Towards a Conceptual Model and Reasoning Structure for Insider Threat Detection

The insider threat faced by corporations and governments today is a real and significant problem, and one that has become increasingly difficult to combat over the years. From a technology standpoint, traditional protective measures such as intrusion detection systems are largely inadequate given the nature of the ‘insider’ and their legitimate access to prized organisational data and assets. As a result, it is necessary to research and develop more sophisticated approaches for the accurate recognition of, detection of and response to insider threats. One way in which this may be achieved is by understanding the complete picture of why an insider may initiate an attack, and the indicative elements along the attack chain. This includes the use of behavioural and psychological observations about a potential malicious insider in addition to technological monitoring and profiling techniques. In this paper, we propose a framework for modelling the insider-threat problem that goes beyond traditional technological observations and incorporates a more complete view of insider threats, common precursors, and human actions and behaviours. We present a conceptual model for insider threat and a reasoning structure that allows an analyst to draw hypotheses regarding a potential insider threat based on measurable states from real-world observations.
