Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number.
REPORT DATE
SEP 20052
PrefaceThis report provides an overview and analysis of 10 insider events that occurred prior to 2003 in infrastructure industries. It concludes with a set of observations that have clear implications for policies and management practices in government and industry. The 10 full case studies, authored by Eric D. Shaw, Ph.D., Consulting & Clinical Psychology, Ltd., are contained in another report that was issued as For Official Use Only in order to respect the confidentiality of private sector companies that were victimized by the offenders. These cases represent attacks against information systems that are essential for the functioning of national critical infrastructure industries.The threat to organizations in this category is obviously a Department of Defense (DoD) concern; however, insider attacks, not unlike those described here, have also occurred in military departments and Defense agencies. PERSEREC has been tracking events on the government side over the past 3 years and has a growing database of information on trust betrayal involving information systems. A subsequent summary of findings that pertain specifically to the Defense community will be issued at a later date. In the interim, case study work of the type and quality seen here is proving to be invaluable to our understanding of this behavior and of mitigating factors that we would recommend to minimize Defense systems vulnerabilities.The significance of the analysis of these events extends beyond a concern with the vulnerability of critical information technology (IT) systems. This is an attempt to understand one manifestation of the much larger insider threat to the DoD and the United States. Other dimensions of this threat include insider espionage-concerning which PERSERC has had a long-term research interest-and the insider threat associated with international terrorism that is only now emerging. These threats all stem from human problems and vulnerabilities that might be addressed in time to prevent damage or loss by an effective personnel security system working in harmony with employee assistance programs. For this reason, we are particularly interested in implications that focus on preemployment screening, m...