A Critical Reflection on the Threat from Human Insiders – Its Nature, Industry Perceptions, and Detection Approaches

Jason R. C. Nurse1, Philip A. Legg1, Oliver Buckley1, Ioannis Agrafiotis1, Gordon Wright2, Monica Whitty2, David Upton3, Michael Goldsmith1, and Sadie Creese1

1 Cyber Security Centre, Department of Computer Science, University of Oxford, UK
{firstname.lastname}@cs.ox.ac.uk
2 Department of Media and Communications, University of Leicester, UK
{grw9,mw229}@leicester.ac.uk
3 Saïd Business School, University of Oxford, UK
david.upton@sbs.ox.ac.uk

Abstract.
Organisations today operate in a world fraught with threats, including "script kiddies", hackers, hacktivists and advanced persistent threats. Although these threats can be harmful to an enterprise, a potentially more devastating and anecdotally more likely threat is that of the malicious insider. These trusted individuals have access to valuable company systems and data, and are well placed to undermine security measures and to attack their employers. In this paper, we engage in a critical reflection on the insider threat in order to better understand the nature of attacks, associated human factors, perceptions of threats, and detection approaches. We differentiate our work from other contributions by moving away from a purely academic perspective, and instead focus on distilling industrial reports (i.e., those that capture practitioners' experiences and feedback) and case studies in order to truly appreciate how insider attacks occur in practice and how viable preventative solutions may be developed.

Keywords: insider threats, human factors, technical and psychological indicators, detection approaches, survey reports.
1 Introduction

Corporations today face an increasingly difficult task when it comes to their computer security. On the one hand, there are a plethora of threats (e.g., criminals, hackers, hacktivists) keen to penetrate defences and compromise systems and data. On the other hand, internal (or insider) threats appear to be on the increase and can be particularly debilitating given their privileged access to the enterprise. The insider-threat problem is especially concerning because corporations' defences are arguably still focused on external threats, resulting in inadequate consideration of attacks originating from those with inside knowledge of and access to systems, security processes, and precious company secrets.
T. Tryfonas and I. Askoxylakis (Eds.): HAS 2014, LNCS 8533, pp. 270–281, 2014. © Springer International Publishing Switzerland 2014

To explore this problem further, and to better understand the various elements involved, this paper engages in a critical reflection upon the threat posed by insiders. We adopt a novel perspective that moves away from a purely theoretical discussion and instead concentrates on distilling the range of industrial reports, which capture broad experiences and feedback from practitioners [1,2,3,4]. We also look at case studies of insider threat (our own [5] and those from CMU-CERT [6]), in order to further understand how and why insider attacks occur, and how effective detection tools can be developed and deployed.

Our reflection on the insider-threat problem is split into three broad sections. Firstly, we consider the nature of human insider threats. This includes an investigation into the types of attacks actually being launched against enterprises, an analysis of the motives and psychological aspects surrounding these attacks, and the impact that new technologies may have on the future of insider attacks. We move on to study many of the industry reports that have been published (e.g., [2,7,8]), in order to assess how corporations perceive and are responding to this type of risk. Our findings suggest that there is an underestimation of the risks associated with these threats, particularly evidenced by the minimal investment being made. Finally, we describe techniques that are currently used for detecting insider threats, and explore the state-of-the-art research that is currently being conducted in this area, discussing the effectiveness of techniques and what limitations may exist. To conclude, we discuss our own research within the Corporate Insider Threat Detection project (CITD), which aims to address the interdisciplinary nature of insider threat, to provide an enhanced detection tool that addresses both technical and human dimensions of insider threat.
2 The Nature of Insider Threat

In order to understand the nature of the insider-threat problem, there are several fundamental questions of interest. For instance, what exactly is the threat, and what are the most prevalent types? What motivates insiders to attack? Are some insiders more susceptible to becoming a threat? What behaviours may be indicative of an (impending) attack? What is the effect, if any, of new technologies on the problem? These are the questions which we seek to discuss in this section, with a special focus on real-world cases, feedback and reports.
2.1 Types of Insider Threat

There have been many definitions of insider threat throughout the years [9]. Some of these definitions emphasise the active misuse of insider privileges, while others broaden the scope and consider the negative impact of such misuse on the confidentiality, integrity and availability of the organisation's systems and data [6]. The essence of most definitions, however, is that an insider threat is a member of trusted personnel (e.g., employees, contractors, business partners) who uses their privileged access for some unauthorised purpose such as revenge or financial gain, and to the detriment of their enterprise.
CMU-CERT [6] identifies three types of threat based on observation of typical patterns and on the attacker's purpose and motivation – namely, fraud, theft of Intellectual Property (IP), and sabotage of infrastructure.

Insider fraud is regarded as one of the most frequent kinds of attack [2]. Incidents of fraud can range from direct theft of company funds, to complex cases where company services or data are illegitimately traded for personal financial gain. Kroll Advisory's recent fraud report emphasises the strong link between fraud and insiders, in that, of the companies hit by fraud in the last year, more than 67% identified an insider as a leading perpetrator, signalling yet another increase from previous years' studies [10]. While this is concerning, an even more disturbing aspect looking forward is that, according to the Risk of Insider Fraud report [2], practitioners continue to believe that their enterprises are at a high risk of insider fraud. This is clearly a serious and prevalent problem in companies today and, as hinted above, financial gain is one of the most common motives.
Another threat that causes great concern is IP theft. In this attack, insiders use their access to steal valuable company data, including trade secrets, business information, source code and customer information [11]. There are several key features of this type of attack. First, the target tends to be product information, proprietary software and source code (these are clear targets in CMU-CERT studies [12]). Also, attacks appear more likely to be conducted by technical personnel (e.g., scientists and engineers) [6] and using technical means (54% of insiders used either email, a remote-access channel or network file transfer [11]) rather than physical theft of prototypes, for example. Finally, a majority of these thefts are committed by employees with legitimate access to the stolen IP; almost 75% stole material they had authorized access to [12]. Although 75% is a strong statistic, and it is therefore very tempting to monitor only these individuals for this attack, other articles have highlighted (e.g., the case of the foreign national who stole Ford secrets worth in excess of $50 million [13]) that insiders with no legitimate access are also causing a great deal of harm.
Incidents involving IT sabotage, as one might imagine, tend to be more technically sophisticated. These attacks often require privileged access to systems and networks, or particular knowledge of how they are configured. Examples of specific insider attacks range from insertion of malware (most commonly, logic bombs) to tampering with and disrupting system hardware components. Moore et al. [14] provide one of the more comprehensive points of reference for data on these types of attack. Amongst their findings, some of the most significant include the high proportion of attackers who had system-administrator privileges (90%) and the crucial role of unmet expectations, disgruntlement and stress in the pathways to an attack (for instance, 92% of all the insiders in their sample attacked enterprises following a negative work-related situation or event). In terms of real-world cases, the attempted attack on Fannie Mae [15] is a perfect example of the sabotage threat. Presumably aggrieved after being dismissed, the insider in this case used the last hours of his legitimate access to upload malicious code set to auto-execute 7 days later and designed to erase essential company data on finances, securities and mortgages.
In addition to the focus on malicious insiders (covered above), emphasis on benign or accidental insiders has also grown [16]. These individuals have legitimate access to systems, but through carelessness, neglect or accident introduce a form of insider attack. These accidental attacks have become more important to organisations and researchers because, as studies such as the Credant [17] and Clearswift [18] surveys point out, they occur significantly more often than their malicious counterparts. Unwise email activities and loss of storage devices or laptops are some of the most common sources of these breaches. Further analysis on the different types of benign insiders can be found in several reports, particularly Symantec's Data Loss Prevention white paper [19], where the author distinguishes a number of categories of negligent insiders.
2.2 The Psychology of the Insider

Researchers have argued that insiders have specific psychological traits and characteristics. Turner and Gelles [20], for instance, believe the following types of behavioural indicators need to be considered when examining insider risk: self-centredness, arrogance, risk-taking, manipulativeness, coldness, self-deception and defensiveness. Others have suggested that insider threats score high on the personality traits that make up the 'Dark triad': narcissism, Machiavellianism and psychopathy [11,12,14,20]. The UK's Centre for the Protection of National Infrastructure (CPNI) have identified a number of other personality characteristics they believe are typical of an insider, including: immaturity, low self-esteem, amoral and unethical perspective, superficiality, proneness to fantasy, restlessness and impulsivity, and lack of conscientiousness [21]. If it is indeed the case that insider threats possess specific psychological traits and characteristics, then it might aid detection if employers were able to be privy to their employees' psychological make-ups. However, there is also the possibility that specific personality characteristics are linked to specific attacks rather than all attacks. For example, an insider who scores high on narcissism and Machiavellianism and is a risk taker might be more likely to commit IP theft but less likely to deface Web sites. Moreover, psychological characteristics on their own are clearly not enough to predict that someone is likely to become a malicious insider, and there are other personal attributes that should also be considered.
It has been argued that shorter-term psychological or emotional states can also help identify the type of individual who is more likely to attack their organisation. Such psychological states might include stress, depression or anxiety, for instance. It has been theorised, for example, that those under extreme stress are more likely to become threats [11,20]. It might be that the insider instigates the attack to help alleviate the stress that they are encountering. It is argued here, however, that consideration of psychological states in isolation is not sufficient. As is often the case, an external event can trigger a psychological state. Take the case of a person who has experienced financial hardship – such an event may well cause extreme stress; however, in addition, the individual might see an opportunity at work to conduct fraudulent activities which will help them out of their problems. In contrast, someone who is under extreme stress because of marital problems (exhibiting the same behaviours as in the previous case) might be far less likely to conduct fraudulent activities. These examples illustrate the importance of developing a more holistic model of insider-threat psychology.
In addition to external events, psychological disorders have been reported to make some employees more of a risk to an organisation. CPNI have found that those with a gambling or drug addiction are more likely to attack an organisation than those without such addictions [21]. Of course, if an individual is identified as having such a problem, then an organisation might find ways to provide support for that individual, which in turn might reduce the risk they pose.

In considering the psychology of the insider we might want also to consider their attitude towards the workplace. For example, a person who scores high on the dark triad traits and is highly stressed might be less likely to attack an organisation if they have a strong affinity to their workplace. CPNI have found that those who do not follow established procedures, or read or follow announcements and instructions issued by their organisation, are more likely to attack an organisation [21]. Others have identified the 'disgruntled employee' as a real potential risk [22]; that is, someone who believes they have not been fairly treated by their organisation (e.g., missing out on a promotion). Our belief is that those who have a strong identification with their workplace, and then experience an event which leads them to disgruntlement, pose a greater risk.

Whilst our preliminary findings have identified important psychological factors in the context of insider threat, it becomes quite apparent that there is much more work to be done in this space, by considering a more complete view of the attributes that are associated with identifying potential insider threats.
2.3 The Impact of New Technologies

As new technologies evolve within organisations, so does the potential insider-attack surface [3,18]. Bring Your Own Device (BYOD) is becoming increasingly popular within many organisations, and yet in the survey by Ponemon [2], almost half of the 700 participants state that BYOD has resulted in a significant increase in fraud risk. The same study also reports significant challenges in securing corporate data and networks that are now being accessed through this growing gamut of personal devices. There is a definite trade-off being experienced between the convenience and cost-savings of BYOD, as against the security implications and attack vectors that this also introduces, which organisations will need to consider carefully in the future.
Cloud services also introduce difficulties regarding security of information. Credant expands on the risks associated with the cloud, and highlights that although this distributed approach has benefits, it translates into a direct loss of control for the business [17]. This introduces yet another possible attack vector, and could also be exploited as part of an attack by existing employees or by the third parties involved. Again, this raises the trade-off of convenience and cost-savings against maintaining and managing both data and security from within the walls of the organisation.
Social-media use is also generating complex new challenges for enterprises [8,23]. Through sites such as Facebook, Twitter, blogs and forums, sensitive information (e.g., trade secrets, organisation plans and IP) can be leaked much more easily than before and publicised to anyone, anywhere in the world. The literature is full of cases of this happening, and its effect on both private and governmental organisations [24,25]. Malicious or careless insiders are not the only concern either. As a result of the amount of information freely shared on these sites, external entities can now exploit social media to identify, target or recruit prospective insider threats [8]. As social media continue to expand in popularity, organisations appear to underestimate the power and reach that they can have. However, the ethical and legal concerns about monitoring personal communications, and whether this is a breach of privacy, remain to be resolved.
3 Insider Threat from the Organisational Perspective

From the previous section, it is clear that the threat from insiders is real and significant. Despite this fact, however, reports suggest that corporations continue to underestimate the associated risks, as especially evidenced by minimal investment. For example, the findings in the State of Security report [7] show that many companies allocate between 11-14% of their annual revenue to their total IT budget, and of this, they spend 10-14% on security-related issues in general. Investment in detecting and preventing insider threats is therefore likely to be much lower. Of course, the appropriate amount to invest must be determined contingently, by individual companies, depending on their circumstances. But there is evidence of general underinvestment in mitigating this risk at the board level. Another article [8] reports that 25% of respondents stated that there was no regular formal review of cybercrime threats by the Chief Executive Officer and the Board. This suggests that security in some corporations still has not reached the level of importance that it warrants, and again, this obviously has knock-on effects for any hope of adequately managing the risk of insider threat.
More specifically, Ponemon's survey concludes that a large number of companies are not attributing the appropriate priority to the risk of insider fraud, while also noting that it is becoming more of a challenge [2]. One of their main observations as it pertains to organisations' views on risk is that, although 61% of respondents rated the threat of insider fraud within their enterprise as very high or high, only 44% believed that their company viewed the prevention of insider threats as a top priority in security. This highlights that even though organisations view themselves as somewhat unprepared, there does not appear to be an overwhelming impetus to address the risks. These findings mirror those in earlier studies such as McAfee's report [7], where 68% of companies recognise insider threat in their security plans but only 48% have actually addressed it.
Another indication that companies may be underestimating insider threat is the lack of awareness demonstrated by employees and the dearth of training programmes offered. In one report [23], it was found that 42% of large companies surveyed do not conduct on-going security awareness training sessions with staff and, worse yet, 10% fail to brief staff on induction. This trend of poor awareness in organisations can also be seen more globally, as highlighted in the Global State of Information Security survey [3]. The issue here is that due to a lack of training, personnel may be unaware of new risks that insider crimes may present to the company or, indeed, may have forgotten about the risks they used to be aware of. Due diligence is also a particularly salient point, as we continue to see evidence (e.g., [1]) of a considerable number of companies not conducting personnel background checks on their employees.
Companies' views on insider risk can also be understood from how they treat insiders once detected. The first aspect to note is that incidents are typically under-reported [8,26]. In Kaspersky's article [26], for instance, respondents reported that in 59% of the cases nobody outside the company was notified. PwC's survey [8] supports this point, but also found that for very serious fraud offences, some only issued a warning (18% of respondents) and, in a few incidents, organisations did nothing at all (4% of the cases). While we might assume that failure to report incidents is linked to the fear of negative publicity, it is unclear why, even in the case of serious insider incidents, stricter measures are not undertaken. This might further emphasise an underestimation of the problem within corporate culture, but could equally be due to a dearth of solid evidence.
4 Detecting Insider Threats

As the problem of insider threat continues to escalate, there is a growing focus on how to detect such attacks. Here, we explore the current techniques for detection, and where state-of-the-art research is moving towards in the future.

4.1 Techniques in Use

A variety of approaches have been proposed to mitigate the risk of insider attacks, focusing on prevention, detection and response. Best practices from CMU-CERT include: considering threats from insiders and business partners in enterprise-wide risk assessment; logging, monitoring, and auditing employees' online actions; anticipating and managing negative workplace issues; and developing insider incident-response plans [6]. While a number of these are in common use, the Malicious Insider Threats report notes that many more could be adopted [1]. As discussed in Section 3, what is required is improved education and awareness within the enterprise, to encourage active use of such practices.
A key point that arises from published sources (e.g., [12]) is that many attacks are detected by non-technical means (e.g., co-workers noticing suspicious behaviour). Kaspersky's survey article on insiders also identifies reporting by co-workers as the main detection resource (indicated in 47% of cases), but also notes the contribution of IT staff in discovering irregularities in system activity logs (41% of cases) [26]. PwC's cybercrime survey identifies three approaches that organisations use to detect threats: corporate controls (e.g., suspicious-transaction monitoring), corporate culture (e.g., whistle-blowing systems), and those beyond the influence of management (e.g., discovery by accident or by a third party) [8]. They found that the effectiveness of corporate-culture methods has declined compared to previous years. From the detection methods reported, the only noteworthy increase in effectiveness compared with previous years was in automated suspicious-transaction monitoring (up from 0% in 2005 to 18% in 2011). It was observed, however, that whistle-blowing and tip-offs are still an important part of detection, contributing to suspicious behaviour being reported rather than overlooked. This does not stop at employees alone, since reports of suspicious behaviour may come from law enforcement, business partners, and even from customers [12,26].
Activity logs are becoming more widely used for detecting suspicious activity conducted on organisations' systems [26]. These can provide detail on a range of activities that employees conduct, from entering buildings and logging on to systems, through to the e-mail communications that they make and the files that they access on a data server. This mass of data provides a wealth of information on employee usage patterns, including any potentially malicious activity that they may choose to carry out. However, due to the large amount of data that can potentially be logged, actually analysing this can quickly become a laborious and error-prone task. There is growing interest around the notion of automated detection of insider threat, and more recently there have been commercial software tools such as SpectorSoft's Spector 360, SureView by Raytheon, and DarkTrace. The Risk of Insider Fraud report emphasises this desire for automated tools for detecting and analysing insider risk [2].
Many anomaly-based approaches [27,28] aim to establish what an employee's normal activity may look like, and then analyse how their current behaviour differs from this normal. This opens up a number of challenges, such as how to establish what is actually normal behaviour within an organisation, particularly given that there may already be malicious activity present, and how much of a deviation causes an employee to be classified as a potential insider threat. All organisations will operate differently, as do all humans, and so there will exist many forms of what is deemed to be normal. Likewise, the routine in which employees perform activities on a daily basis will often vary based on their current workload, their personal life, and their mindset, as well as demands made of them by supervisors and co-workers. An employee may well be asked, or need, to perform activities that are outside of their expected normal in order to fulfil their job, and yet this would be flagged as anomalous behaviour. For a system to automatically determine whether an employee is posing a threat or not requires very careful management by the system analyst. An excess of false positives results in a burden of cases that require investigation, and could result in high resentment by employees. On the other hand, a false negative would render such a system a failure and could allow the organisation to be severely damaged. It is clear then, that there are many challenges still left to overcome in terms of both detecting, and also analysing, the threat posed by an employee's actions.
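To make the baseline-and-deviation idea concrete, the following is an added example written for this page; it is not code from the paper, from the CITD project or from any of the commercial tools named above. It builds a per-user baseline of three daily features from a constructed activity log (the line format, the feature choice, the MAD floors and the alert threshold are all assumptions), then scores later days against it. It uses median and median absolute deviation rather than mean and standard deviation so that a training window that already contains an abnormal day, the contamination problem raised above, moves the baseline as little as possible.

```python
"""Per-user activity baselines with robust deviation scoring.

Added example, not code from the paper or the CITD project. The log line
format, the three features, the MAD floors and the alert threshold are
assumptions made for illustration.
Assumed log line format:  <ISO-8601 timestamp> <user> <ACTION> [detail] [bytes]
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed sample log. Five ordinary days for 'alice'; 11-06 already holds
# a moderately unusual USB copy (training data is not guaranteed clean), and
# 11-11 is a late-night session ending in a very large copy to removable media.
SAMPLE_LOG = """\
2013-11-04T08:55:00 alice LOGON
2013-11-04T09:20:00 alice FILE_READ /srv/eng/spec_a.docx 400000
2013-11-04T10:05:00 alice FILE_READ /srv/eng/spec_b.docx 350000
2013-11-04T15:30:00 alice EMAIL_OUT partner@example.com 50000
2013-11-05T09:05:00 alice LOGON
2013-11-05T11:00:00 alice FILE_READ /srv/eng/spec_a.docx 400000
2013-11-05T16:10:00 alice EMAIL_OUT partner@example.com 20000
2013-11-06T08:50:00 alice LOGON
2013-11-06T10:15:00 alice FILE_READ /srv/eng/spec_c.docx 380000
2013-11-06T10:20:00 alice FILE_READ /srv/eng/spec_d.docx 390000
2013-11-06T17:45:00 alice USB_COPY /srv/eng/spec_c.docx 380000
2013-11-07T09:00:00 alice LOGON
2013-11-07T13:40:00 alice FILE_READ /srv/eng/spec_b.docx 350000
2013-11-07T14:00:00 alice FILE_READ /srv/eng/spec_e.docx 360000
2013-11-07T15:00:00 alice EMAIL_OUT partner@example.com 60000
2013-11-08T08:58:00 alice LOGON
2013-11-08T09:30:00 alice FILE_READ /srv/eng/spec_a.docx 400000
2013-11-08T10:00:00 alice FILE_READ /srv/eng/spec_f.docx 410000
2013-11-08T11:00:00 alice EMAIL_OUT partner@example.com 40000
2013-11-11T22:30:00 alice LOGON
2013-11-11T22:40:00 alice FILE_READ /srv/eng/spec_a.docx 400000
2013-11-11T22:41:00 alice FILE_READ /srv/eng/spec_b.docx 350000
2013-11-11T22:42:00 alice FILE_READ /srv/eng/spec_c.docx 380000
2013-11-11T23:10:00 alice USB_COPY /srv/eng/archive.zip 900000000
"""

FEATURES = ("logon_hour", "file_reads", "bytes_out")
# Minimum spread per feature: a perfectly regular baseline (MAD of 0) must not
# turn a trivial change into an alert. One hour, two reads, 100 KB (assumed).
MAD_FLOOR = {"logon_hour": 1.0, "file_reads": 2, "bytes_out": 100_000}


def daily_features(log_text):
    """Aggregate raw events into one feature vector per (user, day)."""
    feats = defaultdict(lambda: {"logon_hour": None, "file_reads": 0, "bytes_out": 0})
    for line in log_text.strip().splitlines():
        ts, user, action, *rest = line.split()
        when = datetime.fromisoformat(ts)
        f = feats[(user, when.date())]
        if action == "LOGON":                      # earliest logon of the day
            hour = when.hour + when.minute / 60
            f["logon_hour"] = hour if f["logon_hour"] is None else min(f["logon_hour"], hour)
        elif action == "FILE_READ":
            f["file_reads"] += 1
        elif action in ("USB_COPY", "EMAIL_OUT"):  # data leaving the estate
            f["bytes_out"] += int(rest[-1])
    return {k: v for k, v in feats.items() if v["logon_hour"] is not None}


def build_baseline(feats, before):
    """Per-user (median, MAD) of each feature over days strictly before the
    ISO date `before`. Median/MAD instead of mean/std so that a few abnormal
    training days barely move the baseline."""
    cutoff = date.fromisoformat(before)
    columns = defaultdict(lambda: defaultdict(list))
    for (user, day), f in feats.items():
        if day < cutoff:
            for name in FEATURES:
                columns[user][name].append(f[name])
    baseline = {}
    for user, cols in columns.items():
        baseline[user] = {}
        for name in FEATURES:
            med = median(cols[name])
            mad = median(abs(v - med) for v in cols[name])
            baseline[user][name] = (med, mad)
    return baseline


def robust_z(baseline, user, f):
    """One day's deviation from the user's baseline, per feature, in MAD units."""
    return {name: (f[name] - med) / max(mad, MAD_FLOOR[name])
            for name, (med, mad) in baseline[user].items()}


def flag_days(log_text, cutoff, threshold=3.0):
    """Score every (user, day) on or after the ISO date `cutoff` against the
    baseline built from earlier days. Returns [(user, 'YYYY-MM-DD', {feature: z})]
    for days where any feature deviates by at least `threshold`. A flag is a
    case for an analyst, not a verdict: a legitimately unusual workload yields
    the same signal, which is where false positives come from."""
    feats = daily_features(log_text)
    baseline = build_baseline(feats, before=cutoff)
    start = date.fromisoformat(cutoff)
    flagged = []
    for (user, day), f in sorted(feats.items()):
        if day < start or user not in baseline:
            continue
        z = robust_z(baseline, user, f)
        if max(abs(v) for v in z.values()) >= threshold:
            flagged.append((user, day.isoformat(), z))
    return flagged


if __name__ == "__main__":
    for user, day, z in flag_days(SAMPLE_LOG, cutoff="2013-11-11"):
        print(user, day, {k: round(v, 1) for k, v in z.items()})
```

With the five-day baseline, 11-11 is flagged on both the logon hour and the volume copied out, while the three reads that day are unremarkable. Cutting the baseline to the first two days and scoring from 11-06 onwards also flags the earlier USB copy, which shows that what counts as "normal" depends entirely on which days you let into the training window.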
4.2 State of the Art in Research

Given the severity of insider threat within many organisations and the strong desire to detect and prevent future attacks, there has naturally been a wealth of research around the problem. Here, we shall examine some of the most notable contributions in the literature and address issues that are currently present.

Brdiczka et al. [29] present an approach for proactive detection of insider threats. Their method incorporates structural anomaly detection, which consists of four stages: graph-structure analysis, graph embedding, dynamic tracking, and anomaly detection. As they address, this identifies anomalies within the data, not necessarily threats. In order to assess the potential of a threat, they conduct psychological profiling using the Big-5 model, with behavioural, text analysis, and social-networking information as the data used for their profiling. For experimentation, they detect malicious insiders in World of Warcraft data as a proof of concept. As acknowledged by the authors, however, in-game malicious behaviour is much more obvious than that of an insider threat in the workplace, who aims to be discreet in their malicious intent. Therefore it would be of great interest to know how the approach copes with more realistic data.
Greitzer et al. [30,31] discuss the use of psychological factors for identifying potential insider threats. They propose a Bayesian Network model that consists of a variety of binary observable behaviours (e.g., engagement, accepting criticism, confrontation, performance, stress, absenteeism). Each behaviour has a prior probability that estimates how frequently it occurs, and a weighting term that specifies how significant the behaviour is with regard to monitoring threats. They derive conditional probabilities through a training process, using expert judgement to assess the threat that an employee exhibits based on particular parameters being set to true. Due to the qualitative nature of the behaviours that are modelled, there remains a need for a human observer to assess whether the employee in question is exhibiting such characteristics. The authors note that future work is necessary to develop methods for automatically extracting and inferring psychological factors from employee-data analysis, rather than using subjective behavioural assessment, which is clearly a non-trivial task to achieve.
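The following is an added example of the shape such an indicator network takes, written for this page; it is not Greitzer et al.'s model, network structure or parameters. It uses the simplest Bayesian network of this kind, a single threat node that is the parent of independent binary behaviours (naive Bayes). Each behaviour carries P(observed | threat) and P(observed | no threat): the second value stands in for the "how frequently it occurs" prior, and their ratio is the behaviour's weight. All probabilities are constructed placeholders, not expert-elicited values, and the observations are still booleans that a human observer has to supply.

```python
"""Naive-Bayes form of a behavioural-indicator network.

Added example, not Greitzer et al.'s model or parameters. A single 'threat'
node is the parent of binary observable behaviours; each behaviour carries
P(observed | threat) and P(observed | benign). Every number is a constructed
placeholder for illustration, not an expert-elicited value.
"""
from math import exp, log

PRIOR_THREAT = 0.01  # assumed base rate of malicious insiders in the workforce

# behaviour -> (P(seen | threat), P(seen | benign)); constructed values
INDICATORS = {
    "disengagement": (0.70, 0.15),
    "rejects_criticism": (0.50, 0.10),
    "confrontational": (0.45, 0.08),
    "performance_drop": (0.60, 0.20),
    "high_stress": (0.65, 0.30),
    "absenteeism": (0.40, 0.12),
}


def weight(name):
    """Likelihood ratio of a behaviour: how much more often it is seen among
    threats than in the benign population. This is the 'weighting term'."""
    p_t, p_b = INDICATORS[name]
    return p_t / p_b


def contributions(observed):
    """Per-behaviour shift in log-odds for one employee. `observed` maps
    behaviour -> bool as recorded by a human observer; a behaviour missing from
    the dict is treated as not observed (a modelling assumption, not a fact).
    Exposing these lets an analyst see what drove a score."""
    out = {}
    for name, (p_t, p_b) in INDICATORS.items():
        seen = observed.get(name, False)
        out[name] = log(p_t / p_b) if seen else log((1 - p_t) / (1 - p_b))
    return out


def posterior(observed):
    """P(threat | observations) under the naive-Bayes independence assumption."""
    log_odds = log(PRIOR_THREAT) - log(1 - PRIOR_THREAT)
    log_odds += sum(contributions(observed).values())
    return 1 / (1 + exp(-log_odds))


def rank(observations):
    """observations: {employee: {behaviour: bool}} -> [(employee, P(threat))],
    highest first, i.e. the order in which an analyst would look at cases."""
    scored = [(emp, posterior(obs)) for emp, obs in observations.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    staff = {  # constructed observations, not real people
        "bob": {},
        "carol": {"high_stress": True},
        "dan": {"high_stress": True, "performance_drop": True, "disengagement": True},
        "eve": {name: True for name in INDICATORS},
    }
    for emp, p in rank(staff):
        print(f"{emp:6s} P(threat)={p:.4f}")
```

Two things the numbers make visible that the prose does not: a single common behaviour such as stress on its own leaves the posterior below the base rate, because the absence of the other five indicators counts as evidence too, while three co-occurring indicators lift it by roughly a factor of six. Both effects follow from the independence assumption, which real behaviours violate, so the output is a triage order for a human, not a probability to act on.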
Kandias et al. [32] also present a prediction model that consists of psychological profiling and real-time usage profiling. These two aspects serve as input to a decision manager that determines whether the user is a potential threat, based on scoring their motive, opportunity and capability. Each user is categorized by their system role, their capability, their predisposition and their stress level. The psychological profiling is conducted by questionnaires that cover user sophistication, predisposition and stress level, whilst the usage profiling consists of monitoring system calls, intrusion-detection systems, and honeypots. The authors state that their future work will focus on the implementation of the model, and so there is currently no indication of how well this performs. The use of questionnaires for psychological assessment raises issues such as the accuracy of the answers provided by participants. In addition, a sophisticated insider may well be capable of circumventing traditional monitoring tools as part of their attack.
As we have seen, there are many proposals for managing insider threat. These approaches draw on a wide range of tasks, such as monitoring, detection, prevention, and prediction. Yet still the insider-threat problem persists. One reason for this is the difficulty of implementing such approaches in real-world environments. Proposals that rely on psychological profiling, for instance, may require compliance from the insider at some stage (e.g., accurate completion of questionnaires). Similarly, gathering data on psychological and behavioural factors within a workplace is a challenging task, as it also requires the attention and compliance of other employees (e.g., reporting suspicious behaviour), while also appreciating the related legal and ethical considerations with such monitoring. Regarding the development of prototype detection systems, the lack of realistic testing data representing the activities monitored still remains a difficult hurdle to overcome. There has been work on the development of synthetic-data generation, such as that by CMU-CERT [33], where malicious-insider threat data is inserted within normal employee-monitoring data. However, they acknowledge that even these datasets lack the noise and variation that would be present in any real-world data. Undoubtedly, however, and as stressed in [1], there is certainly more that could be done by organisations in order to help support and develop the research surrounding insider threats.

Previously, we have proposed a conceptual model for insider-threat detection [34]. As part of our on-going research, we have developed an initial system that is capable of reasoning about the threat posed by an individual, based on their observed activities in the technical domain, whilst also incorporating behavioural analysis and psychological assessment. Whilst the system performs well in preliminary experimentation, we are currently at the stage of requiring more complete data, either synthetic or real-world, in order to truly evaluate its effectiveness.
5 Conclusions

Our research in the CITD project recognises the multi-disciplinary nature of insider threat, covering research into the psychological and behavioural aspects that motivate an individual, development of detection systems and analysis tools, and education and awareness-raising within organisations. As a means to detect, prevent, and deter insider threat, the collaboration between these developments is fundamental for addressing the problem effectively. What is clearly apparent, though, is that the insider-threat problem is evident in all types of organisations, can originate in a variety of individuals, ranging from low-level employees through to high-ranking business partners, and can escalate into an attack in many different ways. In this paper, we provide a study on the problem, with the intention of allowing for a better understanding of the nature of insider threats, industry views on the risks faced, and prevention and detection techniques in practice and research. With this critical reflection on current findings and developments, we believe that this serves as an important stage in understanding the ever-persistent and ever-evolving threats that are increasingly occurring within organisations of today.
Acknowledgements. This research was conducted in the context of a collaborative project on Corporate Insider Threat Detection, sponsored by the UK National Cyber Security Programme in conjunction with the Centre for the Protection of National Infrastructure, whose support is gratefully acknowledged. The project brings together three departments of the University of Oxford, the University of Leicester and Cardiff University.
References

1. Computer Economics: Malicious insider threats (2010), http://www.computereconomics.com/page.cfm?name=Insider_Threats
2. Ponemon Institute and Attachmate Corporation: The risk of insider fraud second annual study: Executive summary (2013), http://www.attachmate.com/resources/analyst-papers/bridge-ponemon-insider-fraud-survey.htm
3. PricewaterhouseCoopers: The global state of information security® 2014 (2013), http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
4. PricewaterhouseCoopers: US state of cybercrime survey (2013), http://www.pwc.com/us/en/increasing-it-effectiveness/publications/us-state-of-cybercrime.jhtml
5. Whitty, M., Wright, G.: Deliverable 3.1 - Short report of findings from Case Studies (Corporate Insider Threat Detection project), Leicester University Report (2013)
6. Cappelli, D.M., Moore, A.P., Trzeciak, R.F.: The CERT Guide to Insider Threats. Addison-Wesley (2012)
7. McAfee and Evalueserve: State of security (2011), http://www.mcafee.com/us/resources/white-papers/wp-state-of-security.pdf
8. PricewaterhouseCoopers: Cybercrime: Protecting against the growing threat (2012), http://www.pwc.tw/en/publications/events-and-trends/e256.jhtml
9. Hunker, J., Probst, C.W.: Insiders and insider threats – an overview of definitions and mitigation techniques. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 2(1), 4–27 (2011)
10. Kroll Advisory Solutions and Economist Intelligence Unit: The global fraud report 2012/13 (2012), http://www.kroll.com/library/KRL_FraudReport2012-13.pdf
11. Shaw, E.D., Stock, H.V.: Behavioral risk indicators of malicious insider theft of intellectual property: Misreading the writing on the wall, Symantec Report (2011)
12. Moore, A.P., Cappelli, D.M., Caron, T.C., Shaw, E., Spooner, D., Trzeciak, R.F.: A preliminary model of insider theft of intellectual property. Technical report, CMU-CERT (2011)
13. Kaspersky: Threatpost series: Insider threats (2011), http://usa.kaspersky.com/resources/knowledge-center/threatpost
14. Moore, A.P., Cappelli, D.M., Trzeciak, R.F.: The "big picture" of insider IT sabotage across U.S. critical infrastructures. Technical report, CMU-CERT (2008)
15. FBI: Fannie Mae corporate intruder sentenced to over three years in prison for attempting to wipe out Fannie Mae financial data (2010), http://www.fbi.gov/baltimore/press-releases/2010/ba121710.htm
16. Allen, B.: The accidental insider threat: Is your organization ready? (expert voices panel) (2012), http://www.boozallen.com/media/file/Accidental-Insider-Threat-Panel-Discussion-Transcript.pdf
17. Credant: Insider threat (2011), http://go.credant.com/campaigns-insider
18. Clearswift: The enemy within: an emerging threat (2013), http://www.clearswift.com/blog/2013/05/02/enemy-within-emerging-threat
19. Wall, D.S.: Organizational security and the insider threat: Malicious, negligent and well-meaning insiders. Technical report, Symantec (2011)
20. Turner, J.T., Gelles, M.: Threat assessment: A risk management approach. Routledge (2003)
21. CPNI: CPNI insider data collection study – report of main findings (2013), http://www.cpni.gov.uk/Documents/Publications/2013/2013003-insiderdatacollectionstudy.pdf
22. Holton, C.: Identifying disgruntled employee systems fraud risk through text mining: A simple solution for a multi-billion dollar problem. Decision Support Systems 46(4), 853–864 (2009)
23. The Department for Business, Innovation and Skills (BIS) & PricewaterhouseCoopers: 2013 Information security breaches survey (2013)
24. Sky News: MoD secrets leaked onto the Internet (2010), http://news.sky.com/story/753966/mod-secrets-leaked-onto-the-internet
25. Harrysson, M., Metayer, E., Sarrazin, H.: How not to unwittingly reveal company secrets (Harvard Business Review blog network) (2012), http://blogs.hbr.org/2012/12/how-not-to-unwittingly-reveal/
26. Kaspersky: Threatpost's insider threats survey (2011), http://usa.kaspersky.com/resources/knowledge-center/threatpost
27. Patcha, A., Park, J.M.: An overview of anomaly detection techniques: Existing solutions and latest technological trends. Computer Networks 51(12), 3448–3470 (2007)
28. Salem, M., Hershkop, S., Stolfo, S.: A survey of insider attack detection research. In: Stolfo, S., Bellovin, S., Keromytis, A., Hershkop, S., Smith, S., Sinclair, S. (eds.) Insider Attack and Cyber Security. Advances in Information Security, vol. 39, pp. 69–90. Springer US (2008)
29. Brdiczka, O., Liu, J., Price, B., Shen, J., Patil, A., Chow, R., Bart, E., Ducheneaut, N.: Proactive insider threat detection through graph learning and psychological context. In: IEEE Symposium on Security and Privacy Workshops (2012)
30. Greitzer, F.L., Hohimer, R.E.: Modeling human behavior to anticipate insider attacks. Journal of Strategic Security 4(2), 25–48 (2011)
31. Greitzer, F.L., Kangas, L.J., Noonan, C.F., Dalton, A.C., Hohimer, R.E.: Identifying at-risk employees: Modeling psychosocial precursors of potential insider threats. In: 45th Hawaii International Conference on System Science. IEEE (2012)
32. Kandias, M., Mylonas, A., Virvilis, N., Theoharidou, M., Gritzalis, D.: An insider threat prediction model. In: Katsikas, S., Lopez, J., Soriano, M. (eds.) TrustBus 2010. LNCS, vol. 6264, pp. 26–37. Springer, Heidelberg (2010)
33. Glasser, J., Lindauer, B.: Bridging the gap: A pragmatic approach to generating insider threat data. In: IEEE Symposium on Security and Privacy Workshops (2013)
34. Legg, P.A., Moffat, N., Nurse, J.R.C., Happa, J., Agrafiotis, I., Goldsmith, M., Creese, S.: Towards a conceptual model and reasoning structure for insider threat detection. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 4(4), 20–37 (2013)