Ben Lund
Manager, Customer Engineering Security, Qualcomm Inc.
Michigan State University Alumnus, M.S. Criminal Justice

Christopher Logan
Security Specialist, Customer Engineering Security, Qualcomm Inc.
Michigan State University Student, M.S. Law Enforcement Intelligence and Analysis

Technological innovations continue to drive consumer demand. Tech companies now represent eight of the top 10 brands worldwide compared to three of 10 in 2007 (Brand Finance, 2017). The consumer electronics industry alone is on pace to reach $2.9 trillion in total market value by 2020 (Persistence Market Research, 2017). As product life cycles have shortened and product development cycles have sped up in this competitive environment, a market has emerged demanding information on anticipated technologies. That greater demand has given rise to a “leak culture.” A “leak” is information released to the public without the information owner’s consent. Leaks often include product specifications, product and technology roadmaps, and photos of pre-release products and features. They may also include the actual physical product in whole or in part.

Security professionals tasked with protecting intellectual property and mitigating the risk of leaks may find success in addressing undesirable behavior by analyzing the characteristics of a situation’s environment (Clarke, 1980). Influencing environmental characteristics can also decrease intentional and unintentional leaks. Part art, part science, situational crime prevention, as described in Ronald Clarke’s (1983) theoretical model, decreases undesirable behavior by incorporating measures that “involve the management, design, or manipulation of the immediate environment in a systematic and permanent way.” Cornish and Clarke (2003) identify five areas of focus for mitigating undesirable behavior:

  • Increase the effort
  • Increase the risks
  • Reduce the rewards
  • Reduce provocations
  • Remove excuses

Increase the Effort

Logically, increasing the effort required for intentional or even unintentional leaks can decrease the chance of it occurring. Increasing the effort generally refers to target product or technology “hardening,” that is, the addition of security measures to make targets more resistant to threats. Such measures may include controlling access, screening exits, deflecting wrongdoers, or controlling tools. For example, limiting access to company confidential information decreases the risk of leaks. However, overt hardening may signal the target’s importance and thus increase the risk of intentional disclosure. Solutions to this could include dedicating entire rooms where confidential information can be housed or implementing subtle security measures within shared spaces. Each option adds a layer of security that would increase the effort required to leak information.

Increase the Risks

Increasing the risk of being associated with the leak can help reduce both intentional and unintentional leaks. Extending guardianship, promoting natural surveillance, reducing anonymity for the would-be leaker, utilizing place managers, and strengthening formal surveillance all increase the risk of an individual being associated with a leak. As the chance of an individual being associated with a leak increases, the likelihood that a person would intentionally leak information decreases. Unintentional information leaks may also decrease as individuals become aware of the lack of anonymity for their actions. One way to decrease anonymity is to foster a culture of guardianship and encourage people to say something if they notice something odd. Engendering this culture of shared responsibility and accountability may also increase the perceived significance of the target product or technology—and help decrease the potential for disclosure by increasing the risk of detection.

Reduce the Rewards

Reducing the rewards of leaks focuses on the point at which the actor makes an intentional choice. Hence, this mitigation strategy works to prevent intentional disclosures. Ways to reduce rewards includes concealing or removing target products or technologies, uniquely identifying these targets, decreasing demand for the leak, and denying its benefits. Directly denying benefits of a leak could include making the information public but this would contradict a company’s goals to gain market advantage by keeping confidential business information and trade secrets hidden from competitors.

Reducing rewards of leaks can also help reduce unintentional disclosures. For example, watermarking sensitive documents, code, or hardware with unique identification may deter intentional leaks and signal the importance of the asset. This will increase its perceived value and encourage asset owners to be mindful of possible unintentional leaks.

Reduce Provocations

Changing the characteristics of an environment by reducing provocation directly affects intentional disclosures but may help prevent unintentional ones as well. General ways to reduce provocation include reducing frustration and stress, avoiding disputes, reducing temptation, neutralizing peer pressure, and discouraging imitation. For example, employees may feel the urge to retaliate against perceived unfair treatment by intentionally leaking company confidential information. Reducing provocation to retaliate in such a manner may decrease the risk of leaks. Those with legitimate access to company confidential information may feel tempted to “show off” this access to friends, family, and other coworkers by sharing company confidential information (especially in resumes or professional social media profiles like LinkedIn). Such inappropriate sharing may be reduced by encouraging and having leaders model a company culture of “I only want to know what I need to know” (to do my job).

Remove Excuses

The final way to change environmental characteristics so as to decrease the risk of leaks is to focus on the moral judgments of individuals. This, too, applies directly to intentional disclosures but may also help reduce unintentional leaks. Methods of removing excuses include setting rules, posting instructions, alerting the conscience, and assisting compliance. Removing excuses for undesirable behavior may be one of the more obvious strategies to decrease the likelihood of leaks as this may be the focus of company policy.

Setting rules for handling confidential information helps set the standard and removes any ambiguity between good and bad behavior. Posting instructions or quick reminders may help individuals remember the rules but also may signal their importance. Alerting an individual’s conscience or thinking at the decision point may help reduce intentional and unintentional disclosures. For example, a company may use an email macro to ask users if they are sure they want to send an email that may contain confidential information to persons outside the company.

One of the most important ways to decrease leaks may be in assisting employees to comply with rules and best practices. Continually ask, “How can I make rule compliance easier?” and seek out feedback regarding such. Doing this may foster cohesion between security professionals and employees working with intellectual property and confidential information.