per occurrence? Financial institutions, for example, are required to report such information, but very few others do. In recent years, however, the opportunities for profit through attacks on information systems seem to have proliferated. Participants emphasized that more investigation is needed before meaningful answers to this sort of question will be possible.

A suggestion was made to examine case law in areas such as fraud or other classes of misbehavior that are similar to or include insider attacks on information systems. The challenge here is that, for reasons ranging from settlements out of court to unverifiability, the data is not always readily available or accessible. Further, there are, in fact, reasons not to make that data available on the part of those who have been compromised. Even military base commanders may not generally report their insider problems, for example. Banks also are loathe to disclose insider security breaches for obvious reasons. Information Sharing and Analysis Centers (ISACs)2 (the Financial Services ISAC3 is an example of one) may prove helpful in gathering and exchanging information.

Within the DOD and other parts of the government that relate to national security, psychophysiology detection (polygraph) is reportedly one of the best investigative tools. It does have limitations, however. The accuracy of the screening exam is around 84%. In addition, polygraph exams can only provide information on events that have taken place in the past; they are unable to provide information about intent. Further, there is a limited number of polygraph examiners, which makes widespread use of this tool within the DOD infeasible. More generally, use of the polygraph test is not accepted in the corporate world.

These and other observations led some at the meeting to put forth an argument that focusing on the individual rather than the act itself is problematic in both the government and in the private sector. Spies, broadly speaking, have always existed and it is highly unlikely that means for detecting potential spies will be developed; therefore barriers to particular acts are necessary instead. Others suggested that learning to infer behavior and intent from usage signatures could be very powerful, although it is not clear how to achieve that at this point. Furthermore, any such techniques inevitably run the risk of incorrectly labeling problematic behavior acceptable, or, arguably worse, determining benign usage signatures to be indicative of inappropriate behavior or intent.

Management Issues

The structure of the workplace today produces challenges for managers who are attempting to minimize risks and maintain system security. One observation made was the need for better training and security awareness education. This could be especially helpful in the case of the unwitting insider or the incompetent user. An effort on the part of management to find ways to motivate people not to do ‘bad things’ might also be


An ISAC is a private sector entity that facilitates the collecting and sharing of incident and response information among its members as well as information exchange between government and the private sector. ISACs were promoted by the Critical Infrastructure Assurance Office ( in response to the President’s Commission on Critical Infrastructure Protection’s 1997 report Critical Foundations: Protecting America’s Infrastructures (


The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement