How often is Employee Anger an Insider Risk I? Detecting and Measuring Negative Sentiment versus Insider Risk in Digital Communications

This research introduced two new scales for the identification and measurement of negative sentiment and insider risk in communications in order to examine the unexplored relationship between these two constructs. The inter-rater reliability and criterion validity of the Scale of Negativity in Texts (SNIT) and the Scale of Insider Risk in Digital Communications (SIRDC) were established with a random sample of email from the Enron archive and criterion measures from established insiders, disgruntled employees, suicidal, depressed, angry, anxious, and other sampled groups. In addition, the sensitivity of the scales to changes over time as the risk of digital attack increased and transitioned to a physical attack was also examined in an actual case study. Inter-rater reliability for the SNIT was extremely high across groups while the SIRDC produced lower, but acceptable levels of agreement. Both measures also significantly distinguished the criterion groups from the overall Enron sample. The scales were then used to measure the frequency of negative sentiment and insider risk indicators in the random Enron sample and the relationship between the two constructs. While low levels of negative sentiment were found in 20% of the sample, moderate and high levels of negative sentiment were extremely rare, occurring in less than 1% of communications. Less than 4% of the sampled emails displayed indicators of insider risk on the SIRDC. Emails containing high levels of insider risk comprised less than one percent or the sample. Of the emails containing negative sentiment in the sample, only 16.3%, also displayed indicators of insider risk. The odds of a communication containing insider risk increased with the level of negative sentiment and only low levels of insider risk were found at low levels of negative sentiment. All of the emails found to contain insider risk indicators on the SIRDC also displayed some level of negative sentiment. The implications of these findings for insider risk detection were then examined

How Often Is Employee Anger An Insider Risk II? Detecting and Measuring Negative Sentiment versus Insider Risk in Digital Communications–Comparison between Human Raters and Psycholinguistic Software

This research uses two recently introduced observer rating scales, (Shaw et al., 2013) for the identification and measurement of negative sentiment (the Scale for Negativity in Text or SNIT) and insider risk (Scale of Indicators of Risk in Digital Communication or SIRDC) in communications to test the performance of psycholinguistic software designed to detect indicators of these risk factors. The psycholinguistic software program, WarmTouch (WT), previously used for investigations, appeared to be an effective means for locating communications scored High or Medium in negative sentiment by the SNIT or High in insider risk by the SIRDC within a randomly selected sample from the Enron archive. WT proved less effective in locating emails Low in negative sentiment on the SNIT and Low in insider risk on the SIRDC. However, WT performed extremely well in identifying communications from actual insiders randomly selected from case files and inserted in this email sample. In addition, it appeared that WT’s measure of perceived Victimization was a significant supplement to using negative sentiment alone, when it came to searching for actual insiders. Previous findings ( Shaw et al., 2013) indicate that this relative weakness in identifying low levels of negative sentiment may not impair WT’s usefulness for identifying communications containing significant indications of insider risk because of the very low base rate and low severity of insider risk at Low levels of negative sentiment (Shaw et al., 2013). Although many of the “false positives” acquired in the successful search for actual insiders in this experiment were shown to be true positives for other forms of insider risk, WT still produced fairly high rates of false positives that could burden analysts, as described by the search times provided. As further research and development proceeds to address this problem, we again recommend the use of WT in an integrated multi-disciplinary array of detection methods that will serve as an initial screen to narrow the search for individuals at-risk for insider activities. The implications for insider threat research, detection and prevention are discussed

Research note: Complying with frustration, the experience of equality and diversity practitioners

The Equality and Diversity (E&D) role in Higher Education (HE) in the UK ensures that universities are compliant with equalities legislation and that they fulfil their duty to promote equality as these relate to employees and the institution as a whole. Hunter and Swan (2007) call for more research to explore how equality and diversity practitioners handle these complex and contradictory (E&D) duties (Healy et al, 2010). We also argue that, as the UK university context itself faces severe financial challenges, understanding the experiences of HE E&D practitioners/managers becomes more urgent. The purpose of the research is to explain the experience of equality practitioners in the HE context, an under-explored area of equality practice. Meyerson and Scully’s concept (1995) of the ‘tempered radical’ has been used to give us greater insight into how the challenges of this role are played out in the HE context

Brain Betrayal: A Neuropsychological Categorization of Insider Attacks

Thanks to an abundance of highly publicized data breaches, Information Security (InfoSec) is taking a larger place in organizational priorities. Despite the increased attention, the threat posed to employers by their own employees remains a frightening prospect studied mostly in a technical light. This paper presents a categorization of insider deviant behavior and misbehavior based off of the neuropsychological foundations of three main types of insiders posing a threat to an organization: accidental attackers; neurologically “hot” malcontents, and neurologically “cold” opportunists

The Insider Threat

The Insider threat is defined similarly by experts in the information technology world for businesses, but addressing the threat has not been of great focus for most organizations. Technology and the Internet have grown exponentially over the past decade leading to changes in how business is conducted. Some basic business practices remain the same; protect the organization and its customers from breach of privacy. How data is gathered, stored, and retrieved has changed. Protecting the perimeter is still important, but these changes in technology now open the doors to a new threat; one that is known but not commonly protected against; the insider. Whether intentionally, or accidentally, the insider threat needs to be incorporated into the currently used security architectures and best practices. How should an organization include the insider threat to the current architecture is the question. Changes need to be made by organizations to the current security architecture. Currently, using technology is not enough, but is still necessary. In order to make it better, considering the employee as a whole and the daily activities necessary to complete a job, as well as working with other business units as a whole needs to be included in the architecture. Behavioral traits can be considered but there are issues in privacy that also need to be considered. Monitoring can be done, but that should not be the only thing considered. Employees lack knowledge as to why actions can have a negative effect on an organization and the way to address this is education. Educating end users is necessary and should be performed regularly to keep not just the technologically inclined up to date. Without education, the current technology used will continue to keep out the intruders, but will not be effective enough to protect against intentional and accidental misuse of the organization and its networks

Assessing and mitigating the impact of organisational change on counterproductive work behaviour: An operational (dis)trust based framework.:Full Report

This report comprises the findings of CREST funded research into organisational change and insider threat. It outlines the individual, social and organisational factors that over time, can contribute to negative employee perceptions and experiences.These factors can produce a reduction in an employee’s psychological attachment to, and trust in, their employing organisation which then allows them to undertake Counterproductive Work Behaviour (CWB). CWB concerns action which threatens the effectiveness, or harms the safety of, an employer and its stakeholders.It can develop from small scale discretions (e.g., time wasting, or knowledge hiding) into serious insider threat activities (e.g., destroying systems or exchanging confidential information with malicious others). Following past research linking CWB to both organisational change and trust breach, the aim of the study was to produce a (dis)trust based framework for predicting, identifying and mitigating counterproductive work behaviour and insider threat within the context of organisational change.We posed the following research questions:1. What effect does organisational change have in relation to counterproductive work behaviour (CWB) and insider threat acts?2. What role does (dis)trust play in CWB during organisational change?3. What preventative measures can be taken by organisations to help mitigate CWB and insider threat in organisational change initiatives?To address these questions, we collected empirical data from a case study organisation undergoing change: two sets of interviews, i.) with selected managers and staff outlining the key changes in the organisation, ii.) with a range of stakeholders involved in/privy to one of three insider threat case studies in two different departments, iii.) a review of HR and security paperwork on the insider threat cases, and then, iv.) anonymous surveys of the workforce in the same two departments in which our case studies occurred. Using these methods, we explored individuals’ cognitions and emotions to understand why while some employees remain engaged, loyal and trusting during change, others become disengaged, distrusting and behave in deviant ways

Identifying Common Characteristics of Malicious Insiders

Malicious insiders account for large proportion of security breaches or other kinds of loss for organizations and have drawn attention of both academics and practitioners. Although methods and mechanism have been developed to monitor potential insider via electronic data monitoring, few studies focus on predicting potential malicious insiders. Based on the theory of planned behavior, certain cues should be observed or expressed when an individual performs as a malicious insider. Using text mining to analyze various media content of existing insider cases, we strive to develop a method to identify crucial and common indicators that an individual might be a malicious insider. Keywords: malicious insider, insider threat, the theory of planned behavior, text minin