LinuxQuestions.org
Old 04-23-2004, 01:11 PM   #1
iainr
Attacks : 80% from the inside?


In this thread I questioned the idea that 80% of computer attacks are from internal sources and asked if there was a reliable source for this oft-repeated claim.

If you include accidental actions that result in a breach of security (e.g. user clicking on .exe attachment in email) then the 80% figure is easy to justify; but I always got the impression the claim was that 80% of attacks originated from inside the perimeter, rather than 80% were allowed to succeed by the carelessness/poor education of people inside the perimeter.

This is quite important because one of the questions when securing environments of any size is to what extent you trust your users and administrators. Most organisations end up giving a lot of trust to a lot of internal people, simply because it's easier.

If most attacks originate from inside the organisation then minimising that trust is a sensible policy. Sure, you need to educate people too, but educating criminals won't do much to stop them committing crimes : if they know more about your security setup it might even help them.

If insiders are merely unwitting dupes who permit external attacks, or accidentally break things, then education and training might be more appropriate. You'll want to use compartmentalisation as well, but you'd probably put more emphasis on education; especially as compartmentalisation of administrators is complex, expensive and can increase downtime (e.g. the right person isn't around to fix a problem).

So, which is it and what does the 80% figure really mean?

I have come across one firm bit of evidence which, whilst only indirect, does support the 80% figure as attacks originating inside. It applies to banks (i.e. large organisations where there is something worth stealing) and it relates to financial crime in general rather than computer crime.

The source is Ross Anderson's book "Security Engineering" (section 9.2.3).
Quote:
A recent [survey] by accountants Ernst and Young reports that 82% of the worst frauds in 1999-2000 were committed by employees; nearly half of the perpetrators had been there over five years, and a third of them were managers.
(Original source : D. Sherwin, "Fraud - the Unmanaged Risk", in Financial Crime Review v1 no. 1 (Fall 2000), pp67-69).

Can anyone else point me in the direction of hard information on this subject?
 
Old 04-25-2004, 08:43 AM   #2
unSpawn
I scanned a few from http://www.google.com/search?q=stati...insider+attack . Look at http://www.dciseries.com/documentati...ttacks_wp.pdf, http://www.systemdynamics.org/conf20...APERS/294.pdf, http://www.computercops.biz/article1507.html, http://www.chi-publishing.com/portal...Editorial.pdf, http://www.certconf.org/presentations/2003/Wed/WM3.pdf , they include some leads too. The two main problems are insider attacks going undetected and companies not exactly willing to submit 'em anyway.
 
Old 04-25-2004, 04:02 PM   #3
iainr
Thanks for the links. I've had a look at all of them and there's some very interesting stuff there - the last link is especially good.

On the issue of the proportion of insider attacks, I couldn't find any first-hand figures, but did find a number of figures quoted, including :

- InterGov : Insiders commit 80% of computer and internet related crime, average loss of $110,000 per incident.
- Gartner : Insiders commit 70% of cyber attacks, cost $20,000 or more per incident.
- E. Eugene Schultz : Proportion of insider attacks is probably overrated (original 80% figure comes from 17-year-old FBI report, somewhat out of date now). However, still high.
- Pricewaterhouse Coopers and Computer Security Institute : 70-80% of attacks from insiders.
- Meta Group/IDC - 51% of attacks from insiders.

The message seems to be that whilst there is little agreement (probably due to differing methods of asking - e.g. do you include confirmed attacks or guess at the total of all attacks), insider "attacks" either accidental or on purpose, make up a high proportion of total attacks and any large organisation should not ignore it.
 
  

