From Insider Threats to Business Processes that are Secure-by-Design

Dieter Gollmann

Hamburg University of Technology

Hamburg, Germany

diego@tu-harburg.de

Abstract

We argue that insider threat is a placeholder term that accompanies the transition from securing IT infrastructures to securing the socio-technical systems made possible by these IT infrastructures. The term insider, in its literal interpretation, loses meaning in a context where there are no stable perimeters one can refer to. Business practices such as outsourcing, employing temporary contractors, and the very use of IT have removed security perimeters in the search for short-term efficiency gains, which may result in mid-term losses due to increased vulnerabilities.

We conclude that securing socio-technical systems calls for the design of organisational (business) processes that remain viable once inside information about their implementation becomes available to potential attackers, rather than for the deployment of secure IT infrastructures.

Keywords: Insider threats, business process, IT security

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 3, No. 1/2, pp. 4-12, March 2012