Detecting Insider Attack from Behavioral and Organizational Approach

With alteration in many activities to digital procedures comes vulnerability. Cyber-attack risk keeps increasing for individuals and businesses. One of the attacks that could occur inside companies or organizations is an “Insider Attack”. Due to the complexity of human factors, this issue is mainly dealt with and discussed in previous studies through a technical approach. This research aims to find the correlation between the possibility of insider attacks with behavioural and organizational factors. To evaluate the difference in practice between different business sectors in Indonesia. The data were collected through semi-structured interviews with people from diverse work backgrounds conducted online. The interview was recorded and transcribed manually. The data analysis was done using tables to help the coding and correlating variable process. This research is supposed to determine the most impactful factor based on people’s views. Possible gaps were found between theories and what happened in the practice of the company or organization. This research outcome intends to give information to future research and serve as a reference to businesses and organizations about current development and gaps in a business environment.Keywords: Digitalization Risk, Cyber Security, Cyber attack, Insider Attack, Behavioural and Organizational Factors, Gaps, Prediction, Prevention

Organisational vulnerability to intentional insider threat

In recent times there has been a spate of reporting on the counterproductive behaviour of individuals in both private and public organisations. As such, research into insider threat as a form of such behaviour is considered a timely contribution. The Australian Government now mandates that public sector organisations protect against insider threat through best practice recommendations and adopting a risk management approach. Whilst non-government organisations and private businesses are less accountable, these organisations can also benefit from the efficiencies, performance, resilience, and corporate value associated with an insider threat risk management approach. Mitigating against Intentional Insider Threat (IIT) is an organisational priority which requires new ways of thinking about the problem, especially in terms of a multidisciplinary approach that holistically addresses the technical, individual, and organisational aspects of the problem. To date, there has been limited academic and practical contribution and a dearth of literature providing recommendations or practical tools as a means to mitigate IIT. The purpose of this study is to develop a set of diagnostic inventories to assess for Organisational Vulnerability to Intentional Insider Threat (the OVIT). In order to achieve this overall purpose, the study sought to answer three research questions: Research Question 1: What are the main organisational influences on Intentional Insider Threat (IIT) based on available literature? Research Question 2: What are the main organisational influences on IIT based on expert opinion? Research Question 3: How is organisational vulnerability to IIT operationalised by the study? The methodology adopted by the study assumes a pragmatist paradigm and mixed methods design. There were three phases to this research: - Phase One - a thorough review of the extant literature to determine the status of research and applied knowledge and identify factors and variables of IIT. - Phase Two - conduct of a Delphi study to gather expert opinion on IIT and combine this professional knowledge with the literature review outcomes to enhance the factors and variables associated with IIT. - Phase Three - operationalise IIT diagnostic instruments utilising multivariate statistical techniques to determine the validity of the inventories and develop a framework of organisational vulnerability to IIT. Qualitative and quantitative analysis procedures were used throughout the research. The final survey data of phase three was analysed using multivariate statistics. The results from Exploratory Factor Analysis (EFA) demonstrate the underlying factors of each of the three dimensions (individual, technical, and organisational) which operationalise the construct of organisational vulnerability to IIT. The exploratory results indicate that diagnostic inventories of organisational vulnerability to IIT can validly and reliably measure each of the three dimensions. These were triangulated with the Delphi panel results and indicated alignment while further developing the IIT construct. A reflection on additional contributions is an important aspect of pragmatic research. The literature available on insider threat highlights the emerging focus on the topic. Gaps in the literature indicate a number of limitations which were addressed in the current research beginning with the development of a conceptual framework illustrating the relationships of the construct, dimensions, and factors of organisational vulnerability to IIT. Whilst this work-based study had three very specific research questions to operationalise IIT, additional contributions from the research emerged as follows: The research enhanced knowledge through: (1) study of IIT from an Australian perspective, utilising Australian expert opinion and Australian samples; (2) demonstration of the utility of the Delphi method in the study and further development of the insider threat construct; (3) an Australian definition of IIT; (4) integration of risk management standards with the available literature on insider threat; and, (5) contribution to the foresight and futures study of IIT. While this research study has proved beneficial in addressing gaps in current literature, it is not without limitations. The generalisability of findings is hampered by the size and nature of an Australian sample and the study’s exploratory approach. The ability to generalise findings and assert causality is restricted in this research, and this can be overcome by undertaking future longitudinal research or other future studies based on the findings of this study

Moving from a "human-as-problem" to a "human-as-solution" cybersecurity mindset

Cybersecurity has gained prominence, with a number of widely publicised security incidents, hacking attacks and data breaches reaching the news over the last few years. The escalation in the numbers of cyber incidents shows no sign of abating, and it seems appropriate to take a look at the way cybersecurity is conceptualised and to consider whether there is a need for a mindset change.To consider this question, we applied a "problematization" approach to assess current conceptualisations of the cybersecurity problem by government, industry and hackers. Our analysis revealed that individual human actors, in a variety of roles, are generally considered to be "a problem". We also discovered that deployed solutions primarily focus on preventing adverse events by building resistance: i.e. implementing new security layers and policies that control humans and constrain their problematic behaviours. In essence, this treats all humans in the system as if they might well be malicious actors, and the solutions are designed to prevent their ill-advised behaviours. Given the continuing incidences of data breaches and successful hacks, it seems wise to rethink the status quo approach, which we refer to as "Cybersecurity, Currently". In particular, we suggest that there is a need to reconsider the core assumptions and characterisations of the well-intentioned human's role in the cybersecurity socio-technical system. Treating everyone as a problem does not seem to work, given the current cyber security landscape.Benefiting from research in other fields, we propose a new mindset i.e. "Cybersecurity, Differently". This approach rests on recognition of the fact that the problem is actually the high complexity, interconnectedness and emergent qualities of socio-technical systems. The "differently" mindset acknowledges the well-intentioned human's ability to be an important contributor to organisational cybersecurity, as well as their potential to be "part of the solution" rather than "the problem". In essence, this new approach initially treats all humans in the system as if they are well-intentioned. The focus is on enhancing factors that contribute to positive outcomes and resilience. We conclude by proposing a set of key principles and, with the help of a prototypical fictional organisation, consider how this mindset could enhance and improve cybersecurity across the socio-technical system

Determining Small Business Cybersecurity Strategies to Prevent Data Breaches

Cybercrime is one of the quickest growing areas of criminality. Criminals abuse the speed, accessibility, and privacy of the Internet to commit diverse crimes involving data and identity theft that cause severe damage to victims worldwide. Many small businesses do not have the financial and technological means to protect their systems from cyberattack, making them vulnerable to data breaches. This exploratory multiple case study, grounded in systems thinking theory and routine activities theory, encompassed an investigation of cybersecurity strategies used by 5 small business leaders in Middlesex County, Massachusetts. The data collection process involved open-ended online questionnaires, semistructured face-to-face interviews, and review of company documents. Based on methodological triangulation of the data sources and inductive analysis, 3 emergent themes identified are policy, training, and technology. Key findings include having a specific goal and tactical approach when creating small business cybersecurity strategies and arming employees with cybersecurity training to increase their awareness of security compliance. Recommendations include small business use of cloud computing to remove the burden of protecting data on their own, thus making it unnecessary to house corporate servers. The study has implications for positive social change because small business leaders may apply the findings to decrease personal information leakage, resulting from data breaches, which affects the livelihood of individuals or companies if disclosure of their data occurs

An Insider Misuse Threat Detection and Prediction Language

Numerous studies indicate that amongst the various types of security threats, the problem of insider misuse of IT systems can have serious consequences for the health of computing infrastructures. Although incidents of external origin are also dangerous, the insider IT misuse problem is difficult to address for a number of reasons. A fundamental reason that makes the problem mitigation difficult relates to the level of trust legitimate users possess inside the organization. The trust factor makes it difficult to detect threats originating from the actions and credentials of individual users. An equally important difficulty in the process of mitigating insider IT threats is based on the variability of the problem. The nature of Insider IT misuse varies amongst organizations. Hence, the problem of expressing what constitutes a threat, as well as the process of detecting and predicting it are non trivial tasks that add up to the multi- factorial nature of insider IT misuse. This thesis is concerned with the process of systematizing the specification of insider threats, focusing on their system-level detection and prediction. The design of suitable user audit mechanisms and semantics form a Domain Specific Language to detect and predict insider misuse incidents. As a result, the thesis proposes in detail ways to construct standardized descriptions (signatures) of insider threat incidents, as means of aiding researchers and IT system experts mitigate the problem of insider IT misuse. The produced audit engine (LUARM – Logging User Actions in Relational Mode) and the Insider Threat Prediction and Specification Language (ITPSL) are two utilities that can be added to the IT insider misuse mitigation arsenal. LUARM is a novel audit engine designed specifically to address the needs of monitoring insider actions. These needs cannot be met by traditional open source audit utilities. ITPSL is an XML based markup that can standardize the description of incidents and threats and thus make use of the LUARM audit data. Its novelty lies on the fact that it can be used to detect as well as predict instances of threats, a task that has not been achieved to this date by a domain specific language to address threats. The research project evaluated the produced language using a cyber-misuse experiment approach derived from real world misuse incident data. The results of the experiment showed that the ITPSL and its associated audit engine LUARM provide a good foundation for insider threat specification and prediction. Some language deficiencies relate to the fact that the insider threat specification process requires a good knowledge of the software applications used in a computer system. As the language is easily expandable, future developments to improve the language towards this direction are suggested