S.M.A.R.T. System: Behavior-based machine learning for cybersecurity


Matthew Day

American Military University

October 22nd, 2017

Research paper for the class “IT Security: Attack and Defense”



As the internet grew throughout the 1980s and into the 1990s, so too did the data. The internet was a long way from the nineteen nodes it started with as ARPANET in the mid-1960s (Kleinrock, 2010). As networks grew more extensive and more international, so did the data. Around the same time as ARPANET, or slightly earlier, Richard Bellman was starting to develop the idea of artificial intelligence (Arel, Rose, & Karnowski, 2010).

Artificial intelligence can be described simply as a non-human form of intelligence. Many could argue that a simple computer is an artificial intelligence in the way it processes information and makes decisions. From Bellman's work on artificial intelligence in the 1950s and throughout the modernization of the computer and networking world, A.I., as it is called, kept progressing.

During the technology revolution of the late 1990s and into the 2000s, many companies began using some form of artificial intelligence in their products. Apple's smart products, the iPhone and iPad, use “Siri”, which is based on artificial intelligence. When the user says something, “Siri” can translate what was said into text, then convert it into a search or a command on the phone.

For consumers, it is almost everywhere in products, from cameras to televisions to even children's toys; they all seem to have an aspect of artificial intelligence to them. However, they are not quite at the robotic stage that Hollywood often portrays.

The question becomes: why isn't this technology being used for good? Is law enforcement using artificial intelligence? Do militaries use it? What about healthcare; is it used in that field? This paper addresses using a subset of artificial intelligence called machine learning to secure a network from intrusion.

Network and cyber security are significant problems around the world today. Over 60% of the American economy is made up of assets that are vulnerable to adversaries over a network (Slate, 2009). The technology is becoming so pronounced and substantial that it is already possible, or will be within five years, to use artificial intelligence and machine learning to harden one's system. As readers will see, machine learning is already being used in some forms of cybersecurity, and it would be a good bet that the government has implemented machine learning to process the massive amounts of data it receives as well. However, the key question is how to use it to protect a local area network from intrusion, and what the possibilities of combining machine learning and security are.

Part 1. Machine Learning

What is Machine Learning?

As explained earlier, machine learning is a subset of artificial intelligence (Arel et al., 2010). Machine learning is nothing new and has been around since the seventies, when computer and math scientists first started using algorithms to make predictive outcomes from data (Louridas & Ebert, 2016). Today's use of machine learning is not much different than it was fifty years ago; the only difference is in the data (Louridas & Ebert, 2016). The amount of data typically needed to train a machine is large, much more than it was in the 1970s. Because of the massive amounts of data needed, processing power must be greater, RAM and cache must be more extensive, and the entire system has to be larger and much faster.

In the simplest terms, machine learning is relatively close to how humans learn, with a little extra mathematics involved. Humans learn from being shown how to do something; repetition leads to memory. If someone wants to know how to edit a photo in Adobe Photoshop, he or she can go to YouTube and watch as many videos as it takes to learn how to edit the photo. At the same time, they are practicing editing the photo and evaluating their work. They keep practicing until they have sharpened their skills enough that they no longer need to practice to be reasonably successful.

Another example is behavioral analysis in forensics, which can be tied to the “process” of machine learning. Forensic psychology, profiling, or behavior analysis, whichever label one uses, all mine data, process data, learn from the data, and export a predictive function based on the information studied.

In machine learning, the process is similar, only it is algorithms that are computing an incredible amount of data. The YouTube videos from the human example are the ‘data’ in the machine example. However, they go through the same process via written code on a machine. There are typically seven steps in a standard machine learning session: gathering data, preparing the data, choosing a model for training, training, evaluation, tuning, and prediction (Guo & Google, 2017).

There are several different models to choose from when training a machine, but for network security the best model would be a more numerically based model, because the underlying language is binary. Training the machine is the most important step, but it is also the most difficult. It involves computer scientists and individuals who are experts in data and data compression.

Applying Machine Learning to IT Security

Information security already utilizes some form of artificial intelligence or machine learning in some of its technology; that is nothing new. Most of the technology comes from virus protection software that scans and analyzes programs, software, apps, files, etc. on a computer. These programs use what is considered a virus library and run the known viruses they have stored against any file on the computer (Kaur, Khalsa, & Dhesian, 2016).

As technology gets better, antivirus programs are moving in the direction of behavioral modeling (Zhang, Raghunathan, & Jha, 2014); some are even using machine learning basics to detect viruses. Behavioral modeling is one of the foundations of the SMART system. The newer antivirus technology looks at how programs usually act, their behavior (Kamesh & Sakthi Priya, 2014); then, when it detects a change, it alerts the software that something may be wrong.

This is the concept of the SMART system, but on a much larger scale. Think of IBM Watson. IBM Watson is comprised of somewhere around twenty-five hundred computing cores across its entire processing complex (Ferrucci et al., 2010). Watson and its multiple nodes can be preloaded with massive amounts of data and trained on just about anything. It beat the world record holder on Jeopardy using algorithms.

A system made for one single Local Area Network does not need twenty-five hundred computing cores of processing strength. However, Watson gives the reader an idea of what the SMART system is about. Watson knew everything about, well, everything (Ferrucci et al., 2010). This is the power that one part of the SMART system will harness over all the nodes inside the LAN. The other two sections of the system will work like a typical antivirus system, with a database and an incident response center. They both will use much smaller hardware to detect and contain malicious traffic. This paper speaks more about the machine learning side and how it mitigates security threats than about the antivirus side.

Without getting into the math, as mentioned in the first half of Part 1, machine learning is about teaching the machine everything about an object. For our example, we will use a desktop workstation. The SMART system needs data from this desktop, labeled PC1, to conduct its hierarchical learning process over every single piece of information from PC1. This means the processor's name, clock speed, temperature, DRAM usage, SRAM usage, cache usage, all the open and closed ports, the programs installed, files, keystrokes, accounts, etc. The entire goal of the training and evaluation phase is to know PC1 inside and out, and to have the data to recognize a pattern of behavior when it opens an application or a particular file (Arel et al., 2010).

This will all be stored, processed, and sifted through to produce a profile of that workstation. The SMART system will know how PC1 is supposed to act at all times. Before this, weighted measurements were put in place that would show the DRAM overworking, the cache overclocking, or a scan coming into a port. The SMART system is now adequately trained on two different outcomes and knows what to do when one of them happens, because it has been programmed to. For example, if a port scan were conducted on PC1 ports 43/77/1134, the SMART system under normal behavior might show them at 0.0002 Hz. However, once the scan has occurred, there is a bump of 0.0003 Hz in all three ports. This slightest change causes the SMART system to immediately send a response to the Incident Response Center, which deals with the incident.

This is the purpose of the training for the SMART system: to gain the knowledge it needs to know exactly everything about the entire network and how it usually operates. Because a typical network may handle more or less data at different times, that also has to be accounted for during the training process. This is why the mathematics of the training is not linear. Instead of one linear line, if you will, it is multiple lines with multiple slopes (Guo & Google, 2017). See Fig. 1-3 for the example from Guo & Google (2017) as they walked through the first phase of training.

[Fig. 1-3: training example from Guo & Google (2017); images not reproduced]

With one part of the machine knowing exactly how the host responds when every program is opened, every port is used, and every connection is made, it uses this information and compares it to the current information it is receiving. This is how the process works. Just as in the port example above, there are several other cases where a host's behavior and pattern will change, alerting the machine that it needs to send the incident to the Incident Response Center.
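The profile-and-compare loop described above (a baseline per host, per metric and per time-of-day window; weighted deviation; hand-off to the Incident Response Center), as an added Python illustration that is not part of the paper. The six-hour buckets, the z-score threshold, the triage rules and every telemetry value are constructed assumptions, not figures from the paper.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    host: str
    hour: int      # hour of day, 0-23
    metric: str    # e.g. "port:43" (packets/s) or "cpu_mhz"
    value: float


class BehaviourBaseline:
    """Profile of how a host normally behaves, kept per (host, metric, time bucket).

    Bucketing by hour is the "multiple lines with multiple slopes" idea:
    a host may legitimately behave differently at 23:00 than at 14:00.
    """

    def __init__(self, bucket_hours=6, weights=None):
        self.bucket_hours = bucket_hours
        self.weights = weights or {}          # metric -> sensitivity multiplier (assumed)
        self._obs = defaultdict(list)

    def _key(self, s):
        return (s.host, s.metric, s.hour // self.bucket_hours)

    def train(self, samples):
        for s in samples:
            self._obs[self._key(s)].append(s.value)

    def profile(self, s):
        """(mean, spread) for the sample's bucket, or None if never observed."""
        vals = self._obs.get(self._key(s))
        if not vals:
            return None
        mu, sigma = mean(vals), pstdev(vals)
        # Floor the spread so a nearly constant metric cannot divide by ~0.
        return mu, max(sigma, 0.05 * abs(mu), 1e-9)

    def score(self, s):
        """Weighted z-score of the sample against its bucket profile."""
        p = self.profile(s)
        if p is None:
            return None
        mu, sigma = p
        return abs(s.value - mu) / sigma * self.weights.get(s.metric, 1.0)


@dataclass
class Incident:
    host: str
    metric: str
    hour: int
    observed: float
    expected: float
    score: float


def detect(baseline, samples, threshold=3.0):
    """Compare live samples with the profile; deviations become incidents."""
    found = []
    for s in samples:
        z = baseline.score(s)
        if z is None:
            continue      # host/metric never profiled: needs training, not an alert here
        if z >= threshold:
            found.append(Incident(s.host, s.metric, s.hour, s.value, baseline.profile(s)[0], z))
    return found


def triage(incidents):
    """Hand-off to the Incident Response Center: group per host, suggest actions (assumed rules)."""
    per_host = defaultdict(list)
    for i in incidents:
        per_host[i.host].append(i)
    report = {}
    for host, items in per_host.items():
        ports = sorted(int(i.metric.split(":", 1)[1]) for i in items if i.metric.startswith("port:"))
        actions = []
        if len(ports) >= 2:     # several ports bumped at once: the paper's port-scan case
            actions.append("probable port scan on " + ",".join(map(str, ports)) + ": propose closing unused ports")
        if any(i.metric == "cpu_mhz" for i in items):
            actions.append("CPU deviation from profile: isolate host and collect process list")
        if not actions:
            actions.append("single-metric deviation: notify administrator")
        report[host] = actions
    return report


def build_training(days=7):
    """Constructed telemetry for PC1: quiet ports, busy CPU only in working hours."""
    samples = []
    for d in range(days):
        for h in range(24):
            jitter = ((d + h) % 3) - 1          # deterministic -1, 0, +1
            for port in (43, 77, 1134):
                samples.append(Sample("PC1", h, f"port:{port}", 0.0002 + 0.00001 * jitter))
            cpu = 2400 if 8 <= h < 18 else 800
            samples.append(Sample("PC1", h, "cpu_mhz", cpu + 25 * jitter))
    return samples


def run_demo():
    baseline = BehaviourBaseline(bucket_hours=6, weights={"port:43": 2.0, "port:77": 2.0, "port:1134": 2.0})
    baseline.train(build_training())
    live = [                                   # constructed "current" observations
        Sample("PC1", 14, "port:43", 0.0005),  # all three ports bumped by 0.0003
        Sample("PC1", 14, "port:77", 0.0005),
        Sample("PC1", 14, "port:1134", 0.0005),
        Sample("PC1", 14, "cpu_mhz", 2400),    # normal for 14:00
        Sample("PC1", 23, "cpu_mhz", 2400),    # "wide awake at 2300 hours"
        Sample("PC2", 23, "cpu_mhz", 2400),    # host never profiled
    ]
    incidents = detect(baseline, live)
    return incidents, triage(incidents)


if __name__ == "__main__":
    for inc in run_demo()[0]:
        print(inc)
    print(run_demo()[1])
```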

Incident Response Center

The Incident Response Center is the next step in the process of the entire ecosystem: the machine learning side has identified an incident, and now it is time to look further into it. The incident response section, or center, of this system is run by a computer separate from the learning section. The goal of incident response is to identify the incident and contain it immediately. In a typical incident command structure, there would be identification, analyzing the scene and determining the damage, and containing the incident if it was malicious (Oriyano, 2012). With this incident response center, the process is still reasonably the same. However, the priority is gaining knowledge about the incident itself.

If the incident is deemed malicious, the incident response center will contain the file or seal off the port or area so nothing malicious can occur. It may automatically disconnect the workstation from the internet by disabling the network card. Once everything is contained, the process of evaluating the event will occur to see what happened, along with notifying the user or administrator. This would all be done in under five seconds. The administrator could then log in to the SMART system and look at the malicious content as the SMART system begins to run it through a preprogrammed and continuously updated database.

At the same time, the SMART system knows precisely where the malicious material came from and has logged it for the report, along with preloaded instructions from the database on how to fix that issue. This is printed out or emailed to the administrator as a final report so the firm or person can debrief others and investigate the malicious material as they wish. The malicious content is taken out of the system, logged in the national database, and shredded. Alternatively, if it were just a scan, nothing further would be done except proposing to the administrator that they close that port for good, as it could be a vulnerability.

Part 2. Vulnerabilities and Theoretical Application

Server Vulnerabilities

Websites can have many vulnerabilities. There are DDoS attacks, which occur when multiple people send traffic to a web server and it overwhelms the server's ability to handle that much traffic (Stewart, 2014). Applications from websites, or applications based on a web server, can also have open-port vulnerabilities, but one of the most common vulnerabilities is the developers themselves. There is a slew of exploits that an adversary can use to attack a web server, including SYN flooding, where the attacker sends out a constant stream of packets that request a return receipt. However, the return address is not correct, and this causes the system to flood.

Another conventional attack on a web server is a buffer overflow, and this is an attack on a PC as well. The exploit makes it into the host, either a server or a PC, goes directly to the DRAM, and figures out how much storage it needs to go just far enough outside the stack to inject malicious code (Chien & Szor, 2002). Once the correct size of storage is found from the stack, the code is injected, and this code can do a lot while the host DRAM is wholly overloaded (Chien & Szor, 2002). Large viruses such as ‘Code Red’ in 2001 have used this exploit. However, it is important to point out that to perform this exploit, the adversary either has to know how large the stack is or has to test to figure out the initial size of storage to consume, so there would be a behavior change in the host DRAM. See Fig. 3 for an example of a buffer overflow.


Database exploits are widespread. Cross-site scripting and SQL exploits are two common ways adversaries get into databases. Databases are very lucrative for all hackers: whether they are a hacktivist or a crime ring, reaching a database and achieving root can get them the sensitive data.

Cross-site scripting works at the level of website forms, and the vulnerability comes from website developers who either forgot to write, or never wrote, a function into the source code for handling script. When someone types in a less-than or greater-than sign and no error page appears saying the form did not accept that character, the form may be vulnerable. There are several scripts that hackers could use to gain access to the database. However, they all contain characters not generally used by people on the site. Those characters would show up with a different weight when the SMART system makes its comparisons.

The same method applies to SQL injection, where a more in-depth script is used to try to breach the entire database to inject malicious material or grab data from it. The SMART system would see the ‘weird’ characters and know within milliseconds that something is going on.

Email Vulnerabilities

Phishing attacks are where an adversary sends an email to a user in the hope that the user clicks on it and gives up personal information (Wright & Marett, 2010). These emails are typically well designed to look exactly like the real company or organization and are made to scam the user. Unfortunately, technology has lagged in this arena. There are spam filters that try to scan the websites against a database or use their algorithms to identify a message as spam; however, in the majority of cases, email is a user-based vulnerability (Wright & Marett, 2010).

After the fact, once the user has possibly downloaded a virus, is when the SMART system would kick in and be able to trace it. However, having a robust security plan already in place, with straightforward policies and consequences for breaking those policies, is extremely important when it comes to user-based vulnerabilities.


Every host out there is vulnerable to a virus. A virus can come in the form of almost anything: a downloaded file, an injection, a website; security is never going to be 100%. However, when a virus enters a host, it will affect the host in some way, even in the smallest form.

It will cause the behavior of that host to change in some form or another. A trojan horse that a user downloaded as a ‘fun game’, but which has now let in a backdoor for a hacker, will change the behavior. “While every day this host has been asleep at 2300 hours, now it is wide awake, and it is downloading administration files” – SMART system. Malicious content that attacks root systems will affect the normal behavior and patterns of that host. There might be an uptick in the CPU clock that is traced back to the root directory or a port.

No matter the virus, there will be a change. The perfect example was mentioned before: the ‘Code Red’ virus, which used a buffer overflow to inject itself (Chien & Szor, 2002). Back then, IT security professionals, especially antivirus professionals, had no idea how to fix it through detection, according to the authors of that article (Chien & Szor, 2002). Times have changed and technology with them; we know viruses affect a host, so antivirus specialists should be concentrating on the effect as a detection mechanism.


Human behavior is an exciting topic; we have collegiate degrees on it, and we even have people who make a nice living trying to understand human behavior and then monitoring that behavior. The U.S. has behavioral analysts, Behavioral Detection Officers, whose job it is to watch people at airports and look for specific behavior indicators (Wigginton, Jensen, Graves, & Vinson, 2014).

As humans, we look at behavior and patterns all the time to determine threats. Criminal Intelligence Units use pattern analysis quite often, for example to predict where an offender might strike next (Carter, 2004). Given how much humans do this for other humans to notice threats, targets, and vulnerabilities, the question should be why the IT security field hasn't been taking this approach to protecting a network: studying network behavior and identifying or predicting changes.

Machine learning at this level does not exist, as far as this writer is aware. This entire unit would need a minimum of three separate computers, the first being the learning computer, with a processor up near the hundreds of cores and hundreds of TB of cache. It would more than likely need no less than TB of DRAM or 2 Petabytes of DRAM. The internal storage would have to be flash storage, as hard disk would be too slow, and it is unknown to this author how much internal storage would be needed. The two other sections of the SMART system would not have to be this large. However, they would have to be reasonably large compared to typical computer systems.

It is possible to build a system such as this; IBM has created such a device. However, this is a futuristic device due to the knowledge it must obtain. For now, software or hardware that is more behavior-based should be implemented for network security, to be proactive instead of reacting by checking a database and scanning a file as it comes in.

References
Arel, I., Rose, D., & Karnowski, T. (2010). Deep machine learning-A new frontier in artificial intelligence research. IEEE Computational Intelligence Magazine, 5(4), 13–18. https://doi.org/10.1109/MCI.2010.938364

Carter, D. L. (2004). Law Enforcement Intelligence: A Guide for State, Local, and Tribal Law Enforcement Agencies (1st ed.). Washington, D.C. Retrieved from https://ric-zai-inc.com/Publications/cops-w0277-pub.pdf

Chien, E., & Szor, P. (2002). Blended attacks exploits, vulnerabilities and buffer-overflow techniques in computer viruses. Virus Bulletin Conference, (September), 1–36.

Ferrucci, D., Brown, E., Chu-Carroll, J., Fan, J., Gondek, D., Kalyanpur, A., … Welty, C. (2010). Building Watson: An Overview of the DeepQA Project. AI Magazine, 31(3), 59–79. https://doi.org/10.1609/aimag.v31i3.2303

Guo, Y., & Google. (2017). The 7 Steps of Machine Learning. USA: YouTube. Retrieved from https://www.youtube.com/watch?v=nKW8Ndu7Mjw

Kamesh, & Sakthi Priya, N. (2014). Security enhancement of authenticated RFID generation. International Journal of Applied Engineering Research, 9(22), 5968–5974. https://doi.org/10.1002/sec

Kaur, G., Khalsa, G. N., & Dhesian, B. S. (2016). Network security: anti-virus. International Journal of Advanced Research in Computer Science, 7(6), 79–85.

Kleinrock, L. (2010). An early history of the internet. IEEE Communications Magazine, 48(8), 26–36. https://doi.org/10.1109/MCOM.2010.5534584

Louridas, P., & Ebert, C. (2016). Machine Learning. IEEE Software, 33(5), 110–115. https://doi.org/10.1109/MS.2016.114

Oriyano, S.-P. (2012). Hacker techniques, tools, and incident handling (2nd ed.). Burlington, MA: Jones & Bartlett Learning, LLC Publications.

Pound, M., & Computer Science at the University of Nottingham. (2016). Buffer Overflow Attack. YouTube. Retrieved from https://www.youtube.com/watch?v=1S0aBV-Waeo

Slate, R. (2009). Competing with intelligence: New directions in China’s quest for intangible property and implications for homeland security. Homeland Security Affairs, 5(1), 29. Retrieved from http://search.proquest.com.ezproxy2.apus.edu/docview/1266213070/fulltextPDF/3BA31AD0F0634D73PQ/1?accountid=8289

Stewart, J. (2014). Network security, firewalls, and VPNs (2nd ed.). Burlington, Vermont: Jones & Bartlett Learning. Retrieved from https://online.vitalsource.com/#/books/9781284107715/cfi/6/2!/4/2/2@0:0

Wigginton, M., Jensen, C. J., Graves, M., & Vinson, J. (2014). What Is the Role of Behavioral Analysis in a Multilayered Approach to Aviation Security? Journal of Applied Security Research, 9(4), 393–417. https://doi.org/10.1080/19361610.2014.942828

Wright, R. T., & Marett, K. (2010). The Influence of Experiential and Dispositional Factors in Phishing: An Empirical Investigation of the Deceived. Journal of Management Information Systems, 27(1), 273–303. https://doi.org/10.2753/MIS0742-1222270111

Zhang, M., Raghunathan, A., & Jha, N. K. (2014). A defense framework against malware and vulnerability exploits. International Journal of Information Security, 13(5), 439–452. https://doi.org/10.1007/s10207-014-0233-1

Workplace Violence: Fight it before it fights you


Matthew Day

American Military University

Contemporary Issues in Security Management

June 18th, 2017



Part I. Introduction


Workplace violence in the United States is an issue that is not talked about in broad circles or on popular media platforms very often, but it is a highly problematic event that plagues American businesses and workers yearly. Not only does workplace violence affect employees physically, but it also affects them mentally as fear or a lack of assurance starts to set in. All these emotions lead to a lack of productivity (Emmerik, Martin, & Arnold, 2007), which eventually leads to fewer profits for the company. This is why every company needs to have a workplace violence program in effect at their organization, to make sure crisis management is adhered to and possible threats are averted before anything can happen. With proper programs, policies, and training, it is feasible to lessen the likelihood of workplace violence and create a better and safer work environment for employees.

Several incidents that have gained national attention in the past decade have brought workplace violence to the forefront of business, such as the 2009 downtown Orlando shooting, where Jason Rodriguez entered his former employer's office building with a handgun, killed one and shot five others (Orlando Sentinel Staff, 2009). A more recent case, that of Cedric Anderson, who walked into his estranged wife's classroom in San Bernardino, California and murdered her and a student, injuring one more (Fernandez, 2017), has also stirred up thoughts on workplace violence. Dallas was even shaken by workplace violence when a former employee walked into an office building and murdered his former boss in front of other employees (Fox News Staff, 2017). The latter two cases were just in April of 2017, and these were just the homicides; they do not account for the assaults or threats that go on every day in office buildings, hospitals, retail establishments, or other environments around the country.

Work Environment

The work environment can be a daunting place for clashing personalities. It is built on a hierarchical platform where executives receive excellent benefits for perceived little work and line workers receive reduced benefits for hard work. Mix this with poor management, and it could be a disaster waiting to happen for many reasons; in the context of workplace violence, a healthy work environment is imperative.

A company's work environment is its basis for creating the ideas and production behind its profits. If the environment is not beneficial to the employee, it hinders employees from doing productive and profitable activities (Amabile et al., 1996). If office space is overpacked or not organized correctly, it is going to affect the overall productivity of each staff member, and profits will likely decline. The same applies to workplace violence and other safety issues. If employees do not feel safe at work, their productivity will drop. Employees need a safe space where they can open their minds to do their jobs, with safety the last thing on their minds.


Workplace violence has a vast history in the United States and around the world. Any time human beings are connected to an environment, there are going to be conflicts. Add personal feelings, personal finances, relationships, and strong emotions to the picture, as in society at large, and it is fuel for violence. Even though most people think of workplace violence as the “employee who went postal”, most incidents of workplace violence are simple assault & battery, verbal threats, and harassment (Dillon, 2012).

These types of cases happen more than we often like to think about in the United States. It is estimated that over half of all U.S. companies that have over 1,000 employees experience cases of workplace violence (Dillon, 2012). The retail industry is hit the hardest by workplace violence with 944 victims of homicides from 2003-2008 (Northwood, 2011). However, in these cases, the majority of incidents, 77%, were accompanied by robberies (Northwood, 2011).

In 2005, a survey conducted by the U.S. Bureau of Labor Statistics showed a much higher rate of co-worker workplace violence in State Government sectors (Fig. 1) than in any other sector (Bureau of Labor Statistics, 2006). This survey showed that State Governments led workplace violence across the board, in every category. The same study revealed that over 30% of private companies with at least 1,000 employees (Fig. 2) saw violence from co-workers and approximately 25% saw domestic violence (Bureau of Labor Statistics, 2006).

[Fig. 1: chart from Bureau of Labor Statistics (2006); image not reproduced]

[Fig. 2: chart from Bureau of Labor Statistics (2006); image not reproduced]

Still, workplace shootings are a deep fear due to the national spotlight they capture. In 2010 there were 405 workplace shootings across the U.S., 295 occurring in non-retail environments (Bureau of Labor Statistics, 2013). It is estimated that in companies with over 1,000 employees, 70% do not have workplace violence programs to address this threat (Dillon, 2012). Not having programs, or simply having incidents of workplace violence, significantly increases employee turnover and lowers morale, among other things (Bureau of Labor Statistics, 2006).

Part II. Identifying the Threat

Threats & Assessments

There are several ways threats can be made: direct, indirect, passive, aggressive, etc. Threats can come from telephone calls or emails, even via third-person notifications. In this day and age, society seems to be living on edge, and people can often say things they sometimes don't mean, which is why it is essential to take all threats seriously; all of them need to be assessed.

Assessing each threat will not only help the victim of the threat feel at ease; it will also allow the company to determine the likelihood of the threat. A threatening communication is a message that states, or merely implies, that some harm is going to come to someone else (O'Hair, Bernard, & Roper, 2011). People who mean to do harm do not usually threaten their intended targets in person; they tend to place threats elsewhere (O'Hair et al., 2011). This typically makes it difficult for most organizations to assess threats, because they focus on aggressive individuals who threaten people to their faces, but as few as one-third do that (O'Hair et al., 2011).

Two-thirds of attackers tell others about their plans to attack or harm individuals (O'Hair et al., 2011). Most of these interactions are with family, friends, other co-workers, or other people whom the attacker trusts to some degree. In this era of social media, attackers will many times post threats on their social media accounts before they act (O'Hair et al., 2011). This has been seen a lot lately in terrorism; in the Ohio State University incident, the suspect posted on his Facebook that he was “sick and tired” of seeing fellow Muslims “killed and tortured” (Grinberg & Prokupecz, 2016). Likewise, in the Orlando, Florida shooting the suspect pledged his allegiance to ISIS (CNN Wire, 2016). The majority of attackers also do not react emotionally (Harris & Lurigio, 2012), meaning they do not immediately attack after being angered but typically take a certain amount of time to think about their attack. This is when the attacker makes online threats or talks to friends and family, and when others will see a change in the attacker's personality, often called “warning signs” (Harris & Lurigio, 2012).

When conducting threat assessments on individuals, it is vital not to look only at singular events. People can react differently to news than others based on their life experiences, culture, religion, or even mental illness if applicable (O'Hair et al., 2011). It is important to gauge past and present actions and calculate the threat in a contextual sense rather than an instinctual one (O'Hair et al., 2011). Once a threat assessment is completed, proper action can be taken, whether it be employee assistance programs, dismissal, or nothing at all.

RAM Teams

More and more companies are implementing conflict management teams inside their operations to deal with workplace violence threats. As more cases evolve on the national level, employee fear rises and creates anxiety that can handicap the activities of the business. Conflict management can be described as using interpersonal or diplomatic skills to relieve conflict between people (Godiwalla, 2016). This takes exceptional skills, which many managers do not have. Managers are in most cases undertrained to adequately manage conflicts on a routine basis, even a standard argument between two employees, let alone an employee who is having thoughts of committing workplace violence.

This is why companies have begun to create specialized teams to handle perceived conflicts beyond the usual arguments. These groups are typically referred to as the Risk Assessment & Management Team, or “RAM” (Kenny, 2010), and they are highly trained in conflict management along with threat and risk assessments. These teams can work with line supervisors to properly train them on conflict management and run programs within the company, such as an anonymous hotline for threats or some other anonymous notification system.

The RAM team's responsibility is ultimately to identify and mitigate the risk of workplace violence (Kenny, 2010). They do this through the identification of early warning signs, patterns, and trends in possible individuals, then try to mitigate the risk by defusing the situation, through employee assistance, or through some other program (Kenny, 2010). The point of the RAM team is to be the backbone of the company when it comes to workplace violence; depending on the size of the enterprise, it could be anything from a part-time team to an entire department for an international corporation.

The other responsibilities of the RAM team should be to advise stakeholders regarding policies and procedures when it comes to workplace violence. Executive management should give RAM team members the authority to do their job without interference from other supervisors, and that authority must be written into policy. Because early intervention is crucial to stopping workplace violence (Kenny, 2010), RAM must have a close and trusted relationship with all employees within the company. RAM members must be trusted with confidential information from employees and with sensitive information about employees.

Part III. Mitigating the Threat

Security Design

A mitigating factor for workplace violence can be the overall security design of the facility. A proper security design can affect the mindset of a potential attacker and prevent an attack (Tseng, Duane, & Hadipriono, 2004). Specific environmental factors can be set up to destabilize a possible attacker’s decision-making ability and cause them to re-think their plan. This can delay the attack, creating the time needed for witnesses to observe the attacker and notify the right personnel, or it can cause the attacker to cancel the attack altogether (Tseng et al., 2004).

This practice is referred to as Crime Prevention Through Environmental Design and is typically applied during the design phase of a facility. There is also an economic theory referred to as rational choice theory. Rational choice theory holds that when a human has all the information they need about multiple options, strategies, costs, benefits, and so on, they will choose the one that best meets their needs using all the information they have (Meyer, 2012). This means humans are typically self-serving and tend to think rationally about the best choice for themselves. An example of this would be when people go shopping for a new sofa: they are presented with many options, and the majority of individuals gather information and compare it with what they know about their financial lives, bills, savings, and so on. They then make the most “rational choice” about which sofa they can afford.

However, most would assume an attacker who is coming to harm someone is already in some altered mental state. There is a substantial likelihood the adversary is not able to cognitively process information and make rational choices. However, studies have shown that most workplace violence offenders plan their attacks over time (O’Hair et al., 2011), so the chance of a more rational mind is increased. Research suggests that offenders who do not act spontaneously, unlike, for example, a road rage incident, can still think rationally.

Thinking about all of this, why do people sometimes buy the expensive sofa that puts them in grave debt? It is something many people have done, and it is something the security environment of a facility needs to induce in potential attackers. A well thought out security environment should provide obstacles to anyone looking to cause harm, forcing someone with evil intentions to make irrational choices in order to continue. Having access control systems in place, longer walkways in public view, or forced interaction with other people will more than likely push the attacker into irrational choices, which will lead either to delaying the offender or to an environment where the attacker is deterred from committing the act.

The security environment plays a vital role in all potential attacks on a facility, but in particular in workplace violence incidents. Just like conflict management, immediate interception and displacement can often produce significant rewards. Creating an environment that offers access to employees with the correct credentials but requires unauthorized individuals to make irrational choices to enter will make the facility a safer place. When people make irrational choices they often become more stressed and end up making mistakes, putting themselves in dangerous situations that lead to adverse outcomes for their ultimate objectives.


Training employees is a crucial factor in preventing workplace violence. Whether the company needs to hire outside resources or can use support from within to train its employees, providing adequate knowledge of what to do can save lives and the company. One form of training that should be conducted is what to do in the case of an emergency situation such as an active shooter. Another form should be on how to identify co-workers who may be presenting early signs of problems.

All of the training should lead into how employees can report issues they notice. They should be able to report these matters quickly, and signage should be posted around the facility as a reminder. Another part of the training should inform them of the resources the company offers to assist them if they are going through difficulties. Emphasis should be placed on the confidentiality of these resources, and both information packets and signage should be provided.

This training should be provided during orientation of new employees to familiarize them with this information, and current employees should be required to take a short refresher course on the company resources every couple of years. Emergency response training should be held yearly and repeated whenever modifications are made to the facility, so employees are familiar with the layout of the environment and any evacuation plans that are set forth. Precautions should be taken when employees are let go, since an ex-employee might know these evacuation plans and set traps for evacuating employees.

Work Programs

One of the primary programs a company must have to fight workplace violence is an Employee Assistance Program or EAP. These programs are workplace resources designed to assist employees with problems impacting work performance (Hardison Walters et al., 2012). EAPs are also a cost-saving measure for companies, saving them anywhere from $5.00-$16.00 in healthcare investment cost for every dollar spent on the program (Carchietta, 2015). The EAP has been in use for a while and has been a success. However, employees do need to know about the benefits and confidentiality of its use. When EAPs were first introduced they only covered issues like substance abuse; now they include many more issues, including mental health, intimate partner violence, financial issues, and more (Carchietta, 2015).

When it comes to workplace violence, ex-employees are not the only threat. Domestic violence, dating violence, and inter-office arguments can lead to violent acts in the workplace. Having an active EAP makes it possible to mitigate these risks. People go through hard times throughout their lives, and having a company that will stand with them and offer confidential assistance will mean a lot to them and lower the chance of violence in the workplace. These programs, although confidential, should share information about specific issues such as domestic and dating violence among only a select few individuals.

Another program that should be in place is a hotline and email contact site that employees can use anonymously to report suspicious behavior by other employees. This program should be handled with caution, with access restricted to a select few on the RAM team. All of these programs should be marketed well within the work environment. Branding the EAP and hotline is key to having employees reach out for help (Carchietta, 2015).

Financial Loss from Workplace Violence

The cost of workplace violence is immense, not only in human life and the psychological toll it takes, but also in the financial toll it takes on a company. Workplace violence can be compared financially to sexual harassment cases because of the mental strain it places on employees (Dillon, 2012). As mentioned earlier in this paper, morale within the company can drop significantly after workplace violence or even the threat of workplace violence, driving overall profit margins down (Dillon, 2012). Not dealing with conflict immediately can drive employees not only to lash out violently but also to lash out criminally in other ways, such as theft or sabotage (Dillon, 2012), or, if they are capable, theft of trade secrets.


Other than the loss of life that can potentially come with workplace violence, companies can suffer financially. Whether it is through lawsuits or adverse brand reputation, a company that has been exposed to an incident of workplace violence is guaranteed to see a loss. The only way to mitigate this loss is with a plan of action to deal with conflict and crisis before it gets to the point of violence.

Something as simple as verbal threats can have an adverse impact on employee morale: unneeded stress, lack of productivity, high turnover, and a bad name for the brand among potential recruits (Emmerik et al., 2007). Having safeguards and countermeasures in place to handle these situations will reduce the risk of violence and increase productivity for the business, creating both a win for shareholders and a safer environment for employees.

Establishing anonymous or confidential programs will help employees feel safer while at work. For anxious employees, seeing written policies and physical security measures implemented will allow some of those anxieties to fade into the background so they can stay focused on work and not on their safety. Trust that an employer will be a protector is vital to an employee’s psychological contract with the company, in which the employee believes they are giving their time and expects, at minimum, to be protected while doing so (Emmerik et al., 2007).
Amabile, T. M., Conti, R., Coon, H., … Herron, M. (1996). Assessing the work environment for creativity. Academy of Management Journal, 39(5). Retrieved from http://search.proquest.com.ezproxy2.apus.edu/docview/1840079183?pq-origsite=summon&accountid=8289

Bureau of Labor Statistics. (2006). Survey of Workplace Violence Prevention 2005. Washington, DC. Retrieved from https://www.bls.gov/iif/oshwc/osch0033.pdf

Bureau of Labor Statistics. (2013). Workplace Homicides from Shootings. Retrieved May 17, 2017, from https://www.bls.gov/iif/oshwc/cfoi/osar0016.htm

Carchietta, G. (2015). Five steps to increasing utilization of your employee assistance program. Workplace Health & Safety, (March). Retrieved from http://search.proquest.com.ezproxy1.apus.edu/docview/1730775796/fulltextPDF/48BBCCD313A04A78PQ/1?accountid=8289

CNN Wire. (2016). Orlando shooter posted to Facebook before and during nightclub attack | WGN-TV. Retrieved May 19, 2017, from http://wgntv.com/2016/06/16/orlando-shooter-posted-to-facebook-before-and-during-his-attack/

Dillon, B. L. (2012). Workplace violence: Impact, causes, and prevention. Work, 42(1), 15–20. https://doi.org/10.3233/WOR-2012-1322

Emmerik, I. J. H. Van, Martin, C., & Arnold, B. (2007). Threats of workplace violence and the buffering effect of social support. Group & Organization Management, 32(2).

Fernandez, A. (2017). California Elementary School Shooter Called Estranged Wife “Angel” on His Facebook. Retrieved May 19, 2017, from http://people.com/crime/san-bernadino-school-shooting-facebook-page/

Fox News Staff. (2017). Dallas office shooting: Man fatally shoots boss before killing himself. Retrieved May 19, 2017, from http://www.foxnews.com/us/2017/04/24/two-people-reportedly-shot-at-dallas-office-building.html

Godiwalla, Y. H. (2016). Conflict management strategies in global firms. Journal of Management Policy and Practice, 17(2), 11–18. Retrieved from http://search.proquest.com.ezproxy2.apus.edu/docview/1860725196/fulltextPDF/C75AF7CD9A424DF4PQ/1?accountid=8289

Grinberg, E., & Prokupecz, S. (2016). Ohio State University: Attacker killed, 11 hospitalized after campus attack. Retrieved May 19, 2017, from http://www.cnn.com/2016/11/28/us/ohio-state-university-active-shooter/

Hardison Walters, J. L., Pollack, K. M., Clinton-Sherrod, M., Lindquist, C. H., Mckay, T., & Lasater, B. M. (2012). Approaches used by employee assistance programs to address perpetration of intimate partner violence. Violence and Victims, 27(2), 135–147. https://doi.org/10.1891/0886-6708.27.2.135

Harris, A. J., & Lurigio, A. J. (2012). Threat assessment and law enforcement practice. Journal of Police Crisis Negotiations, 12(51), 51–68. https://doi.org/10.1080/15332586.2012.645375

Kenny, J. (2010). Risk assessment and management teams: A comprehensive approach to early intervention in workplace violence. Journal of Applied Security Research, 5(2), 159–175. https://doi.org/10.1080/19361611003601033

Meyer, S. (2012). Reducing harm from explosive attacks against railways. Security Journal, 25(4), 309–325. https://doi.org/10.1057/sj.2011.23

Northwood, J. (2011). Assaults and violent acts in the private retail trade sector, 2003—2008. Retrieved from https://www.bls.gov/opub/mlr/cwc/assaults-and-violent-acts-in-the-private-retail-trade-sector-20032008.pdf

O’Hair, H. D., Bernard, D., & Roper, R. (2011). In C. Chauvin (Ed.), Threatening Communications and Behavior: Perspectives on the Pursuit of Public Figures (p. 117). Washington, DC: National Research Council.

Orlando Sentinel Staff. (2009). Jason Rodriguez: Shooting at downtown Orlando office building leaves 5 hurt, 1 dead. Retrieved May 19, 2017, from http://articles.orlandosentinel.com/2009-11-06/news/os-shooting-reported-downtown-orlando-20091106_1_gateway-center-downtown-orlando-office-building-police-cruiser

Slate, R. (2009). Competing with Intelligence: New Directions in China’s Quest for Intangible Property and Implications for Homeland Security. Homeland Security Affairs, 5(1), 29. Retrieved from http://search.proquest.com.ezproxy2.apus.edu/docview/1266213070/fulltextPDF/3BA31AD0F0634D73PQ/1?accountid=8289

Tseng, C.-H., Duane, J., & Hadipriono, F. (2004). Performance of Campus Parking Garages in Preventing Crime. Journal of Performance of Constructed Facilities, (February), 21–28. https://doi.org/10.1061/(ASCE)0887-3828(2004)18

Exclusion Rule in the Private Sector

Matthew Day

January 22, 2017

Essay for the class “Legal Issues in Security Management”
In public law enforcement, there are several critical issues that can lead to the suppression of evidence in all types of cases, from an illegal search to an illegal seizure or even an illegally obtained statement, any of which may cause the downfall of a case. The United States Constitution sets forth the right of every American to be free from government intrusion into their private space and from seizure of their property without just cause. The 4th Amendment is arguably the most challenged legal motion in U.S. courts, but when it comes to private security, where is the line drawn? The two examples below show what may be the most challenging 4th Amendment issues for private security and how case law has ruled on them in the past.

Miranda Warnings for Private Security

In 1966, the U.S. Supreme Court heard the case of Miranda v Arizona and ruled that a person interrogated by law enforcement while in custody must be advised of their rights in regard to self-incrimination (Miranda v Arizona, 1966). This ruling set a precedent in law enforcement that forever changed the landscape of how the public police interrogated, and even spoke with, individuals they were interviewing about a crime.

However, there was not much case law in regard to private security until 1968 and the case of U.S. v Antonelli. In this case, Antonelli, a dock worker in New York City, was trying to exit Pier 90 when he was stopped by a security guard (U.S. v Antonelli, 1970). The guard requested that he open his trunk, which he did. In his trunk were thousands of dollars of imported goods, likely stolen from shipping containers. During the conversation, Antonelli requested several times that the security officer lie about the incident and say he had found the goods at the end of the pier (U.S. v Antonelli, 1970). Throughout the conversation, Antonelli confessed to the theft while being stopped and “in custody”.

At trial and on appeal, Antonelli asserted that because the security officer never read him his Miranda rights and he was in custody, the confession and seizure should be thrown out as “fruit of the poisonous tree” (U.S. v Antonelli, 1970). The court ruled that a security guard is no different from a private citizen and, since there was no government involvement during the interview or search, there was no need for Miranda warnings to be issued (U.S. v Antonelli, 1970). The court cited in its opinion Burdeau v McDowell, which states that the origins of the 4th Amendment “clearly show that it was intended as a restraint upon the activities of sovereign authority, and was not intended to be a limitation upon other than governmental agencies” (Burdeau v McDowell, 1921, p. 12). As stated in Antonelli, “The federal exclusionary rule enforcing adherence to the intendment of the Fifth Amendment, like the Fourth Amendment, has long been construed as ‘a restraint upon the activities of sovereign authority’” (U.S. v Antonelli, 1970, p. 5).

Since Miranda has been in place, it appears to have been there with the intention of protecting citizens from the public police. As with other Fourth and Fifth Amendment activities, private police are treated as private citizens. Due to the rise in the number of private security forces patrolling areas where they come into contact with more citizens, more cases will likely be challenged, and further case law will be heard and made in the realms of the seizure of people and interview/interrogation.

Stop and Frisk

With the number of private security officers growing rapidly to over 1.1 million nationwide according to the Department of Labor, issues around Terry stops, or “stop and frisk” as they are commonly known, will become more common. For public police, stop and frisk is vital to keeping officers safe as well as to finding evidence of crimes. The U.S. Supreme Court ruled in 1968 that a police officer may search a person without a warrant if that officer has a reasonable suspicion “that the person has committed, is committing, or is about to commit a crime” and a reasonable belief that the person “may be armed and presently dangerous” (Terry v Ohio, 1968). When it comes to private security, however, one must ask whether private security officers fall under the same requirements as public police officers. One case that took this head on was U.S. v Day in 2010.

Day was at an apartment complex with a friend when he got into an argument and brandished a gun. Two security officers observed this and responded by drawing their weapons and ordering Day to comply, which he did. Upon taking Day into custody, a “pat down” of the kind permitted in a Terry stop was conducted, and nothing of note was found. However, the private security officers continued to question Day while he was handcuffed, asking him about the gun and whether he had anything illegal on him, at which point he stated he had marijuana on him.

The appeals court suppressed the statements about the marijuana and the firearm, as well as the marijuana itself, because the court believed the private security officers were working on behalf of the government and should have read Day his Miranda warnings. It also held that an unconstitutional search had been conducted for the marijuana. The ACLU of Virginia assisted in the appeal and argued that the uniforms and equipment, along with state regulation of the private security officers, all made the officers a part of the government (ACLU, 2009).

However, the government appealed that decision to the District court, which overturned the ruling, stating that there was no evidence to support the claim that the private security officers were acting on behalf of the government and that they were acting as private citizens (U.S. v Day, 2010). The opinion goes on to state: “The Fourth Amendment, however, does not provide protection against searches by private individuals acting in a private capacity. United States v. Jacobsen, 466 U.S. 109, 113 (1984)” (U.S. v Day, 2010).


Both of these issues are similar in that they share the same test for whether evidence will be excluded: did the private security officer act as an agent of the government, or as a private citizen? That seems to be the dominant question in all of the case law. With the security industry growing at a rapid pace, over 52 billion being spent in the industry compared with over 30 billion spent on public law enforcement (ACLU, 2009), it is clear that more of these kinds of cases are going to come up in the future.
ACLU. (2009). Case Brief U.S. v Day. Richmond, VA. Retrieved from https://acluva.org/wp-content/uploads/2010/02/USvDayAmicus.pdf

Burdeau v McDowell, 256 U.S. 465 (United States District Court for the Western District of Pennsylvania June 1, 1921). Retrieved from https://supreme.justia.com/cases/federal/us/256/465/case.html

Miranda v Arizona, 384 U.S. (U.S. Supreme Court June 13, 1966).

Sable, M. (1972). Miranda Warnings in Other than Police Custodial Interrogations. Cleveland: Cleveland State Law Review.

Terry v Ohio, 392 U.S. 1 (U.S. Supreme Court June 10, 1968).

U.S. v Antonelli, 434 F.2d 335 (United States Court of Appeals, Second Circuit November 24, 1970). Retrieved from https://law.resource.org/pub/us/case/reporter/F2/434/434.F2d.335.220.34489.html

U.S. v Day, 08-5231 (United States 4th Circuit District Court of Appeals January 8, 2010). Retrieved from http://www.ca4.uscourts.gov/Opinions/Published/085231.P.pdf


Mitigating Industrial Espionage

American Military University

February 18, 2018

Matthew Day

Submitted in partial fulfillment of the degree requirements for the BA in Security Management



The intent of this mixed method capstone is to show how vulnerable American corporations are to industrial espionage and why security measures must be in place to mitigate the risks associated with trade secret theft. The American economy is the largest in the world, comprised of powerful multinational corporations. As a result, industrial espionage, the unlawful gain of trade secrets, has emerged as organizations attempt to stay competitive in the global marketplace. These acts of espionage have caused significant losses not only to corporations but also to the US economy, with estimates ranging from 100 billion dollars to over 500 billion dollars a year. Despite the risks associated with espionage, companies struggle to secure their intangible assets, as most firms do not have the bandwidth to deal with this issue adequately themselves and focus their security measures only on network security. Since the September 11th terrorist attacks, the United States Government, with efforts headed by the Federal Bureau of Investigation, has concentrated most of its resources on protecting against acts of domestic terrorism and little on preventing industrial espionage. This study used a mixed research methodology to gauge the risk, mitigation strategies, and contingency plans for a massive loss event.


Business is a never-ending game with a continuous revolution of players. For companies to be successful, they must engage in robust and well-planned strategies utilizing strategic data analysis when searching external and internal environments (Porter, 1980). In business, one of the leading contributors to growth comes in the form of opportunities individual markets afford (Porter, 1980). Individual market strategies are comprised of other information including valuable data on the needs of consumers within that particular region. Therefore, to grow a robust strategy and succeed in both entering and growing in a modern business environment, companies are forced to be innovative to meet the needs of their consumers.

Competition drives businesses and inspires consumers; to be competitive, firms seek lower pricing and a more significant market share. To accomplish this, companies have been using data analytics to gain a better perspective for decision-making. Since the 1990’s, data has been ever more present in the measures businesses use to evaluate, plan, and implement their strategies across multiple markets (Rowe, 2016). With the appropriate data, a firm can analyze available information to employ a strategy that gives it an edge over its competitors (Gainor & Bouthillier, 2014). Since the mid-1990’s, methods such as business intelligence have emerged and later combined with competitive intelligence to perform the same operations; but rather than concentrating only on internal strengths and weaknesses, competitive intelligence focuses on the entire business environment.

Competitive intelligence is essential in reviewing the strengths and weaknesses of a corporation as well as the threats and opportunities of the market. Competitive intelligence analyzes these elements, adapting to innovations developed by competitors, new market products, and internal and external financial data, to get a better understanding of the environment and the competition and to ensure decision-makers are well informed before developing a strategy.

Although market data plays a crucial role in succeeding in a modern business environment, some companies go too far in their attempts to collect data on their competitors. There is an ethical standard for competitive intelligence professionals that must be followed. The Strategic and Competitive Intelligence Professionals Association has conducted extensive research on ethical conduct in collecting business information. Although there are right and wrong ways to obtain business data, the lines are not always black and white; they sometimes become mixed and turn gray. This gray area can lead to problems, as business professionals might overstep their ethical practices and move toward the illegal activities known as industrial espionage.

Adding to this dilemma, modern business and communication are dependent mainly on extensive global networks. Due to the lack of security across these networks, many large firms have an abundance of assets that are vulnerable to the industrial espionage tradecraft. With many businesses holding what are called trade secrets in the form of intellectual property, these secrets comprise a massive amount of the enterprise value of the company (GIFT, CIMA, & IPA, 2016).

With competition and the need to gain a competitive advantage over other companies becoming critical to a corporation’s health and success, both foreign and domestic firms have participated in the unethical side of competitive intelligence. One primary concern is that, as the amount of industrial espionage increases, so does the likelihood that millions, if not billions, of dollars of valuable trade secrets will become vulnerable or be stolen from modern networks. This presents a higher organizational risk for corporations, as a threat can now come from both internal and external adversaries through the use of remote access tools known as “RATs” (Rowe, 2016). If a company were to suffer a massive loss in enterprise value, American firms would be significantly impacted, as approximately ninety-eight percent of their intangible assets are typically vulnerable to some form of cybercrime (Fitzpatrick & Dilullo, 2017). One must consider how that would affect not only the company but the entire economy of the United States.

This research explores the impact of losses sustained through industrial espionage on American corporations. The research also studies mitigation strategies to lessen the probability of a significant loss event. Industrial espionage is a substantial risk for American firms, and that threat continues to grow due to advancing technology, corporations’ dependence on intellectual property, and natural business competition. If the proper mitigation strategies to combat the risk of espionage are not implemented, the impact could have massive consequences for both a firm and the economy.

Foundations for Industrial Espionage

Competition in Business

Creating shareholder wealth is the top financial priority for corporations in America (Keown, Martin, & Petty, 2017). American firms must gain actionable intelligence in several different environments to create wealth for their investors. A significant segment of a company’s decision-making capability is getting to know the needs of its selected group of consumers. Organizations often rely on gaining as much knowledge as they can to understand the needs of the customer base they are targeting and to create advantages for themselves. This type of data gathering on consumers is often referred to as marketing intelligence.

Businesses also require data to plan business strategies and to remain competitive in their markets (Porter, 1980). When entering a new marketplace, firms will often seek information to assist with strategic planning for that particular business environment. Many barriers can stand in the way of corporations looking to grow into different sectors, creating the need for departments whose sole purpose is to gather market data or intelligence. Some key areas organizations need to know and understand are: cultural dimensions, economic traits, consumer needs, market statistics, the abundance of resources, and their competitors (Porter, 1980; Gainor & Bouthillier, 2014).

Getting to know all of the information on specific markets is a difficult task and requires the skills of specialized professionals. A business is nothing more than a game, and when someone is playing a game, they need to create a strategy to win. Companies want to have as much knowledge about the market and competitors as they can in order to build a strategy. This knowledge is the foundation for building a clear, successful strategy. Strategies are mostly planned and implemented by management and decision-makers at a company (Gainor & Bouthillier, 2014). Therefore, information on the external and internal environments must be delivered to these decision-makers so they have the best chance of forming and communicating the most effective strategic plan (Gainor & Bouthillier, 2014).

Competitive Intelligence and Industrial Espionage

Since the 1990’s, the field of competitive intelligence has grown. With more companies growing to global corporations and with more data being sent and received via online communication, competitive intelligence professionals look to legally ‘spy’ on competitors to gain the most information possible regarding their competition (Gainor & Bouthillier, 2014). Competitive intelligence departments work in an arena that is public domain. These professionals play by the rules and seek open-source information to bring to decision-makers (Babaimehr & Zingir, 2016). The competitive intelligence mission is to research and find essential data on environments that could potentially give the firm a competitive advantage or streamline internal operations (Babaimehr & Zingir, 2016). However, studies have shown that depending on the competition and other market factors, competitive intelligence departments may relax their ethical and moral operations to obtain the desired data (Babaimehr & Zingir, 2016).

The critical difference between competitive intelligence and industrial espionage lies in the moral and ethical methods of gaining the information (Gainor & Bouthillier, 2014). Competitive intelligence can quickly become an illegal or immoral operation due to the nature of business competition. Methods used to procure data legally in one country may be illegal in another (Babaimehr & Zingir, 2016). Other practices may be questionable, as there are no specific legal ramifications for the methods used to procure data; however, these methods may be immoral and therefore controversial. For example, a competitive intelligence professional observes an online blog where it is known that an engineer for one of their competitors often posts. This professional uses social engineering to figure out the engineer’s blog handle and strategically discusses the new technology the engineer is working on in a blog post. Communications between the two reveal segments of proprietary information. The competitive intelligence professional knows that the competitor is inventing a new product and already has the general outline of what the new item is. On the blog, they ask strategic questions or make comments that the engineer answers without realizing they are being used. The competitive intelligence professional can now quickly put the pieces together and conclude what proprietary information the new invention uses. The engineer does not know they are being manipulated for bits of information, because the engineer did not put their work information or real name in their blog profile. However, through social engineering, the competitive intelligence professional has identified the engineer based on the information provided.

The example above represents what could be considered an unethical method of obtaining information, because the professional did not disclose who they were or where they worked. However, the competitive intelligence professional violated no laws, and all of the information received was open-access; nothing was stolen. Most firms have ethical standards and policies when it comes to gaining intelligence on competitors (Babaimehr & Zingir, 2016). However, depending on the market, the product, and the overall environment, some competitive intelligence professionals may be more aggressive in their tactics (Babaimehr & Zingir, 2016).

Because competitive intelligence and industrial espionage are so closely aligned, and because firms keep a growing number of trade secrets on a network, American organizations are substantially vulnerable to adverse events that have a massive potential for loss. In the past five years, corporations have increased their dependence on intellectual property (GIFT, CIMA, & IPA, 2016). Multinational companies like Kraft Foods (80%) and AT&T (84%) have massive amounts of their value wrapped up in intangible assets, with over 100 billion dollars at stake (GIFT et al., 2016). A large share of the intangible asset value is in the form of copyrights and patents. However, there is a sharp increase in undisclosed intangible assets that are likely trade secrets. Technology companies lead American corporations in the number of intangible assets they possess. Apple, for example, has approximately 60% of its entire enterprise value in intangible assets (GIFT et al., 2016). Of that, 98% were undisclosed intangible assets valued at 379 billion dollars (GIFT et al., 2016).

Studies by the Institute of Practitioners in Advertising and the Chartered Institute of Management Accountants, along with Brand Financial, show a massive vulnerability for American corporations due to their high dependency on undisclosed intangible assets (GIFT et al., 2016). These company valuations and the growth of cyberspace have created an opportunity for adversaries to steal these undisclosed assets, and to do it from afar. Even though internal threats remain the largest (Fitzpatrick & Dilullo, 2017), the growth of the global internet and firms’ reliance on keeping trade secrets on a network platform are creating massive vulnerabilities for corporations.

The Vulnerability of Firms

Industrial espionage has a significant financial impact on American corporations, with the typical yearly loss totaling over 100 billion dollars and some estimates reaching 600 billion dollars (Bressler & Bressler, 2015). With so many trade secrets vulnerable to theft, these numbers reflect an emerging threat to corporations and the national economy. Individually, businesses can be impacted substantially. For example, in a 1996 study, a researcher was brought in to see how secure a corporation’s trade secrets were from external sources. After only one day of attempting to penetrate the firm’s network, the researcher was able to steal over 1 billion dollars’ worth of information (Winkler, 1996). If these capabilities existed in 1996, one can only assume that the threat to a corporation’s security has intensified since.

This study is not the only one that has produced such results. Other cases involving internal employees and contractors suggest that intellectual property and trade secret theft are growing with the rise of opportunities and motivations (Bressler & Bressler, 2015; Fitzpatrick & Dilullo, 2017). In 2012, an employee was found guilty of stealing roughly 40 million dollars’ worth of trade secrets (Price Waterhouse & Create, 2014). Another example from 2012 involved an employee who gained access to source code that the company had labeled a trade secret worth 100 million dollars (Price Waterhouse & Create, 2014).

The majority of threats to firms come from internal employees who have some motivation for stealing trade secrets (Fitzpatrick & Dilullo, 2017). Previous corporate studies have found that current or former insiders account for the vast majority of trade secret thefts (Fitzpatrick & Dilullo, 2017; Price Waterhouse & Create, 2014). In this context, insiders include former and current employees, contracted employees, and supply chain vendors (Fitzpatrick & Dilullo, 2017). Based on these studies, security departments should focus the majority of their efforts on internal adversaries. However, only a small percentage of companies actively have security measures in place or look at preventing insider theft (Fitzpatrick & Dilullo, 2017).

With the increase in storage devices, insider threats do not appear to be on the downslope. As it becomes easier for an employee, contractor, or supply chain official to steal secrets, the risk of industrial espionage grows. Although insiders are the most considerable threat, they are not the only threat. Cybercrime is also a massive and growing threat (Bressler & Bressler, 2015). Most corporations have a dedicated team to prevent outside penetration of their networks (Bressler & Bressler, 2015). This is no guarantee that espionage will not occur, as the growth and use of global networks is expanding and opportunities to steal trade secrets manually are on the rise.

Preventing Industrial Espionage

Mitigation Strategies

In prior eras, industrial espionage was committed by physically stealing trade secrets or by manipulating an insider to commit the crime. However, with the rise of the internet, offenders can both remotely take trade secrets from abroad and physically take data on-site. As storage capacity grows, it is possible for one person to steal millions of dollars’ worth of intangible assets with a single thumb drive or from thousands of miles away (Rowe, 2016).

Several methods of industrial espionage have outlasted technology. Blackmail and internal theft of trade secrets are just some of the techniques that can be deployed (Benny, 2013). Seeking information fraudulently at trade shows and seducing employees into revealing valuable information are other parts of espionage tradecraft that are still utilized today (Benny, 2013). Although physically going to a location or having contact with people raises the risk for adversaries, depending on the industry this might sometimes be the only option. According to several studies, employees, contractors, and value chain members are responsible for well over sixty percent of trade secret thefts (Fitzpatrick & Dilullo, 2017). Employees and contractors are labeled the most significant threat to proprietary information (Fitzpatrick & Dilullo, 2017; Price Waterhouse & Create, 2014).

Insider theft can come in many different forms. However, based on studies, the most significant factor in insider theft has typically been employees who feel harmed by the company or who are leaving the company (Fitzpatrick & Dilullo, 2017). Sometimes an employee who holds a high-level job at a firm will be recruited by another organization, a competitor, and persuaded to download trade secrets before they leave (Price Waterhouse & Create, 2014). This method of espionage creates losses to corporations that total in the hundreds of millions of dollars every year. In 2015, Price Waterhouse completed a survey which showed internal coercion to be the most significant industrial espionage threat to a business (Bressler & Bressler, 2015).

Mitigating Insider Threats

There are several approaches that a well-defined security department can take to mitigate the risk of internal threats; one such approach involves the recruiting practices implemented by the organization. An efficient security department will work with the human resources department of a corporation to make sure employees who are hired meet a standard of ethical and moral behavior based on their employment history. Human resources can vet a candidate’s background by conducting background checks and by forming an internal investigation unit that focuses on employees, contractors, and vendors. Constant observation, training, and programs can be established to properly counter threats from internal sources.

To mitigate risks from existing employees, corporations could place controls on those who were fired or who have recently announced that they are leaving the organization. If an employee has put in their notice of resignation and has access to proprietary information, it is prudent for corporations to place restrictions on the departing employee’s access to sensitive data. Additionally, a security department can audit an employee’s history within a certain amount of time, giving them vital information regarding what the employee is viewing on a day-to-day basis. If the company tracks login information, which a firm should do for basic information security, security professionals should be able to audit that employee’s history of what the employee accessed during the suggested time frame. The security professionals should also be able to see if any proprietary information was opened or downloaded by the resigning or fired worker.
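One way to implement the departing-employee audit described above, as an added example that is not from the paper: the log format, the data labels, the `Departure` record and the sample events are all constructed assumptions. It scans an access log for a user on a departure list, keeps only events on labeled sensitive data inside the audit window, and separately flags events after the notice date, when access should already have been restricted.

```python
"""Audit access logs for departing employees (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Assumed data labels that mark proprietary information in the access log.
SENSITIVE_LABELS = {"TRADE_SECRET", "CONFIDENTIAL"}

# Constructed sample access log (assumed format):
# ISO timestamp  username  action  resource  data-label
SAMPLE_LOG = """\
2017-10-02T09:12:04 jdoe login - -
2017-10-02T09:40:11 jdoe open /eng/specs/widget_v3.docx TRADE_SECRET
2017-10-03T14:02:55 jdoe download /eng/specs/widget_v3.docx TRADE_SECRET
2017-10-03T15:10:00 jdoe open /hr/handbook.pdf PUBLIC
2017-10-04T08:30:22 asmith download /sales/q3_pricing.xlsx CONFIDENTIAL
2017-10-06T17:45:09 jdoe download /eng/src/controller.zip TRADE_SECRET
2017-10-10T11:00:00 jdoe open /eng/specs/widget_v3.docx TRADE_SECRET
"""


@dataclass
class Departure:
    notice_date: date   # day the resignation or termination was recorded
    last_day: date      # final day the account is allowed to exist


# Constructed departure list: HR tells security who is leaving and when.
DEPARTURES = {"jdoe": Departure(date(2017, 10, 5), date(2017, 10, 19))}


@dataclass
class Finding:
    user: str
    when: datetime
    action: str
    resource: str
    label: str
    after_notice: bool  # True: access should already have been restricted


def parse_log(text):
    """Split the constructed log into (timestamp, user, action, resource, label)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, label = line.split()
        events.append((datetime.fromisoformat(ts), user, action, resource, label))
    return events


def audit_departing_access(log_text, departures, lookback_days=30):
    """Return sensitive-data events by departing users inside the audit window.

    The window runs from `lookback_days` before the notice date to the last day,
    so both pre-notice collection and post-notice access are captured.
    """
    findings = []
    for when, user, action, resource, label in parse_log(log_text):
        dep = departures.get(user)
        if dep is None or label not in SENSITIVE_LABELS:
            continue
        window_start = dep.notice_date - timedelta(days=lookback_days)
        if window_start <= when.date() <= dep.last_day:
            findings.append(Finding(user, when, action, resource, label,
                                    when.date() >= dep.notice_date))
    return findings


def summarize(findings):
    """Per-user counts a security reviewer would report to HR and management."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f.user, {"opened": 0, "downloaded": 0,
                                        "after_notice": 0, "resources": set()})
        if f.action == "download":
            s["downloaded"] += 1
        elif f.action == "open":
            s["opened"] += 1
        if f.after_notice:
            s["after_notice"] += 1
        s["resources"].add(f.resource)
    return summary


if __name__ == "__main__":
    for user, s in summarize(audit_departing_access(SAMPLE_LOG, DEPARTURES)).items():
        print(user, s)
```

Any non-zero `after_notice` count means the access restriction the paragraph recommends was not applied in time; the `resources` set is the list to compare against the firm's trade secret inventory.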

Mitigating Cyber Threats

Those within and outside of corporations have been exploiting cyber vulnerabilities to steal information. A company’s network security is paramount, which is why the majority of organizations focus their security efforts on hardening their internal networks. For some corporations this focus is consumer-driven, since a breach of data containing the personal information of consumers can become a public relations crisis. However, this primarily focuses on keeping external threats out, and internal risks are not often assessed (Fitzpatrick & Dilullo, 2017). Cyber threats from internal sources are on the rise as the technology to store large amounts of data has become smaller and easier to conceal (Bressler & Bressler, 2015).

To protect their assets efficiently, a firm should already have an existing network security infrastructure with proper hardening solutions. These measures should include firewalls, virtual private networks, and an intrusion prevention system. By having a properly designed architecture, a corporation can decrease the risk of trade secrets being compromised by both internal and external adversaries.

Methods and Prevention

The profile of offenders is significant; however, deterring the crime is a substantial step where security departments can be inadequate. The foundations of industrial espionage are closely aligned with the basic principles of crime itself. Motivation, ability, and opportunity are how researchers have described what is needed to commit a crime (Cohen & Felson, 1979). With industrial espionage, motivation and opportunity are in line with the ability or target element. A target is usually already established, as it would be the affected corporation. Another aspect of why or how insiders commit industrial espionage is how they rationalize the crime (Benny, 2013). As previously stated, an employee who perceives that they have been harmed, did not get a promotion, or was even fired might attempt to steal protected data or recruit another employee. Another way one might rationalize the crime is the level of benefits the firm gives the employee. If this amount is not enough in the mind of the offender, they might view stealing and selling trade secrets as a way to get the compensation they feel they deserve.

Overall, the methods used by spies to commit industrial espionage have not changed a lot in the last several decades. The one area where industrial espionage has changed is in the access, or “opportunity” to steal information. The rise in cyberspace, technology, and the growing amount of intellectual information stored by corporations digitally have made them more vulnerable (Bressler & Bressler, 2015).

It is essential that firms look at both their network security and physical security when developing mitigation strategies to prevent trade secret theft. Controlling access to areas that store proprietary information is a significant step. However, businesses must conduct proper risk analyses on all of their infrastructure, including physical premises, internal employees, the supply chain, and corporate networks, to ensure that the firm is secure with the lowest number of vulnerabilities. The risks organizations find through the risk analysis framework need to be treated by countermeasures, insurance, training, or some other form of risk treatment.

Legal Environment of Industrial Espionage

Trade secrets are defined as any proprietary information that has economic value (Fitzpatrick & Dilullo, 2017; McCollum, 1996). Depending on the law, different elements are required to make proprietary information a trade secret. Most regulations require trade secrets to have reasonable protections in place that keep them hidden from the general public (Fitzpatrick & Dilullo, 2017). Another element of a trade secret is that it must give, or have the potential to give, the firm economic value. Whether the value is in competitiveness, innovation, or an actual dollar amount, the data must offer a financial benefit to the company (Fitzpatrick & Dilullo, 2017).

Most companies that have security measures against espionage in place make it known which data is a trade secret and place reinforcing security obligations directly on the employee (Fitzpatrick & Dilullo, 2017). These obligations can be nondisclosure agreements or contracts that stipulate how to handle valuable information that is not available to the general public. There is a long history of case law supporting the protection of trade secrets. As far back as the days of the Roman Empire, courts applied protections to proprietary information not available to the public (Fitzpatrick & Dilullo, 2017). More recently, the very first case law protecting trade secrets in the United States was in 1837. Vickery v Welch (1837) was a case in which the ownership of a chocolate recipe was disputed. The Massachusetts courts ruled that the recipe was an intangible business asset that gave the firm economic value before the recipe was stolen (Fitzpatrick & Dilullo, 2017).

In the early 1900s, as business started to grow throughout the United States, more courts were issuing rulings that involved trade secrets. In 1985, the Uniform Trade Secrets Act (UTSA) passed, which provided civil litigation opportunities for firms who had proprietary information stolen (Fitzpatrick & Dilullo, 2017). A majority of the states use the UTSA as a foundation for writing their state laws regarding trade secrets and theft. It was not until 2016, when the Defend Trade Secrets Act (DTSA) was implemented, that firms were allowed to bring civil cases in a federal court rather than state courts (Fitzpatrick & Dilullo, 2017).

In 1996, Congress passed the Economic Espionage Act, which gave law enforcement more ability to criminally prosecute offenders of trade secret theft (McCollum, 1996). This act did assist in prosecutions for the theft of trade secrets, and according to legal studies, prosecutions have doubled every five to seven years since the implementation of the Economic Espionage Act (Fitzpatrick & Dilullo, 2017). The Federal Bureau of Investigation has seen a significant rise in espionage investigations since the Act, primarily attributed to the increase in cybercrime methods (Fitzpatrick & Dilullo, 2017).

Several large corporations have been targeted for trade secret theft, including Ford Motor Company, Dupont, Motorola, Boeing, Cisco, and several others (Fitzpatrick & Dilullo, 2017; Rowe, 2016). Other forms of legal regulation exist to protect businesses and allow them to seek retribution. One such law is the Computer Fraud and Abuse Act, which protects organizations from people intentionally causing harm to the company through the use of computer code or any program connected to the internet (Banks, 2017). Even with all of the laws passed, there have been questions regarding the ability to criminally prosecute foreign adversaries. The Federal Bureau of Investigation has extraterritorial rights to prosecute foreign perpetrators of industrial espionage; however, depending on the location, these convictions can be tricky (Rowe, 2016). International law cannot adequately mitigate these threats or offer punishment of foreign offenders (Rowe, 2016).


The world faces an epidemic of security problems on any given day. World history has shown kingdoms and societies fall and empires break apart. Seemingly unbreakable nations shatter, leaving millions hungry, weak, and insecure. This has led countries to adopt policies to treat these risks and threats. The history of America and American firms starting to visualize and plan for more in-depth security programs began during the early twentieth century and continued for over fifty years, changing with the times and threats. However, it was not until the turn of the millennium that everything changed with respect to national security.

September 11th, 2001 will never be forgotten in history. It is the day on which the United States of America entered a new era of security. September 11th changed the way American corporations made their decisions about preserving their assets, and a new process of organizing and strategy was going to be needed. With the September 11th attacks on a privately-owned building and the rise of global communication, businesses were required to expand their security strategies. On the one hand, the growth in communications meant companies could develop their market knowledge more easily through units such as competitive intelligence. On the other hand, they had to defend themselves more creatively, because the opportunity to steal inside proprietary information became easier.

What has not changed since the rebirth of corporate security is the level of competitiveness around the world; corporations still need to enter marketplaces and stay competitive. Competitors are required to gain as much data as possible so that executives can make the best decisions possible for the company. This has led to more cases of trade secrets being stolen globally. A prime assailant in corporate espionage is other countries that want to grow their economy the easy way. However, due to the nature of competition, companies were also targeting their competitors in an attempt to both gain an advantage and build.

Industrial espionage has been around for centuries. Growing technology and an increase in global competition are making this threat more substantial and more accessible to commit. Companies are taking massive losses due to industrial espionage, and research has shown that little focus has been put on counter-espionage strategies (Fitzpatrick & Dilullo, 2017). Companies are upgrading their networks and defense mechanisms to prevent external adversaries. However, studies show that firms are not making the effort to focus on internal offenders, who are the primary offenders.

Businesses are also placing more proprietary information in a digital format, which makes it easier for either insiders or outsiders to steal. Surveillance equipment that was thought to be available only to government spy agencies is now readily available for purchase by the general public (Banks, 2017). Issues such as these are creating a threat that has the potential to increase losses due to industrial espionage. In the modern era of competitive business, especially if the market is particularly competitive, it is essential that companies identify threats and vulnerabilities and then take measures to reduce the likelihood of industrial espionage.

Business competitiveness will never go away; however, the security industry can do more to mitigate organizational risk by creating counterintelligence units, training programs, employee awareness, and other mitigation strategies.


Babaimehr, H., & Zingir, M. F. (2016). Competitive intelligence impact on ethical behavior: Evidence from Melli bank staff. International Journal of Management Research & Review, 6(510), 2249–7196.

Banks, W. C. (2017). Cyber espionage and electronic surveillance: Beyond the media coverage. Emory Law Journal, 66(3), 513–525.

Benny, D. (2013). Developing a counterespionage program. In Industrial espionage. CRC Press.

Bressler, M. S., & Bressler, L. (2015). Protecting your company’s intellectual property assets from cyber-espionage. Journal of Legal, Ethical and Regulatory Issues, 18(1), 21–34.

Fitzpatrick, W. M., & DiLullo, S. (2013). International trade secret protection: Global issues and responses. Competition Forum, 11(2), 21–46.

Gainor, R., & Bouthillier, F. (2014). Competitive intelligence insights for intelligence measurement. International Journal of Intelligence and Counterintelligence, 27(1), 590–603. https://doi.org/10.1080/08850607.2014.900299

GIFT, CIMA, & IPA. (2016). Global intangible financial tracker. London, UK.

Javers, E. (2011). Secrets and lies: The rise of corporate espionage in a global economy. Georgetown Journal of International Affairs, 12(1), 63–60.

Keown, J., Martin, J., & Petty, W. (2017). Foundations of finance. (A. D’Ambrosio, Ed.) (9th ed.). Boston, MA: Pearson Education, Inc.

McCollum, B. (1996). H.R.3723 – 104th Congress (1995–1996): Economic Espionage Act of 1996. Washington, D.C.: House of Representatives.

Office of the DNI. (2011). Foreign spies stealing US economic secrets. Director of National Intelligence. Washington, DC.

Porter, M. E. (1980). Competitive strategy: Techniques for analyzing industries and competitors. New York, NY: The Free Press.

Price Waterhouse & Create. (2014). Economic impact of trade secret theft: A framework for companies to safeguard trade secrets and mitigate potential threats.

Rowe, E. A. (2016). Rats, traps, and trade secrets. Boston College Law Review, 57(1), 381–426.

Slate, R. (2009). Competing with intelligence: New directions in China’s quest for intangible property and implications for homeland security. Homeland Security Affairs, 5(1), 29.

Winkler, I. S. (1996). Case study of industrial espionage through social engineering. Carlisle, PA.

You, I., Lenzini, G., & De Santis, A. (2017). Guest editorial special issue on insider threats to information security, digital espionage, and counter-intelligence. IEEE Systems Journal, 11(2), 371–372. https://doi.org/10.1109/JSYST.2017.2658258