Intent

There’s a whole bunch of the IDC/RSA white paper on insider risk management that puzzles me on one level or another.

“Whether the threats are accidental or deliberate, the costs are still the same.”

I didn’t see much data in the report regarding costs. I'm not sure if they are talking about dollars. Regardless, the controls to prevent either accidental or deliberate data loss probably overlap in most scenarios, so that cost may be similar. It’s the cost of response and recovery could be wildly different. I would rather pay to have a document restored from backup than pay for the costs of a data falling into the hands of someone who would steal it. Intent is material in incident response cost. ( I'm not married to this idea yet, but I've taken it out to dinner a couple times.)

“Malware and spyware attacks are another example of the risk of good employees doing bad things.”

I don’t think good employees are doing the bad things in malware and spyware attacks. I think it's bad people doing bad things. I’d categorize the real threat as the operator of the malware or spyware. The employee's behavior is a control, but given the sophistication of much of the malware around, it is not surprising that this control occasionally fails (Is visiting NYTimes.com a “bad thing”?) If the security of data is breached due to malware on a desktop, it has gone to bad people. I think this sort of incident belongs in a different category from an error, omission or mistake. There is an intelligent actor intending harm behind the action. Not so with a lost laptop.

Under “Key Findings”

"14.4 incidents of unintentional data loss through employee negligence in the past 12 months'

So, what does this mean “unintentional data loss”? Dropping the wrong table? Hitting “Save” rather than “Save As” ? Losing a laptop? That number is not as exciting to me as the 11 incidents of internal fraud a year cited a couple rows down. Response to "unintentional data loss” could be as simple as pulling a back-up, but fraud incidents are going to burn more organizational cycles and have a demonstrated loss.

Policy and Ethics

The excellent Grits for Breakfast posted several stories of alleged misbehavior at the Bexar County probation office, including a link to the following story from the San Antonio Current. The following passage caught my attention:

According to former Bexar County probation IT Director Natalie Bynum, [Director of Operations] Cline kept a list of known and suspected union members she wanted out of the department. To weed them out and quash the union, she had Bynum meet her repeatedly during and after work to comb through employee email accounts.

“She wanted their computers monitored in order to find out if they were doing any union activities while on the job, also to see what was going on with the union,” said Bynum, who now lives in Arizona and spoke with the Current by phone. “We’d go to the bar and then we’d go back to work afterwards. It would be just us in the office, often-time.”

Bynum, a close confidant of Cline’s during her tenure, says she was motivated by curiosity since she was “not allowed” to speak with known members of the Central Texas Association of Public Employees, a division of the United Steelworkers. Cline and Bynum’s alleged searches weren’t limited to the “five to 10” employees targeted by Cline, either. Bynum told the Current this week that Cline also regularly tapped into her boss’s account to see if Fitzgerald was talking about her.

In most workplaces, this sort of activity may not be illegal, and is probably not even against policy. Still, I sense some ethical boundary is crossed when you start reading your boss' e-mail. Am I alone? On what grounds could the e-mail administrator deny an "authorized" request for reading e-mail, other than his/her own sense of ethical obligation?