Ira Winkler - You CAN Stop Stupid

Here you can read online an excerpt of the e-book «Ira Winkler - You CAN Stop Stupid» free of charge and, after reading the excerpt, buy the full version. In some cases the audio can be listened to, the book can be downloaded via torrent in fb2 format, and a brief summary is provided. Genre: unrecognised, in English. The description of the work (preface) and visitor reviews are available on the LibCat library portal.

You CAN Stop Stupid: summary, description and annotation

We offer the annotation, description, summary or preface (depending on what the author of «You CAN Stop Stupid» wrote). If you have not found the information you need about the book, write in the comments and we will try to find it.

Stopping Losses from Accidental and Malicious Actions

Around the world, users cost organizations billions of dollars through simple errors and malicious actions. Organizations conclude that there is some deficiency in the users and, in response, believe that they have to improve their awareness efforts and produce more secure users. This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or have malicious intent, and that the failure lies in not planning for that. It takes a holistic approach to assessing risk, combined with technical defenses and countermeasures, layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst of the cybersecurity breaches and other user-initiated losses. Using lessons from tested and proven disciplines such as military kill-chain analysis, counterterrorism analysis, industrial safety programs, and more, Ira Winkler and Dr. Tracy Celaya's You CAN Stop Stupid provides a methodology to analyze potential losses and determine appropriate countermeasures to implement.

Minimize business losses associated with user failings
Proactively plan to prevent and mitigate data breaches
Optimize your security spending
Cost-justify your security and loss reduction efforts
Improve your organization's culture

Business technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.

You CAN Stop Stupid: read the excerpt online

Below is the text of the book, divided into pages. The system for saving the last page read lets you conveniently read «You CAN Stop Stupid» online for free without having to search each time for where you left off. Set a bookmark and you can return at any time to the page where you stopped reading.


The Pentagon renovations were specifically designed to prevent hostile attacks, but they also prepared for other forms of physical damage. Similarly, other building construction often takes into account fire and earthquake protection.

People often think of planning for physical loss in terms of their own immediate organization, but it extends beyond that. If a cloud computing center isn't adequately air-conditioned, the servers can be damaged, affecting an organization's data. To prevent that type of loss, the organization needs to consider not only its own immediate physical assets but those of users in partner organizations as well.

Huge, dramatic losses get a lot of attention, but seemingly small losses accumulate quickly and can be even more damaging. This is what we refer to as "death by 1,000 cuts": small, seemingly inconsequential losses that add up to significant ones. International grocery chains operate on a tiny profit margin. Their meat, produce, deli, and dairy products are highly perishable and have a limited shelf life. Those are physical assets, and any increase in their loss can drastically damage the company's profit. To safeguard that product against loss, many factors need to be considered, such as proper training of employees on stock rotation and inventory control, regular maintenance of refrigeration units, and partnering with vendors that will provide the freshest, most reliable product possible.

If an organization has a fleet of delivery trucks, those trucks age. If you don't regularly change the oil, you replace expensive engine parts more quickly. If you don't occasionally balance and rotate the tires, they wear unevenly, and you buy expensive truck tires more often. When equipment wears out and needs to be replaced, that is still a physical loss, and it can be planned for and minimized.

Also consider that people exist physically and thus are themselves physical resources. If an organization has a high turnover rate, it enters into a constant cycle of acquiring and training new employees. Even if employee retention isn't a problem, it is important to maintain the condition of your people just as you do any other physical resource. For example, one study found that 98 percent of medical residents made a medical error, in large part because of the lack of sleep incurred by their required and strenuous schedules (see journalofethics.ama-assn.org/article/after-apology-coping-and-recovery-after-errors/2011-09). Organizations that use trucks or airplanes perform oil changes, tire inflation, and other routine maintenance on their vehicles to keep them working efficiently as physical components in the system. Similarly, regularly addressing processes, culture, and training maintains an organization's physical users to maximize their efficiency and effectiveness, thereby reducing loss.

To properly mitigate a physical loss, you need to consider what physically exists and how to best safeguard it. Often, this needs to be done in conjunction with addressing other categories that contribute to loss as well, such as training, processes, culture, and so on.

Crime

Criminal acts are unfortunately a part of business operations that need to be accounted for. There are many types of crime that affect an organization. Some crimes involve the theft of equipment. Others involve embezzlement of money. Still others include a robbery of an employee traveling for work or a robbery intended to steal company assets. Whatever the type of crime, it should be accounted for in your risk reduction programs.

Some users can be malicious and have clear intent to cause loss, while others are normal users who simply want to perform their ordinary functions. Regardless, both are frequently a conduit for crime. The studies cited in Chapter 1, “Failure: The Most Common Option,” indicate that in the majority of significant computer-related losses, users were the primary attack vector. This impacts the tactics you need to use to mitigate the threats.

From a more comprehensive perspective, crime impacts a variety of operations. Disrupted supply chains, depending on their nature and scope, can cause operations to cease. Theft of funds can cripple an organization's cash flow, which can cause an organization to go bankrupt. Data theft involving intellectual property can cause organizations to go out of business, particularly when it enables competitors to make the same products at significantly lower cost. Data theft involving personally identifiable information (PII) can cause significant fines and embarrassment for an organization.

In general, all of these crimes involve another category of user-initiated loss (UIL) as well, such as physical loss, computer usage, or user error. UIL in the criminal category requires specific consideration of how you can stop the attack from reaching the user and how you can mitigate the loss resulting from the crime.

For example, if you know criminals may attempt to steal equipment from traveling employees, you can perform awareness campaigns to ensure that users know how to best protect the equipment during travel. If you assume that at least one user will inevitably fail to protect the equipment, you know to encrypt devices and enable remote data deletion capabilities, also known as wiping. You may also provide the employee with travel equipment that stores only the data needed during the trip. Acknowledging that crime is a possibility allows you to prepare countermeasures that might not otherwise be considered.

All organizations have exposure to varying levels of criminal activity. If you consider how to mitigate UIL from any perspective, you can solve most of the problems, as users still have to initiate the loss. Then you can focus on addressing the finer points.

A couple of types of crime that warrant additional scrutiny are user malice, which is generally an internal attack, and social engineering, which is commonly an external attack. The following sections will examine these types of crime more closely.

User Malice

Malice is the intent to cause loss to an organization. User malice can take many forms. Sometimes it simply involves theft for personal gain. This theft can be money, physical equipment, data, other valuables, and so on.

Other times people are motivated to cause loss out of revenge for a variety of perceived wrongs. Many organizations are notorious for poor working conditions or their general mistreatment of employees, and it is inevitable that some employees may act out. In these instances, the people might commit theft, destroy property or data, or sabotage the organization's processes or reputation to reduce sales, productivity, or efficiency.

According to Dr. Martha Stout in her book, The Sociopath Next Door (Harmony, 2006), sociopaths make up approximately 4 percent of the population. The FBI estimates that an additional 1 percent of the population are psychopaths (see www.leb.fbi.gov/articles/featured-articles/psychopathy-an-important-forensic-concept-for-the-21st-century). Combined, this means that 5 percent of the population might do harm if given the opportunity. This can take the form of the previously discussed personal gain or revenge. However, some of these people sometimes create damage simply for their personal entertainment.

Frequently, malicious users may work with outsiders. Malicious users can solicit the support from the outsiders to assist with their acts. Alternatively, they can facilitate the crimes of outsiders who approach them. There are a variety of reasons for both scenarios. Whatever the scenario, it is important that you acknowledge it as a possibility.

NOTE: Not all user malice comes from greed or hostility. Some users are coerced or manipulated by outside parties. Others find themselves in a desperate financial situation and perform actions that they normally wouldn't. It is important to recognize that it isn't only disgruntled users who can become malicious users.

