In general, all of these crimes involve another category of UIL as well. It can be physical, computer usage, user error, and so on. UIL in the criminal category has specific consideration in how you potentially stop the attack from reaching the user and how to mitigate the loss resulting from the crime.
For example, if you know criminals may attempt to steal equipment from traveling employees, you can perform awareness campaigns to ensure that users know how to best protect the equipment during travel. If you assume that at least one user will inevitably fail to protect the equipment, you know to encrypt devices and enable remote data deletion capabilities, also known as wiping. You may also provide the employee with travel equipment that stores only the data needed during the trip. Acknowledging that crime is a possibility allows you to prepare countermeasures that might not otherwise be considered.
All organizations have exposure to varying levels of criminal activity. If you consider how to mitigate UIL from any perspective, you can solve most of the problems, as users still have to initiate the loss. Then you can focus on addressing the finer points.
A couple of types of crime that warrant additional scrutiny are user malice, which is generally an internal attack, and social engineering, which is commonly an external attack. The following sections will examine these types of crime more closely.
User Malice
Malice is the intent to cause loss to an organization. User malice can take many forms. Sometimes it simply involves theft for personal gain. This theft can be money, physical equipment, data, other valuables, and so on.
Other times people are motivated to cause loss out of revenge for a variety of perceived wrongs. Many organizations are notorious for poor working conditions or their general mistreatment of employees, and it is inevitable that some employees may act out. In these instances, the people might commit theft, destroy property or data, or sabotage the organization's processes or reputation to reduce sales, productivity, or efficiency.
According to Dr. Martha Stout in her book, The Sociopath Next Door (Harmony, 2006), sociopaths make up approximately 4 percent of the population. The FBI estimates that an additional 1 percent of the population will become psychopaths (see www.leb.fbi.gov/articles/featured-articles/psychopathy-an-important-forensic-concept-for-the-21st-century
). Combined, this means that 5 percent of the population might do harm if given the opportunity. This can take the form of the previously discussed personal gain or revenge. However, some of these people sometimes just create damage for their personal entertainment.
Frequently, malicious users may work with outsiders. Malicious users can solicit the support from the outsiders to assist with their acts. Alternatively, they can facilitate the crimes of outsiders who approach them. There are a variety of reasons for both scenarios. Whatever the scenario, it is important that you acknowledge it as a possibility.
NOTE Not all user malice comes from greed or hostility. Some users are coerced or manipulated by outside parties. Others find themselves in a desperate financial situation and perform actions that they normally wouldn't. It is important to recognize that it isn't only disgruntled users who can become malicious users.
Malice has caused loss across every industry, so it is important to recognize that UIL may not always be the result of some type of unintentional action. There is frequently a focus on awareness to stop unintentional UIL, but any security or loss mitigation program that does not also consider and mitigate actions due to intentional UIL will fail. Even though an aware user might be one of your best defenses, an aware user can also be your worst enemy if their intent is to use their awareness against you.
Social Engineering
Social engineering is the broad category of attacks typically associated with the computer security field. However, social engineering can take a variety of forms and can be used to facilitate other crimes beyond just computer-based ones. Social engineering can be defined as manipulating an individual to take an action they would not normally take. In the computer field, it is essentially any nontechnical attack to gain access to a computer.
People perceive social engineering as tricking someone into providing them with information or access. In many common scenarios, that is an accurate working definition. This can be achieved through telephone calls, emails, in-person interactions, online chat systems, and so on.
Other forms of social engineering include people essentially sneaking into locations. Dumpster diving, where you literally go through the trash to find useful information, can be considered a form of social engineering. Some people don construction hard hats and reflective vests or utility worker uniforms and walk into a facility. Other people check doors and gates to see if they are locked. Still others try to follow people into facilities through tailgating.
While these tactics can be used to obtain computer access, clearly they can be used for a variety of other types of crimes. A company once tasked us to perform a social engineering simulation to see how outsiders can gain access to a building, because there had been a tragic workplace shooting, where a man had snuck into the building and shot his ex-wife. These things unfortunately can happen.
From a computer attack perspective, social engineering frequently takes the form of phishing, where someone sends a message attempting to get a user to download malware or to disclose login credentials or other useful information.
Sometimes criminals, frustrated with failing to technically hack an organization, will resort to pretext telephone calls attempting to get users to disclose usernames and passwords. Pretext phone calls are also used for a variety of other nefarious purposes to support crimes, such as trying to defraud people for money with fake Microsoft support, claiming the people owe taxes and immediate payment is required, and false claims of needing medical insurance information from the elderly.
Another form of social engineering involves criminals creating USB drives loaded with malware. They place the USB drives in the vicinity of the target and hope that someone from the targeted organization will plug one of them into a computer inside the company. Clearly, this is a hit or miss type of social engineering, but if successful, it can be a very fruitful attack.
The takeaway from our discussion of social engineering is that while insiders may not intend to be malicious, they can be exploited by a malicious outsiders who can obtain insider-level access, both physically and technically. This has to be a critical consideration for any UIL mitigation strategy.
User Error
User error is a commonality within most of the other categories in this chapter. Some errors are more consequential than others. Some errors cause loss of life, which is sometimes the case in medical procedures and diagnoses. Other errors cause large losses of money. Many errors cause inconvenience. Some errors have no consequence at all.
In the other categories within this chapter, we assume error to be induced in part by other factors, such as confusing interfaces. In this section, we focus primarily on error due to carelessness or accidents. Users are human beings, and the fact is that they sometimes just make mistakes.
Many people who are overworked, underpaid, or otherwise not treated well are less motivated to avoid making errors. Other people may be distracted for a variety of reasons such as personal issues, medical conditions, lack of sleep, drug use, or similar issues. Sometimes, even good people can feel apathetic, overwhelmed, or pressured. All of this is to be expected. While you hope carelessness is not the norm, its gravity is more dire in some situations than others. Ideally, culture should help to assist in creating more attentiveness in situations where people have to perform at higher levels. Even in less critical situations, you can try to prevent carelessness as much as possible.
We classify accidents as being different than carelessness because even the best people in the best situations will make an error. For example, many users have experienced accidentally deleting a message instead of forwarding