ISSO Must Understand Threat Agents' Motive-Rationalization-Opportunity

Professor Jones pointed out that motivation and opportunities play a major role in manmade threats. The topic of threat agents can be discussed and written about for volumes; however, the above provides the ISSO at least an overview of the topic. In order for the ISSO to be able to mount an adequate, cost-effective defense of company information and systems, the ISSO must understand all the threats against the company systems. Furthermore, the ISSO must also understand the minds of these miscreants. One must understand as much as possible how they think and why they act and react as they do. Remember that first and foremost it is the human factor that is involved in all these threats, and it is the human miscreants whom the ISSO must understand. This cannot be overemphasized, especially since it is precisely the human factor and how the miscreants think that is usually lacking in the ISSO's quest to build a successful CIAPP.

The ISSO, though required to be knowledgeable in international politics, business, marketing, finance, managing, leadership, auditing, high technology, social science, psychology, and the like, must also have a good working knowledge of criminology. Being an ISSO is a very challenging job, and to be successful, one must have much more than just a background and experience in high technology. In fact, that is one of the major problems with many ISSOs. Their backgrounds are usually planted firmly in high technology, and they seek high-technology solutions to the InfoSec problems when in fact many are rooted more in the human factors associated with the threat agents.

Understanding the human factors is at least as important as, if not more important than, understanding when and how to install information and systems protection mechanisms, such as a firewall.

The ISSO must first of all understand the threats and then use a holistic, systematic approach to finding a solution to mitigate the threats. Some threats may be completely eliminated; some may be mitigated to provide for the least amount of risk; while others—well, the ISSO can only hope and pray that the company systems will not be threatened by them. It seems that there are always some of those threats around.

According to the Association of Certified Fraud Examiners and members of the criminology profession, there are three requirements that are present when considering the human threat agent. They are the same regardless of the type of attack to be launched. The three requirements are:

  • Motive: If one is not motivated to commit an attack on a system, one will not attack; therefore, one is not a threat.

  • Rationalization: One must be able to rationalize the attack. For example, many devoutly religious people have committed crimes. If they were that religious, how could they do so when they also believe that they will go to hell and suffer eternal damnation for their crimes? They must rationalize in their minds that what they were to do was not in violation of God's law, or that God would forgive them. If they could not rationalize or justify it to themselves, they would not commit the crime. The rationalization need not be logical or make any sense to anyone else, but the attacker must believe it.

  • Opportunity: The other part of this triad is opportunity. If one were motivated and could rationalize an attack, but knew there was no opportunity to successfully commit that attack or to commit that crime without getting caught, one won't commit the crime.

When discussing this triad, it is important to remember that as human beings we all would probably commit a crime under the "right" circumstances. An internal employee of the company may be a model employee; however, if the employee's circumstances changed for the worse, elements of the triad would come into play and an employee once not considered a threat becomes a threat. For example:

Suppose you had a family with kids growing up and getting ready for college; you had a mortgage, car payments, and the normal other bills; you had worked for a company for about 25 years; and you were about 54 years old. You were called into the boss's office one Friday and told that the company was downsizing and they were terminating your employment. However, because the company was terminating over 500 people, the federal law (in the U.S.) required that you be given 60 days' notice.

You knew that you would have difficulty finding another job, especially at your age, and besides, your skills were somewhat outdated, not in great demand. You didn't know how you would make it. You knew that the college money for the kids would have to be used to survive. You also knew that you'd have to sell one car, as you couldn't afford two. You were also concerned about other finances. In other words, in about 60 days, you knew that your entire world would be turned upside-down, and you didn't know how you would survive. Gloomy enough for you? It happens every day. Sometimes thousands of times!

For most people that would be enough to start them thinking somewhat negatively about the place where they work and the managers, company president, etc. However, to really push you over the edge, let's say the next morning you get up for work and read in the business section of the paper that the company you work for was having greater sales than ever and had posted record profits. You read on to learn that because of that, the company president was getting a $2.5 million bonus and the executive managers were getting $1 million each for saving the company so much money over the years and for increasing sales and profits.

You are now motivated to get what you can from that company in the next 60 days. You deserve it. You gave them your "blood, sweat and tears" for 25 years, and they are where they are today partly because of you. And what did they give you? The boot! So now, you have the motive and the rationalization. Some people use violence, such as a post office worker who kills a manager who yelled at him. Others use fraud, theft, and whatever opportunity gives them; still others steal and sell sensitive company information and destroy or modify company information and systems.

The triad "bar" for some is higher than for others. However, it is now a matter of survival, a basic and extremely strong human trait. You and your family must survive. You are not about to have your house repossessed, as well as your car, and become one of the homeless out there. Add to that a little revenge, frustration, and hostility at not being able to find another job as day 60 approaches.

Yes, we all have our limits. As an ISSO, keep the triad in mind as you build the CIAPP. The culture and atmosphere of a company are important to know, and as the ISSO, you must be tuned in to the changes caused by downsizing, restructuring, and the like, as they often create additional threat agents.




The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204
