Introduction
In the past, companies were loosely linked only to a few other companies and their IT resources, i.e. IT infrastructure, data and business processes, remained in-house under their custody and control. Today, companies no longer operate in isolation but are rather tightly connected to other companies in a network-like structure, called business networks, inter-organisational networks or extended enterprises (Wiendahl & Lutz, 2002; Jagdev & Thoben, 2001; Baraldi et al., 2012; Hakansson & Ford, 2002), with different levels of integration and cooperation.
Extended enterprises are ever more attractive because they provide competitive advantage by allowing cost savings, time and quality-related benefits, and by increasing business agility and flexibility; each participant in an extended enterprise specializes in its core competencies and takes advantage of other organisations’ expertise to deliver its business mission (Jagdev & Thoben, 2001; Starr et al., 2003). The growth in the adoption of Cloud Computing and the diversity of service bundles on offer exacerbate the fact that organisational boundaries in an extended enterprise context are overwhelmingly fuzzy (Jericho-Forum, n.d.; Thoben & Jagdev, 2001; Jagdev & Thoben, 2001). The size of an extended enterprise can be significant, typically reaching hundreds of participants; research from the Information Security Forum indicates that, on average, companies work with 750 service providers (Davis, 2010). This adds up to other factors, such as the complexity of dependencies among participants of the network, geographic dispersion, and distributed sources of risk (Thoben & Jagdev, 2001; Davis, 2010), and to the fact that each company that is part of an extended enterprise is most likely to be itself an extended enterprise, creating a chain of non-transparent B2B relationships.
Extended enterprises create a security management problem in part because it is difficult to have a holistic overview of security across systems, technologies and resources in the entire network. One specific sub-problem of security management in extended enterprises is what we call the external insider threat. Such a threat is posed by a class of individuals employed by participants of a company’s extended enterprise network (or their own networks) who need access, to a certain extent, to the assets (e.g., data, IT infrastructure, processes) the company owns and is accountable for, regardless of where and by whom those assets are handled. External insiders are a class of individuals who fall completely under neither the class of insiders nor that of outsiders of one company; therefore, mitigations aimed at insiders and at outsiders do not completely solve the external insider threat problem. External insiders of a company assume a large number of roles across the numerous other companies that are part of its extended enterprise, in a variety of B2B arrangements. Those arrangements involve different levels of integration, cooperation and resource sharing (Kumar & van Dissel, 1996; Jagdev & Thoben, 2009). They can span from more traditional arrangements, such as trading partners in a value chain, service providers and business partners, to less traditional arrangements such as outsourced operations or facilities providers, managed security providers, Federated Cloud service providers (Bernsmed et al., 2011), or even innovation-driven cooperatives (Thorgren et al., 2009) and consortia for collective management of security (Gupta & Zhdanov, 2007).