A commonly-held conception in the commercial world (in my experience) is that
most threats to "corporate security" come from the Internet-at-large, and
therefore being behind a firewall is a Good Thing and generally Sufficient.
Of course there are many references in the literature which dispute that
one-sided posture, and it is reasonably commonly held (again in my
experience) amongst security weenies that just as many if not more threats may
emanate from within one's organization (a university being a canonical
example), but I haven't uncovered any references that directly cite evidence
quantifying this perception.
Do any folks out there have any pointers to docs, study reports, whathaveyou
that provide quantifiable evidence about either or both external or internal
threats?
thanks,
JeffH