Book Review: Insider Threats
Insider Threats. Edited by Matthew Bunn and Scott D. Sagan. Cornell University Press; cornellpress.cornell.edu; 216 pages; $89.95.
A collection of essays and case studies that originated in two workshops sponsored by the Global Nuclear Future Project of the American Academy of Arts and Sciences in 2011 and 2014, Insider Threats focuses on protecting the nuclear industry—but its lessons apply across many sectors.
The case studies are fascinating. A chapter devoted to the Fort Hood terrorist attack shows how changes in mission and procedures allowed information about the perpetrator to slip through the cracks. Instead of capturing warning signals, the systems scattered them.
Similar lessons were learned from the post–9/11 anthrax attacks in the United States. The author says that the suspect gained access to anthrax through “a complicated mix of evolving regulations, organizational culture, red flags ignored, and happenstance.”
A real strength of this book is its root-cause analysis approach. Blame is rarely laid at the feet of incompetent people; it is instead assigned to other factors, such as the unintended consequences of organizational design and known psychological tendencies.
The last chapter brings together all the lessons learned and cites 10 worst practices. For example, number seven is: “forget that insiders may know about security measures and how to work around them.” This chapter will be the most valuable to security practitioners because it offers a roadmap towards building an insider threat mitigation plan.
Insider Threats is well written, even literary. Its chief lesson: organizations are rarely designed to catch the insider, and much work needs to be done to protect them.
Reviewer: Ross Johnson, CPP, is the senior manager of security and contingency planning for Capital Power, and infrastructure advisor for Awz Ventures. He previously worked as the security supervisor for an offshore oil drilling company in the Gulf of Mexico and overseas. Johnson is the author of Antiterrorism and Threat Response: Planning and Implementation.