This week I attended a Dagstuhl Seminar on Organizational Processes for Supporting Sustainable Security. This seminar at Schloss Dagstuhl was the third in a series on ‘Insider Threats’. The “insider threat” is cited in many studies as the most serious security problem threatening the sustainability of an organization’s security policy. Insiders have legitimate “inside” knowledge of, access to, and/or trust from an organization and its systems, and thus many traditional protection and detection approaches fail. The previous two seminars, in 2008 and 2010, concluded that it is becoming increasingly difficult to define exactly what an insider threat is, and the question was asked whether, in the era of massive, “always-on” network connectivity, the notion of “insider” is redundant in terms of system and organizational design. The concept of insider loses its meaning when organisational structures change dynamically (staff mobility, outsourcing, etc.), and the definition therefore needs to evolve and keep pace with the changing environment.
Although tackling the insider threat relies partly on computer science-based security solutions, it is clear that insider threats to computer systems involve more than just computers (people!). That is why the organisers chose to make this third seminar more explicitly multi-disciplinary than the previous ones, bringing in more ideas and experts from outside of computer science. This approach proved fruitful and allowed us to focus on processes and procedures that would actually work in the real world (sustainable, usable, etc.).
The three-day meeting started off with some provocations. Debi Ashenden (Cranfield University, UK) introduced a scenario on the military, describing how young soldiers pose insider threats by using social media while in a war zone. By often unwittingly over-sharing personal information or location information, soldiers can compromise their missions. Another provocation, introduced by Trish Williams (Edith Cowan University, Australia), focused on health care, pointing out that there is an explosion of mobile health (mHealth) and BYOD (Bring Your Own Device) which results in a blurring of healthcare devices and software, and has an impact on the insider threat.
During the seminar there were several break-out sessions in which the participants chose one of the provocations and brainstormed about how organisational processes could be designed to be resilient and sustainable from a security perspective. The technical people contributed engineering and computer science perspectives on resilience and sustainability, while at the same time social scientists reflected on those concepts from a human-centred perspective. Besides these multi-disciplinary activities (with lots of coloured markers, large sheets of paper, sticky notes, drawings and even an empty chocolate wrapper which symbolised something I can’t quite remember…) there were also interesting presentations. Hopefully the three intense days will result in some tangible outcomes. There are ideas for a book and some form of knowledge exchange on different research methodologies (yet to be decided). I, for one, am definitely looking forward to taking this further!