A Critical Reflection on the Threat from Human Insiders – Its Nature, Industry Perceptions, and Detection Approaches

Nurse, Jason R. C.; Legg, Phil; Buckley, Oliver; Agrafiotis, Ioannis; Wright, Gordon; Whitty, Monica T.; Upton, David M.; Goldsmith, Michael; Creese, Sadie

doi:10.1007/978-3-319-07620-1_24

Cited by 25 publications

(31 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The majority of the security controls were put in place as a knee-jerk reaction to the breach itself, and because of the fear of losing everything. For a business that makes profit from generating intellectual property, IP theft is a great concern [17]and likely to be caused by a disgruntled insider [17]. Such existential threats place cyber security at a level of priority for the board rather than remaining an 'IT concern' [19].…”

Section: A Post-shock Securitymentioning

confidence: 99%

See 1 more Smart Citation

2 Fast 2 Secure: A Case Study of Post-Breach Security Changes

Demjaha

Caulfield

Sasse

et al. 2019

2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

A security breach often makes companies react by changing their attitude and approach to security within the organization. This paper presents an in-depth case study of post-breach security changes made by a company and the consequences of those changes. We employ the principles of participatory action research and humble inquiry to conduct a long-term study with employee interviews while embedded in the organization's security division. Despite an extremely high level of financial investment in security, and consistent attention and involvement from the board, the interviews indicate a significant level of friction between employees and security. In the main themes that emerged from our data analysis, a number of factors shed light on the friction: fear of another breach leading to zero risk appetite, impossible security controls making non-compliance a norm, security theatre underminining the purpose of security policies, employees often trading-off security with productivity, and as such being treated as children in detention rather than employees trying to finish their paid jobs. This paper shows that post-breach security changes can be complex and sometimes risky due to emotions often being involved. Without an approach considerate of how humans and security interact, even with high financial investment, attempts to change an organization's security behaviour may be ineffective.

show abstract

Section: A Post-shock Securitymentioning

confidence: 99%

“…Company boards are increasingly being encouraged to become seriously involved with the security of their organization [25]. However, when it comes to insider attacks, many companies underestimate them and fail to report them when they occur [17]. Company A is on the other side of this spectrum though.…”

Section: A Post-shock Securitymentioning

confidence: 99%

2 Fast 2 Secure: A Case Study of Post-Breach Security Changes

Demjaha

Caulfield

Sasse

et al. 2019

2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

show abstract

“…Insider threat has advanced to an issue of growing concern and significance, a fact also reflected in the soaring number of publications dedicated to the topic. 6 Contributions cover a wider range of different themes spanning from behavioural research to technical attack modelling. 7 10 Insider threat management denotes an emerging focus area of operational risk and information security management.…”

Section: Related Workmentioning

confidence: 99%

Insider threat response and recovery strategies in financial services firms

Eggenschwiler

Agrafiotis

Nurse

2016

Computer Fraud & Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, the absence of previously logged malicious insider threats, among the logs of normal users' behaviour in an organisation, shapes the insider threat detection mechanism into a one-class data mining approach, namely anomaly detection. The topic of insider threat detection is getting increased concern by organisations, as a result of the significant number of malicious insider threats reported in recent years [3]. These threats are attributed to insiders; current or former employees, contractors, or business partners in an organisation, who have privileged access to the network, system, and data.…”

Section: Introductionmentioning

confidence: 99%

Adaptive One-Class Ensemble-based Anomaly Detection: An Application to Insider Threats

Haidar¹,

Gaber²

2018

2018 International Joint Conference on Neural Networks (IJCNN)

View full text Add to dashboard Cite

The malicious insider threat is getting increased concern by organisations, due to the continuously growing number of insider incidents. The absence of previously logged insider threats shapes the insider threat detection mechanism into a one-class anomaly detection approach. A common shortcoming in the existing data mining approaches to detect insider threats is the high number of False Positives (FP) (i.e. normal behaviour predicted as anomalous). To address this shortcoming, in this paper, we propose an anomaly detection framework with two components: one-class modelling component, and progressive update component. To allow the detection of anomalous instances that have a high resemblance with normal instances, the oneclass modelling component applies class decomposition on normal class data to create k clusters, then trains an ensemble of k base anomaly detection algorithms (One-class Support Vector Machine or Isolation Forest), having the data in each cluster used to construct one of the k base models. The progressive update component updates each of the k models with sequentially acquired FP chunks; segments of a predetermined capacity of FPs. It includes an oversampling method to generate artificial samples for FPs per chunk, then retrains each model and adapts the decision boundary, with the aim to reduce the number of future FPs. A variety of experiments is carried out, on synthetic data sets generated at Carnegie Mellon University, to test the effectiveness of the proposed framework and its components. The results show that the proposed framework reports the highest F1 measure and less number of FPs compared to the base algorithms, as well as it attains to detect all the insider threats in the data sets.

show abstract

A Critical Reflection on the Threat from Human Insiders – Its Nature, Industry Perceptions, and Detection Approaches

Cited by 25 publications

References 11 publications

2 Fast 2 Secure: A Case Study of Post-Breach Security Changes

2 Fast 2 Secure: A Case Study of Post-Breach Security Changes

Insider threat response and recovery strategies in financial services firms

Adaptive One-Class Ensemble-based Anomaly Detection: An Application to Insider Threats

Contact Info

Product

Resources

About