From Insider Threats to Business Processes that are Secure-by-Design
Dieter Gollmann
Hamburg University of Technology
Hamburg, Germany
diego@tu-harburg.de
Abstract
We argue that insider threat is a placeholder term that accompanies the transition from securing IT infrastructures to securing the socio-technical systems made possible by these IT infrastructures. The term insider, in its literal interpretation, loses meaning in a context where there are no stable perimeters one can refer to. Business practices such as outsourcing, employing temporary contractors, and the very use of IT have removed security perimeters in the search for short-term efficiency gains, which may result in mid-term losses due to increased vulnerabilities. We conclude that securing socio-technical systems calls for the design of organisational (business) processes that remain viable once inside information about their implementation becomes available to potential attackers, rather than for the deployment of secure IT infrastructures.
Keywords: Insider threats, business process, IT security
Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 3, No. 1/2, pp. 4-12, March 2012