Managing Unintentional Insider Threats

Researcher Randy Trzeciak on How to Mitigate the Risks

How can organizations mitigate the risks posed by unintentional insiders who, by mistake or through social engineering, compromise sensitive information? The strategy requires a combination of technical and non-technical solutions, says researcher Randy Trzeciak.

In the case of social engineering, organizations can introduce technical controls that could help minimize the impact of, for example, an employee clicking on a phishing e-mail and allowing malware onto the network, says Trzeciak, senior member of the technical staff at the CERT Insider Threat Center within the Software Engineering Institute at Carnegie Mellon University.

"But also it could be in the form of security awareness training, training your employees, contractors and subcontractors on what could be a suspicious e-mail and what you should do if you encounter or are presented with a suspicious e-mail," Trzeciak says in an interview with Information Security Media Group [transcript below].

For more than a decade, researchers have studied the impact of malicious insiders. The unintentional insider threat has only recently come under scrutiny. According to the Insider Threat Center, the unintentional insider threat is defined as:

"A current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and who, through action or inaction without malicious intent, causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization's information or information systems."

"Most people don't intend to disclose information," Trzeciak says.

Still, organizations can have measures in place to ensure employee mistakes don't become a larger problem.

In the case of an employee taking a laptop out of the organization, if it gets lost or stolen, the organization can minimize the impact by having controls such as full-disk encryption in place so the information on the device can't be compromised, Trzeciak says.

In an interview on this latest insider fraud research, Trzeciak discusses:

- Fundamental technology controls to mitigate insider risks;
- Results of a new international insider threat study;
- Best practices in identifying and responding to insider threats.

Trzeciak heads a team focusing on insider threat research; threat analysis and modeling; assessments; and training. He has more than 20 years' experience in software engineering; database design, development, and maintenance; project management; and information security. He also is an adjunct professor at Carnegie Mellon's Heinz College, Graduate School of Information Systems and Management. Trzeciak holds an MS in Management from the University of Maryland and a BS in Management Information Systems and a BA in Business Administration from Geneva College.

Edward Snowden and Insider Threats

TOM FIELD: Everybody has been talking about the insider threat since the development of the Edward Snowden situation. From your perspective, what attention has this brought to the topic you've been researching for so long?

RANDY TRZECIAK: Anytime there's a high-profile case involving matters of security and national security, you tend to expect increased awareness in terms of identifying what the threat is and what the impact to the organization is as it relates to what particularly this insider or another insider did or did not do as it relates to a case.

As we've done research over the years, we've found that many of the incidents are handled internally by organizations and really don't involve law enforcement. But on occasion, when there has been significant impact to organizations that do involve law enforcement, many times those are picked up and reported through the media.

In terms of increased awareness, it's certainly something that does provide some value from organizations due to the other organizations that are impacted. But also, from an organization's standpoint, they should really be concerned about protecting their assets: critical information, critical technologies, facilities and people. They need to protect these from a number of threats, which would include insider threats but also external threats as well.

Unintentional Insider Threats