Slashdot Mirror
Study Show Link Between IT Sabotage, Work Behavior
narramissic writes "According to recent research by the U.S. military and CERT, workers who sabotage corporate systems are almost always IT workers who are disgruntled, paranoid, generally show up late, argue with colleagues, and generally perform poorly."
Interesting article. Unfortunately since most companies never wise up about security, its probably in the companies best interest to recognize the needs of IT workers instead of being even more paranoid about them. I used to work as a system administrator at a company where most of us where disgruntled due to the lack of progress of the company and poor leadership, then things got worse when the new owner of the company stopped trusting the admins for no good reason. This created a situation where long time employees started taking the attitude of "This company wouldn't survive for a month without me here". Amazingly, companies like this do survive the departure of their best employees.
I think that this 'study' needs to be included on this list.
There are shills on slashdot. Apparently, I'm one of them.
workers who sabotage corporate systems are almost always IT workers who are disgruntled, paranoid, generally show up late, argue with colleagues, and generally perform poorly.
Maybe they just want their red stapler back.
The theory of relativity doesn't work right in Arkansas.
So fired...
Trouble making decisions? Just flip for it.
*Cough* IT people are also likely to know *how* to properly sabotage computers for the maximum effect....
Let's see... the study shows that people who are fired generally are considered by their employers to have performed poorly...
This is groundbreaking!
"In God we trust, all others we monitor." -- Unofficial NSA motto
Wow. That's odd. I would've figured IT workers who sabotage corporate systems would be the workers who are happy, secure, generally show up on time, work well with colleagues, and generally perform superbly. Goes to show you that logic doesn't always pay off. (I'm ready for the Troll/Flamebait mod guys :)
but I also happen to be far too lazy to do any of that shit.
I think the point of this study is that management doesn't have to be paranoid about normal IT people abusing the trust the organization has placed in them. The people truly likely to cause harm will broadcast that fact clearly in advance through egregious behavior.
org.slashdot.post.SignatureNotFoundException: ewg
If they'd turned up on time, were cordial with their colleagues and performed better, they'd never have been caught.
Disgrutled = Forced to install Notes
Paranoid = Forced to sit next to Notes Server all day waiting for the memory leak to take over
Late = Due to sleep deprevation from having to go in at 2am to reboot the Notes Server
Argumentative = Caught whispering "Exchange, bitches." under his breath
Poor Performer = Changed Cert ID password to "Fuck Notes"
Whats not to understand?
The flip side is that the fastest way for management to make a worker into someone who's disgruntled, paranoid, shows up late, argues all the time and performs poorly is to treat them like a potential problem. You're giving people privileged access, either you trust them and thus don't need to worry until after they start showing obvious signs, or you don't trust them in which case why are you giving them privileged access in the first place?
To be honest, I think if you have to worry about abuse of privileged access after termination then you have a more fundamental problem that no access-management system will solve. After all, if you can't trust someone to behave professionally after you've given them their 2-weeks' notice then what makes you think you can trust them to behave professionally before that?
The openly disgruntled will cause trouble when they leave.
the quiet meek ones will come in with automatic weapons and start "cutting expenses" when they leave.
I fear the quiet meek ones. They frighten me.
Do not look at laser with remaining good eye.
Well, I think those are just symptoms of some nasty disease. If you've got people like that onboard - it's important to find out the causes and do what can be done to improve their workday.
I had a boss at (insert large corporation) who disrespected me, never allowed me to be challenged, set me up on a doomed project on my second week of work with people who didn't understand the business - and generally pissed me off. I was cussed out by the CIO and his Italian mobster friend who claimed to be a business manager.
After the second month I would have fit into most of those categories - simply because of the experience I'd had. I decided that my boss didn't deserve anything other than what was in my job description. I proceeded to immerse myself in the codebase, business, and financials. After a couple of months I was answering questions in meetings which the original developers didn't even know.
There on out, I involved myself in other projects, got involved in design and generally worked my way past my boss - though he was still my boss until he was layed off.
In the end, I was one of the architects. All the people who made my life miserable were fired, left, or otherwise shown the door. They caused millions of dollars in losses - and I made the company millions.
Moral of the story: Sometimes it's management.
I said no... but I missed and it came out yes.
If you ever worked with Notes, you would thank Microsoft everyday for Exchange.
This article stinks. Macleod concluded: "So as far as doing the right thing, I'd suggest that you start from the basis that your IT staff are the biggest risk to your organization's security, and if anyone of them disputes this, remember that arguing with colleagues was one of the clear signs of an impending attack. I wouldn't recommend taking that attitude with ANY branch of your organization unless you're looking for a fight. Oh no! I might be one of them!
The last few paragraphs of the article are more-or-less unedited PR hype from a vendor:
"According to security management vendor Calum Macleod of Cyber-Ark..Macleod's solution is password management....'If privileged password management is not on your shopping list in 2007 it may already be too late.'"
This is preceded with a 'people who say you shouldn't buy my product may already be criminals':
"'if anyone of them disputes this, remember that arguing with colleagues was one of the clear signs of an impending attack.'"
I can't believe this ran! This reporter was shockingly lazy.
I believe we've all seen this recent memo from HR, to all IT department staff: 'Floggings will continue until morale improves!'
But seriously, you could swap IT for any discipline and come up with the same bullet-point: "Study Shows Link Between Grounds Keeping Sabotage, Work Behavior" - so what's the point? Just because I hold your entire work history in my shaky, sweaty hands doesn't mean I will automatically go postal and cause trouble for you and your unborn grandchildren. A cafeteria worker can spit in the soup. A parking security wanker can key your new Astro. A disgruntled department head can arbitrarily black mark a borderline performance appraisal.
Screw this generalized dust-kickup of a 'study' and go talk to anyone you think just needs someone to listen. If they tell you they "can't talk...busy...voices said time to clean my guns", then you might want to restrict their security access for a while. Otherwise, treat them like humans and stop watching for signs the sky is getting ready to fall.
And I said, I don't care if they lay me off either, because I told, I told Bill that if they move my desk one more time, then, then I'm, I'm quitting, I'm going to quit. And, and I told Don too, because they've moved my desk four times already this year, and I used to be over by the window, and I could see the squirrels, and they were married, but then, they switched from the Swingline to the Boston stapler, but I kept my Swingline stapler because it didn't bind up as much, and I kept the staples for the Swingline stapler and it's not okay because if they take my stapler then I'll set the building on fire...
According to the research, 86 percent of those who committed cybercrimes held ...
That's nearly useless information. By analogy, nearly 100% of rapists are male, yet very few males are actually rapists.
What about workers who are routinely abused? Workers who are pushed to make themselves desperate (financially desperate, usually) to keep the job so they can be treated like slaves, and who are then forced to work long hours for no extra pay because they're salaried, constantly threatened with termination, blamed for problems but denied power to deal with them, and so on, did the study account for that? Doesn't look like the study did. Study talks about "work behavior" but not "work treatment", as if companies have no effect on whether a worker would want to sabotage something.
Ignoring signs-- signs such as a person coming in late who had always come in on time in the past-- is a sure invitation to trouble. People who feel they can't communicate one way will communicate another way. Maybe before concluding that someone who is causing "trouble" better be escorted off the premises in handcuffs before they can do real damage, management ought to try a few other things first. Like, listen in such a way that workers feel they can speak openly. And removing the temptation. If a nuclear missile could be launched with the push of one button, it probably would've happened. Good thing the missiles require several keys, codes, and such like.
This study strikes me as narrow.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
Those who are capable of wrecking systems thoroughly are usually also smart enough not to show signs that they are willing to do so... The ones who grumble and complain need to be shown the door before they wreak havoc or, pacify them. It's the non-complainers you need to make sure are really happy because if they're not...you could be screwed.
I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
BEDEVERE:
Quiet! Quiet! Quiet! Quiet! There are ways of telling whether she is a witch.
VILLAGER #1:
Are there?
VILLAGER #2:
Ah?
VILLAGER #1:
What are they?
CROWD:
Tell us! Tell us!...
BEDEVERE:
Tell me. What do you do with witches?
VILLAGER #2:
Burn!
VILLAGER #1:
Burn!
CROWD:
Burn! Burn them up! Burn!...
BEDEVERE:
And what do you burn apart from witches?
VILLAGER #1:
More witches!
I got pissed off with what someone said so I deleted that blue 'e' on my computer. Now the whole internet has been destroyed.
Engineering is the art of compromise.
As a sysadmin/webmaster at a small company I was involved in the infrastructure and in daily stuff that made money, like doing websites for the company's customers.
At one point I was drawn into an "argument" with colleagues over two things:
1) they needed a new box to run the firewall on. Owners wanted to postpone indefinitely. Sysadmin pressed his point. CEO suspected sabotage or other agenda... in spite of having had a prior avoidable firewall failure take down the network. He decided the sysadmin was crying wolf, or worse.
2): graphic designers and marketing people had proposed, priced and designed a website concept without consulting the guy who was going to code it. There were problems in the executability of the design and an underbid situation.
A technical problem that could be solved with a technical approach, if there were trust. Once again, sysadmin/webmaster "argued" for another approach on technical grounds. Answer: defenses, emotionalism, circle the wagons.
Net result of both contentions: emotionalism, accusations; sysadmin forced to resign.
The firewall did have a hardware failure after about six months; the website proposal flopped and the company lost their major client's web work. Satisfaction for the sysadmin? H**l no. There are no winners in something like this. You need to work with people you can trust and who trust you. This untrusted crap is destroying the very idea of "a good job" and consuming businesses and relationships from within.
You have to be able to air the relative merits of various technical approaches in a respectful, professional way so that what's rational and feasible emerges.
If this is "arguing with colleagues", resulting in an immediate security red-flag and dismissal... how can you have peer review or objective discussions? Worse still, it means we've descended into a totalitarian workplace.
Let's see... the study shows that people who are fired generally are considered by their employers to have performed poorly...
... I have yet to meet a "gruntled" IT professional.
This is groundbreaking!
And while we're at it: How many employees who do NOT sabotage corporate systems "are disgruntled", "are paranoid", "generally show up late", and/or "argue with colleagues"?
Last time I looked:
- A large fraction of the best IT people often work late, for any or all of several reasons: They prefer it, they need to work when load is light to minimize impact on business processes, fixing what the users broke during the day skews the time of their peak workload to later than that of the mainstream users, etc.
They often work more than a normal workday - but they'd have to work two shifts every day and only take time out for sleep, in order to come in bright and early to impress the suits who read this "study". But any sane IT professional will take advantage of flex time and come in late instead.
Programmers and other IT professionals coming in late has been a stereotype since computers used vacuum tubes. (I know because I was there and was one of many who created it. B-) )
- "Argue with colleagues"? Maybe yes-maning works in the executive suite. But when a crew of experts is chasing down a problem there will be a slew of hypotheses tried and discarded, with different workers coming up with different hypotheses and evidence to falsify them. To an outsider this looks like an argument, when it's actually progress. Experts will also often have differing opinions and will discuss them - ditto.
(I recall one company where upper-level executives quietly added themselves to an engineering internal mailing list. There we discussed the latest problems - often heatedly - until they were solved. When one was solved the traffic on THAT problem stopped cold and another would take its place. To the suits it looked like a disaster, when in fact the project was on time, within budget, exceeding targets, and still looked like it would have been a quantum leap when delivered - if the company hadn't suddenly shut it down...)
- "disgruntled"? With the continuing budget shortfalls, IT resource expansion always lagging company growth, lusers opening virus email,
- "paranoid"? (I presume we're talking the folk etymology, not clinical paranoia.) IT, like other forms of engineering, is an exercise in staying at least one step ahead of Murphy's Law. If an IT professional isn't "paranoid" he's not doing his job.
Watch the suits who saw this start canning their best IT people - zero-notice style. (That's where the employee arrives at work to find his cardkey doesn't work his passwords are rescinded, and he is escorted to HR where he is handed two weeks pay in lieu of notice, a box containing anything from his desk that the company didn't think was theirs, and a threatening document in lawyerese, and then kicked out of the building.)
And of course the fired employees will be blamed when the network starts to go to hell when the remaining people can't apply duct tape and chewing gum fast enough or the next rash of malware gets past the firewall.
= = = =
This reminds me of the "profiles" of school-age mass-murderers: They're always described as loners and introverts who don't get along with others in their school. In other words, just like all the nerds who get pounded on by the jocks and snubbed by the cheerleaders and queen-bees and react by withdrawing from contact with the "beautiful people" cliques. And every time one of these "studies" come out the administrators (generally former "beautiful people" themselves) dump on the nerds and side with the jocks that much more...
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Careful, making cynical comments like that may negatively affect your career prospects. Don't want to get labled as a whiner, people might think your planning to nuke the servers and fire you.
Especially if your bosses who are disgruntled, paranoid, generally show up late, argue with colleagues, and generally perform poorly.
Oh no!
This story really needs to be filed under, "The best way to improve moral is to fire all the unhappy people."
Friends don't help friends install M$ junk.
"Where quality is like a dead stinking rat - you just can't miss it."
As long as you treat your staff as the enemy, they will be... http://www.accel-team.com/human_relations/hrels_03 _mcgregor.html
The contest for ages has been to rescue liberty from the grasp of executive power. -- Daniel Webster
At the risk of being obvious or redundant--
Aren't the IT people the only ones who smart enough to sabotage IT systems?
I mean, those smug assholes up on the 42nd floor don't give a shit about how hard we work just to help them print their e-mail. We'll see how smug they are when....
oh...wait...
[BOFH]
I might know what I'm talkin' about, but then again, this is Slashdot...
But if there is a nine year old girl who understands UNIX handy you should be ok.
http://michaelsmith.id.au
This 'virtuous cycle' is a good reason to stay out of corporate IT at American companies.
If you're with a rare IT group that has good relations with the business unit, and can collaboratively prioritize projects so you're not reacting all the time, stick with them, and let them know why. Otherwise, find a company who directly sells your software product, or services around that. Firms that only indirectly depend on you will screw you every time.
Corporate IT is just a cost center, at most companies, and the CIO will never get adequate resources if they report through Finance. This problem is especially bad in health care and insurance firms.
Consider corporate management, who generally didn't have either the inclination or the intellectual capacity to get a REAL technology degree, and don't get ongoing technology training. They secretly resent that they are dependent on "technology folks" - who they don't understand - for the companies operations (and survival, when things go wrong).
And now, imagine you're a company like TJX (parent company of TJ Maxx and Marshall's), who have inappropriately retained credit card numbers, then had a security breach. They have NO IDEA how many people's numbers were lost.
It's natural to look to IT as a scapegoat, when it's their own boneheaded prioritization that put information security last.
"IT espically, they are a dime a dozen andthere is 6 of them out there waiting to take the one job."
That's because people go into IT because "they heard it was a good field to get into".
The people who are good at IT are hard to replace and are usually rewarded that way. There's no doubt that when you break into the field it's rough. But that's when you distinguish yourself. Your hard work didn't stop the day you graduated from a university... oh wait... you didn't go to a University?
Okay, let's start at the beginning:
1) The IT field is littered with has-been's, wanna-be's and never-was-es. Don't be one of those. How?
2) Show a commitment. Get a degree from a University. Doesn't matter what it is; if you're smart, you turn that to your advantage. If you want to be involved in the business, get a degree in business with a lot of programming courses. If you want to be involved primarily in the bits and bytes, get a degree more closely related to Computer Science. Information Management can be useful too, although the too are not at all similar. I have a computer science degree, my wife has an information management degree. I'm the director of architecture at a fortune 1000, she's a program manager at a fortune 2000.
3) Where's the Sysadmin paths? Unfortunately, the days of the Unix Admin with infinite knowledge have all passed. Well, not all. There are a few old timers left. God bless them, love them to death. They're really smart, and those last few guys get paid a lot. The rest? A dead end job. It puts food on the table. It's better than working at Wal-Mart.
4) All the good jobs in IT require that you start as a programmer. No exceptions. If you're not good at programming, you don't belong in IT.
5) Set your sights on moving up. You don't want to be the 45 year old programmer. Not unless you're so good that people just leave you alone to develop. If you're not sure you're that good, then you aren't. If you are that good, you can tell because your boss never hassles you about your hours, or anything. They let you alone because you're the goose laying the golden egg. God bless you. You are the heart and soul of this industry.
6) You've got to pay your dues in IT, and you may move around some. Changing jobs every 9 months guarantees you'll be a 50 year old programmer some day who knows VB6 really well and suddenly finds themselves without work.
7) Get better all the time. Read read read. Be energetic.
8) Understand the business you're in. Unless you aspire to #5. Push for ways to improve the business. And that doesn't include suggesting changes to the SCM.
9) Develop a 6th sense about what will help your career. Usually that goes hand in hand with helping the business but not always. When the two diverge, it might be time to leave. You don't want to be the 60 year old programmer who is good at FORTRAN on VAX. If I have to explain this to you, then you shouldn't be looking for a job in IT.
10) If you don't love this field, if you don't go into work in the morning because you can't imagine not doing it, then you don't belong in this field.
Here I thought that:
So most good IT people fit the profile, but maybe the last point is valid. :p
I do not fail; I succeed at finding out what does not work.
_If_ he's a sociopath (you can't diagnose that from just one message), it just doesn't work that way. You're making the usual mistake of assuming that all humans are essentially, well, equally human and you only need appeal to someone's humanity/feelings/moral-sense/flash-of-enlightenm
Sociopathy is, simply put, completely lacking the empathy and connection to other humans. It's being the only human in a single-player world full of generic NPCs. They're not your peers, they don't matter, their feelings don't matter, they're there just to be used, abused, manipulated, lied to, whatever gets you closer to your objectives.
Think of your relationship to NPCs in a computer game. Do you really care what that generic NPC in Oblivion or GTA feels or thinks? Do you care if he/she had a bad day, or if his/her kid is sick? Would you feel any sense of accomplishment of having him/her as a friend? Would you feel bad for clicking on a complete lie dialogue choice just to finish a quest? Would you even really think of them as a "he" or a "she", or more along the lines of "it"? I mean, don't be silly, it's just a game and just a scripted NPC. Right?
Well, in a nutshell that's the kind of world that a sociopath lives in. You can't even be seen as a friend by one. You're at most a sucker to be used for a purpose, even if that purpose is a few minutes of entertainment.
So expecting that one would wake up one day and think "man, I wasted my life, I should have made friends" is naive. That's the kind of notion that doesn't even compute in their world. Or not for the same meaning of "friend" that you'd use.
A polar bear is a cartesian bear after a coordinate transform.
I know that a lot of you out there will be thinking, "hell ya, it is managements fault we are treating like this so lets get back at them but destroying their systems."
Believe me guys that is not the case, the only people you hurt are your co-workers. I joined a company where a lot of the Admin stuff were fired. Some of them left nice little surprises that went off a couple of days later. Guess who was there until 3am in the morning putting everything back together? I can tell you it wasn't the managers. I can also tell you that those guys that got fired lost many good friends the day they did that and a lot of hard earned respect. Most of them are still looking for jobs a year later as NO ONE from their previous job (which many had held for 6+ years) will give them a good reference anymore because of their actions.
So my point is that if you are pissed off at management then complain or leave. Don't destroy things as it only hurts your co-workers not management.
It said "windows 98 or better" so I installed Linux
Sure if you're talking about sabotage as in taking time to plan out something that causes harm to the system, you probably have to be in IT and pretty smart, or you can take a basic approach. You know that owner/supervisor or whatever higher up that thinks that they are so important that they need full system access...give it to them. I've had to recover a system after one of the higher ups decided that they didn't need want a system directory folder anymore and decided to delete it. Needless to say after that an audit was performed on the system to see who had rights to things that they shouldn't have, and I finally had the approval to apply the restricted rights policy that I'd been advocating for months.
They're also the most productive! http://seattlepi.nwsource.com/business/302397_grum pyworkers05.html
No comment.