Insiders Behaving Badly: Addressing Bad Actors and Their Actions

We present a framework for describing insiders and their actions based on the organization, the environment, the system, and the individual. Using several real examples of unwelcome insider action (hard drive removal, stolen intellectual property, tax fraud, and proliferation of e-mail responses), we show how the taxonomy helps in understanding how each situation arose and could have been addressed. The differentiation among types of threats suggests how effective responses to insider threats might be shaped, what choices exist for each type of threat, and the implications of each. Future work will consider appropriate strategies to address each type of insider threat in terms of detection, prevention, mitigation, remediation, and punishment.
