Overview

There are two questions you should be asking yourself about your organization’s insider threat program:

1. What is the probability that your organization will experience an insider threat?  The assumption is that the probability is probably low.  Again, that fateful mental model based on the perception that “the worst-case scenario is also the least probable’ applies to an organization’s efforts to stand up even a minimum viable product (MVP)-level insider threat or counter cyber espionage program.  The reality is 34% of all breaches in 2018 were caused by insiders (a), yet less than 20% of U.S. organizations possess effective security programs to combat it. (b)
2. What will be the impact if your organization experiences an insider threat incident or damage linked to insider activity?  “The results range from information leakage and national security breaches to workplace violence and even reputational damage. Insiders’ unintentional actions can be equally damaging. Clearly, a robust insider threat program that protects government resources, employees, and contractors can deliver significant value and reduce associated risks.”  (1)

Government efforts to implement insider threat programs have increased and improved steadily since OODA CTO BOb Gourley’s initial analysis of the severity of the threat and since they were mandated in 2011 by Executive Order 13587.  Private-sector efforts tend to be less uniform across the Fortune 500 (depending on the industry sector and threat exposure as determined by the parent company) and SMB insider threat programs probably lean towards non-existent.

Besides assessments and evaluations, generating threat matrices, countless meetings with vendors, and working on draft versions of an internal, bare-bones “What to do in the event of an Insider Threat Handbook“,  how can a serious internal commitment to the design process and collective intelligence (aka community-driven insider threat initiatives) give this often ignored sub-sector of risk management the priority it requires within your organization, driven by innovation?

Following are a few initiatives that are thinking differently about insider threat program implementation through innovative architectures, collective intelligence, advanced analytics, and the use of publicly available information (PAI).  Community-based and partner collaborations up and down the supply chain are also a hallmark of these efforts, as there is a growing acknowledgment that internal-facing and traditionally siloed insider threat efforts are part of the problem.

The Transportation Security Administration (TSA) Insider Threat Roadmap 2020 and Advanced Analytics

TSA Administrator David Pekoske spoke to this need for broad collaboration in the opening statement:  “The Insider Threat Roadmap defines the common vision for the Transportation Systems Sector that insider threat is a community-wide challenge since no single entity can successfully counter the threat alone.” (c)

The release of the TSA Insider Threat Roadmap in 2020 was precipitated by incidents wrought by insiders:  “In July 2019, a surveillance camera at the Miami International Airport captured footage of an airline mechanic sabotaging a plane’s navigation system with a simple piece of foam. The TSA road map describes this incident along with a number of others dating back to 2014 spanning a range of activities including terrorism, subversion, and attempted or actual espionage to stress the need for a ‘layered strategy of overall transportation security.’” For a sobering perspective on the nature of the threat in the transportation security sector (TSS),  see the chronological threat assessment on pages 6 and 7 of the TSA Roadmap document.

When engaged in your insider threat program design process, the TSA breakdown of “risk indicators” is a good start and includes the following attributes:  behavioral, physical, technological, or financial.  An initial commitment to the identification of patterns and trends is the key design element.  The TSA elaborates:

“Risk indicators, whether they be behavioral, physical, technological, or financial can expose malicious or potential malicious insiders to detection. TSA and its security partners and stakeholders will identify and assess key indicators to assist with the evaluation and identification of insider threats and to inform the development of effective mitigation strategies across the Transportation Systems Sector (TSS).  We will review insider threat cases for the purposes of identifying patterns or trends of significance, especially for indicators of developing threats. TSA will increase its profile as a source of information on the types of behaviors and actions that have occurred in actual insider threat incidents to inform awareness, preparedness, and risk mitigation measures.”

For some organizations, the use of advanced technology may be out of reach or like swatting a fly with an elephant gun.  Somewhat ironically, some of the techniques used for consumer behavior or marketing efforts might informally port over for use in an insider threat program. Overall, advanced analytics is a powerful tool and because it has the resources it needs to implement the technology, the TSA has committed to modeling “the probability of factors that influence insider threat”:

“We will improve the TSS’s ability to detect potentially malicious insiders by implementing comprehensive solutions encompassing advanced empirical models, improved information/intelligence sharing, and threat detection. Advanced analytic solutions (e.g., artificial intelligence, probabilistic analytics, data mining) will help develop insider threat screening and staffing models to best allocate resources and deploy mitigation measures.” (c)

In roadmap documents, the frameworks offered are often filled with catchphrases and bureaucrat-sims – sound and fury signifying nothing.  Not so with this TSA roadmap.  The TSA Threat Roadmap is clear, concise, agnostic, and – as a result – potable to your organization:

1. Promote meaningful data-driven decision making to detect threats by:
   • Collecting and using threat information better, and
   • Developing and maintaining technical capabilities to identify and evaluate risk indicators
2. Advance operational capability to deter threats by:
   • Optimizing information to improve capabilities, and
   • Enhancing insider threat detection and case management
3. Mature the capability of [your industry vertical here] to mitigate threats by:
   • Fostering an agile insider threat posture, and
   • Partnering with stakeholders to create tailored mitigation strategies.

OODA Loop Resources for your Design Process/Ideation

OODA Loop Contributor Rich Heimann (Chief AI Officer at Cybraics Inc.) recently contributed the following posts on how to think about ‘threats’, problem-solving, and the mental models and faulty assumptions we bring to “detection” broadly considered.  His insights apply to the design of insider threat programs as well:

The Problem With Solutions To Cyber Threat Detection and Why is cyber threat detection so hard?:  Why is cyber threat detection so hard? The most obvious reason threat detection is hard is that “threat” is too abstract to solve. It may seem obvious, but effective problem solving requires problem framing. Hence, everyone involved in the process clearly understands the problem and what it is not. We get distracted by vague and amorphous claims of AI outthinking humans or being “slightly” conscious. We forget that problem-solving is more complicated than pip install TensorFlow.

OODA Loop Contributor Crystal Lister (President, Cyber Threat Intelligence, Omniangle Technologies; previously Co-founder of Cyber at Global Professional Services Group – GPSG) penned a four-part series for OODA Loop on the management of insider threat risk: 

Manage Insider Threat Risk and Prevent ‘Big Brother’ Perception – Part I:  What your organization should be doing to proactively manage corporate security culture and workforce expectations as it prepares to prevent, detect, and respond to insider risk incidents.  GPSG’s insider threat risk team introduces its workforce investment strategy and provided actionable steps for explaining to your workforce why you are including insider threats in your risk calculus.

Part II:  The second step in the GPSG workforce investment strategy is to proactively seek ways to manage and be upfront with your workforce about what you are doing to manage insider risk.

Part III: After explaining to your workforce why you are including insider risk in your corporate security culture, how can you explain the benefits of an insider threat management program or the ‘what’s in it for them?’  The third step in my workforce investment strategy is to explain the benefits of insider risk management to your workforce.

Part IV:  After sharing the benefits of insider threat risk management with your workforce, how can you solicit their assistance in helping manage this type of enterprise risk?  The fourth step in my workforce investment strategy is to solicit workforce help in managing insider threat risks.

What Next? 

Innovate:  Depending on the resources available to your organization, advanced analytic solutions (e.g., artificial intelligence, probabilistic analytics, data mining) are a tight fit for this threat vector.  Leverage advanced analytics platforms and products which may already be deployed in other functions within your organization.

Resources are Available:  Since the publication of the TSA Roadmap in 2020, we have been unable to find public-facing information about or access to the “Insider Threat Mitigation Hub” the TSA was committed to standing up in the roadmap.   CISA’s Insider Threat Mitigation web page is designed for public use and is comprehensive.  CISA products and resources are available on the Insider Threat Mitigation Resources site.  The CISA Insider Threat Mitigation Guide is impressive and also very comprehensive.

Commit Early in the Design Process to Privacy and Civil Liberties Concerns:  In its roadmap document, the TSA “pre-empted concerns usually associated with massive data collection practices by including the protection of privacy and civil liberties among the “guiding principles” it said would accompany its efforts.” (2)  Your organization should do the same.

References

(a) Verizon (2019). The Verizon 2019 Data Breach Investigations Report

(b) Gartner (Jan 2020). How to Build Incident Response Scenarios for Insider Threats

(c) TSA Insider Threat Roadmap 2020

https://oodaloop.com/archive/2022/05/05/is-your-insider-threat-risk-management-program-ripe-for-innovation-part-2/

Related Reading:

Explore OODA Research and Analysis

Use OODA Loop to improve your decision-making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence, and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, and Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation-state conflict, non-nation state conflict, global health, international crime, supply chain, and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders, and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences, and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member-only video library. Explore The OODA Community.