Open Sources: The devil you know
by Lewis Z. Koch

Computer attacks are a people problem. Computers do not attack other computers. Granted, insecure software and careless network designs often make the criminal's job easier, but behind every break-in, a human finger is pressing a key. So it stands to reason that to prevent computer crime, you must first identify the probable computer criminal -- and the likely suspect is not your stereotypical hacker.

Rather than the Hollywood version of a computer criminal, experts say an attacker is more likely to be that guy off to the side, over there in the cubicle, the disheveled loner who packs a brown bag lunch or eats by himself in the cafeteria, the one who's always muttering to himself. He may be perfectly harmless, but you never know. He may also be seething, furious, miserable that some clueless suck-up -- maybe even you -- has been promoted over him. He's in a white-hot rage against the unfeeling, megalithic company that pays his salary.

Savvy shrinks

In a paper published in the July issue of Information Security magazine, three experts in psychological profiling offer case histories of malcontented insiders who attacked their companies through their computer systems. Eric Shaw, managing partner of Political Psychology Associates/Information Security in Washington, D.C., is a clinical psychologist with several years specializing in profiling of individuals and groups for the CIA. Dr. Jerrold Post, a principal in the same firm, is a psychiatrist and founder of the CIA's Center for the Analysis of Personality and Political Behavior, now at George Washington University. Kevin Ruby is a research analyst specializing in group terrorism dynamics.

They tell, for example, of the systems administrator at a hospital who, hearing a rumor that she might be fired, encrypted all patient records. She blackmailed her way to a comfortable severance package with no prosecution. Presto! -- files decrypted. And then there was the case of a praise-starved systems administrator who created computer outages that only his "brilliance" could cure.

What distinguishes the work of Post, Ruby and Shaw is their subtle understanding of insiders and their capacity to do far more damage than any pimple-faced computer kid ever dreamed possible. Insiders, the authors say, are typically introverts who seldom bring attention to themselves. They "prefer to work independently, tend to resist authority and worry less about the opinions and agendas of others."

They are also "more likely to become stressed and disgruntled at work, and, when this happens, less likely to handle the resulting emotional effects in a constructive manner."

Portraits of bad guys

The authors, to their credit, are able to distinguish important, though often subtle differences among these insiders. They offer this taxonomy of perpetrators:

Explorers and Samaritans are people who like to probe and poke the system -- and perhaps discover and fix flaws.

Hackers ("cracker" would have been the more accurate word to have chosen) penetrate a system just because they can. A subclass in this group, the authors write, is Golden Parachuters -- those who set traps or logic bombs and defuse them in exchange for severance pay.

Machiavellians engage in sabotage or espionage to further their careers. Subcategories include "exceptions" -- people who believe the rules apply only to less gifted employees -- and "proprietors," who believe that they alone "own" the systems entrusted to them.

The three also describe "avengers" (needs no explanation); "career thieves" (any questions?); and finally "moles," whom the authors describe as "individuals who enter a company for the purpose of stealing trade secrets and other information assets for a competing company, outside group or foreign country."

It takes a highly motivated company to develop sophisticated personnel security systems capable of distinguishing and defending against this range of attackers. Catching insiders is no easy job. Even institutions as security-conscious as the FBI and CIA have been attacked by insiders who wound up doing extensive damage. Remember Aldrich Ames? If these agencies' counterespionage techniques, psychological profiling and lie detector tests can't prevent attacks, how can a company expect to safeguard itself? The answer is that it can't. But the authors say that companies can use various ways to at least reduce the threat.

Simple steps, complex pathways

By its nature, the lifestyle of an introvert doesn't draw attention. As a rule, these quiet loners prefer to communicate misery in their work and life by means of online communications rather than face-to-face with a mental health professional. One solution might be to set up a network bulletin board and chat rooms to enable employees to register complaints and vent their anger about work-related setbacks or stress. A more complex undertaking may be a serious full-scale risk evaluation of the company's employee path "from recruitment to departure, in order to determine how (or if) your personnel-security system helps prevent, deter, detect and manage risk." That is not an easy undertaking, since there are bound to be a wealth of bureaucratic nooks and crannies throughout the company designed to maintain the status quo -- even as millions of dollars are being siphoned off by employees for any number of rationalized good reasons.

The problem with people

New Scientist writer Alison Mitchell says people's brains are "wired." But, while we can observe the physiological characteristics of the central nervous system, we still don't know if, or why, any individual is going to move left or right, or do right or wrong. Human beings are messy and chaotic. They do not boot up and they're not made up of zeros and ones. Brains don't crash or go black. No computer or electrical impulse-detector can discover a thief; no neural receptor will ever hunt down a human mole. Only another human being -- one who rationally assesses risk and responsibly acts on that assessment -- can prevent damage. Not all the time, to be sure, but maybe often enough to stem the tide of illicit attacks. Like I said -- it's a people problem.

Lewis Z. Koch has been an investigative reporter for over 30 years. He can be reached at lzkoch@attbi.com.
