Insider Threats: The Major Challenge to Security Risk Management

Security risk management is, by definition, a subjective and complex exercise, and it takes time to perform properly. Human resources are fundamental assets for any organization and, like any other asset, they have inherent vulnerabilities that need to be handled, i.e. assessed and managed. However, the nature of human behavior and the organizational environment in which people do their work make these tasks extremely difficult to accomplish and prone to error. Treating security as a cost, organizations usually focus on the efficiency of the security mechanisms they implement to protect against external attacks, disregarding insider risks, which are much more difficult to assess. All of this demands an interdisciplinary approach that combines technical solutions with psychological approaches in order to understand the organizational staff and detect any changes in their behavior and characteristics. This paper discusses some methodological challenges in evaluating insider threats and their impacts, and integrates them into a security risk framework, defined according to the security standard ISO/IEC_JTC1, to support the security risk management process.