In 1971, the cartoonist Walt Kelly unknowingly defined the insider threat with his famous Pogo cartoon:
We have met the enemy and he is us.
The Insider Threat
Since there have been people on the earth, there have been insiders. Insiders come in several flavors:
Recently I did a Blab session (turned into a podcast) with IBM – Big Blue. We discussed the insider threat and covered computer access, physical access, how to detect and respond, training, who should be involved in an insider case and more.
For your listening convenience, here’s the link. It’s about an hour long, but really digs into what you should look for, from hiring to firing.
If you would rather see my bright, smiling face, the actual Blab session is available below.
We live in converged worlds – online, offline and the real world. Each world, each domain, has its own unique aspects that make detecting, preventing and responding to an insider threat or attack challenging.
When it’s a knowledge-based attack, e.g. something I know that others know (like the layout of the nuclear plant), anyone with the information can be compromised. I know you want to trust them, but trust is not a control.
Trust is not a control.
Every person convicted of selling our secrets to our enemies was trusted at one point. In a prior life I was a detective trained in behavioral analysis interviewing, and it only made sense for highly skilled crimefighters to interview all police applicants before they went to the polygraph.
My record remains intact. No applicant polygraph ever discovered more information or admissions against interest than I did in the interview.
Accuracy of Interviewing
In 1994, the NSA published a study that evaluated 60 taped interviews and interrogations. A key finding:
Results revealed that, excluding inconclusive decisions, evaluators’ average accuracy was 91 percent on truthful suspects…
That 91% is more accurate than a polygraph. If you have the opportunity, I highly recommend attending one of the courses from John E. Reid and Associates. There are courses for law enforcement and the private sector.
I had the honor of being Reid’s first outside instructor and taught at the NSA. So when someone says to me they’re willing to take a polygraph, I just smile and tell them, “I am a polygraph.”
Interviewing – your first line of defense against the insider threat.