Research and Development Initiatives Focused on Preventing, Detecting, and Responding to Insider Misuse of Critical Defense Information Systems.

Abstract: On August 16-18, 1999, approximately 40 researchers and government research sponsors involved with information system security met at RAND, Santa Monica, CA, to address and recommend technical research and development initiatives focused on mitigating the insider threat. The workshop was sponsored by NSA/R2, DARPA/ISO, and the Army Research Laboratory. Although the workshop's main purpose was to propose technical research initiatives, it was clear to all participants that enabling policies are required in order for the results of insider threat research to be effective. Policies and procedures needed to form an environment for mitigating the insider threat include: guidance and requirements for researchers from the legal and law enforcement communities regarding the attribution, collection, maintenance, processing, and storage of data in a manner that allows proper forensic analysis and a chain of custody that permits later legal prosecution; clear definitions of what constitutes "critical assets" on a system to be protected against insider misuse; clarity about the definition of an "insider"; cost/benefit analysis to help determine whether the cost of new security procedures, in dollars as well as in burden on personnel and organizations, is worth the security benefits obtained; plans for technology transfer; and support of multiple, diverse, concurrent approaches.