Who is holding the keys to your kingdom?
One in three senior IT professionals has illicitly accessed confidential information, such as payroll data, by abusing their administrative password access, according to a new survey. Almost half of those surveyed admitted that they had accessed information unrelated to their roles.
The survey of "300 senior IT professionals" was completed by Cyber-Ark, described on their website as "the leader in securing and managing privileged identities and highly-sensitive information." In other words, they're an IT-security outfit.
While the survey might surprise some, the real takeaway is that geeks are people, too. There is a rule of thumb in loss prevention that suggests:
- 20% of your employees will steal from you no matter how well you treat them, how strong your business controls are perceived to be, or even their likelihood of being caught.
- 60% of your employees will steal from you if they can rationalize it (My raise wasn't fair.) and have some expectation of getting away with it.
- 20% of your employees won't steal from you under any circumstances.
The trick is to manage those in the middle 60% and keep the first 20% out of your organization. My HR and employee relations experience suggests that this rule applies to employees' adherence to all sorts of company policies, including IT security and data confidentiality.
What's really scary about IT professionals is how the risk associated with their roles is underestimated by many employers. "These guys are professionals making good money - not petty criminals," is the common argument. Too often, they learn their lesson the hard way.
UBS PaineWebber hired this guy, Roger Duronio, as one of only 40 out of their 20,000 employees with the company's highest level of computer security clearance, which included root access to UBS' network.
What UBS didn't know, and a good background check would have revealed, is that Duronio had previous aggravated assault and burglary criminal convictions as well as a number of other criminal cases. Not someone to whom you want to give the keys to the kingdom.
After 9/11, the financial markets were in crisis and firms like UBS PaineWebber were hit hard. When Duronio's bonus was less than what he thought was fair, he quit his job in early 2002. He left behind a "logic bomb" (a computer virus) designed to cripple UBS' computer system.
That logic bomb went off on March 4, 2002, moments after the market opened. Suddenly, UBS' 2,000 Unix-based servers were offline and the company's army of 17,000 brokers was unable to make trades. Just days before the logic bomb executed, Duronio purchased stock options that would only pay out if the company's stock took a dive within 11 days, which of course it did when UBS was offline following the attack.
Duronio was sentenced last year to 97 months in federal prison for his actions. He was also ordered to repay UBS PaineWebber the $3.1 million they spent recovering from the actions of this single programmer. I doubt that they are counting on that money ever coming in.
A thorough criminal background check on Duronio would probably have cost less than $125, which must seem like a deal to UBS PaineWebber at this point.