A Simulation-Based Approach to Development of a New Insider Threat Detection Technique: Active Indicators

Current cybersecurity research on insider threats has focused on finding clues to illicit behavior, or "passive indicators", in existing data resources. However, a more proactive view of detection could preemptively uncover a potential threat, mitigating organizational damage. Active Indicator Probes (AIPs) of insider threats are stimuli placed into the workflow to trigger differential psychophysiological responses. This approach requires defining a library of AIPs and identifying eye-tracking metrics that detect diagnostic responses. Since studying true insider threats is unrealistic, and current research on deception uses controlled environments that may not generalize to the real world, it is crucial to use simulated environments to develop these new countermeasures. This study used a simulated financial work environment, in which participants acted as employees reconstructing incomplete account information, under two conditions: permitted and illicit cyber tasking. Using eye tracking, participants' reactions to AIPs placed in the work environment were recorded in order to identify metrics diagnostic of insider threat.
