Keeping computer records safe, avoiding identity theft and preventing spam no longer come down to using cutting-edge technology -- they now involve psychology and the courts, according to local computer security experts.
"All of our research so far has involved psychologists and technical experts," said Dawn Cappelli, team leader for insider threat research in the CERT program of the Software Engineering Institute at Carnegie Mellon University. "We just feel there is no way to solve the problem without looking at both sides."
One of the fastest-growing concerns facing the computer security industry is "insider threat," or risks posed by employees or contractors with access to an organization's systems and networks.
CERT has worked with the U.S. Secret Service to survey computer security risks. Last year, 55 percent of almost 500 organizations surveyed by CERT reported at least one problem with malicious activity from someone on the inside, up from 39 percent in 2005.
"What we're looking at is either current or former employees or contractors who have or have had authorized access to a company's systems and misused that access to commit some sort of malicious act, like fraud or stealing confidential information or (information technology) sabotage where they actually bring down the system," Cappelli said.
In addition to examining system flaws that permit such activity and technological ways of preventing it, CERT is using psychologists to "look at the behaviors that insiders exhibited before they committed the attacks," she said.
CERT has found that such fraud is usually committed by technologically savvy employees who suddenly become very disruptive, start coming in to work late or not at all, don't get along with co-workers and sometimes exhibit aggressive physical behavior.
When employers suspect an insider threat, they should call law enforcement authorities and not try to investigate it themselves because they could inadvertently destroy or contaminate evidence, Cappelli said.
Spam is another growing problem that cannot be prevented with technology alone, said James Joshi, co-founder and coordinator of the University of Pittsburgh's Laboratory of Education and Research on Security Assured Information Systems.
"Definitely the legal framework has to be there," Joshi said. "You cannot really prevent something like spam with just technical solutions."
Securing personal information is increasingly falling on individuals, Joshi said.
When entering personal information into a computer database, such as an online banking Web site, people should use companies with security measures such as a particular picture that appears when they log in or prompts to answer questions that only the individual should know the answer to. This is called "multiple factor verification."
The computer security industry is likely to continue growing, Joshi said. Pitt is part of a national program to increase the number of graduates who will enter the industry.
"We need to make sure we generate a larger work force focused on preparing future generations for the computer security risk," he said.