm. Therefore, I'm missing two of the three requirements for fraud: knowledge and intent. Even though I have access, there is little risk of my causing intentional harm.

Access and knowledge are the elements most under our control (it's impossible to audit intent). If you can reduce a user's access/authority or increase the controls (which requires the attacker have more knowledge), then you reduce the risk. You must also ascertain what is required for the exploit.Many vulnerabilities require uber-hacker abilities to exploit them, like freezing the memory chips to bypass disk encryption. However, while only a minute percentage of people can normally exploit such vulnerabilities, there are increasingly more script kiddie tools available to reduce the knowledge level required.

Insider threat mitigation: Fraud detection model
Keeping the new fraud model in mind, an organization can prevent fraud by having the following processes in place:
* Separation of duties
* Background checks, including a financial records check
* Job rotation/cross-training
* Protecting and limiting access to administrator accounts
* Role-based access control (RBAC)

By considering the access, knowledge and intent required to compromise a system, you can make more intelligent risk decisions. Furthermore, using these concepts promotes the proper balance of security within an organization, thereby reducing costs while improving security.


This was last published in January 2009

Dig Deeper on Risk assessments, metrics and frameworks

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.