An Experience Using System Dynamics to Facilitate an Insider Threat Workshop

CERT has been investigating the use of system dynamics to better understand the threat to an organization’s information technology (IT) systems posed by malicious employees or contractors of that organization. At the 2006 International System Dynamics Conference (ISDC 2006), we published a system dynamics model that was originally intended to be used as an interactive simulation in a workshop on insider threat. We believed that the model and simulation would effectively communicate the risks and mitigations involved in the insider threat problem. Through several pilots of the model-based workshop, we learned how to better use system dynamics modeling as the basis for communicating complex concepts within the insider threat domain to an audience of business and IT managers who are neither familiar with, nor interested in becoming familiar with, system dynamics modeling. This paper describes the MERIT model as well as the development and evolution of the insider threat workshop based on this model.