Securing the Extended Enterprise: A Method for Analyzing External Insider Threat

V. Nunes Leal Franqueira, A. van Cleeff, Pascal van Eck, Roelf J. Wieringa

    Research output: Chapter in Book/Report/Conference proceeding › Chapter › Academic › peer-review

    Abstract

    In extended enterprises, the traditional dichotomy between insiders and outsiders becomes blurred: consultants, freelance administrators and employees of business partners are both ‘inside’ and ‘outside’ of the enterprise. As a consequence, traditional controls to mitigate insider and outsider threat do not completely apply to this group of individuals, and additional or improved solutions are required. The ISO 27002 security standard, recognizing this need, proposes third-party agreements to cover security requirements in B2B relationships as a solution, but leaves open how to realize them to counter security problems of inter-organizational collaboration. To reduce this gap, this chapter presents a method for identifying external insiders and analyzing them from two perspectives: as threat and as possible mitigation. The output of the method provides input for further engineering of third-party agreements related to non-measurable IT security agreements; we illustrate the method using a manufacturer-retailer example. This chapter also provides an overview of the external insider threat, consisting of a review of extended enterprises and of challenges involved with external insiders.
    Title of host publication: Strategic and Practical Approaches for Information Security Governance: Technologies and Applied Solutions
    Editors: Manish Gupta, John Walp, Raj Sharman
    Place of Publication: Hershey, USA
    Publisher: IGI Global
    Pages: 195-222
    Number of pages: 28
    ISBN (Print): 978-1-46660-197-0
    Publication status: Published - Feb 2012

    Keywords

    • IR-79582
    • METIS-285203
    • Outsider
    • External Insider
    • EWI-19963
    • IT Security Agreement
    • Extended Enterprise
    • SCS-Services
    • Insider
