A Risk Management Approach to the “Insider Threat”

Recent surveys indicate that the financial impact and operating losses due to insider intrusions are increasing. But these studies often disagree on what constitutes an "insider;" indeed, many define it only implicitly. In theory, appropriate selection of, and enforcement of, properly specified security policies should prevent legitimate users from abusing their access to computer systems, information, and other resources. However, even if policies could be expressed precisely, the natural mapping between the natural language expression of a security policy, and the expression of that policy in a form that can be implemented on a computer system or network, creates gaps in enforcement. This paper defines "insider" precisely, in terms of these gaps, and explores an access-based model for analyzing threats that include those usually termed "insider threats." This model enables an organization to order its resources based on the business value for that resource and of the information it contains. By identifying those users with access to high-value resources, we obtain an ordered list of users who can cause the greatest amount of damage. Concurrently with this, we examine psychological indicators in order to determine which users are at the greatest risk of acting inappropriately. We conclude by examining how to merge this model with one of forensic logging and auditing

Outsourcing Information Technology and the Insider Threat

As one of our nation\u27s top critical infrastructures, telecommunications is an essential element of many aspects of our lives upon which we, as a society, are becoming increasingly dependent. Computers, digital telephone switches, and interconnected information technology (IT) systems impact finances, travel, infrastructure management, and missions of national defense. This research examined whether the trend in increased outsourcing of information technology systems is a significant contributing factor to a reportedly increasing amount of insider attacks. In light of changing social, global economic, and technological conditions, the paradigm in which risk analysis, management practices, and operational and personnel security practices are applied to protect information has shifted over the last decade. A comprehensive model of the discursive nature of the insider threat in the outsourced IT environment was developed using a qualitative grounded theory approach put forth by Glaser and Strauss in 1967. The theory generated by this research suggests a multidimensional real and growing threat resulting from outsourced IT as well as preconditions for continued future growth of the insider threat phenomenon

Organisational vulnerability to intentional insider threat

In recent times there has been a spate of reporting on the counterproductive behaviour of individuals in both private and public organisations. As such, research into insider threat as a form of such behaviour is considered a timely contribution. The Australian Government now mandates that public sector organisations protect against insider threat through best practice recommendations and adopting a risk management approach. Whilst non-government organisations and private businesses are less accountable, these organisations can also benefit from the efficiencies, performance, resilience, and corporate value associated with an insider threat risk management approach. Mitigating against Intentional Insider Threat (IIT) is an organisational priority which requires new ways of thinking about the problem, especially in terms of a multidisciplinary approach that holistically addresses the technical, individual, and organisational aspects of the problem. To date, there has been limited academic and practical contribution and a dearth of literature providing recommendations or practical tools as a means to mitigate IIT. The purpose of this study is to develop a set of diagnostic inventories to assess for Organisational Vulnerability to Intentional Insider Threat (the OVIT). In order to achieve this overall purpose, the study sought to answer three research questions: Research Question 1: What are the main organisational influences on Intentional Insider Threat (IIT) based on available literature? Research Question 2: What are the main organisational influences on IIT based on expert opinion? Research Question 3: How is organisational vulnerability to IIT operationalised by the study? The methodology adopted by the study assumes a pragmatist paradigm and mixed methods design. There were three phases to this research: - Phase One - a thorough review of the extant literature to determine the status of research and applied knowledge and identify factors and variables of IIT. - Phase Two - conduct of a Delphi study to gather expert opinion on IIT and combine this professional knowledge with the literature review outcomes to enhance the factors and variables associated with IIT. - Phase Three - operationalise IIT diagnostic instruments utilising multivariate statistical techniques to determine the validity of the inventories and develop a framework of organisational vulnerability to IIT. Qualitative and quantitative analysis procedures were used throughout the research. The final survey data of phase three was analysed using multivariate statistics. The results from Exploratory Factor Analysis (EFA) demonstrate the underlying factors of each of the three dimensions (individual, technical, and organisational) which operationalise the construct of organisational vulnerability to IIT. The exploratory results indicate that diagnostic inventories of organisational vulnerability to IIT can validly and reliably measure each of the three dimensions. These were triangulated with the Delphi panel results and indicated alignment while further developing the IIT construct. A reflection on additional contributions is an important aspect of pragmatic research. The literature available on insider threat highlights the emerging focus on the topic. Gaps in the literature indicate a number of limitations which were addressed in the current research beginning with the development of a conceptual framework illustrating the relationships of the construct, dimensions, and factors of organisational vulnerability to IIT. Whilst this work-based study had three very specific research questions to operationalise IIT, additional contributions from the research emerged as follows: The research enhanced knowledge through: (1) study of IIT from an Australian perspective, utilising Australian expert opinion and Australian samples; (2) demonstration of the utility of the Delphi method in the study and further development of the insider threat construct; (3) an Australian definition of IIT; (4) integration of risk management standards with the available literature on insider threat; and, (5) contribution to the foresight and futures study of IIT. While this research study has proved beneficial in addressing gaps in current literature, it is not without limitations. The generalisability of findings is hampered by the size and nature of an Australian sample and the study’s exploratory approach. The ability to generalise findings and assert causality is restricted in this research, and this can be overcome by undertaking future longitudinal research or other future studies based on the findings of this study

Development and Validation of a Proof-of-Concept Prototype for Analytics-based Malicious Cybersecurity Insider Threat in a Real-Time Identification System

Insider threat has continued to be one of the most difficult cybersecurity threat vectors detectable by contemporary technologies. Most organizations apply standard technology-based practices to detect unusual network activity. While there have been significant advances in intrusion detection systems (IDS) as well as security incident and event management solutions (SIEM), these technologies fail to take into consideration the human aspects of personality and emotion in computer use and network activity, since insider threats are human-initiated. External influencers impact how an end-user interacts with both colleagues and organizational resources. Taking into consideration external influencers, such as personality, changes in organizational polices and structure, along with unusual technical activity analysis, would be an improvement over contemporary detection tools used for identifying at-risk employees. This would allow upper management or other organizational units to intervene before a malicious cybersecurity insider threat event occurs, or mitigate it quickly, once initiated. The main goal of this research study was to design, develop, and validate a proof-of-concept prototype for a malicious cybersecurity insider threat alerting system that will assist in the rapid detection and prediction of human-centric precursors to malicious cybersecurity insider threat activity. Disgruntled employees or end-users wishing to cause harm to the organization may do so by abusing the trust given to them in their access to available network and organizational resources. Reports on malicious insider threat actions indicated that insider threat attacks make up roughly 23% of all cybercrime incidents, resulting in $2.9 trillion in employee fraud losses globally. The damage and negative impact that insider threats cause was reported to be higher than that of outsider or other types of cybercrime incidents. Consequently, this study utilized weighted indicators to measure and correlate simulated user activity to possible precursors to malicious cybersecurity insider threat attacks. This study consisted of a mixed method approach utilizing an expert panel, developmental research, and quantitative data analysis using the developed tool on simulated data set. To assure validity and reliability of the indicators, a panel of subject matter experts (SMEs) reviewed the indicators and indicator categorizations that were collected from prior literature following the Delphi technique. The SMEs’ responses were incorporated into the development of a proof-of-concept prototype. Once the proof-of-concept prototype was completed and fully tested, an empirical simulation research study was conducted utilizing simulated user activity within a 16-month time frame. The results of the empirical simulation study were analyzed and presented. Recommendations resulting from the study also be provided

TACKLING INSIDER THREATS USING RISK-AND-TRUST AWARE ACCESS CONTROL APPROACHES

Insider Attacks are one of the most dangerous threats organizations face today. An insider attack occurs when a person authorized to perform certain actions in an organization decides to abuse the trust, and harm the organization by causing breaches in the confidentiality, integrity or availability of the organization’s assets. These attacks may negatively impact the reputation of the organization, its productivity, and may incur heavy losses in revenue and clients. Preventing insider attacks is a daunting task. Employees need legitimate access to effectively perform their jobs; however, at any point of time they may misuse their privileges accidentally or intentionally. Hence, it is necessary to develop a system capable of finding a middle ground where the necessary privileges are provided and insider threats are mitigated. In this dissertation, we address this critical issue. We propose three adaptive risk-and-trust aware access control frameworks that aim at thwarting insider attacks by incorporating the behavior of users in the access control decision process. Our first framework is tailored towards general insider threat prevention in role-based access control systems. As part of this framework, we propose methodologies to specify risk-and-trust aware access control policies and a risk management approach that minimizes the risk exposure for each access request. Our second framework is designed to mitigate the risk of obligation-based systems which are difficult to manage and are particularly vulnerable to sabotage. As part of our obligation-based framework, we propose an insider-threat-resistant trust computation methodology. We emphasize the use of monitoring of obligation fulfillment patterns to determine some psychological precursors that have high predictive power with respect to potential insider threats. Our third framework is designed to take advantage of geo-social information to deter insider threats. We uncover some insider threats that arise when geo-social information is used to make access control decisions. Based on this analysis, we define an insider threat resilient access control approach to manage privileges that considers geo-social context. The models and methodologies presented in this dissertation can help a broad range of organizations in mitigating insider threats

A HOLISTIC APPROACH TO PROTECTING NATIONAL SECURITY: INTEGRATING INTELLIGENCE AND RISK MANAGEMENT TO REDUCE INSIDER THREATS

Reviewed by Thomas Stanton and Anthony Lang, this thesis explores the important question of how a combination of security intelligence and risk management could be used to address insider threats and their impact on national security. As the thesis documents, insiders threaten not only the wellbeing of employees and facilities, but also the confidentiality and integrity of sensitive information, which could be used by foreign adversaries of the United States. The first chapter recommends more systematic integration of intelligence information into security programs. The second chapter explores the role of risk management, and especially Enterprise Risk Management, in improving the effectiveness of federal security programs and organizations. The third chapter focuses directly on the problem of insider threats. It highlights the remarkable number of ways that insiders such as Edward Snowden displayed warning signs of the danger they posed to national security, long before the damage they caused occurred. It was discovered that analyzing current threat information, which makes it intelligence, enables security programs to allocate resources and deploy countermeasures more appropriately. The intelligence findings enable risk management, which is the ongoing process federal organizations use to determine how they will respond to threats. Organizations that fail to understand their threat, and subsequently impose risk-driven countermeasures, are likely to suffer consequences from attacks – many of which come from insider threats. Insiders acting against federal organizations stand to damage national security by harming people they work with, revealing defense secrets, and/or weakening international relations. The potential damage to national security can be mitigated using the holistic approach outlined throughout this thesis

Human element of corporate espionage risk management : literature review on assessment and control of outsider and insider threats

The primary purpose of this study is to determine how suitable human risk management con- trols are against corporate espionage. Information risks are ascending problem with corpora- tions all over the world. Cyber attacks are commonplace, and the attackers are often trying to compromise valuable data assets. These malicious targeted attacks are bypassing traditional information security controls; therefore, organizations are endangered by these threats. Since the traditional information security measures cannot effectively prevent trade secret thefts, companies must look for alternative remedies to mitigate the risks of corporate espionage. One eligible solution is to focus on the human element of information risks management, and thereby defeating the malicious corporate spies. This theoretical thesis aims to consolidate various sources of research literature in order to approach targeted threats from a human risk management perspective. The literature review incorporates research from various fields, such as cyber security, information risk manage- ment, corporate espionage, insider threat, and social engineering. The objective of the thesis is to merge these fields together, and identify the most suitable risk management controls against corporate espionage activities. Corporate espionage activities often include exfiltrating valuable data via Internet and information technology. Hence, the espionage activities are oc- curring in a challenging risk environment, which is introduced in this thesis. A large part of this thesis focuses on the assessment of insider and outsider threats. These threat actors are analyzed and evaluated thoroughly, focusing on the motivation and oppor- tunity of the perpetrators. The two main attack methods are social engineering and malicious insider activity. These attack methods are extremely dangerous to companies of all size, and risk management literature has largely ignored the subject. The legal ramifications to the problems are inadequate as well, since corporate espionage attacks often emanate from states with weaker legislation towards Internet crimes. However, companies can brace themselves against malicious insider activity and social engineering with careful assessment and risk management decisions. The research literature supports the view that the most effective ways to mitigate risks of corporate espionage is to control the awareness and behavior of organiza- tion s employees. The corporate espionage risks will not subside by themselves; hence, or- ganizations must reinforce their policies and data management procedures

Defense against Insider Threat: a Framework for Gathering Goal-based Requirements

Insider threat is becoming comparable to outsider threat in frequency of security events. This is a worrying situation, since insider attacks have a high probability of success because insiders have authorized access and legitimate privileges. Despite their importance, insider threats are still not properly addressed by organizations. We contribute to reverse this situation by introducing a framework composed of a method for identification and assessment of insider threat risks and of two supporting deliverables for awareness of insider threat. The deliverables are: (i) attack strategies structured in four decomposition trees, and (ii) a matrix which correlates defense strategies, attack strategies and control principles. The method output consists of goal-based requirements for the defense against insiders