Understanding Insider Threat: A Framework for Characterising Attacks
Related papers
Lecture Notes in Computer Science, 2014
Organisations today operate in a world fraught with threats, including "script kiddies", hackers, hacktivists and advanced persistent threats. Although these threats can be harmful to an enterprise, a potentially more devastating and anecdotally more likely threat is that of the malicious insider. These trusted individuals have access to valuable company systems and data, and are well placed to undermine security measures and to attack their employers. In this paper, we engage in a critical reflection on the insider threat in order to better understand the nature of attacks, associated human factors, perceptions of threats, and detection approaches. We differentiate our work from other contributions by moving away from a purely academic perspective, and instead focus on distilling industrial reports (i.e., those that capture practitioners' experiences and feedback) and case studies in order to truly appreciate how insider attacks occur in practice and how viable preventative solutions may be developed.
Security Journal, 2017
Any organisation is susceptible to a breach of security from outside: hacking, product contamination, theft of intellectual property and so on. Although all of these are risks to an organisation and can be highly deleterious to its financial health and reputation, the threat posed by a malevolent insider can be even more challenging. Whilst there has been a large quantity of academic articles and industry surveys produced on the theme of Insider Threats, the majority of this published work is descriptive or details the effects of insiders' actions. This paper provides initial thoughts around some practical and pragmatic steps to begin to gain clarity on the challenge of insider threat and how organisations may draw on novel approaches to grow early warning, response and mitigation against Insider Threats. The paper also discusses the importance of security culture and risk communication.
Organizational Vulnerability to Insider Threat
Communications in Computer and Information Science, 2016
Approaches to the study of organizational vulnerabilities to intentional insider threat have been narrow in focus. Cyber security research has dominated other forms of insider threat research [1]. However, within the scope of cyber security, the effort is predominantly focused on external threats or technological mitigation strategies. Deeper understanding of organizational vulnerabilities influencing insider threat and responses to insider threats beyond technological security remains limited in Australia. Despite the increasing potential threat and impact of such risk to organizations, empirical studies remain rare. This paper presents an initial study related to identifying organizational vulnerabilities associated with intentional insider threat. A Delphi Method was employed as part of a broader mixed methods study. There was a strong consensus amongst Australian experts as to the primary organizational vulnerabilities to insider threat. These main risks extend across personnel, process, technological and strategic (resource allocation) domains. The organizational vulnerabilities identified by Australian experts are consistent with research, literature, and guidelines available from other countries. The results confirm the need to look beyond the narrow focus on individuals and technology in order to fully address the insider threat problem. Whilst only preliminary results are presented here, future analysis of data will focus on identifying best practice solutions for the Australian market.
Impact and Key Challenges of Insider Threats on Organizations and Critical Businesses
Electronics
The insider threat has consistently been identified as a key threat to organizations and governments. Understanding the nature of insider threats and the related threat landscape can help in forming mitigation strategies, including non-technical means. In this paper, we survey and highlight challenges associated with the identification and detection of insider threats in both public and private sector organizations, especially those part of a nation’s critical infrastructure. We explore the utility of the cyber kill chain to understand insider threats, as well as understanding the underpinning human behavior and psychological factors. The existing defense techniques are discussed and critically analyzed, and improvements are suggested, in line with the current state-of-the-art cyber security requirements. Finally, open problems related to the insider threat are identified and future research directions are discussed.
THE INSIDER THREAT – UNDERSTANDING THE ABERRANT THINKING OF THE ROGUE “TRUSTED AGENT”
ECIS, European Conference on Information Systems
A deficiency exists in the Information Systems Security literature because of the paucity of research aimed at understanding the mind of the ‘insider criminal’. Much of the academic and popular press focuses on external breaches but the greatest danger to an organisation lurks within. Whatever the motivation, the ‘trusted agent’ inside the organisation has the potential to do more damage than an anonymous outsider and it is by increasing our understanding of this threat that we will get greater value for our defence efforts. While acknowledging that a significant number of security incidents are attributable to employees, it is important to remember in an organisational context, that simply increasing security controls and sanctions has previously been shown to be counterproductive. Therefore this research-in-progress takes the approach of increasing our understanding of how such offenders think, through a synthesis of Rational Choice Theory, Deterrence Theory, Neutralisation Theory and elements from Criminological Theory. In deliberately prioritising problems that are important in practice and basing our measures on these priorities we will improve on the contextual relevance of previous studies in this area, thereby making a solid contribution to the field.
Unintentional Insider Threat: Contributing Factors, Observables, and Mitigation Strategies
2014 47th Hawaii International Conference on System Sciences, 2014
Organizations often suffer harm from individuals who bear them no malice but whose actions unintentionally expose the organizations to risk in some way. This paper examines initial findings from research on such cases, referred to as unintentional insider threat (UIT). The goal of this paper is to inform government and industry stakeholders about the problem and its possible causes and mitigation strategies. As an initial approach to addressing the problem, we developed an operational definition for UIT, reviewed research relevant to possible causes and contributing factors, and provided examples of UIT cases and their frequencies across several categories. We conclude the paper by discussing initial recommendations on mitigation strategies and countermeasures.
Contextualising the insider threat: a mixed method study
2016
The insider threat is potentially the most damaging and costly threat to organisations, and while there is a considerable body of literature aimed at understanding this phenomenon, we contend that the theories contained in such literature are most beneficial if they can be utilised in a way that is contextually relevant. Our research, and this paper, is specifically focussed on developing and improving this contextual validity. We find that malicious acts arising from disgruntlement are perceived as very real problems in practice. We also present a current list of non-malicious aberrant behaviours and show how they rank in relative seriousness to one another. Given that the primary motivation for conducting this study is the view that reliance on the traditional conceptualisation of a boundary or perimeter is no longer viable, our essential contribution lies in devising a series of vignettes that empirically reflect this current contextual validity.
Assessing the Mind of the Malicious Insider
This paper reviews and integrates several accepted psychological constructs into a behavioral model that can be adapted for practical use and suggests new tools to leverage this model to mitigate threats from insiders who may intentionally decide to harm their organization or our national security.
ACM Computing Surveys (CSUR), 2018
Insider threats are one of today's most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. Despite several scientific works published in this domain, we argue that the field can benefit from the proposed structural taxonomy and novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research, while leveraging existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories that include: 1) Incidents and datasets, 2) Analysis of attackers, 3) Simulations, and 4) Defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents, which is based on existing taxonomies and the 5W1H questions of the information gathering problem. Our survey will enhance researchers' efforts in the domain of insider threat, because it provides: a) a novel structural taxonomy that contributes to orthogonal classification of incidents and defining the scope of defense solutions employed against them, b) an updated overview on publicly available datasets that can be used to test new detection solutions against other works, c) references of existing case studies and frameworks modeling insiders' behaviors for the purpose of reviewing defense solutions or extending their coverage, and d) a discussion of existing trends and further research directions that can be used for reasoning in the insider threat domain.