External Insider Threat: a Real Security Challenge in Enterprise Value Webs

V. Nunes Leal Franqueira, A. van Cleeff, Pascal van Eck, Roelf J. Wieringa

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    13 Citations (Scopus)
    699 Downloads (Pure)


    Increasingly, organizations collaborate with other organizations in value webs with various arrangements, such as outsourcing, partnering, joint ventures, or subcontracting. As the Jericho Forum (an industry consortium of the Open Group) observed, in all these forms of collaboration, the boundaries between organizations become permeable and, as a consequence, insiders and outsiders can no longer be neatly separated using the notion of a perimeter. Such organizational arrangements have security implications because individuals from the value web are neither outsiders nor completely insiders. To address this phenomenon this paper proposes a third set of individuals, called External Insiders. External insiders add challenges to the already known insider threat problem because, unlike outsiders, external insiders have granted access and are trusted; and, unlike traditional insiders, external insiders are not subjected to as many internal controls enforced by the organization for which they are external insiders. In fact, external insiders are part of two or more organizational control structures, and business-to-business contracts are often insufficiently detailed to establish security requirements at the level of granularity needed to counter the threat they pose.
    Original languageUndefined
    Title of host publicationProceedings of the Fifth International Conference on Availability, Reliability and Security (ARES'2010)
    Place of PublicationLos Alamitos
    Number of pages8
    ISBN (Print)978-0-7695-3965-2
    Publication statusPublished - 2010
    Event5th International Conference on Availability, Reliability, and Security, ARES 2010: The International Dependability Conference - Andrzej Frycz Modrzewski Cracow College, Krakow, Poland
    Duration: 15 Feb 201018 Feb 2010
    Conference number: 5

    Publication series

    PublisherIEEE Computer Society Press


    Conference5th International Conference on Availability, Reliability, and Security, ARES 2010
    Abbreviated titleARES
    Internet address


    • Business-to-Business (B2B) contracts
    • IR-69327
    • METIS-270697
    • Value Web
    • EWI-16493
    • Risk Management
    • Extended Enterprises
    • SCS-Services
    • Security Metrics

    Cite this