According to a new report sponsored by an IT performance management software vendor, federal agencies aren't spending as much as they should on battling internal threats — the kinds of threats the vendor's software is designed to help protect against.
But the recommendations were based on misleading interpretations of the results of the survey of 200 federal IT professionals who were asked about both internal and external threats and their security spending priorities.
"What was surprising was that they identified careless and untrained insiders as one of the biggest threats, where the investment was focused was on the external side," said Chris LaPoint, VP of product management at Austin-based SolarWinds Inc., the vendor that sponsored the survey.
He shouldn't have been surprised, since the question was rigged from the start.
Respondents were asked to pick, from a list of eight threats, the ones that concerned them (more than one could be chosen). Two of those eight threats were internal and six were external.
That is, respondents were choosing between malicious insiders and careless insiders on one hand, and six different external groups on the other — ordinary hackers, foreign governments, hacktivists, terrorists, for-profit criminals, and industrial spies.
Careless insiders had the most responses, at 53 percent, followed by the general hacking community at 46 percent, foreign governments at 38 percent, hacktivists at 30 percent, then malicious insiders at 23 percent, and finally terrorists, for-profit crime and industrial spies.
But using this question to demonstrate that careless insiders were the biggest threat was a case of comparing apples to oranges. The responses were spread across six external categories but only two internal ones; had insiders likewise been split into six categories, it is much less likely that any single one of them would have come out on top.
And, in fact, the implications that the vendor drew from this question — that federal IT professionals were more worried about careless insiders than anything else — were contradicted by other survey responses.
However, instead of admitting that the question was rigged to favor internal threats, LaPoint argued that there was another explanation for the contradiction.
"One might justify this discrepancy by posturing that malicious external threats are more damaging, even if they aren't the largest source of threats," he said.
One of those contradictory questions asked how much agencies' concern about particular threats increased or decreased over the past two years.
Concern about malicious external threats had increased for 81 percent of the respondents. Concern about malicious insiders had increased for only 52 percent, and concern about careless insiders for 53 percent.
Meanwhile, 69 percent of respondents reported increased spending to battle malicious external threats, while only 46 and 44 percent, respectively, reported increased spending against malicious and careless insiders.
"A greater proportion of respondents indicate concern and investment of resources has increased significantly or somewhat for malicious external threats relative to insider threats," confirmed Laurie Morrow, the analyst at Market Connections who oversaw the study. "Investment in resources lags slightly behind concern for all three categories of threats."