Towards a Conceptual Model and Reasoning Structure for Insider Threat Detection

The insider threat faced by corporations and governments today is a real and significant problem, and one that has become increasingly difficult to combat as the years have progressed. From a technology standpoint, traditional protective measures such as intrusion detection systems are largely inadequate given the nature of the ‘insider’ and their legitimate access to prized organisational data and assets. As a result, it is necessary to research and develop more sophisticated approaches for the accurate recognition, detection and response to insider threats. One way in which this may be achieved is by understanding the complete picture of why an insider may initiate an attack, and the indicative elements along the attack chain. This includes the use of behavioural and psychological observations about a potential malicious insider in addition to technological monitoring and profiling techniques. In this paper, we propose a framework for modelling the insider-threat problem that goes beyond traditional technological observations and incorporates a more complete view of insider threats, common precursors, and human actions and behaviours. We present a conceptual model for insider threat and a reasoning structure that allows an analyst to make or draw hypotheses regarding a potential insider threat based on measurable states from real-world observations

Detecting insider threat within institutions using CERT dataset and different ML techniques

The reason of countries development in industrial and commercial enterprises fields in those countries. The security of a particular country depends on its security institutions, the confidentiality of its employees, their information, the target's information, and information about the forensic evidence for those targets. One of the most important and critical problems in such institutions is the problem of discovering an insider threat that causes loss, damage, or theft the information to hostile or competing parties. This threat is represented by a person who represents one of the employees of the institution, the goal of that person is to steal information or destroy it for the benefit of another institution's desires. The difficulty in detecting this type of threat is due to the difficulty of analyzing the behavior of people within the organization according to their physiological characteristics. In this research, CERT dataset that produced by the University of Carnegie Mellon University has been used in this investigation to detect insider threat. The dataset has been preprocessed. Five effective features were selected to apply three ML techniques Random Forest, Naïve Bayes, and 1 Nearest Neighbor. The results obtained and listed sequentially as 89.75917519%, 91.96650826%, and 94.68205476% with an error rate of 10.24082481%, 8.03349174%, and 5.317945236%

Novel Alert Visualization: The Development of a Visual Analytics Prototype for Mitigation of Malicious Insider Cyber Threats

Cyber insider threat is one of the most difficult risks to mitigate in organizations. However, innovative validated visualizations for cyber analysts to better decipher and react to detected anomalies has not been reported in literature or in industry. Attacks caused by malicious insiders can cause millions of dollars in losses to an organization. Though there have been advances in Intrusion Detection Systems (IDSs) over the last three decades, traditional IDSs do not specialize in anomaly identification caused by insiders. There is also a profuse amount of data being presented to cyber analysts when deciphering big data and reacting to data breach incidents using complex information systems. Information visualization is pertinent to the identification and mitigation of malicious cyber insider threats. The main goal of this study was to develop and validate, using Subject Matter Experts (SME), an executive insider threat dashboard visualization prototype. Using the developed prototype, an experimental study was conducted, which aimed to assess the perceived effectiveness in enhancing the analysts’ interface when complex data correlations are presented to mitigate malicious insiders cyber threats. Dashboard-based visualization techniques could be used to give full visibility of network progress and problems in real-time, especially within complex and stressful environments. For instance, in an Emergency Room (ER), there are four main vital signs used for urgent patient triage. Cybersecurity vital signs can give cyber analysts clear focal points during high severity issues. Pilots must expeditiously reference the Heads Up Display (HUD), which presents only key indicators to make critical decisions during unwarranted deviations or an immediate threat. Current dashboard-based visualization techniques have yet to be fully validated within the field of cybersecurity. This study developed a visualization prototype based on SME input utilizing the Delphi method. SMEs validated the perceived effectiveness of several different types of the developed visualization dashboard. Quantitative analysis of SME’s perceived effectiveness via self-reported value and satisfaction data as well as qualitative analysis of feedback provided during the experiments using the prototype developed were performed. This study identified critical cyber visualization variables and identified visualization techniques. The identifications were then used to develop QUICK.v™ a prototype to be used when mitigating potentially malicious cyber insider threats. The perceived effectiveness of QUICK.v™ was then validated. Insights from this study can aid organizations in enhancing cybersecurity dashboard visualizations by depicting only critical cybersecurity vital signs

A função do Chief Information Security Officer nas organizações

Mestrado em Gestão de Sistemas de InformaçãoNum mundo cada vez mais conectado e digital, a informação é crescentemente vista como potenciador do negócio e fonte de vantagem competitiva. Assim, a segurança de informação torna-se crítica ao proteger os ativos de informação, pelo que a estratégia de segurança organizacional tem vindo a alinhar-se com os seus objetivos de negócio. Por outro lado, as recentes alterações legais, tais como a Diretiva Segurança das Redes e da Informação e o Regulamento Geral de Proteção de Dados, vêm impor regras relativamente à privacidade e à segurança da informação, permitindo às organizações um redesenho ou ajuste dos seus processos de forma a garantir que a informação se encontra efetivamente segura. Neste contexto, o Chief Information Security Officer assume um papel de destaque na coordenação da confidencialidade, integridade e disponibilidade da informação na organização. Este trabalho pretende estudar o ambiente geral da segurança de informação nas organizações, analisar o papel do CISO, e compreender onde este deverá estar integrado na estrutura organizacional. Para tal, foram realizadas entrevistas a consultores especialistas e a pessoas com cargos diretivos nas áreas de sistemas de informação e de segurança da informação, que permitiram concluir que ainda é necessário um grande amadurecimento a nível das organizações em Portugal relativamente ao tema, e que tal poderá dever-se à ausência de uma cultura de segurança estabelecida no país. Por outro lado, o papel do CISO tem assumido uma maior relevância, sendo que é uma opinião geral que o mesmo deverá ter uma relação próxima com a administração das organizações.In an increasingly connected and digital world, information is seen as a business enabler and a source of sustained competitive advantage. Thus, information security is becoming critical so to protect these information assets, which is why the concern with organizations’ security strategy has been aligning with their strategic objectives. On the other hand, recent changes in regulation, as Network and Information Security (NIS) directive and the General Data Protection Regulation (GDPR), come to regulate and create rules when it comes to information security, and allow organizations to redesign or adjust these processes in order to ensure that information is, in fact, safe. In this context, the Chief Information Security Officer (CISO) comes to play an important role in coordinating confidentiality, integrity, and availability of information in the organization. This paper aims to study organizations’ information security environment in general, analyse the CISO’s role inside them, and understand where they should be integrated in the corporate structure. To do so, interviews were conducted on experienced information security consultants and information systems and information security directors, which allowed to conclude that organizations in Portugal still need a great amount of maturing when it comes to information security, and that this may eventually be due to the absence of an established security culture in the country. On the other hand, the CISO’s role has been increasing in relevance, being a general opinion that their relationship with organizations’ boards should be close.info:eu-repo/semantics/publishedVersio

Organisational vulnerability to intentional insider threat

In recent times there has been a spate of reporting on the counterproductive behaviour of individuals in both private and public organisations. As such, research into insider threat as a form of such behaviour is considered a timely contribution. The Australian Government now mandates that public sector organisations protect against insider threat through best practice recommendations and adopting a risk management approach. Whilst non-government organisations and private businesses are less accountable, these organisations can also benefit from the efficiencies, performance, resilience, and corporate value associated with an insider threat risk management approach. Mitigating against Intentional Insider Threat (IIT) is an organisational priority which requires new ways of thinking about the problem, especially in terms of a multidisciplinary approach that holistically addresses the technical, individual, and organisational aspects of the problem. To date, there has been limited academic and practical contribution and a dearth of literature providing recommendations or practical tools as a means to mitigate IIT. The purpose of this study is to develop a set of diagnostic inventories to assess for Organisational Vulnerability to Intentional Insider Threat (the OVIT). In order to achieve this overall purpose, the study sought to answer three research questions: Research Question 1: What are the main organisational influences on Intentional Insider Threat (IIT) based on available literature? Research Question 2: What are the main organisational influences on IIT based on expert opinion? Research Question 3: How is organisational vulnerability to IIT operationalised by the study? The methodology adopted by the study assumes a pragmatist paradigm and mixed methods design. There were three phases to this research: - Phase One - a thorough review of the extant literature to determine the status of research and applied knowledge and identify factors and variables of IIT. - Phase Two - conduct of a Delphi study to gather expert opinion on IIT and combine this professional knowledge with the literature review outcomes to enhance the factors and variables associated with IIT. - Phase Three - operationalise IIT diagnostic instruments utilising multivariate statistical techniques to determine the validity of the inventories and develop a framework of organisational vulnerability to IIT. Qualitative and quantitative analysis procedures were used throughout the research. The final survey data of phase three was analysed using multivariate statistics. The results from Exploratory Factor Analysis (EFA) demonstrate the underlying factors of each of the three dimensions (individual, technical, and organisational) which operationalise the construct of organisational vulnerability to IIT. The exploratory results indicate that diagnostic inventories of organisational vulnerability to IIT can validly and reliably measure each of the three dimensions. These were triangulated with the Delphi panel results and indicated alignment while further developing the IIT construct. A reflection on additional contributions is an important aspect of pragmatic research. The literature available on insider threat highlights the emerging focus on the topic. Gaps in the literature indicate a number of limitations which were addressed in the current research beginning with the development of a conceptual framework illustrating the relationships of the construct, dimensions, and factors of organisational vulnerability to IIT. Whilst this work-based study had three very specific research questions to operationalise IIT, additional contributions from the research emerged as follows: The research enhanced knowledge through: (1) study of IIT from an Australian perspective, utilising Australian expert opinion and Australian samples; (2) demonstration of the utility of the Delphi method in the study and further development of the insider threat construct; (3) an Australian definition of IIT; (4) integration of risk management standards with the available literature on insider threat; and, (5) contribution to the foresight and futures study of IIT. While this research study has proved beneficial in addressing gaps in current literature, it is not without limitations. The generalisability of findings is hampered by the size and nature of an Australian sample and the study’s exploratory approach. The ability to generalise findings and assert causality is restricted in this research, and this can be overcome by undertaking future longitudinal research or other future studies based on the findings of this study

Insider Threats\u27 Behaviors and Data Security Management Strategies

As insider threats and data security management concerns become more prevalent, the identification of risky behaviors in the workplace is crucial for the privacy of individuals and the survival of organizations. The purpose of this three-round qualitative Delphi study was to identify real-time consensus among 25 information technology (IT) subject matter experts (SMEs) in the Washington metropolitan area about insider threats and data security management. The SMEs participating in this study were adult IT professionals and senior managers with certification in their area of specialization and at least 5 years of practical experience. The dark triad theory was the conceptual framework used for describing behaviors attributed to reasons and motivators for insider threats in public and private organizations. The research questions pertained to reasons and motivators for insider threats in organizations, security strategies and early interventions used, and potential policies and procedures to manage insider threats’ access to systems. One open-ended survey and two closed-ended surveys were disseminated via Survey Monkey. Data analysis consisted of data reduction through consolidation, data display, and data verification. Data were analyzed through categorization and direct interpretation using a 5-point Likert agreement scale. The findings revealed consensus about reasons and motivators such as insufficient guidelines and training, lack of background investigations, and financial gain and money; security strategies and early interventions; and policies and procedures to manage insider threats’ access to systems. Overall, training was the most important element preventing insider threats. The findings may inform how organizations build safe working environments that increase employee recruitment, retention, and loyalty while reducing identity theft and increasing data security in organizations