Editor's note: This is part three of a series on insider threat behavior. Part one examines patterns of insider threats and IT sabotage, while part two looks at the precursors and warning signs for such security incidents.
The CERT Coordination Center defines insider theft of intellectual property as "an insider's use of information technology to steal proprietary information from the organization," while intellectual property is defined as "intangible assets created and owned by an organization that are critical to achieving its mission."
Examples of intellectual property that may be targeted include software code, business plans and product designs.
In the previous article on information technology sabotage, the point was made that understanding an insider threat requires an understanding of what motivates people to behave the way they do, either positively or negatively. With regard to the theft of intellectual property, the insider generally does not steal the data in order to sell it, but for business advantages, such as taking it to a new job or using it to set up a competing company.
A special case of motivation is when the insider engages in intellectual property theft as part of an economic or industrial espionage program that is led by a foreign government or other organization. In order to avoid the cost and time of developing intellectual property, the insider sees stealing it from an organization that has already borne those costs as the more viable option.
When this occurs, insiders usually have a stronger attachment to the foreign government or organization, which leads to a greater sense of loyalty to their foreign beneficiaries rather than to their employer or host country.
Regardless of their motivation, insiders who commit intellectual property theft are generally employees who have access to intellectual property, such as engineers, scientists, programmers or salespeople. Given that these insiders have authorized access to the intellectual property -- or perhaps are the creators of the intellectual property -- it can be very difficult to detect their malicious behavior.
In any discussion about behavior and behavioral characteristics, it is important to remind ourselves why we are looking to discover characteristics of insider theft of intellectual property. Detecting some of these characteristics does not mean that a malicious insider has been detected -- an understanding of these characteristics cannot be used to trap employees.
It can be used as input into a risk-based analysis of job positions at risk for intellectual property theft, to help understand the organizational elements that influence insiders to carry out theft and, most importantly, to develop and implement protection and mitigation strategies to protect an organization from malicious insider attacks.
Patterns in insider intellectual property theft
CERT/CC has worked on insider threats since 2002 and has since developed two models of IP theft: the entitled independent and the ambitious leader. Let's use the entitled independent as an example.
This is an insider who feels entitled to take intellectual property because they worked on it as an employee. The entitled independent insider has a personal predisposition that results in a sense of ownership and entitlement to information that they worked on and that they feel is their property -- they are unable to see that their work is a part of a team effort that belongs to their employer.
The sense of insider entitlement is intertwined with employee contribution, meaning that the greater the contribution, the greater the employee's feelings of entitlement. These entitlement feelings may also be amplified in the insider's mind if they perceive their contribution to be exceptionally important; for example, working on a flagship product.
The entitled independent may also experience job dissatisfaction that intensifies the feeling of entitlement. This job dissatisfaction and employee disgruntlement are similar to the job satisfaction issues seen in insiders who perform IT sabotage. Sources of dissatisfaction include:
- dissatisfaction with compensation, promotions, benefits, bonuses and relocation;
- mergers and acquisitions;
- conflicts with supervisors and co-workers;
- layoffs; and
- disagreement over who owns intellectual
Job satisfaction issues frequently motivate insiders to look for new jobs: one-third used the stolen intellectual property to get a new job, and another third stole intellectual property just in case. For the entitled independent, an inappropriate sense of entitlement mixed with job dissatisfaction and a desire to leave the organization may lead to the insider leaving with stolen intellectual property.
What to do?
Understanding that stolen intellectual property tends to be property that insiders have developed or contributed to is important when developing a strategy to protect it. A successful strategy should be able to:
- Identify critical intellectual property assets.
- Identify insiders who have worked on said assets -- either now or in the past -- as they are high-risk insiders.
- Review access controls that protect intellectual property to identify insiders that no longer need access, such as people who have moved on to other projects or left the organization.
- Create policies regarding access to critical intellectual property, including a periodic review of access privileges.
- Create procedures that automatically disable access to intellectual property when employee roles change.
- Consider temporarily disabling access to intellectual property when insiders travel outside of the country, take a leave of absence or go on vacation.
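The access review described in the list above can be run as a periodic job that compares each critical asset's access list with HR data. The following is an added example, not code from the article or from CERT/CC; the record fields, sample data, asset name and the "revoke"/"suspend" actions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Employee:                      # constructed HR record; fields are assumptions
    status: str                      # "active", "terminated", "leave" or "vacation"
    project: str                     # current project assignment
    abroad_until: Optional[date] = None

# Constructed sample data: HR roster and the access list of one critical IP asset.
HR = {
    "alice": Employee("active", "flagship"),
    "bob":   Employee("active", "billing"),
    "carol": Employee("terminated", "flagship"),
    "dave":  Employee("leave", "flagship"),
    "erin":  Employee("active", "flagship", abroad_until=date(2024, 5, 10)),
}
ACL = {"flagship-design-repo": {"project": "flagship",
                                "users": ["alice", "bob", "carol", "dave", "erin", "frank"]}}

def review_access(acl, hr, today):
    """Return (asset, user, action, reason) for every entry that needs attention."""
    findings = []
    for asset, entry in acl.items():
        for user in entry["users"]:
            emp = hr.get(user)
            if emp is None or emp.status == "terminated":
                action, reason = "revoke", "left the organization or no HR record"
            elif emp.project != entry["project"]:
                action, reason = "revoke", "moved to another project"
            elif emp.status in ("leave", "vacation"):
                action, reason = "suspend", "on leave of absence or vacation"
            elif emp.abroad_until and emp.abroad_until >= today:
                action, reason = "suspend", "travelling outside the country"
            else:
                continue             # active, on the project, not away: access stays
            findings.append((asset, user, action, reason))
    return findings

if __name__ == "__main__":
    for finding in review_access(ACL, HR, date(2024, 5, 1)):
        print(*finding, sep=" | ")
```

Suspensions are re-evaluated on every run, so access returns once the travel or leave window has passed, while revocations require a new access request.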