Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage

Abstract: The Insider Threat Study, conducted by the U.S. Secret Service and Carnegie Mellon University's Software Engineering Institute CERT Program, analyzed insider cyber crimes across U.S. critical infrastructure sectors. The study indicates that management decisions related to organizational and employee performance sometimes yield unintended consequences that magnify the risk of insider attack. The lack of tools for understanding insider threat, analyzing risk mitigation alternatives, and communicating results exacerbates the problem. The goal of Carnegie Mellon University's MERIT (Management and Education of the Risk of Insider Threat) project is to develop such tools. MERIT uses system dynamics to model and analyze insider threats and produce interactive learning environments. These tools can be used by policy makers, security officers, information technology, human resources, and management to understand the problem and assess risk from insiders based on simulations of policy, cultural, technical, and procedural factors. This paper describes the MERIT insider threat model and simulation results.
