The Insider Threat

How many times have you heard it? Insider threat makes up 75% of cyber attacks. Or, is it 80% ? Or 85%?

Enough already! I can't take it any more!

I first heard this 10 years ago as a fledgling infosec geek from a company called Trident Data Systems who quoted a government study pegging the number at 80%. Since then I've heard this type of statistic quoted at anywhere from 50% to 90%. Studies and surveys seem to post lower, but similarly diverse, numbers.

So, I'm getting a wee bit weary of hearing people quoting this apocryphal statistic, passing it around. So much so that now I have to coin a new term: "urban statistic."

...On the other hand, being able to play the FUD card at any time is kind of handy. Why analyze threats and risk and apply appropriate controls? That's too hard. It's so much more fun to just scare people. F-U-D -- that spells "security"!

And besides, everyone knows 90% of all statistics can be made to say anything....

50% of the time.