If you read my first two posts on this topic, you may be thinking that I’m describing the traditional “insider threat” that security professionals have faced for years. (The link is to the research at CERT on this topic.) But hold on a minute. It’s a bit more complicated than that.

Bruce Schneier has a blog from 2005 which describes several different types of profiles that McAfee had identified on employees who put enterprises at risk. While the groupings are interesting, I especially like the (often hostile) comments from the masses regarding this post. It’s definitely entertaining to read through what are generally very defensive responses from people who have, for the most part, placed themselves into one of the four insider threat groups.

The percentages listed here are huge. (Such as: 51% connect their own devices or gadgets to their work PCs.) Based upon McAfee’s categories, I would likely be talking about: “The Squatter – those who use the company IT resources in ways they shouldn't (i.e. by storing content or playing games).”

The problem is - there are no neat little categories for this stuff. It’s all very messy, since employees don’t register themselves into those groupings and many people probably fit into multiple categories at various times in their careers. The security staff needs to figure out what’s what and who’s who. (That is: are you a hacker, saboteur, gadget geek, innocent victim, etc.) It would be nice to see new percentages from McAfee for 2006 as well.

Now I feel a need to get philosophical. Why? Why do they behave this way? Why is this a growing trend? If you’ll allow me to broaden the question and enlarge the focus group, why do an increasing number of people send e-mails and go to sites that they know are inappropriate using company networks or equipment?
They know that what they’re doing is wrong, violates policies, and is out of place by any standard, but they do it anyway. Some of these people are technical experts. Most are not. Nevertheless, there are plenty of easy-to-use websites telling them how to bypass filters.

We’ve all read stories about some of the new kids on the block. They’ve grown up as the tech-savvy gamers that are now entering the work force with different values and expectations. They’re coming off of college campuses with networks resembling the wild, wild west, where almost anything goes. Perhaps this cyber-smart crowd is just young and restless and looking for a few dates? They see nothing wrong with hiding certain behaviors that may happen to violate company policies – as long as their jobs are getting done, etc.

So how do I know that they realize what they are doing is wrong? Like drivers slowing down when they see a cop car, this group knows enough to go out of their way to cover their tracks. By using TOR, encrypted tunnels, proxies, or whatever works, they surf around controls.

What about the lawsuits surrounding internet use? USA Today just ran a piece on an IBM case. Should employees be fired or placed into internet addiction classes if they’re surfing unacceptable chat rooms and worse? The easy answer is to issue more speeding tickets and hold "public hangings" (that is, discipline the violators). I agree that some of that is needed, but there must be a balanced approach regarding education and trying to answer a new set of questions.

So what’s the root issue? I think we're witnessing our society’s new cyber ethics - or lack thereof. It may sound simple and a bit like a cop-out, but we’re talking about internet behaviors, conduct and choices in 2006 where work and home are blurring.
This trend will only accelerate.

As expressed in the responses to Schneier’s blog, people are now connected all the time with blackberries, web-enabled phones, and a 7x24x365 set of expectations. There are also many other 21st century lifestyle factors. Acceptable use policies, legal issues, office politics, and a whole host of other challenges have yet to catch up with the pace of this cultural change.

There are many new social trends developing online, and I don’t pretend to understand them all. I do know that current approaches are severely lacking. When growing numbers start speeding on our cyber highways, giving out more tickets (alone) won’t solve the problem.

Don’t misunderstand what I’m saying. We’ve disciplined (even dismissed) plenty of people in Michigan for inappropriate surfing. I’m no softie. In fact, I’ve been accused of being too harsh on employee conduct. (Note: HR actually makes the discipline decisions here. We’re just the cyber police.) Still, America needs to start rethinking policies, employee education and many related cyber education topics. We need to get at motivational and heart-level HR issues.

Yes, this is way beyond the scope of CSOs alone, but we need to lead, or at least actively participate in, this new challenge. In early 2007, I plan on a series of posts regarding new perspectives on cyber ethics and possible solutions. You may agree or disagree with my viewpoint and labels, but you’d better not ignore the problem.