A multiple-perspective approach for insider-threat risk prediction in cyber-security

Currently governments and research communities are concentrating on insider threat matters more than ever, the main reason for this is that the effect of a malicious insider threat is greater than before. Moreover, leaks and the selling of the mass data have become easier, with the use of the dark web. Malicious insiders can leak confidential data while remaining anonymous. Our approach describes the information gained by looking into insider security threats from the multiple perspective concepts that is based on an integrated three-dimensional approach. The three dimensions are human issue, technology factor, and organisation aspect that forms one risk prediction solution. In the first part of this thesis, we give an overview of the various basic characteristics of insider cyber-security threats. We also consider current approaches and controls of mitigating the level of such threats by broadly classifying them in two categories: a) technical mitigation approaches, and b) non-technical mitigation approaches. We review case studies of insider crimes to understand how authorised users could harm their organisations by dividing these cases into seven groups based on insider threat categories as follows: a) insider IT sabotage, b) insider IT fraud, c) insider theft of intellectual property, d) insider social engineering, e) unintentional insider threat incident, f) insider in cloud computing, and g) insider national security. In the second part of this thesis, we present a novel approach to predict malicious insider threats before the breach takes place. A prediction model was first developed based on the outcomes of the research literature which highlighted main prediction factors with the insider indicator variables. Then Bayesian network statistical methods were used to implement and test the proposed model by using dummy data. A survey was conducted to collect real data from a single organisation. Then a risk level and prediction for each authorised user within the organisation were analysed and measured. Dynamic Bayesian network model was also proposed in this thesis to predict insider threats for a period of time, based on data collected and analysed on different time scales by adding time series factors to the previous model. Results of the verification test comparing the output of 61 cases from the education sector prediction model show a good consistence. The correlation was generally around R-squared =0.87 which indicates an acceptable fit in this area of research. From the result we expected that the approach will be a useful tool for security experts. It provides organisations with an insider threat risk assessment to each authorised user and also organisations can discover their weakness area that needs attention in dealing with insider threat. Moreover, we expect the model to be useful to the researcher's community as the basis for understanding and future research

Defense against Insider Threat: a Framework for Gathering Goal-based Requirements

Insider threat is becoming comparable to outsider threat in frequency of security events. This is a worrying situation, since insider attacks have a high probability of success because insiders have authorized access and legitimate privileges. Despite their importance, insider threats are still not properly addressed by organizations. We contribute to reverse this situation by introducing a framework composed of a method for identification and assessment of insider threat risks and of two supporting deliverables for awareness of insider threat. The deliverables are: (i) attack strategies structured in four decomposition trees, and (ii) a matrix which correlates defense strategies, attack strategies and control principles. The method output consists of goal-based requirements for the defense against insiders

A descriptive review and classification of organizational information security awareness research

Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, which were published over the last decade from 2008 to 2018, were analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding

Overcoming the insider: reducing employee crime through Situational Crime Prevention

Information security has become increasingly important for organizations, given their dependence on ICT. Not surprisingly, therefore, the external threats posed by hackers and viruses have received extensive coverage in the mass media. Yet numerous security surveys also point to the 'insider' threat of employee computer crime. In 2006, for example, the Global Security Survey by Deloitte reports that 28% of respondent organizations encountered considerable internal computer fraud. This figure may not appear high, but the impact of crime perpetrated by insiders can be profound. Donn Parker argues that 'cyber-criminals' should be considered in terms of their criminal attributes, which include skills, knowledge, resources, access and motives (SKRAM). It is as a consequence of such attributes, acquired within the organization, that employers can pose a major threat. Hence, employees use skills gained through their legitimate work duties for illegitimate gain. A knowledge of security vulnerabilities can be exploited, utilising resources and access are provided by companies. It may even be the case that the motive is created by the organization in the form of employee disgruntlement. These criminal attributes aid offenders in the pursuit of their criminal acts, which in the extreme can bring down an organization. In the main, companies have addressed the insider threat through a workforce, which is made aware of its information security responsibilities and acts accordingly. Thus, security policies and complementary education and awareness programmes are now commonplace for organizations. That said, little progress has been made in understanding the insider threat from an offender's perspective. As organizations attempt to grapple with the behavior of dishonest employees, criminology potentially offers a body of knowledge for addressing this problem. It is suggested that Situational Crime Prevention (SCP), a relative newcomer to criminology, can help enhance initiatives aimed at addressing the insider threat. In this article, we discuss how recent criminological developments that focus on the criminal act, represent a departure from traditional criminology, which examines the causes of criminality. As part of these recent developments we discuss SCP. After defining this approach, we illustrate how it can inform and enhance information security practices. In recent years, a number of criminologists have criticised their discipline for assuming that the task of explaining the causes of criminality is the same as explaining the criminal act. Simply to explain how people develop a criminal disposition is only half the equation. What is also required is an explanation of how crimes are perpetrated. Criminological approaches, which focus on the criminal act, would appear to offer more to information security practitioners than their dispositional counterparts. Accordingly, the SCP approach can offer additional tools for practitioners in their fight against insider computer crime