
    INSIDER THREAT: A CONSTANT PROBLEM WITH A CONTINUOUS APPROACH

    In 2001, the Transportation Security Administration (TSA) was created to secure all modes of transportation from external threats such as terrorists and other actors with malicious intent. Currently, the most dangerous threat to aviation security is an insider threat. What TSA can do better to address insider threats is the primary focus of this thesis. This thesis utilizes a comparative analysis to examine the insider threat programs at the Department of Defense and the Federal Bureau of Investigation in the United States and the Centre for the Protection of National Infrastructure in the United Kingdom to explore insider threat mitigation options for TSA. This thesis finds that TSA should establish a more thorough vetting of applicants and an ongoing review of current aviation employees. Accomplishing this recommendation will require multiple strategies, including establishing and strengthening partnerships to leverage expertise and maximize resources.
    Civilian, Department of Homeland Security. Approved for public release; distribution is unlimited.

    Mitigating Insider Sabotage and Espionage: A Review of the United States Air Force's Current Posture

    The security threat from malicious insiders affects all organizations. Mitigating this problem is quite difficult due to the fact that (1) there is no definitive profile for malicious insiders, (2) organizations have placed trust in these individuals, and (3) insiders have a vast knowledge of their organization’s personnel, security policies, and information systems. The purpose of this research is to analyze to what extent the United States Air Force (USAF) security policies address the insider threat problem. The policies are reviewed in terms of how well they align with best practices published by the Carnegie Mellon University Computer Emergency Readiness Team and additional factors this research deems important, including motivations, organizational priorities, and social networks. Based on the findings of the policy review, this research offers actionable recommendations that the USAF could implement in order to better prevent, detect, and respond to malicious insider attacks. The most important course of action is to better utilize its workforce. All personnel should be trained on observable behaviors that can be precursors to malicious activity. Additionally, supervisors need to be empowered as the first line of defense, monitoring for stress, unmet expectations, and disgruntlement. In addition, this research proposes three new best practices regarding (1) screening for prior concerning behaviors, predispositions, and technical incidents, (2) issuing sanctions for inappropriate technical acts, and (3) requiring supervisors to take a proactive role

    Assessing and mitigating the impact of organisational change on counterproductive work behaviour: An operational (dis)trust based framework: Full Report

    This report comprises the findings of CREST funded research into organisational change and insider threat. It outlines the individual, social and organisational factors that, over time, can contribute to negative employee perceptions and experiences. These factors can produce a reduction in an employee's psychological attachment to, and trust in, their employing organisation, which then allows them to undertake Counterproductive Work Behaviour (CWB). CWB concerns action which threatens the effectiveness, or harms the safety of, an employer and its stakeholders. It can develop from small scale discretions (e.g., time wasting, or knowledge hiding) into serious insider threat activities (e.g., destroying systems or exchanging confidential information with malicious others). Following past research linking CWB to both organisational change and trust breach, the aim of the study was to produce a (dis)trust based framework for predicting, identifying and mitigating counterproductive work behaviour and insider threat within the context of organisational change. We posed the following research questions:
    1. What effect does organisational change have in relation to counterproductive work behaviour (CWB) and insider threat acts?
    2. What role does (dis)trust play in CWB during organisational change?
    3. What preventative measures can be taken by organisations to help mitigate CWB and insider threat in organisational change initiatives?
    To address these questions, we collected empirical data from a case study organisation undergoing change: two sets of interviews, i.) with selected managers and staff outlining the key changes in the organisation, ii.) with a range of stakeholders involved in/privy to one of three insider threat case studies in two different departments, iii.) a review of HR and security paperwork on the insider threat cases, and then, iv.) anonymous surveys of the workforce in the same two departments in which our case studies occurred. Using these methods, we explored individuals' cognitions and emotions to understand why, while some employees remain engaged, loyal and trusting during change, others become disengaged, distrusting and behave in deviant ways.

    A Framework for an Adaptive Early Warning and Response System for Insider Privacy Breaches

    Organisations such as governments and healthcare bodies are increasingly responsible for managing large amounts of personal information, and the increasing complexity of modern information systems is causing growing concerns about the protection of these assets from insider threats. Insider threats are very difficult to handle, because the insiders have direct access to information and are trusted by their organisations. The nature of insider privacy breaches varies with the organisation's acceptable usage policy and the attributes of an insider. However, the level of risk that insiders pose depends on insider breach scenarios including their access patterns and contextual information, such as timing of access. Protection from insider threats is a newly emerging research area, and thus only a few approaches are available that systemise the continuous monitoring of dynamic insider usage characteristics and adaptation depending on the level of risk. The aim of this research is to develop a formal framework for an adaptive early warning and response system for insider privacy breaches within dynamic software systems. This framework will allow the specification of multiple policies at different risk levels, depending on event patterns, timing constraints, and the enforcement of adaptive response actions, to interrupt insider activity. Our framework is based on Usage Control (UCON), a comprehensive model that controls previous, ongoing, and subsequent resource usage. We extend UCON to include interrupt policy decisions, in which multiple policy decisions can be expressed at different risk levels. In particular, interrupt policy decisions can be dynamically adapted upon the occurrence of an event or over time. We propose a computational model that represents the concurrent behaviour of an adaptive early warning and response system in the form of a statechart. In addition, we propose a Privacy Breach Specification Language (PBSL) based on this computational model, in which event patterns, timing constraints, and the triggered early warning level are expressed in the form of policy rules. The main features of PBSL are its expressiveness, simplicity, practicality, and formal semantics. The formal semantics of the PBSL, together with a model of the mechanisms enforcing the policies, is given in an operational style. Enforcement mechanisms, which are defined by the outcomes of the policy rules, influence the system state by mutually interacting between the policy rules and the system behaviour. We demonstrate the use of this PBSL with a case study from the e-government domain that includes some real-world insider breach scenarios. The formal framework utilises a tool that supports the animation of the enforcement and policy models. This tool also supports the model checking used to formally verify the safety and progress properties of the system over the policy and the enforcement specifications.

    Modeling Expert Judgments of Insider Threat Using Ontology Structure: Effects of Individual Indicator Threat Value and Class Membership

    We describe research on a comprehensive ontology of sociotechnical and organizational factors for insider threat (SOFIT) and results of an expert knowledge elicitation study. The study examined how alternative insider threat assessment models may reflect associations among constructs beyond the relationships defined in the hierarchical class structure. Results clearly indicate that individual indicators contribute differentially to expert judgments of insider threat risk. Further, models based on ontology class structure more accurately predict expert judgments. There is some (although weak) empirical evidence that other associations among constructs—such as the roles that indicators play in an insider threat exploit—may also contribute to expert judgments of insider threat risk. These findings contribute to ongoing research aimed at development of more effective insider threat decision support tools

    Game of Travesty: Decoy-based Psychological Cyber Deception for Proactive Human Agents

    The concept of cyber deception has been receiving emerging attention. The development of cyber defensive deception techniques requires interdisciplinary work, among which cognitive science plays an important role. In this work, we adopt a signaling game framework between a defender and a human agent to develop a cyber defensive deception protocol that takes advantage of the cognitive biases of human decision-making using quantum decision theory to combat insider attacks (IA). The defender deceives an inside human attacker by luring him to access decoy sensors via generators producing perceptions of classical signals to manipulate the human attacker's psychological state of mind. Our results reveal that even without changing the classical traffic data, strategically designed generators can result in a worse performance for defending against insider attackers in identifying decoys than the ones in the deceptive scheme without generators, which generate random information based on input signals. The proposed framework leads to fundamental theories in designing more effective signaling schemes

    Outsourcing Information Technology and the Insider Threat

    As one of our nation's top critical infrastructures, telecommunications is an essential element of many aspects of our lives upon which we, as a society, are becoming increasingly dependent. Computers, digital telephone switches, and interconnected information technology (IT) systems impact finances, travel, infrastructure management, and missions of national defense. This research examined whether the trend in increased outsourcing of information technology systems is a significant contributing factor to a reportedly increasing amount of insider attacks. In light of changing social, global economic, and technological conditions, the paradigm in which risk analysis, management practices, and operational and personnel security practices are applied to protect information has shifted over the last decade. A comprehensive model of the discursive nature of the insider threat in the outsourced IT environment was developed using a qualitative grounded theory approach put forth by Glaser and Strauss in 1967. The theory generated by this research suggests a multidimensional real and growing threat resulting from outsourced IT as well as preconditions for continued future growth of the insider threat phenomenon.

    Towards a Conceptual Model and Reasoning Structure for Insider Threat Detection

    The insider threat faced by corporations and governments today is a real and significant problem, and one that has become increasingly difficult to combat as the years have progressed. From a technology standpoint, traditional protective measures such as intrusion detection systems are largely inadequate given the nature of the ‘insider’ and their legitimate access to prized organisational data and assets. As a result, it is necessary to research and develop more sophisticated approaches for the accurate recognition, detection and response to insider threats. One way in which this may be achieved is by understanding the complete picture of why an insider may initiate an attack, and the indicative elements along the attack chain. This includes the use of behavioural and psychological observations about a potential malicious insider in addition to technological monitoring and profiling techniques. In this paper, we propose a framework for modelling the insider-threat problem that goes beyond traditional technological observations and incorporates a more complete view of insider threats, common precursors, and human actions and behaviours. We present a conceptual model for insider threat and a reasoning structure that allows an analyst to make or draw hypotheses regarding a potential insider threat based on measurable states from real-world observations

    Obfuscation of Malicious Behaviors for Thwarting Masquerade Detection Systems Based on Locality Features

    In recent years, dynamic user verification has become one of the basic pillars for insider threat detection. From these threats, the research presented in this paper focuses on masquerader attacks, a category of insiders characterized by being intentionally conducted by persons outside the organization that somehow were able to impersonate legitimate users. Consequently, it is assumed that masqueraders are unaware of the protected environment within the targeted organization, so it is expected that they move in a more erratic manner than legitimate users along the compromised systems. This feature makes them susceptible to being discovered by dynamic user verification methods based on user profiling and anomaly-based intrusion detection. However, these approaches are susceptible to evasion through the imitation of the normal legitimate usage of the protected system (mimicry), which is being widely exploited by intruders. In order to contribute to their understanding, as well as anticipating their evolution, the conducted research focuses on the study of mimicry from the standpoint of an uncharted terrain: the masquerade detection based on analyzing locality traits. With this purpose, the problem is widely stated, and a pair of novel obfuscation methods are introduced: locality-based mimicry by action pruning and locality-based mimicry by noise generation. Their modus operandi, effectiveness, and impact are evaluated by a collection of well-known classifiers typically implemented for masquerade detection. The simplicity and effectiveness demonstrated suggest that they entail attack vectors that should be taken into consideration for the proper hardening of real organizations
