The management of insider threats is a complex and often under-thought process - people who work on it appreciate the subtlety and the difficult trade-offs. Some who don’t work on it assume it is straightforward. Let’s unpack it.
As the name implies, these people go bad over time before perpetrating malicious actions that are usually small at first and progressively larger. They can be caught by detecting some “disturbance in the force” (h/t @taylopet for this phrase in this context).
As the name implies, these can happen without warning and without pre-signaling. As they say in the trade, “if you hear the boom they’ve already missed you.”
- reducing access to what is reasonable for the role
- further redesigning the role so that it needs fewer privileges
- adding separation of duties or multi-party control
- adding circuit breakers to reduce the scale of potential damage
- adding temporal breakers to delay invocation of activities (time to reverse) or to enforce time between progressions of activities (time to intervene)
- prohibiting direct changes to environments and using policy control to mediate change
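As an added illustration of how several of these controls combine in one change-mediation gate (this is example code written for this page, not the author's own tooling): a privileged action is never executed directly; it is submitted as a request, checked against a role allowlist (least privilege), must be approved by people other than the requester (separation of duties / multi-party control), sits through a hold period during which it can be cancelled (temporal breaker, time to reverse), and is refused once too many changes have executed in a window (circuit breaker). The roles, actions, thresholds and timestamps are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical role-to-action allowlist (least privilege); constructed for this example.
ROLE_ALLOWED = {
    "db-operator": {"rotate-credentials", "restart-replica"},
    "release-manager": {"deploy", "rollback"},
}


@dataclass
class ChangeRequest:
    request_id: int
    requester: str
    role: str
    action: str
    submitted_at: datetime
    approvers: set = field(default_factory=set)
    cancelled: bool = False
    executed_at: Optional[datetime] = None


class ChangeGate:
    """Mediates privileged changes instead of letting anyone apply them directly."""

    def __init__(self, required_approvals=2, hold=timedelta(hours=1),
                 max_executions=3, window=timedelta(hours=24)):
        self.required_approvals = required_approvals  # multi-party control
        self.hold = hold                              # temporal breaker: time to reverse
        self.max_executions = max_executions          # circuit breaker: cap per window
        self.window = window
        self.requests = {}
        self.executed = []                            # timestamps of executed changes
        self._next_id = 1

    def submit(self, requester, role, action, now):
        # Least privilege: the role must be allowed to request this action at all.
        if action not in ROLE_ALLOWED.get(role, set()):
            raise PermissionError(f"{role} may not request {action}")
        req = ChangeRequest(self._next_id, requester, role, action, now)
        self.requests[req.request_id] = req
        self._next_id += 1
        return req

    def approve(self, request_id, approver):
        req = self.requests[request_id]
        # Separation of duties: the requester can never count as an approver.
        if approver == req.requester:
            raise PermissionError("requester cannot approve their own change")
        req.approvers.add(approver)
        return len(req.approvers)

    def cancel(self, request_id):
        # Anyone watching the queue can pull a change during the hold window.
        self.requests[request_id].cancelled = True

    def evaluate(self, request_id, now):
        req = self.requests[request_id]
        if req.cancelled:
            return "deny: cancelled during hold"
        if req.executed_at is not None:
            return "deny: already executed"
        if len(req.approvers) < self.required_approvals:
            return f"deny: {len(req.approvers)}/{self.required_approvals} approvals"
        if now < req.submitted_at + self.hold:
            remaining = req.submitted_at + self.hold - now
            return f"deny: hold active, {int(remaining.total_seconds())}s remaining"
        recent = [t for t in self.executed if now - t < self.window]
        if len(recent) >= self.max_executions:
            return "deny: circuit breaker tripped"
        return "allow"

    def execute(self, request_id, now):
        decision = self.evaluate(request_id, now)
        if decision == "allow":
            self.requests[request_id].executed_at = now
            self.executed.append(now)
        return decision


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    gate = ChangeGate()
    req = gate.submit("alice", "db-operator", "rotate-credentials", t0)
    print(gate.evaluate(req.request_id, t0))                          # not enough approvals
    gate.approve(req.request_id, "bob")
    gate.approve(req.request_id, "carol")
    print(gate.evaluate(req.request_id, t0 + timedelta(minutes=30)))  # hold still active
    print(gate.execute(req.request_id, t0 + timedelta(hours=1)))      # allow
```

The hold window is what turns a purely preventive control into a detective one as well: every pending request is visible to the people who could cancel it, so an unusual change has to survive scrutiny before it lands, and the circuit breaker bounds how much damage a burst of approved-but-wrong changes can do before someone intervenes.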