Consider a few personnel incidents that made the news in the last few years :
If you examine these cases and the vast number of computer security violations committed over the past few decades, you will find one common characteristic: 100% of them were caused by people. Break-ins were caused by people. Computer viruses were written by people. Passwords were stolen by people. Clearly, without people, we wouldn't have computer security problems! However, because we continue to have people involved with computers, we need to be concerned with personnel security. "Personnel security" is everything involving employees : hiring them, training them, monitoring their behavior, and, sometimes, handling their departure . Statistics show that the most common perpetrators of significant computer crime in some contexts are those people who have legitimate access now, or who have recently had access; some studies show that over 80% of incidents are caused by these individuals. Thus, managing personnel with privileged access is an important part of a good security plan. People are involved in computer security problems in two ways. Some people unwittingly aid in the commission of security incidents by failing to follow proper procedures, by forgetting security considerations, and by not understanding what they are doing. Other people knowingly violate controls and procedures to cause or aid an incident. As we have noted earlier, the people who knowingly contribute to your security problems are most often your own users (or recent users): they are the ones who know the controls, and know what information of value may be present. You are likely to encounter both kinds of individuals in the course of administering a Unix system. The controls and mechanisms involved in personnel security are many and varied. Discussions of all of them could fill an entire book, so we'll simply summarize some of the major considerations. |