This according to the Computer Economics study Insider Misuse of Computing Resources, which analyzes 14 forms of insider misuse in detail. The study shows a number of ways that violation of an organizations acceptable use policy may result in harm. Making insiders aware of these threats is an important part of mitigating the risk of insider misuse as we discuss later in the full study.
A sister report, Malicious Insider Threats, addresses threats where the insider intends to harm the organization or acts in a purposeful way that threatens the organizations interests. There is sometimes a fine line between malicious intent and mere misuse. For example, an employee downloading music or video files to a desktop computer would not usually be doing so with intent to harm the organization. But if the files being downloading are pirated, the employee is putting the organization at risk.
Nevertheless, we find it useful to separate threats from insider misuse from threats by insiders with malicious intent. Furthermore, many of the countermeasures against insider misuse are also useful to counter malicious insiders.
How Serious Is It?
Before delving into our analysis of each threat, it is useful to examine them in total. For this analysis, we look at all types of insider misuse and rank them according to the perceived seriousness of each threat. In our survey, we asked respondents to rate the seriousness of each category of insider misuse as no threat, a minor threat, moderate threat, or major threat. We recognize that the word seriousness has no formal definition in risk management. Typically, risk management professionals quantify risks by their severity (potential harm) and the likelihood of experiencing an incident within a given time frame.
However, because many forms of insider misuse are not readily quantifiable, we use the word seriousness to gauge how concerned IT security professionals are with each threat. We believe the seriousness level provides a useful measure of the perceived importance of each threat, while being mindful that perception and reality are not always consistent.
In assessing the seriousness of each category, we asked respondents to consider all forms of potential damage to the organization, such as effect on system availability or integrity, network performance, legal liability, disclosure of confidential information, loss of worker productivity, and damage to the organization's reputation. In addition, we asked respondents to evaluate these threats without consideration of any countermeasures their organizations were taking to deter misuse.
Interestingly, the 14 categories of insider misuse fall into two distinct groups. The first eight categories form one group, where at least 40% of our respondents view each as a major threat. The first group includes:
Downloading unauthorized software;
Use of unauthorized P2P file-sharing programs;
Remote access programs;
Rogue wireless access points;
Downloading of unauthorized media; and
Use of personal computing devices for business purposes.
What do these forms of misuse have in common? They all pose a threat primarily in terms of loss of information, security breaches, and legal liability. For example, unauthorized copying of files is a threat as it may lead to loss of confidential information. An employee using his own laptop for business purposes may inadvertently take confidential information home at night or retain this information when he leaves the organization. Downloading unauthorized software or using P2P programs may introduce malware into the organization, leading to theft of information or loss of system availability. It is not difficult to envision the seriousness of the threats that these forms of misuse pose to the organization.