Overview

There are two questions you should be asking yourself about your organization’s insider threat program:

1. What is the probability that your organization will experience an insider threat? The assumption is that the probability is probably low.  Again, that fateful mental model based on the perception that “the worst-case scenario is also the least probable’ applies to an organization’s efforts to stand up even a minimum viable product (MVP)-level insider threat or counter cyber espionage program.  The reality is that 34% of all breaches in 2018 were caused by insiders (a), yet less than 20% of U.S. organizations possess effective security programs to combat it. (b)
2. What will be the impact if your organization experiences an insider threat incident or damage linked to insider activity?  “The results range from information leakage and national security breaches to workplace violence and even reputational damage. Insiders’ unintentional actions can be equally damaging. Clearly, a robust insider threat program that protects government resources, employees, and contractors can deliver significant value and reduce associated risks.”  (1)

In this series of posts, we ask the further question:  how can a serious internal commitment to the design process and collective intelligence (aka community-driven insider threat initiatives) give this often ignored sub-sector of risk management the priority it requires within your organization, driven by innovation?

In Part I of this series, we took a look at the Transportation Security Administration (TSA) Insider Threat Roadmap 2020 and advanced analytics.  Following are two more initiatives that are thinking differently about insider threat program implementation through innovative architectures, collective intelligence, advanced analytics, and the use of publicly available information (PAI).  Community-based and partner collaborations up and down the supply chain are also a hallmark of these efforts, as there is a growing acknowledgment that internal-facing and traditionally siloed insider threat efforts are part of the problem.

In Part II, we examine the approaches taken and the resources available at the Carnegie Mellon University Software Engineering Institute (SEI) and the MITRE Center for Threat-Informed Defense (CTID).

Carnegie Mellon University Software Engineering Institute (SEI)

According to the Carnegie Mellon University Software Engineering Institute (SEI) website, the institute:

“…adopts a holistic approach to insider threat research to understand not only the ‘how’ of insider incidents, but also the ‘why.’  In most cases, employees don’t join their organizations with the intent to do harm.  Rather, employees can become motivated to carry out attacks against their employers when they experience a series of stressors, when they exhibit concerning behaviors, and when employers address those behaviors in some maladaptive way. When that happens, employees can become easy and willing targets of pressure from criminals and foreign agents, or they might become disgruntled and careless on the job. A major goal of insider threat research, therefore, is to understand root causes of stressors and concerning behaviors to detect them early and offer employees better help before they commit a harmful act.”

SEI’s Insider Threat research is organized around a concept they call positive deterrence, providing a framework for how best to provide employees positive incentives for reducing insider threat.

Positive Deterrence 

In the SEI Technical Report, The Critical Role of Positive Incentives for Reducing Insider Threats, discusses insider threats from the perspective of “the traditional approach focused on negative incentives that restrict employees to prevent abuse and detects and punishes abuse when it occurs. This approach is based on a negative form of deterrence as promulgated in Deterrence Theory, which says that people obey rules because they fear getting caught and being punished.  Restricting, detecting, and punishing employees reinforces the deterrence (negative) of abuse.

Our extension of security through positive incentives is shown on the left side of [Figure 16 below]. In its current form, as supported by our research, organizational support (including organization justice) is shown as the foundation of positive deterrence.  With this foundation in place, connectedness with co-workers and job engagement serve to strengthen an employee’s commitment to the organization. Organization support and connectedness also strengthen overall engagement in a feedback effect.  This form of positive deterrence complements the use of negative deterrence by reducing the baseline of insider threat in a way that can improve employees’ satisfaction, performance, and commitment to the organization.” (1)

Rethinking Security Strategies 

Again, the SEI captures the nature of research efforts best:  “At the SEI, we help organizations use their data and their resources to get a clearer picture of possible threats in their workforce and in the supply chains and contractors they work with. Our goal is to advance the state of insider threat research through the development of capabilities for preventing, detecting, and responding to evolving cyber and physical threats.

We focus on building repeatable, verified, and context-aware processes and preventative controls based on careful research and empirical evidence. We develop techniques that improve detection through tools that quickly detect patterns and anomalies; that automate prediction of risk and prevention controls; and that quickly and accurately identify indicators of various insider attack types.

The SEI is leading this effort thanks to our unique combination of experience and expertise. Since 2001, we have partnered with government agencies—such as the Department of Defense, the Department of Homeland Security, Secret Service, and many federal agencies—as well as with private industry, academia, and the vendor community. We are also leaders in modeling and simulation, software engineering, cybersecurity, and data science, and we engage in collaborative research relationships with a cadre of multidisciplinary experts in the social and behavioral sciences. As a result, we are the only source for a data-driven, risk-based, socio-technical approach to insider threats. (2)

The SEI Insider Threat Test Dataset

We have a database of over 3,000 insider incidents that we use to characterize the nature of the evolving insider threat problem, develop indicators of insider risk, and prototype and transition technical and administrative controls for insider threat mitigation. In our insider threat lab, we measure the effectiveness of new tools, indicators, and analytic techniques. We’ve developed assessments to help organizations identify their vulnerabilities to insider threats, and several training courses on establishing and operating an insider threat program.

The Insider Threat Test Dataset is a collection of synthetic insider threat test datasets that provide both background and malicious actor synthetic data.  For a direct link to the dataset, go here.

Dataset – Abstract