Thinking about Security: The truth about dishonesty

Dan Ariely has done a great video on the impact of micro versus macro dishonesty. You can watch it here: - the gist is that a large number of people being dishonest in a minor way have a greater impact than a small number of people undertaking major dishonest actions.

He tested 30,000 people. The results of the experiment found 12 “big” cheaters and 18,000 “small” cheaters. The impact of the big cheaters was around $150. The impact of the “small” cheaters was around $32,000.

This study shows something interesting: the overall impact of small acts of dishonesty can be up to two orders of magnitude greater than the overall impact of large acts of dishonesty, simply because small acts of dishonesty are relatively common and large acts of dishonesty are exceedingly rare.

Assuming this is true, it has consequences for the way we think about IT security. IT security is often about protecting against the “large acts of dishonesty”, often perpetrated by outsiders, rather than the small acts of dishonesty perpetrated by insiders. If Ariely’s results hold, it may turn out that the impact of the small acts of dishonesty perpetrated by insiders vastly outweighs the impact of the large acts of dishonesty perpetrated by outsiders. Because we aren’t that good at noticing the small acts, we tend to underestimate their collective impact.

Have a look at the video linked above. It is likely to change your thinking about security.

