Channel: SecurityCurve » Blog

Insider Threats: Similar data, different conclusions


[Note: edited on 4/18 to fix ridiculous basic math error]

Today, I came across two different surveys about insider threats.  What was interesting to me is that the data was similar, but the conclusions reached were almost polar opposites.  I’ll highlight them to you in the order that I discovered them.

The first one comes ultimately from a survey conducted by LogRhythm, but I came across it by way of coverage in CSO. Check out the coverage in that venue [underlining mine]:

Although insider threats to data security remain a serious problem, the word apparently hasn’t made it up the corporate food chain in the UK. Survey results released recently by the UK office of network security provider LogRhythm, headquartered in Boulder, Colo., found that nearly half (44 percent) the 1,000 employers polled said they trusted their employees not to access confidential documents or steal data from them.

Since 44% did trust employees, the implication has to be that 56% did not so trust — in other words (paraphrasing) that they viewed employees as risky.  The conclusion drawn from this in the associated analysis is that this number is too low: that organizations are overly complacent about employee behavior because they have this “high” level of trust.  Now hold that thought for a moment.

The second piece comes from a survey from AlgoSec (warning: PDF), although I came across it by way of HelpNet.  From the latter [underlining mine]:

The greatest risk is from within

Two-thirds of respondents (64.5 percent) rated insiders as the greatest security risk. Roughly the same proportion of respondents (66 percent) expressed concern that allowing employees to “bring your own device” increased the risk of security breaches.

Paraphrasing, ~65% viewed insiders as risky (in fact, the greatest risk).  The conclusion in the associated analysis is that, “Insider threats are the greatest concern…”  and that organizations are (and should be) on the verge of near panic about it.

The difference between these two data points is ~11%… and the questions asked were similar.  That’s actually pretty interesting and increases the overall confidence in the accuracy of the data point. But the conclusion?  Conclusion A is that “employers are in denial”; conclusion B is that it’s the “greatest concern.”  It can’t be both – at least not without some qualification of the exact dynamic so that we can understand why it’s possible for it to be both.   

Look, my point isn’t to “do down” any of this work.  In point of fact, any reliable data (no matter the source) is good data in my opinion and both of these reports are interesting, informative, and useful barometers of something going on in industry.  But in terms of the purpose that we put that data to, I do think it’s healthy to be critical in how we view it.  Why?  Because how we digest, interpret, and reconcile the data with preconceived views can mean the difference between “true” and “false” – or between what might otherwise seem like polar opposites.     

Image source: warmnotes.com

<The views presented are my own and do not necessarily reflect those of my employer.>

