This is Part Two of a multi-part series on the Insider Threat. I’m interested in what motivates this type of individual, the patterns of behavior, and what organizations can do to reduce the likelihood that a malicious insider can impact their business. In Part One, I relayed my own story of experience with what was most likely a malicious insider. In this part I will review some research that examines the insider threat and the pattern of behavior exhibited by malicious insiders. I’ll wrap up this discussion in Part Three where I examine what can be done to mitigate the threat malicious insiders pose to organizations. This may get a little academic for a while but if you can stick with me through the end of Part Three I promise that I’ll show you how it can be applied to real life situations.
There have been numerous studies on the insider threat and perhaps the most compelling is one that I found over at Carnegie Mellon University’s CyLab website (Management and Education of the Risk of Insider Threat). The report is a few years old (Preliminary System Dynamics Maps of the Insider Cyber-threat Problem) but I believe the basic tenets still hold true. (If anyone knows of any other studies please send me the information as I’d love to read them.) Let me cover the highlights quickly as the study is quite enlightening when it comes to the behavior exhibited by trusted insiders turned malicious. By understanding this behavior, we are one step closer to being able to mitigate the risk associated with malicious insiders.
The study involved twenty-five researchers from eight different institutions. These researchers represented a variety of disciplines (computer science, information security, law enforcement, psychology, etc.) and came together in an attempt to develop system dynamics maps of the insider threat problem. There are many challenges in attempting to do what these researchers have done (the report covers these challenges so I will only allude to them here) but nonetheless, I believe they have established a behavior map that simply and accurately lays out the cause and effect mechanisms existing within malicious insider behavior. (At least it is consistent with the cases that I’ve been exposed to.)
The figure below shows a reduced set of the behavior loops, chosen to simplify and focus the discussion. (The full loops shown in the report’s appendices are quite fascinating. If you have any interest at all in this subject, it would be worth your time to read through them.)

The researchers crafted scenarios around the three interconnected behavior loops. These loops are:
- The Detection Trap (R1 on the image);
- The Trust Trap (R2 on the image); and
- Unobserved Emboldening (R3 on the image).
The Detection Trap (R1) illustrates the trap that most organizations fall into. As an organization’s perceived risk increases, so does its investment in security. This typically increases the organization’s capability to detect malicious behavior within its environment. With greater detection capability comes an increase in the number of detected precursor behaviors of malicious activity, which raises the perceived risk within the organization and feeds back into the loop. The loop also runs in reverse. As perceived organizational risk diminishes (through any number of means, most typically the application of appropriate security controls), so does the incentive to fund security at current levels. Without appropriate funding the organization’s detection capability erodes, which reduces the amount of detected precursor activity, which in turn lowers perceived risk and feeds the loop all over again. As the figure shows, this is further complicated by interaction with the other behavior loops.
The Trust Trap (R2) illustrates the potentially negative impact that trust can have within an environment. Trust is a good thing to have within an organization. It is indicative of a supportive corporate culture and can in many ways reduce the motivation that feeds the transformation of trusted insiders into malicious insiders. An unintended consequence of this trusting environment is that an increase in trust can lead management to believe that the organization does not need the capability to detect malicious behavior by its employees. The resulting reduction in detection capability leaves the organization unable to detect whether violations of acceptable behavior are occurring. That absence of detected violations then reinforces the conclusion that detective capability is not needed, lowering the organization’s perceived risk and thus feeding the Detection Trap loop.
The final behavior loop in this behavior map is the Unobserved Emboldening (R3) loop. This loop is intertwined with The Detection and Trust Traps and is fed by the concept of motive. The researchers in the study decided not to actually define the various types of motive but rather to recognize that it is a necessary trigger for malicious activity. By treating motive generically, we focus on the pattern of behavior rather than specifics of individual motivation.
The actor in this behavior loop is the insider. At this point the insider is trusted and has the motive to become a malicious insider but has not yet become one. Such insiders initiate a series of events that serve to “probe organizational defenses,” as the report puts it. If these events go undetected or are ignored, the risk the insider perceives in carrying out malicious behavior is lowered. As the insider’s perception of risk decreases, they become emboldened to continue this precursor activity. The activity continues until the insider’s perceived risk has fallen to the point where they are willing to accept the risks involved in carrying out an attack.
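To make the interaction between the three loops concrete, here is a small toy system-dynamics simulation that I have added to this post. It is not the CyLab/MERIT model and every coefficient in it is an assumption chosen to make the loops visible, not a value taken from the report. It advances one insider probe per step: detected probes raise the organization’s perceived risk (R1), trust discounts how much of that risk is turned into detection funding (R2), and undetected probes lower the insider’s perceived risk until it crosses an assumed attack threshold (R3). The two scenarios differ only in the trust coefficient.

```python
"""Toy system-dynamics model of the three insider-threat loops:
R1 Detection Trap, R2 Trust Trap, R3 Unobserved Emboldening.

Illustrative model written for this post, NOT the CyLab/MERIT model.
Every coefficient and starting value below is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def clamp(x: float) -> float:
    """Keep every stock in [0, 1] so the loops stay interpretable."""
    return max(0.0, min(1.0, x))


@dataclass
class LoopParams:
    trust: float                     # R2: share of management confidence that displaces funding (assumed)
    invest_rate: float = 0.30        # R1: how strongly perceived risk becomes detection capability (assumed)
    erosion: float = 0.10            # R1: capability lost per step without reinvestment (assumed)
    risk_gain: float = 0.40          # R1: perceived risk added per detected precursor (assumed)
    risk_decay: float = 0.20         # R1: perceived risk forgotten per step when nothing is seen (assumed)
    embolden: float = 0.15           # R3: drop in insider's perceived risk per undetected probe (assumed)
    deter: float = 0.10              # R3: rise in insider's perceived risk per detected probe (assumed)
    attack_threshold: float = 0.30   # R3: insider acts once perceived risk falls below this (assumed)


@dataclass
class Trajectory:
    attack_step: Optional[int]       # step at which the insider crosses the threshold, or None
    capability: List[float] = field(default_factory=list)    # D per step
    org_risk: List[float] = field(default_factory=list)      # P per step
    insider_risk: List[float] = field(default_factory=list)  # I per step


def simulate(params: LoopParams, steps: int = 40) -> Trajectory:
    """Advance the three coupled loops, one probe per step (expected values, no randomness)."""
    D, P, I = 0.5, 0.5, 1.0  # detection capability, org perceived risk, insider perceived risk (assumed starts)
    traj = Trajectory(attack_step=None)
    for step in range(1, steps + 1):
        detected = D             # expected fraction of this step's probe that is caught
        undetected = 1.0 - D     # the rest goes unobserved or ignored
        # R1: detected precursors raise perceived risk; quiet periods let it decay
        P = clamp(P + params.risk_gain * detected - params.risk_decay * P)
        # R2: trust discounts how much perceived risk is converted into detection funding
        D = clamp(D + params.invest_rate * (1.0 - params.trust) * P - params.erosion * D)
        # R3: unobserved probes embolden the insider; detected ones deter
        I = clamp(I - params.embolden * undetected + params.deter * detected)
        traj.capability.append(D)
        traj.org_risk.append(P)
        traj.insider_risk.append(I)
        if I < params.attack_threshold:
            traj.attack_step = step
            break
    return traj


def compare_scenarios(steps: int = 40) -> dict:
    """Attack step (or None) for a high-trust organisation versus a balanced one."""
    return {
        "high_trust": simulate(LoopParams(trust=0.9), steps).attack_step,
        "balanced": simulate(LoopParams(trust=0.3), steps).attack_step,
    }


if __name__ == "__main__":
    for name, trust in (("high_trust", 0.9), ("balanced", 0.3)):
        t = simulate(LoopParams(trust=trust))
        print(f"{name}: attack_step={t.attack_step} "
              f"final_capability={t.capability[-1]:.2f} final_insider_risk={t.insider_risk[-1]:.2f}")
```

With these assumed coefficients the high-trust run lets detection capability erode each step, so the insider’s perceived risk drifts below the threshold within the 40-step horizon, while the balanced run reinvests enough that capability climbs and the insider is deterred rather than emboldened. The point of the toy is not the specific numbers but that the same probing behavior ends in an attack or not depending solely on how the organization’s trust and funding loops respond to it.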
Understanding how these behavior loops interact and influence each other is an important step towards designing and implementing controls that help us to mitigate the risk from malicious insiders. Ironically, the very actions of trust and empowerment that have proven so beneficial to workplace satisfaction and performance may be the very things that support the transformation of trusted insiders to malicious insiders. In Part Three of this series we will examine this conundrum and offer suggestions on how to address these issues within your organization.
Tags: behavior map, Carnegie Mellon University, CyLab, insider threat, malicious insiders, MERIT, System Dynamics