A Privacy-Preserving, Context-Aware, Insider Threat prevention and prediction model (PPCAITPP)

The insider threat problem is extremely challenging to address, as it is committed by insiders who are trusted and authorized to access the information resources of the organization. The problem is further complicated by the multifaceted nature of insiders, as human beings have various motivations and fluctuating behaviours. Additionally, typical monitoring systems may violate the privacy of insiders. Consequently, there is a need to consider a comprehensive approach to mitigate insider threats. This research presents a novel insider threat prevention and prediction model, combining several approaches, techniques and tools from the fields of computer science and criminology. The model is a Privacy- Preserving, Context-Aware, Insider Threat Prevention and Prediction model (PPCAITPP). The model is predicated on the Fraud Diamond (a theory from Criminology) which assumes there must be four elements present in order for a criminal to commit maleficence. The basic elements are pressure (i.e. motive), opportunity, ability (i.e. capability) and rationalization. According to the Fraud Diamond, malicious employees need to have a motive, opportunity and the capability to commit fraud. Additionally, criminals tend to rationalize their malicious actions in order for them to ease their cognitive dissonance towards maleficence. In order to mitigate the insider threat comprehensively, there is a need to consider all the elements of the Fraud Diamond because insider threat crime is also related to elements of the Fraud Diamond similar to crimes committed within the physical landscape. The model intends to act within context, which implies that when the model offers predictions about threats, it also reacts to prevent the threat from becoming a future threat instantaneously. To collect information about insiders for the purposes of prediction, there is a need to collect current information, as the motives and behaviours of humans are transient. Context-aware systems are used in the model to collect current information about insiders related to motive and ability as well as to determine whether insiders exploit any opportunity to commit a crime (i.e. entrapment). Furthermore, they are used to neutralize any rationalizations the insider may have via neutralization mitigation, thus preventing the insider from committing a future crime. However, the model collects private information and involves entrapment that will be deemed unethical. A model that does not preserve the privacy of insiders may cause them to feel they are not trusted, which in turn may affect their productivity in the workplace negatively. Hence, this thesis argues that an insider prediction model must be privacy-preserving in order to prevent further cybercrime. The model is not intended to be punitive but rather a strategy to prevent current insiders from being tempted to commit a crime in future. The model involves four major components: context awareness, opportunity facilitation, neutralization mitigation and privacy preservation. The model implements a context analyser to collect information related to an insider who may be motivated to commit a crime and his or her ability to implement an attack plan. The context analyser only collects meta-data such as search behaviour, file access, logins, use of keystrokes and linguistic features, excluding the content to preserve the privacy of insiders. The model also employs keystroke and linguistic features based on typing patterns to collect information about any change in an insider’s emotional and stress levels. This is indirectly related to the motivation to commit a cybercrime. Research demonstrates that most of the insiders who have committed a crime have experienced a negative emotion/pressure resulting from dissatisfaction with employment measures such as terminations, transfers without their consent or denial of a wage increase. However, there may also be personal problems such as a divorce. The typing pattern analyser and other resource usage behaviours aid in identifying an insider who may be motivated to commit a cybercrime based on his or her stress levels and emotions as well as the change in resource usage behaviour. The model does not identify the motive itself, but rather identifies those individuals who may be motivated to commit a crime by reviewing their computer-based actions. The model also assesses the capability of insiders to commit a planned attack based on their usage of computer applications and measuring their sophistication in terms of the range of knowledge, depth of knowledge and skill as well as assessing the number of systems errors and warnings generated while using the applications. The model will facilitate an opportunity to commit a crime by using honeypots to determine whether a motivated and capable insider will exploit any opportunity in the organization involving a criminal act. Based on the insider’s reaction to the opportunity presented via a honeypot, the model will deploy an implementation strategy based on neutralization mitigation. Neutralization mitigation is the process of nullifying the rationalizations that the insider may have had for committing the crime. All information about insiders will be anonymized to remove any identifiers for the purpose of preserving the privacy of insiders. The model also intends to identify any new behaviour that may result during the course of implementation. This research contributes to existing scientific knowledge in the insider threat domain and can be used as a point of departure for future researchers in the area. Organizations could use the model as a framework to design and develop a comprehensive security solution for insider threat problems. The model concept can also be integrated into existing information security systems that address the insider threat problemInformation ScienceD. Phil. (Information Systems

Organisational vulnerability to intentional insider threat

In recent times there has been a spate of reporting on the counterproductive behaviour of individuals in both private and public organisations. As such, research into insider threat as a form of such behaviour is considered a timely contribution. The Australian Government now mandates that public sector organisations protect against insider threat through best practice recommendations and adopting a risk management approach. Whilst non-government organisations and private businesses are less accountable, these organisations can also benefit from the efficiencies, performance, resilience, and corporate value associated with an insider threat risk management approach. Mitigating against Intentional Insider Threat (IIT) is an organisational priority which requires new ways of thinking about the problem, especially in terms of a multidisciplinary approach that holistically addresses the technical, individual, and organisational aspects of the problem. To date, there has been limited academic and practical contribution and a dearth of literature providing recommendations or practical tools as a means to mitigate IIT. The purpose of this study is to develop a set of diagnostic inventories to assess for Organisational Vulnerability to Intentional Insider Threat (the OVIT). In order to achieve this overall purpose, the study sought to answer three research questions: Research Question 1: What are the main organisational influences on Intentional Insider Threat (IIT) based on available literature? Research Question 2: What are the main organisational influences on IIT based on expert opinion? Research Question 3: How is organisational vulnerability to IIT operationalised by the study? The methodology adopted by the study assumes a pragmatist paradigm and mixed methods design. There were three phases to this research: - Phase One - a thorough review of the extant literature to determine the status of research and applied knowledge and identify factors and variables of IIT. - Phase Two - conduct of a Delphi study to gather expert opinion on IIT and combine this professional knowledge with the literature review outcomes to enhance the factors and variables associated with IIT. - Phase Three - operationalise IIT diagnostic instruments utilising multivariate statistical techniques to determine the validity of the inventories and develop a framework of organisational vulnerability to IIT. Qualitative and quantitative analysis procedures were used throughout the research. The final survey data of phase three was analysed using multivariate statistics. The results from Exploratory Factor Analysis (EFA) demonstrate the underlying factors of each of the three dimensions (individual, technical, and organisational) which operationalise the construct of organisational vulnerability to IIT. The exploratory results indicate that diagnostic inventories of organisational vulnerability to IIT can validly and reliably measure each of the three dimensions. These were triangulated with the Delphi panel results and indicated alignment while further developing the IIT construct. A reflection on additional contributions is an important aspect of pragmatic research. The literature available on insider threat highlights the emerging focus on the topic. Gaps in the literature indicate a number of limitations which were addressed in the current research beginning with the development of a conceptual framework illustrating the relationships of the construct, dimensions, and factors of organisational vulnerability to IIT. Whilst this work-based study had three very specific research questions to operationalise IIT, additional contributions from the research emerged as follows: The research enhanced knowledge through: (1) study of IIT from an Australian perspective, utilising Australian expert opinion and Australian samples; (2) demonstration of the utility of the Delphi method in the study and further development of the insider threat construct; (3) an Australian definition of IIT; (4) integration of risk management standards with the available literature on insider threat; and, (5) contribution to the foresight and futures study of IIT. While this research study has proved beneficial in addressing gaps in current literature, it is not without limitations. The generalisability of findings is hampered by the size and nature of an Australian sample and the study’s exploratory approach. The ability to generalise findings and assert causality is restricted in this research, and this can be overcome by undertaking future longitudinal research or other future studies based on the findings of this study

Constructions of flood vulnerability across an etic-emic spectrum

Constructions of vulnerability are varied and contested through different research traditions, such that there is no agreed definition of its meaning. In an attempt to lessen this confusion, this thesis builds upon the distinction between etic (“outsider”) and emic (“insider”) orientated research and examines the extent to which vulnerability knowledge can be aligned to this spectrum. The nature of emic-orientated research necessitates the identification of “insiders”, who are assumed to be those ‘closest’ to the issue at hand and able to offer first-hand insights based on personal experience. However, it is arguably inappropriate to assume the existence of a supposedly homogeneous group of insiders, or a definitive boundary between insiders and outsiders. Therefore, this research critically examines the notion of “insiderness” and the extent to which this influences constructions of flood vulnerability. Mixed methods are employed to elicit the perspectives of emergency professionals and the public in two socially-contrasting locations exposed to multiple flood drivers; a Bradford town in West Yorkshire (fluvial and pluvial flooding) and a town on the Isle of Wight (tidal and pluvial flooding). Contents analysis, semi-structured interviews and cognitive interviews facilitated by a GIS-based flood risk mapping tool (“KEEPER”), demonstrate the influence of professional roles, scales of decision making and phase of emergency management upon constructions of vulnerability. From this, it is argued that area-wide vulnerability assessment could benefit from more interactive and malleable forms of mapping, flexible to different place and hazard contexts, and professional needs. With residents, questionnaires, in-depth interviews and vignettes reveal evidence of hazardcentric, social-centric and existential constructions, which inform self-declared vulnerabilities. A number of variables and processes are identified as relevant for understanding the formation of these constructions. For instance, this research documents the process of othering, whereby residents distance vulnerability from the self, onto a real or illusionary “vulnerable other”. Moreover, analysis suggests that this is partly motivated amongst “insiders” by the need to preserve ontological security. At a time where flooding is set to increase and households are expected to embrace responsibility and act to mitigate risks to their properties, these findings highlight a potentially significant barrier to household resilience, especially in the context of pluvial flooding. On the basis of this research, recommendations are made for using the concept of “insiderness” to target and tailor communication and community engagement in FRM