UNDER CONSTRUCTION
IT Sabotage
Sabotage
Cyber-sabotage may designate two distinct classes of object:
The risk of cyber-sabotage,
An unsuccessful attempt
A cyber-sabotage incident.
A cyber-sabotage incident is a specialized form of insider threat incident (e.g.: sabotage represented 27% of insider attacks in Randazzo et al., 2005). Its distinctive characteristics are:
It is caused by an insider threat actor, called the saboteur.
The saboteur has the deliberate intention to cause harm to the organization's business operations, data, or information system / network (Randazzo et al., 2005). Causing harm may not be the only motive (financial gain being a common distinct objective), but to qualify as sabotage, causing harm must be an important objective of the inside attacker, if not the primary objective (Moore et al., 2008, https://open-measure.atlassian.net/wiki/spaces/BIB/pages/1628996151/Moore%2Bet%2Bal.%2B2008).
IT is instrumental in the incident’s sequence of events.
When successful, the incident effectively causes harm to the organization.
Cyber-sabotage incidents, like insider threat incidents in general, tend to be underreported to authorities because organizations have strong incentives to limit reputational harm by avoiding publicity about the event, and because the chances of obtaining reparation are low (Randazzo et al., 2005). For these reasons, statistics should be considered from a critical perspective. Statistics provided in this article are extracted from the studies referenced in the bibliographic section. These studies have several limitations (geographic location, underreporting, etc.). The statistics in this article are provided in parentheses with the mention “e.g.” to stress these limitations.
Most saboteurs had personal predispositions (Moore et al., 2008), including:
For general insider attacks, the insider’s planning behavior is noticeable in a number of cases (e.g.: 31% in Randazzo et al., 2005). More specifically for IT saboteurs, behavioral incidents seem to come to the attention of supervisors or co-workers before the sabotage takes place in a high number of cases (97% in Moore et al., 2008). Such incidents comprise:
Most often, technical precursors took place before the sabotage (87% in Moore et al., 2008), such as:
Building organizational resiliency against IT sabotage requires management to recognize the insider threat and to take a multi-disciplinary approach. The following countermeasures may contribute to the mitigation of IT sabotage (Moore et al., 2008):
The Time-bomb with money motivation case (Randazzo et al., 2005)
The sys engineer case (Randazzo et al., 2005)
The insider IT sabotage training (fictional) case (Moore et al., 2008)
Entourage and possibility of early detection:
19% were perceived as disgruntled employees before the incident. Concerning behavior was reported to the supervisor, incl. complaining about salary, outbursts at coworkers, isolation from coworkers (27%) (Randazzo et al., 2005)
Distinguished characteristics of incidents:
In a minority of incidents (e.g. 26%), the perpetrator used someone else’s identity (Randazzo et al., 2005)
Eve was enraged when, following her cloud migration project’s failure, her manager Bob told her she would receive a disciplinary sanction for her poor performance. Filled with bitterness, she coded a time bomb to wreak havoc on the corporate IT network. At that moment she didn’t realize that this cyber-sabotage would lead her to serve a 3-year prison sentence.
Insider Threat Hyperonym
IP Theft Co-hyponym
Logic Bomb Hyponym
https://open-measure.atlassian.net/wiki/spaces/BIB/pages/1628996151/Moore%2Bet%2Bal.%2B2008