Summary form only given. The observations that security is not an add-on feature and that insiders pose a considerable security threat have both been familiar in the security community for a long time. Attempts to deal with insider threats are not new either. Relevant techniques such as separation of duties are part of the standard toolset of security practitioners. However, it may well be true that in the past most countermeasures against insider threats belonged to the social and not to the technical domain. With increasing automation and IT support for business processes, this approach is reaching its limits, as are approaches that just add on IT security to business processes. This talk will argue that defending against insider threats is in fact just one aspect of designing secure organisational (business) processes, and that one has to start at the design of the processes within an organization to make progress in dealing with insider threats.