Chronological Examination of Insider Threat Sabotage: Preliminary Observations

The threat of malicious insiders to organizations is persistent and increasing. We examine 15 real cases of insider threat sabotage of IT systems to identify several key points in the attack timeline, such as when the insider clearly became disgruntled, began attack preparations, and carried out the attack. We also determine when the attack stopped, when it was detected, and when action was taken against the insider. We found that 7 of the insiders we studied clearly became disgruntled more than 28 days prior to the attack, but 9 did not carry out malicious preparatory acts until less than a day prior to the attack. Of the 15 attacks, 8 ended within a day, 12 were detected within a week, and in 10 cases action was taken against the insider within a month. This exercise is a proof-of-concept for future work on larger data sets, and in this paper we detail our study methods and results, discuss challenges we faced, and identify potential new research directions.
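The chronological analysis described above reduces each case to a handful of dated events and then measures the intervals between them. The following Python is an added example of that bookkeeping, not code or data from the paper: the case records are constructed (their dates are invented for illustration), the field names are my own, and the interval thresholds (28 days, 1 day, 7 days, 30 days) are taken from the abstract's own buckets. Unknown events are left as `None` and excluded from a bucket rather than guessed, which is the same conservatism a case-file review needs.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class CaseTimeline:
    """Key events for one insider-sabotage case (None = not established)."""
    case_id: str
    disgruntled: Optional[datetime]    # insider clearly became disgruntled
    preparation: Optional[datetime]    # first malicious preparatory act
    attack_start: datetime             # sabotage carried out
    attack_end: Optional[datetime]     # attack stopped (impact ended)
    detected: Optional[datetime]       # organization detected the attack
    action_taken: Optional[datetime]   # action taken against the insider


def interval_days(start: Optional[datetime], end: Optional[datetime]) -> Optional[float]:
    """Elapsed days from start to end, or None if either event is unknown."""
    if start is None or end is None:
        return None
    return (end - start).total_seconds() / 86400.0


def case_intervals(c: CaseTimeline) -> Dict[str, Optional[float]]:
    """All intervals are measured relative to the attack itself."""
    return {
        "disgruntled_to_attack": interval_days(c.disgruntled, c.attack_start),
        "preparation_to_attack": interval_days(c.preparation, c.attack_start),
        "attack_duration": interval_days(c.attack_start, c.attack_end),
        "attack_to_detection": interval_days(c.attack_start, c.detected),
        "attack_to_action": interval_days(c.attack_start, c.action_taken),
    }


def summarize(cases: List[CaseTimeline]) -> Dict[str, int]:
    """Count cases falling into the abstract's timeline buckets.

    A case with an unknown event simply does not count toward that bucket.
    """
    counts = {
        "disgruntled_over_28d_before": 0,
        "preparation_under_1d_before": 0,
        "ended_within_1d": 0,
        "detected_within_7d": 0,
        "action_within_30d": 0,
    }
    for c in cases:
        iv = case_intervals(c)
        d, p = iv["disgruntled_to_attack"], iv["preparation_to_attack"]
        dur, det, act = iv["attack_duration"], iv["attack_to_detection"], iv["attack_to_action"]
        if d is not None and d > 28:
            counts["disgruntled_over_28d_before"] += 1
        if p is not None and p < 1:
            counts["preparation_under_1d_before"] += 1
        if dur is not None and dur <= 1:
            counts["ended_within_1d"] += 1
        if det is not None and det <= 7:
            counts["detected_within_7d"] += 1
        if act is not None and act <= 30:
            counts["action_within_30d"] += 1
    return counts


# Constructed sample cases (invented dates, not the paper's 15 cases).
SAMPLE_CASES = [
    CaseTimeline("A", datetime(2010, 1, 1), datetime(2010, 2, 14, 23, 0),
                 datetime(2010, 2, 15, 0, 30), datetime(2010, 2, 15, 6, 0),
                 datetime(2010, 2, 15, 9, 0), datetime(2010, 2, 20)),
    CaseTimeline("B", datetime(2011, 3, 10), datetime(2011, 3, 12),
                 datetime(2011, 3, 20), datetime(2011, 3, 25),
                 datetime(2011, 4, 5), datetime(2011, 5, 30)),
    CaseTimeline("C", None, datetime(2012, 6, 1, 20, 0),   # disgruntlement never established
                 datetime(2012, 6, 2, 2, 0), datetime(2012, 6, 2, 2, 10),
                 datetime(2012, 6, 3), datetime(2012, 6, 15)),
]

if __name__ == "__main__":
    for c in SAMPLE_CASES:
        print(c.case_id, case_intervals(c))
    print(summarize(SAMPLE_CASES))
```

Run on the constructed cases, case A matches every bucket, case B none, and case C every bucket except the disgruntlement one, which it cannot enter because that event was never established. The per-case intervals are what an analyst would chart on the timeline; the bucket counts are the cross-case summary the abstract reports.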
