2003 IMTA Proceedings - International Military Testing Association

CHARACTERIZING INFORMATION SYSTEMS INSIDER
OFFENDERS
Lynn F. Fischer
Defense Personnel Security Research Center
Introduction
The development of a database to track trends and common characteristics of
information systems insider offenses in the Department of Defense has been underway at
PERSEREC for over 3 years. An early analysis of data drawn from the Insider Events
Database was presented to IMTA at the Edinburgh meeting in 2000. Since then
additional information has been obtained from the investigative agencies of the military
services and we can more clearly define common characteristics and motivations of
offenders as well as the types of offenses they commit against defense systems. Insiders
are defined here as individuals holding a position of trust and given authorized access to a
defense information system. As military services throughout the world are increasingly
dependent on computer systems, internal networks, and the Internet, it is probable that
scenarios such as those described in this report will be repeated in the military
organizations of other countries.
While many approaches to detecting and preventing cyber-offenses committed by
insiders focus on technical countermeasures, we at PERSEREC are persuaded that the
insider threat is essentially a trust-betrayal issue. That is, the insider threat is a human
problem related to the selection and monitoring of persons who have use of or
administrative control of our critical networks. Another important factor working against
misuse or abuse of systems must be adequate security education. We have found that
many offenders did not know or had not been informed of what was unacceptable
behavior and what its consequences are for the integrity and operability of their systems.
Who Are the People Doing This and Why Do They Do It?
Based on a review of over 80 insider events in the database of different
magnitudes of seriousness, most offenses were committed by younger service members
or by information technology (IT) professionals under contract to a defense facility.
Forty-seven percent were attributed to misuse by uniformed service members. Of 33
events for which the rank of the offender is known, 22 involved junior enlisted personnel,
nine were committed by non-commissioned officers, and two by commissioned officers.
With few exceptions, the service members, whether IT professionals or not, knew a great
deal more about computer systems than was required by their job. Several engaged in
hacking or computer-related private enterprise from home during off-duty hours.
This paper reviews several significant findings or generalizations, based on data
available to date, that are emerging from the analysis. However, a much better
understanding of situational factors, motivations, and contributing causes can be gained
from in-depth case studies of those events that resulted in significant consequences for
the organization. Therefore, each of the general observations will be illustrated by a case
study that demonstrates the importance of situational factors at the place of employment,
interpersonal and social interrelationships (often hostile and vindictive), and the attitudes
of the offenders. The following observations are clearly emerging from the data acquired
from sources of record to date.
289
45 th Annual Conference of the International Military Testing Association
Pensacola, Florida, 3-6 November 2003