Abstract
Insider threat indicators are not equally indicative of potential insider threat activity: a risk assessment depends not only on the number of observed concerning behaviors but also on their nature. This paper describes initial work examining features of, and relationships among, indicators that underlie this dynamic character of insider threat indicators. Among the factors that may affect the level of concern an indicator warrants are temporal factors and interactions between indicators. An expert knowledge elicitation study was conducted to examine possible temporal effects and indicator interactions on the judged level of concern for individual indicators and for combinations of indicators. Results suggested that the impact of an indicator on expert judgment of threat tends to decrease over time, and that the increment in threat value when indicators are aggregated is not simply a linear combination of the individual threat values. Broader implications of this dynamic nature of insider threat indicators are discussed.
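The two findings summarized above (decay of an indicator's weight with age, and non-additive aggregation) are the properties a detection engineer has to build into any insider-risk scoring function. The following is an added illustration, not the authors' model or the elicited values from the study: it assumes a half-life exponential decay and a noisy-OR combination, and the per-indicator threat values and sample observations are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Constructed, hypothetical per-indicator threat values on a 0..1 scale.
# These are NOT the paper's elicited values; they only illustrate the mechanics.
INDICATOR_THREAT = {
    "policy_violation": 0.3,
    "after_hours_access": 0.4,
    "large_outbound_transfer": 0.6,
    "disgruntlement_reported": 0.5,
}


@dataclass(frozen=True)
class Observation:
    indicator: str
    observed_at: datetime


def decayed_weight(age_days: float, half_life_days: float = 30.0) -> float:
    """Assumed decay form: an observation's weight halves every half_life_days.

    Age is clamped at zero so clock skew (an observation timestamped in the
    future) cannot inflate the weight above 1.0.
    """
    age_days = max(age_days, 0.0)
    return 0.5 ** (age_days / half_life_days)


def noisy_or(values: Iterable[float]) -> float:
    """Assumed aggregation: 1 - prod(1 - v).

    Sub-additive and bounded by 1, so the combined score is never the plain
    sum of the parts; two moderate indicators do not simply double the score.
    """
    remaining = 1.0
    for v in values:
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"contribution out of range: {v}")
        remaining *= 1.0 - v
    return 1.0 - remaining


def contributions(observations: Iterable[Observation], now: datetime,
                  half_life_days: float = 30.0) -> List[float]:
    """Time-decayed contribution of each observation, in input order."""
    out = []
    for ob in observations:
        base = INDICATOR_THREAT[ob.indicator]  # KeyError on an unknown indicator is intended
        age_days = (now - ob.observed_at).total_seconds() / 86400.0
        out.append(base * decayed_weight(age_days, half_life_days))
    return out


def risk_score(observations, now, half_life_days: float = 30.0) -> float:
    """Aggregate decayed contributions with noisy-OR."""
    return noisy_or(contributions(observations, now, half_life_days))


def linear_score(observations, now, half_life_days: float = 30.0) -> float:
    """Naive additive baseline, for comparison only (can exceed 1.0)."""
    return sum(contributions(observations, now, half_life_days))


# Constructed sample: two observations for one subject, one fresh and one a month old.
NOW = datetime(2021, 9, 30, 12, 0, 0)
SAMPLE = [
    Observation("large_outbound_transfer", NOW),
    Observation("after_hours_access", NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for ob, c in zip(SAMPLE, contributions(SAMPLE, NOW)):
        age = (NOW - ob.observed_at).days
        print(f"{ob.indicator:24s} age={age:3d}d contribution={c:.3f}")
    print(f"noisy-OR score : {risk_score(SAMPLE, NOW):.3f}")
    print(f"linear sum     : {linear_score(SAMPLE, NOW):.3f}")
```

Running the sample gives a noisy-OR score of about 0.68 against a linear sum of 0.80: the month-old after-hours access contributes half its base value, and combining it with the fresh transfer raises the score by less than its own contribution. The half-life and the noisy-OR form are placeholders for whatever decay rate and interaction structure an organization elicits from its own analysts.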
Acknowledgements
The authors gratefully acknowledge useful suggestions on analytic methods by Dr. Martin C. Yu (HumRRO) and Dr. Paul Sticha (PsychInference, LLC). The research study was reviewed and approved by the Human Resources Research Organization (HumRRO) IRB.
Funding
This research was supported, in part, under IARPA contract 2016-16031400006. The content is solely the responsibility of the authors and does not necessarily represent the official views of the U.S. Government.
Ethics declarations
Conflict of Interest
On behalf of all the authors, the corresponding author states that there is no conflict of interest.
This article is part of the topical collection “Cyber Security and Privacy in Communication Networks” guest edited by Rajiv Misra, R K Shyamsunder, Alexiei Dingli, Natalie Denk, Omer Rana, Alexander Pfeiffer, Ashok Patel and Nishtha Kesswani.
Cite this article
Greitzer, F.L., Purl, J. The Dynamic Nature of Insider Threat Indicators. SN COMPUT. SCI. 3, 102 (2022). https://doi.org/10.1007/s42979-021-00990-1