Why People Leak Data
A question that some people find difficult to understand is this: What are the motivating factors that drive insider data leakage? What drives employees to voluntarily divulge information about the organizations that support their livelihood?
While this question is probably better answered by a psychologist, some in the information security industry rely on a strategy called the "MICE" principle to help determine why a person may act inappropriately.
The MICE principle simply suggests that a person's actions are always driven by one or several of the following: Money, Ideology, Coercion, or Ego. It becomes easier to understand how each can be a motive for data leakage when put in the context of a weak economy.
Money drives most of our actions, and the potential of an easy payday for providing pieces of information that on the surface seem innocuous may not cause a moral dilemma. A weak economy only exacerbates the issue as people may be struggling to make ends meet.
Individuals who are approached to participate in inappropriate activity for monetary advancement often find ways of convincing themselves that the actions they are taking do not impact the organization or believe that it is owed to them for services rendered.
Individuals who act out against an organization for their own personal beliefs or political views are very difficult to identify and are able to cause extensive damage through their actions.
If people have deep-rooted beliefs that their actions are just, it's likely that they are not as concerned with hiding their activity. In some cases, they may attempt to make a statement by leaking significant amounts of information with little concern for the consequences.
Some argue that the recent case of alleged data leaker Bradley Manning falls into this camp and is an example of how ideology, among other factors, has led to one of the most significant data leak events in recent history.
Coercion, like social engineering, is often a component mixed in with many other elements to lure an individual into unwittingly participating in actions that they would not normally perform. In extreme cases, a person can be extorted into being a participant in activities, while in other situations a pretty woman's smile can sway an individual's assistance.
Throughout the years, there have been numerous examples of how people in positions of power were easily coerced or tricked into providing information. A good example was demonstrated by Ryan Thomas, a security researcher, at the 2010 Black Hat security conference.
Ryan created a false persona of an attractive young woman named Robin Sage and posted it on the social media site LinkedIn. Several hundred friend requests were sent to high-profile government and industry leaders. Ryan stated that the social experiment was to determine whether people could be manipulated into accepting connection requests or would divulge sensitive information to a person they did not know.
The details of the experience can be found here and are an excellent read. Ryan's experiment was very successful in getting people to accept requests from the fake identity, including individuals from the Joint Chiefs of Staff and even a ranking member of the National Security Agency (NSA). What Ryan's experiment teaches us is that even people trained to keep secrets can be easily coerced in the right situation.
Egos are a funny thing. We all have them, and occasionally they get the better of us. Ego can cause people to act out against an organization's best interests when there is a belief that they have been wronged or cheated. The stresses of a weak economy can also play havoc with a person's ego.
As our sense of self-worth is challenged because of financial problems or related issues, we may find our tolerance and judgment begin to falter. Law enforcement and information security professionals alike often use indicators of a person's ego to determine likely behavior and potential issues.