Reachability-based Impact as a Measure for Insiderness

Insider threats pose a difficult problem for many organisations. While organisations would in principle like to judge the risk posed by a specific insider threat, this is in general not possible. This limitation is caused partly by the lack of models for human behaviour, partly by restrictions on how much and what may be monitored, and partly by our inability to identify relevant features in large amounts of logged data. To overcome this, the notion of insiderness has been proposed, which measures the degree of access an actor has to a certain resource. We extend this notion with the concept of the impact of an insider, and present different realisations of impact. The suggested approach results in readily usable techniques that give a quick overview of potential insider threats based on the locations and assets reachable by employees. We present several variations, ranging from pure reachability to the potential damage to assets that an insider could cause.
