
The Dynamic Nature of Insider Threat Indicators

  • Original Research
  • Journal: SN Computer Science

Abstract

Insider threat indicators are not equally indicative of potential insider threat activity. Indicator risk assessments depend not only on the number of observed concerning behaviors, but also on their nature. This paper discusses some initial work examining features and relationships among indicators that underlie this dynamic characteristic of insider threat indicators. Among the factors that may affect the level of concern of insider threat indicators are temporal factors and indicator interactions. An expert knowledge elicitation study was conducted to examine possible temporal effects and indicator interactions on judged level of concern for individual and/or combinations of indicators. Results suggested that the impact of an indicator on expert judgment of threat tends to decrease over time and that increments in threat value when indicators are aggregated are not simply a linear combination of the individual threat values. Broader implications of this dynamic nature of insider threat indicators are discussed.



Acknowledgements

The authors gratefully acknowledge useful suggestions on analytic methods by Dr. Martin C. Yu (HumRRO) and Dr. Paul Sticha (PsychInference, LLC). The research study was reviewed and approved by the Human Resources Research Organization (HumRRO) IRB.

Funding

This research was supported, in part, under IARPA contract 2016-16031400006. The content is solely the responsibility of the authors and does not necessarily represent the official views of the U.S. Government.


Corresponding author

Correspondence to Frank L. Greitzer.

Ethics declarations

Conflict of Interest

On behalf of all the authors, the corresponding author states that there is no conflict of interest.


This article is part of the topical collection “Cyber Security and Privacy in Communication Networks” guest edited by Rajiv Misra, R K Shyamsunder, Alexiei Dingli, Natalie Denk, Omer Rana, Alexander Pfeiffer, Ashok Patel and Nishtha Kesswani.

Supplementary Information


Supplementary file1 (PDF 118 kb)

Supplementary file2 (PDF 88 kb)


Cite this article

Greitzer, F.L., Purl, J. The Dynamic Nature of Insider Threat Indicators. SN COMPUT. SCI. 3, 102 (2022). https://doi.org/10.1007/s42979-021-00990-1
