Introduction
The corporate insiders are comprised of the authorized people who use their access credentials to perform unauthorized tasks. These people have legitimate access to the corporate resources and the organization has attached a level of trust to their access credentials based on the security levels as defined in the information security policies in the organization. There are inadvertent or malicious insiders in the corporate insider category. Several incidences have been recorded in the past such as the infamous Wiki-Leaks that hit the US during the year 2013. The Wiki-Leaks incidence saw thousands of classified government documents and information from emails to reports, disclosed to the public. Such incidences force organizations, both private and public, to re-evaluate their information policy documents to determine if there are any loop holes in their information security system. A corporate insider threat is bound to have a larger effect on the organization as the insider has authorized access to the company’s resources (Cappelli, Moore, Trzeciak, 2005).
Based on previous research, the incidence of employee financial hardships are encountered during economic downturns. Sometimes the increased use of technology in communication within an organization may ease theft in an organization. Some reports have shown that the insider threat is quite more expensive and damaging as corporates are bound to spend up to $412,000 per threat incident annually. The more the incidences, the higher the loss the organization is bound to incur. There are a number of factors to consider as potential risk indicators in determining a corporate insider. Corporate insiders tend to attempt to bypass security controls and protocols especially if they do not have security clearance in a certain level or they may have unjustified work pattern (Legg, et al., 2013 p. 25 ). Some indicators are such as unjustified work patterns, chronic violation of information security policies, emotional expression of conflicted loyalty to the organization and a competitor, disgruntled employees, use of unauthorized digital external storage devices, failure to report foreign contacts, and insensitive access to data on terminal of employment (Bishop, et al., 2014). The following pie charts illustrate the types of insider acts alongside their primary motivation,
It is important to know that the corporate insider threat is not categorized as hacking or under cyber security as the detection of corporate insiders focuses on the behavioral techniques. Based on several research and statistics, the corporate insider threats are mainly carried out by authorized staff members and smaller percentages of the acts are carried out by contractors and temporary staff (CPNI). The corporate staff exploits corporate weaknesses such as poor management practices, auditing functions, improper protective security controls and culture, employment and HR screening, threat awareness at management level, and inadequate corporate governance (Greitzer, et al., 2011, p. 32). Currently, corporate are quite cautious and they do all that is necessary to protect their resources especially information, data, and hardware resources by implementing insider threat detection programs and policies.
Literature Review
During economic crisis, people tend to find ways to make ends meet. Corporate insiders are considered to be quite active during such periods. These are the individuals who have access to corporate hardware, software, and firmware. They may have authorized or non-authorized access to the proprietary information and equipment in a given organization by using their personal accounts or hacked accounts. Some of the common resources that the corporate insiders get access to are computers, network rooms and other intangible resources such as the email accounts, user accounts, and the human resource in an organization. Most of the corporate insiders are either disgruntled employees or victims of turf financial times or economic recess. The main point is that these corporate insiders always have motive to have unauthorized access to proprietary organization materials and leak them to unauthorized users (Kammueller, et al., 2014, p.68).
There are several research papers done to determine the type of behavior of an insider. Most of the research work done in the information security and corporate data security entails the threat prevention and detection. The threat prevention has to do with enforcement of good policies, procedures, and practices where one can manage and monitor the flow of information, the utilization of corporate resources, the resource management and role allocation strategies as well as the honeypots. To prevent insider threats, an organization formulates and enforces good information security policies, procedures, and practices. To mitigate the incidences of insider threats, organizations implement secure backup and recovery processes and perform periodic information audits on cyber activities. Bertacchini, et al., did a survey that sought to analyze the use of UNIX commands on an information system to detect insider threats. The most plausible detection method for the insider threats is the behavioral techniques. It has to do with biometric, printing, login, online communication and other psychosocial behavior on systems.
One of the key methods in the classification of detection mechanisms has to do with the employee behavior and identification of anomalies and inconsistencies in the operations. The communication behavior is focused on as it determines the information theft. Under communication, there are biometric, cyber, psychosocial, and communication behavior that is analyzed in the determination of corporate insider threats. The organization seeks to detect the threat based on the security levels defined in the information security policies. The information auditors and forensic officers may search through reports and system logs to detect malicious insider behavior (Ogiela, et al., 2012, p.42).
Biometric behavior is used in recognizing a given user. The employee’s behavior can be studied from the biometric information obtained and inconsistencies in the implementation or testing of biometric information can be recorded in system log files. The system records the masqueraders and any person willing to do malicious activities (Spitzner, 2003, p.175).
Cyber behavior observes the staff users activities while using corporate resources such as printing, web searches, external devices use, login attempts, serial file search attempts. The activities and the cyber actions are used to detect anomalies in the use of corporate resources. The cyber activities detect information but detecting the actors behind the activities recorded requires an involvement with the biometric information. It helps distinguish information over different environments. Further, the threat prevention and detection systems implemented in the organizations to determine the anomalies in the cyber behavior. It focuses on UNIX commands and determines what the staff has been doing on the company system (Magklaras, 2002, p.68).
Psychosocial behavior focuses on actors who wish to sabotage corporate resources. These actors may be disgruntled employees who may perform sophisticated cyber-attacks. Some of the attacks include spoofing, denial of service attacks, and account espionage. The actors tend to have conflict with supervisors and their fellow colleagues. The actors have cases of anomalies in their social behavior. The information security policy requires that the psychosocial behavior is collected on periodic basis.
Communication behavior determines the characteristics for the communication and employees in different departments. The information is obtained from the communication methods used in an organization such as email accounts, instant messaging applications, file sharing applications, and telephone conversations and messages. The information is collected and stored for forensic, insider threat, and quality checks. The system uses threat detection and prevention systems that can search through system logs to detect flagged words or activities that are highlighted as threats. However, the logging data may contain a lot of data which may be too much to interpret. The user activity recording is important and it is instantly understood by the auditors and the irrefutable evidence of user actions (Myers, et al., 2009, p 46).
Research Methodology
System Requirements Analysis
- The system should determine an insider threat score and alert the administrator when the threat level is too high.
- The system requires distinguishing the insider threat before obtaining a score for the sabotage, data fraud, and intellectual property theft.
- The system requires determining the new and anticipating potential threats that may not have been captured in the information security policy.
Study Design
Some of the techniques that are useful in accomplishing the research work are as discussed in this section. A case scenario is adopted in a given organization. The main tasks include reviewing the current information security policy. The data collection techniques will be implemented so as to determine the security constraints, loopholes, and UNIX commands which raises an alarm. The following datasets are analyzed in the research study to determine the insider threats for a given security system.
Behavior types | Availability in the system |
UNIX Commands | PublicOn request |
System Level | PrivateOn Request |
Cyber | Private On Request |
Flowchart
Insider Threat detection system follows the following flowchart,
Some of the algorithms that need to be implemented in the system and the synthesis of data may include the following case scenario,
Case Scenario | Algorithm |
Guild leaving the online gaming platform during a session | Random Forest |
Personal interaction with colleagues and their interpersonal relations at the workplace | Bayesian Network |
Human Resource Management evaluation of the staff behavior | Bayesian Network |
Communication on social media platforms using corporate resources. For instance, YouTube Comments | Naïve Bayes Support Vector Machine Logistic regression |
The experimental data was created based on the synthetic datasets that were conducted for the isolation of the detection system. The datasets are obtained from transactional activities carried out in the information system to attack data based on the log files. The information security policy determines an employee’s role in the organization to determine the,
- Log-in attempts
- HTTP requests
- Email contacts
- Email communication and IM interactions
Hypothesis
H0: The Information security policy is sufficient for the management of the insider threat system analysis.
H1: The insider threat is commonly caused by biometric, communication, and cyber behavior as compared to the psychosocial behavior.
Results
These algorithms form part of a larger information security threat detection system that are implemented to determine the insider threat. Data is obtained from the system log which contains data over a period of time. The study was conducted on 5 insiders with information security clearance levels 2 and 3. The table below illustrates the alerts obtained from the threat detection system,
# | L2 alerts (ϭ<0.1) | L2 alerts (ϭ<0.2) | L2 alerts (ϭ<0.3) | L3 alerts (ϭ<1.0) | L3 alerts (ϭ<2.0) | L2 anomaly vectors | L3 anomaly vectors |
1 | 915 | 415 | 352 | 276 | 75 | n/a | n/a |
2 | 3015 | 92 | 88 | 68 | 24 | Logon, logon duration | Insert, file, hourly, user, total |
3 | 904 | 553 | 474 | 287 | 82 | User, new, this | New, email |
4 | 1572 | 125 | 89 | 977 | 276 | Logon, logon duration | User, file, total |
5 | 1645 | 610 | 526 | 452 | 73 | n/a | New, number, user, role, total, hourly |
Discussion
Some of the useful behavior captured from the system is the search behavior, UNIX commands, system level behavior, and print, browse and search activities, upload and download on the information system, communication and social media interactions on the corporate resources. The proposal discusses the algorithms that are implemented in the system to determine the evaluation of the information security system. The data obtained from the information security system is evaluated using the algorithms and the potential risks that may overcome the system and cause it loop holes. The research on the insider threat is not an isolated issue in the information security system rather it performs the detection of security flaws based on the insider or the actor’s behavior while using the corporate resources. The system attacks are caused by the biometric interactions on the system, the communication and interaction on social media using the corporate resources.
Conclusion
In a nutshell, the research proposal has surveyed the potential insider threats and risk indicators. The paper compares the different behavioral analysis such as the psychosocial, cyber, biometric, and communication that may cause potential threat in a corporate. Having categorized the insider threats and assigned them scores based on the occurrence, the threats are seen are evaluated and provided for the data behavior. The proposal is given such that malicious threats can be detected on the system. The information obtained to form the case scenarios is obtained on the basis of the information security policy. The policy acts as a guide and the system data collection methods are implemented in the organization. The information is evaluated using the common statistical techniques and it enables the researcher make relevant deductions on the systems. The information obtained from the analysis is used to improve the current information security policy.
References
D. M. Cappelli, A. P. Moore, and R. F. Trzeciak. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes. Addison-Wesley Professional, 1st edition, 2012. I. Jolliffe. Principal component analysis. Wiley Online Library, 2005.
P. A. Legg, N. Moffat, J. R. C. Nurse, J. Happa, I. Agrafiotis, M. Goldsmith, and S. Creese. Towards a conceptual model and reasoning structure for insider threat detection. Journal of Wireless Mobile Networks, Ubiquitous Computing and Dependable Applications, 4(4):20–37, 2013.
M. Bishop, B. Simidchieva, H. Conboy, H. Phan, L. Osterwell, L. Clarke, G. Avrunin, and S. Peisert. Insider threat detection by process analysis. In IEEE Security and Privacy Workshops (SPW). IEEE, 2014.
M. Bishop, S. Engle, S. Peisert, S. Whalen, and C. Gates. We have met the enemy and he is us. In Proc. of the 2008 workshop on New security paradigms (NSPW’08), Lake Tahoe, California, USA, pages 1–12. ACM, September 2008.
F. L. Greitzer and R. E. Hohimer. Modeling human behavior to anticipate insider attacks. Journal of Strategic Security, 4(2):25–48, 2011.
J. R. C Nurse, O. Buckley, P. A. Legg, M. Goldsmith, S. Creese, G. R. T. Wright, and M. Whitty. Understanding insider threat: A framework for characterising attacks. In IEEE Security and Privacy Workshops (SPW). IEEE, 2014.
F. Kammueller and C. W. Probst. Invalidating policies using structural information. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 5(2):59–79.
M. R. Ogiela and U. Ogiela. Linguistic protocols for secure information management and sharing. Computers & Mathematics with Applications, 63(2):564–572, January 2012.
L. Spitzner. Honeypots: catching the insider threat. In Proc. of the 19th IEEE Computer Security Applications Conference (ACSAC’03), Las Vegas, Nevada, USA, pages 170–179. IEEE, December 2003.
G. B. Magklaras and S. M. Furnell. Insider threat prediction tool: Evaluating the probability of IT misuse. Computers and Security, 21(1):62–73, 2002.
J. Myers, M. R. Grimaila, and R. F. Mills. Towards insider threat detection using web server logs. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, CSIIRW ’09, pages 54:1–54:4, New York, NY, USA, 2009. ACM.