MANAGING RISK IN A DISTRIBUTED ENVIRONMENT - PowerPoint PPT Presentation
1
MANAGING RISK IN A DISTRIBUTED ENVIRONMENT
  • THE CULTURE OF RISK, DIMINISHED LOYALTY AND THE
    DANGEROUS INSIDER

Jerrold M. Post, MD
Political Psychology Associates, LTD
American Association of Occupational Psychiatrists
April 2010
2
THE CHALLENGER AND COLUMBIA DISASTERS
  • Columbia, January 2003
  • Engineers raised concern about damage from pieces
    of foam striking wing, request telescope or
    satellite photos
  • Managers deride and ignore request: "I won't be
    a Chicken Little. It's a dead issue."
  • Challenger, October 1986
  • Unseasonably cold: engineers raise safety concern
    about O-rings for launch below 53 degrees F.,
    recommend cancelling launch
  • Managers override; criticize engineers for not
    being team players

3
Challenger and Columbia Disasters
  • In both cases, management under the gun to succeed
    for financial and program support; delay would
    have raised questions
  • In both cases, ad hominem attacks on
    engineers; "mind guards" prevented consideration
    and evaluation of concerns
  • In both cases, safety culture had eroded to risk
    culture. Instead of having to prove it was safe,
    one had to prove it was dangerous.

4
WHOM DOES THE ORGANIZATION REWARD?
  • Is it the bold entrepreneur willing to take risks
    for the organization, not intimidated by the
    hand-wringing worry warts?
  • NOTE SEMANTICS: Let's reword.
  • Is it the reckless headstrong individual willing
    to put organizational equities at risk, or the
    prudent manager who judiciously weighs gains
    against risks in making balanced decisions?

5
EROSION OF VALUES IN GOVERNMENT AND CORPORATE
CULTURES
  • Prudent management has eroded to risk culture
  • Think derivatives, credit default swaps
  • This tendency magnified in distributed decision
    environment
  • When organization makes exceptions to its policy,
    the policy has changed. It is not what is said
    but what is done.

6
Examples of Policy Changes
  • IT consulting firm: partners tell subordinates
    they need to know the bid of their rival. Break-in
    to hotel room. One partner fired, the other
    reprimanded; he was a star rainmaker.
  • Partner overrides policy of doing background
    check on all employees; needed skills of new hire.
    No adverse credit information; indeed, no credit
    information! Initiated major computer fraud as
    soon as on board. Had been released from jail for
    computer fraud the day before.

7
Psychological Qualities of the Dangerous
Insider: Lessons Learned from The Anatomy of
Treason
  • Soviet acronym MISE
  • Money
  • Ideology
  • Sex
  • Ego
  • And the greatest of these is ego!

8
Vulnerability of Narcissistic Individuals
  • Individuals who are highly self-absorbed and
    consider themselves entitled to special
    consideration have an insatiable appetite for
    recognition and success
  • Even when by external criteria doing very well,
    they may feel dissatisfied
  • But when they are blocked in their careers and
    are embedded in unrewarding marriages, can
    collect injustices and be motivated to strike
    back
  • Pattern of split loyalties
  • Implications for employees in multinational firms

9
Generational Pathways of Treason
Thus, the two patterns of particular interest are
loyalty to dissidence and dissidence to loyalty.
10
The Life Cycle and Treason
  • Between ages 35 and 45, everyone goes through a
    period of psychological re-evaluation when they
    realize that youth is at an end: the mid-life
    transition
  • Feelings of marital and job dissatisfaction peak
    at this time; individuals who are blocked in
    their careers and in unrewarding marriages are
    especially vulnerable
  • Some need to regain their sense of competence by
    striking back
  • Nearly all of the major traitors were impelled to
    act during the mid-life crisis

11
The Dangerous IT Insider
  • Two-year study for DOD/C3I
  • Risk of computer crime by dangerous IT insider
    (2.7 million each) greatly exceeds that from
    outside hackers (57 thousand each)
  • Dangers of loss of availability, reputation,
    sensitive and/or proprietary data
  • Evidence of foreign corporate targeting of US
    industry
  • Significant problems with prevention, detection,
    management

12
Definition of Research Subject
  • The CITI
  • Critical
  • Information
  • Technology
  • Insider

Information Technology Specialist who designs,
maintains or manages critical information
technologies
13

14
Computers don't kill information systems
15
Employment Contexts
  • INSIDER/OUTSIDER IS A FALSE DICHOTOMY

16
Insider Employment Contexts
  • Employees
  • Contractors and Consultants
  • Partners, Customers
  • Temps
  • Short-Term
  • Long-Term
  • Former Employees
  • About to become Former Employees

17
PARADOX
  • THE LESS LOYALTY EXPECTED, THE LESS ATTENTION TO
    SECURITY!

18
A Typology of Malicious Acts
  • Abuse/Fraud
  • Extortion
  • Sabotage
  • Espionage

19
Psychological Characteristic of IT Specialists in
General
20
Introversion
  • Psychological studies of computer professionals
    indicate they are overwhelmingly introverts
  • Introverts prefer the internal world of ideas to
    the outer world of people
  • Introverts tend to internalize stress and express
    themselves on-line -> management challenge

21
Characteristics of the Vulnerable CITI
22
Social and Personal Frustrations
  • History of significant frustrations relating to
    family, peers and coworkers
  • Report preferring the predictability and
    structure of work with computers
  • Propensity for anger toward authority
  • Revenge Syndrome

23
Computer Dependency
  • On-line activity significantly interferes with,
    or replaces direct social and professional
    interactions
  • Prefer virtual world to real world
  • On-line relationships may constitute an avenue
    for influence, recruitment or manipulation

24
Ethical Flexibility
  • Survey research reveals 6-7 approval for
    hacking, espionage and sabotage
  • "If it isn't tied down, it's mine to play with"
  • Notion that computer is a toy, data is not real
  • The consequences do not seem serious

25
Reduced Loyalty
  • Organizational loyalty challenged by high degrees
    of turnover
  • HHS study on insider computer fraud found
    perpetrators identified more with programming
    than their employers

26
Entitlement
  • Belief that one is special and owed corresponding
    recognition, privilege or exceptions--often
    re-enforced by employers
  • Grandiosity covers fragile ego
  • Prone to anger and revenge when specialness not
    recognized

27
Lack of Empathy
  • Disregard for the impact of their actions on
    others, or inability to appreciate these effects

28
29
Critical Path to Insider Acts
30
Major Stressors
  • Personal stressors
  • Divorce
  • Financial difficulties
  • Professional stressors
  • Transfers
  • Supervision, organizational changes
  • Technological changes w/personnel effects

31
Person-Situation Interaction (diagram): Personal Stressors and
Professional Stressors act on the Vulnerable CITI, producing
Mounting Stress and Frustration that leads to a Major Act
32
Person-Situation Interaction
33
Perpetrator Typology
  • Explorer
  • Hacker
  • Golden Parachuter
  • Exception
  • Proprietor
  • Good Samaritan
  • Machiavellian
  • Career Thief
  • Mole

34
Explorer
  • Motivated by curiosity
  • Rarely damages
  • Tests abilities
  • Unauthorized access to learn more
  • Lacks good judgement re unmarked files
  • Often picked up by sysadmin, but no policy, so no
    consequences
  • Programmed Learning Case

35
Hacker
  • Prior history of hacking
  • Needs to challenge system and authority
  • Derives significant self-esteem from victories
  • Generally not destructive but may need to leave
    mark
  • Hacks to show-off, impress peers
  • More dangerous if part of hacker peer group

36
Hacker Subtype Golden Parachuters
  • Insert logic bombs or other system booby traps,
    which they are uniquely qualified to defuse, in
    exchange for a generous consulting fee or
    severance package.
  • Rarely reported
  • Often more cost effective for company to pay off
    the employee
  • Subcontractor writing code

37
Good Samaritan
  • Hacks episodically to fulfill duties more
    effectively or responsibly
  • Doesn't see violation
  • Ends justify means
  • May show off, save the day
  • Hacks system to fix it in emergency situation
  • Copies files to save time
  • "Testing security" makes a great rationale

38
Machiavellian
  • Covertly hacks to advance career, increase
    status, damage rival, establish future business
  • Consultant steals proprietary data
  • Subordinate frames boss
  • Employees destroy rival group's network card
  • Time bomb to establish consulting job
  • Program outages to facilitate travel

39
Case Example
  • Civilian Govt. programmer
  • EEOC Complaint against supervisor
  • Whistleblower
  • Negative performance evaluation by supervisor
  • Tried unsuccessfully to rectify negative
    performance evals through channels--mounting
    frustration
  • Transferred, only negative performance
    evaluations forwarded by supervisor
  • Seeks revenge against supervisor by remotely
    taking down Govt. database

40
Career Thief
  • Computer is tool for criminal scheme
  • Pure anti-social version vs. disgruntled mixed
    breed
  • HHS report on fraud by computer specialists
  • Lack of loyalty to employer
  • Greater identification with profession
  • Embezzlement at Wells Fargo

41
Mole
  • Joins organization to commit espionage for the
    benefit of a company or foreign government
  • Different from Avengers, who commit espionage out
    of revenge
  • Reuters/Bloomberg

42
Exception
  • View themselves as special, deserving of
    extraordinary recognition
  • Consider themselves above the rules
  • Often deflect blame to others
  • Have a grandiose view of their importance beneath
    fragile self-esteem
  • Act in retaliation for real or perceived wrong
  • Motivation is revenge
  • Associated with termination, demotion, assignment
    changes, perceived setbacks
  • Any group subject to disgruntlement

43
Exception Subtype Proprietor
  • Feels he owns system
  • Entitled to special privileges
  • Hacks to protect control of system
  • Hacks to deter rivals
  • May create problems only he can solve
  • Financial Sysadmin
  • Plant Engineer
  • Intellectual Property

44
Case Study The Proprietor
  • Well paid systems administrator
  • Personality Traits-Proprietor
  • Entitlement
  • Manipulative
  • Devaluing of others
  • Padded OT
  • New supervisor
  • Cut-back to PT
  • Disables Servers

45
Eleven Months Prior to Event
  • The company undertakes a corporate reorganization
    plan and a new, female technology manager is
    hired to supervise the network project.
  • Subject immediately has difficulty with the new
    supervisor (gender, ethnicity issues).
  • Supervisor believes subject is inflating his
    billable hours.

46
Six Months Prior to Event
  • Subject is informed that his contract would not
    be renewed after May because he was too
    expensive, and was complimented for excellent
    work to date.
  • He expresses the belief that the company has no
    employees capable of managing his complex
    computer network.

47
Three Months Prior to Event
  • Complains to new supervisor, who has instructed
    him to train replacements, that replacements do
    not have the skills necessary to replace him and
    refuses to give them access to the system.
  • Supervisor e-mails him: "You seem to have
    developed a personal attachment to the servers.
    These servers belong to the company--not to you."

48
Email 1 April
  • (Refuses to train backup) "His experience was
    ZERO. He does not know ANYTHING about ...our
    reporting tools."
  • "Until you fire me or I quit, I have to take
    orders from you... Until he is a trained expert, I
    won't give him access... If you order me to give
    him root access, then you have to permanently
    relieve me of my duties on that machine. I can't
    be a garbage cleaner if someone screws up. I
    won't compromise on that."

49
Email 2 July
  • "Whether or not you continue me here after next
    month (consulting, full-time, or part-time), you
    can always count on me for quick response to any
    questions, concerns, or production problems with
    the system. As always, you'll always get the most
    cost-effective and productive solution from me."

50
Email 3 July
  • "I would be honored to work until last week of
    August."
  • "As John may have told you, there are a lot of
    things which at times get flaky with the system
    front-end and back-end. Two week extension won't
    be enough time for me to look into everything for
    such a critical and complex system."
  • "Thanks for all your trust in me."

51
The Event
  • On last day of work, subject disables the
    computer network's two file servers.
  • Company executives implore subject to help them
    fix the problems, but he refuses.
  • Independent consulting firm hired to investigate
    problems discovers sabotage.
  • Timing deception used to cover plotting.

52
Covert vs. Overt Hostility in Email Prior to
Attack (chart; timeline: Three Months Prior, Two Weeks
Prior, Attack)
53
IT Personnel Security Implications
  • Redesign the hiring process
  • Improve monitoring, detection and management
  • Information security policies
  • Specialized employee support services
  • IT Personnel Security Audit complement to
    traditional technical audits

54
Implications
  • Revise screening and selection; incorporate on-line
    behavior
  • Improved management of CITIs
  • Revise termination procedures, computer ethics
    policies and practices
  • Innovative approaches to managing at-risk CITIs
  • Add human factors to information security audit

55
Information Security (diagram): Technical Security and
Personnel Security


56
The Dangerous IT Insider
  • Net increasingly porous
  • Most computer crime perpetrators loyal at hire
  • Requires IT personnel security audit to
    complement IT technological security audit. IT
    security is a human problem too.
  • Review background check procedures
  • Management
  • Ethics policy and enforcement
  • Termination

57
Degradation of Loyalty
  • Increasing outsourcing of IT function, as well as
    security and HR
  • Microsoft, PRC, Taiwan
  • How can one expect equal loyalty from temps and
    contractors?
  • Major RIF by IBM in 1993 of 85,000 eroded social
    contract between corporation and employees
  • Increasingly, IT workers are self-oriented
    entrepreneurs, knowledge workers to be
    exploited

58
Virtual Management
  • Problem with declining loyalty magnified by
    management by e-mail, virtual management
  • Including foreign workers
  • No face-to-face contact
  • For multinationals, potential conflict of
    loyalty between nation and corporation

59
Dangers of Distributed, Decentralized Management
  • In distributed environment, with increasing
    tendency to delegate responsibility to local
    organization, leadership may lose sight of what
    is happening and lose control
  • One unit can endanger, indeed destroy, overall
    organization
  • Enron, Arthur Andersen Houston offices

60
Implications
  • In this era of distributed decision making,
    increasing hazard of risk culture
  • The porosity of the information highway in
    conjunction with the loss of boundaries between
    insiders and outsiders provides an environment of
    increasing risk.
  • Technological means cannot solve these human
    problems.
  • The erosion in loyalty and hence trust that has
    progressively occurred between employer and
    knowledge workers requires equal attention to
    personnel security and focused management.

61
Requirement for Balanced Leadership
  • This requires increased attention to human
    processes, to focus on managerial leadership.
  • Verification in the distributed environment is
    not a luxury, but a requirement.
  • Abdication of central control and actions of a
    distributed unit can endanger the entire
    organization.

62
IMPLICATIONS
  • Risk cultures do not develop overnight, any more
    than disgruntled workers become disloyal
    overnight.
  • The distributed system is intensifying the
    attenuation of loyalty, which in turn is
    compounded by virtual management.
  • Hazard of reacting to excesses of the risk
    culture with over-reaction of excessive caution
    and risk avoidance.