Review: Insider Threat

Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft

Authors: Dr Eric Cole & Sandra Ring

ISBN: 1-59749-048-2

Publisher: Syngress (2006)

397 pages

Price: ~US$28 from Amazon

Executive summary

Despite the promise, this book does not do justice to such an important topic.  The naive writing style and lack of unique, meaty content detract from the value.

Coverage

The book covers a fairly broad range of insider threats, sometimes too broad - for example, slipping into outsider threats on occasion.  The case studies are drawn from a variety of public- and private-sector organizations in various sectors of the economy.  A reasonable but incomplete selection of controls against insider threats is mentioned.  However, the book’s overriding concern is theft of intellectual property, which is not the only type of insider threat.  Sabotage and problems caused accidentally by employees are barely even mentioned if at all.

Depth

Despite being nearly 400 pages long, the book really doesn’t go much below the surface of the subject.  Coverage of the technical controls is particularly lightweight, and the procedural controls are not much better.

Structure

Other than the gross structure (Introduction - Case studies - Controls), there is no discernible flow or ‘story’ to the book - simply a mish-mash of topics in each chapter that leaves this reader bewildered.

A fairly random assortment of information about insider threats and countermeasures is thrown loosely together in the first chapter.  Chapter 2 attempts to get ‘behind the crime’ but the techniques discussed are naive in the extreme (e.g. watermarking to prevent extraction of information - hardly even a speed hump on the road to industrial espionage!). 

Chapters 3 through 7, the entire center of the book with around 200 pages, consist of an extensive collection of ‘case studies’, most if not all of which have been trawled from public sources on the Web.  Many scenarios are basically similar and add little to the discussion.  The ‘analysis’ is fairly superficial and mostly self-evident.  Generally speaking, the reader would be better informed by an hour’s Googling and a bit of contemplation.  [Contrast this with Ira Winkler’s use of real-life examples to illustrate Spies Among Us - each story carefully selected, well presented and insightfully analyzed.]

The final part of the book includes a chapter on profiling which repeats an earlier curiosity - a distinction between “high end” and “low end” insiders that is never really explained.  The last two chapters contain another assortment of controls, once again with no obvious sequence and repetitious (e.g. security policies, training and awareness are duplicated in chapters 9 and 10).

Writing style and readability

If I were to guess the reading and writing age of the author and/or the target audience for most (though not all) chapters, I’d say mid-teens.  The sentence construction and grammar are generally so poor that the style soon becomes seriously distracting.  The author is repetitive and labors practically every point.  Here’s a single albeit fairly lengthy example, a complete paragraph from the introduction to chapter 8 “Profiles of the Insider Threat”:

    “While a dose of healthy paranoia is a good thing, you have to strike a balance between trusting everyone and trusting no one.  Too much of either will cause problems and lead to unsuccessful organizations and business relationships.  If you never trust anyone, from a personal standpoint you will never fully get to enjoy what life has to offer.  From a business standpoint you will often frustrate and annoy your employees because they will not be given the additional responsible they deserve because you do not trust them.  From a personal sanity standpoint you will never feel empowered enough to ever delegate any work and will feel stressed and burnt out from matters that others could easily handle for you.  This is often the reason that really smart, intelligent people make such poor managers: they are afraid to delegate.  They do not trust than anyone can do the job as well as them or they do not want to give away the control of information.  Knowledge is power but only if you share it in a selective manner.  Not willing to trust anyone else with the information will actually decrease the value of the data because no one else can use it to make effective decisions.  On the other hand, not properly controlling it and giving it away to everyone has its own series of problems.”

Conclusion

For the book as a whole, I’d rate it two stars out of five, maybe three if I were feeling less cynical but just one star or less for the editor and publisher who singularly failed to turn the manuscript into a best-seller.



Copyright © 2012  IsecT Ltd.