Frank L. Greitzer

Identifying At-Risk Employees: Modeling Psychosocial Precursors of Potential Insider Threats

In many insider crimes, managers and other coworkers observed that the offenders had exhibited signs of stress, disgruntlement, or other issues, but no alarms were raised. Barriers to using such psychosocial indicators include the inability to recognize the signs and the failure to record the behaviors so that they can be assessed. A psychosocial model was developed to assess an employees behavior associated with an increased risk of insider abuse. The model is based on case studies and research literature on factors/correlates associated with precursor behavioral manifestations of individuals committing insider crimes. To test the models agreement with human resources and management professionals, we conducted an experiment with positive results. If implemented in an operational setting, the model would be part of a set of management tools for employee assessment to identify employees who pose a greater insider threat.

Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits

Organizations often suffer harm from individuals who bear no malice against them but whose actions unintentionally expose the organizations to risk-the unintentional insider threat (UIT). In this paper we examine UIT cases that derive from social engineering exploits. We report on our efforts to collect and analyze data from UIT social engineering incidents to identify possible behavioral and technical patterns and to inform future research and development of UIT mitigation strategies.

Identifying at-risk employees: A behavioral model for predicting potential insider threats

A psychosocial model was developed to assess an employee’s behavior associated with an increased risk of insider abuse. The model is based on case studies and research literature on factors/correlates associated with precursor behavioral manifestations of individuals committing insider crimes. In many of these crimes, managers and other coworkers observed that the offenders had exhibited signs of stress, disgruntlement, or other issues, but no alarms were raised. Barriers to using such psychosocial indicators include the inability to recognize the signs and the failure to record the behaviors so that they could be assessed by a person experienced in psychosocial evaluations. We have developed a model using a Bayesian belief network with the help of human resources staff, experienced in evaluating behaviors in staff. We conducted an experiment to assess its agreement with human resources and management professionals, with positive results. If implemented in an operational setting, the model would be part of a set of management tools for employee assessment that can raise an alarm about employees who pose higher insider threat risks. In separate work, we combine this psychosocial model’s assessment with computer workstation behavior to raise the efficacy of recognizing an insider crime in the making.

Methods and Metrics for Evaluating Analytic Insider Threat Tools

The insider threat is a prime security concern for government and industry organizations. As insider threat programs come into operational practice, there is a continuing need to assess the effectiveness of tools, methods, and data sources, which enables continual process improvement. This is particularly challenging in operational environments, where the actual number of malicious insiders in a study sample is not known. The present paper addresses the design of evaluation strategies and associated measures of effectiveness; several quantitative/statistical significance test approaches are described with examples, and a new measure, the Enrichment Ratio, is proposed and described as a means of assessing the impact of proposed tools on the organizations operations.

Predicting Insider Threat Risks through Linguistic Analysis of Electronic Communication

Organizations face growing risks from malicious or careless insiders. An insider threat may take many forms, including disgruntled workers, individuals under financial stress or intentional acts of espionage. Waiting for threats to manifest may leave an organization open to liability, hurt morale and in extreme cases lead to physical harm of others. However, predicting who may pose the greatest risk is challenging. Legal and economic concerns make direct psychological examinations challenging, while reliance upon supervisor or co-worker assessments may lead to unfounded accusations. This research investigates the potential for active monitoring of electronic communications as a method that may identify problems early, allowing for proactive mitigation through coaching, assistance programs and where warranted, termination. Research has found correlations between word use and behavior. This research demonstrates that subtle but measurable differences in the frequency of common words found in electronic communication may provide clues about potential insider threat risks.

Unintentional Insider Threat: Contributing Factors, Observables, and Mitigation Strategies

Organizations often suffer harm from individuals who bear them no malice but whose actions unintentionally expose the organizations to risk in some way. This paper examines initial findings from research on such cases, referred to as unintentional insider threat (UIT). The goal of this paper is to inform government and industry stakeholders about the problem and its possible causes and mitigation strategies. As an initial approach to addressing the problem, we developed an operational definition for UIT, reviewed research relevant to possible causes and contributing factors, and provided examples of UIT cases and their frequencies across several categories. We conclude the paper by discussing initial recommendations on mitigation strategies and countermeasures.

Factors influencing network risk judgments: a conceptual inquiry and exploratory analysis

Effectively assessing and configuring security controls to minimize network risks requires human judgment. Little is known about what factors network professionals perceive to make judgments of network risk. The purpose of this research was to examine first, what factors are important to network risk judgments (Study 1) and second, how risky/safe each factor is judged (Study 2) by a sample of network professionals. In Study 1, a complete list of factors was generated using a focus group method and validated on a broader sample using a survey method with network professionals. Factors detailing the adversary and organizational network readiness were rated highly important. Study 2 investigated the level of riskiness for each factor that is described in a vignette-based factor scenario. The vignette provided context that was missing in Study 1. The highest riskiness ratings were of factors detailing the adversary and the lowest riskiness ratings detailed the organizational network readiness. A significant relationships existed in Study 2 between the level of agreement on each factor’s rating across our sample of network professionals and the riskiness level each factor was judged. Factors detailing the adversary were highly agreed upon while factors detailing the organizational capability were less agreed upon. Computational risk models and network risk metrics ask professionals to perceive factors and judge overall network risk levels but no published research exists on what factors are important for network risk judgments. These empirical findings address this gap and factors used in models and metrics could be compared to factors generated herein. Future research and implications are discussed at the close of this paper.

Cognitive Foundations for Visual Analytics

In this report, we provide an overview of scientific/technical literature on information visualization and VA. Topics discussed include an update and overview of the extensive literature search conducted for this study, the nature and purpose of the field, major research thrusts, and scientific foundations. We review methodologies for evaluating and measuring the impact of VA technologies as well as taxonomies that have been proposed for various purposes to support the VA community. A cognitive science perspective underlies each of these discussions.

Realizing scientific methods for cyber security

There is little doubt among cyber security researchers about the lack of rigor underlying much of the scientific literature. The issues are manifold and are well documented. Much of the problem lies with insufficient scientific methods. Cyber security exists at the frontier between the operations of machines and the behaviors and actions of users. While we inherit the challenges of computer and social sciences, we also must face a variety of new issues that are unique to cyber security. In this paper we discuss the challenges created by the need for rigorous cyber security science. We review the methods used by other sciences and discuss how they relate to cyber security. This paper is by no means comprehensive: its purpose is to foster discussion in the community on how we can improve rigor in cyber security science.

Human Factors Evaluation of Advanced Electric Power Grid Visualization Tools

This report describes initial human factors evaluation of four visualization tools (Graphical Contingency Analysis, Force Directed Graphs, Phasor State Estimator and Mode Meter/ Mode Shapes) developed by PNNL, and proposed test plans that may be implemented to evaluate their utility in scenario-based experiments.