Shuyuan Mary Ho

Composite Role-Based monitoring (CRBM) for countering insider threats

Through their misuse of authorized privileges, insiders have caused great damage and loss to corporate internal information assets, especially within the Intelligence Community (IC). Intelligence management has faced increasing complexities of delegation and granular protection as more corporate entities have worked together in a dynamic collaborative environment. We have been confronted by the issue of how to share and simultaneously guard information assets from one another. Although many existing security approaches help to counter insiders’ unlawful behavior, it is still found at a preliminary level. Efficiently limiting internal resources to privileged insiders remains a challenge today. In this paper we introduce the CRBM (Composite Role-Based Monitoring) approach by extending the current role-based access control (RBAC) model to overcome its limitations in countering insider threats. CRBM not only inherits the RBAC’s advantages, such as scalable administration, least privilege, and separation of duties, but also provides scalable and reusable mechanisms to monitor insiders’ behavior in organizations, applications, and operating systems based on insiders’ current tasks.

Demystifying Insider Threat: Language-Action Cues in Group Dynamics

Written language as a symbolic medium of expression plays an important role in communications. In particular, written words communicated online can provide indications of an actors behavioral intent. This paper describes an ongoing investigation into the interconnectivity between words and actions for a deceptive insider on group dynamics in virtual team collaboration. An experiment using an online game environment was conducted in 2014. Our findings support the hypothesis that language-action cues of group interactions will change significantly after an insider has been compromised. Deceptive actors tend to use more cognition, inclusivity and exclusivity words when interacting with group members. Future work will employ finely tuned complex Linguistic Inquiry and Word Count (LIWC) dictionaries to identify additional language-action cues for deception in various experimental conditions.

Insider Threat: Language-action Cues in Group Dynamics

Language as a symbolic medium plays an important role in virtual communications. Words communicated online as action cues can provide indications of an actors behavioral intent. This paper describes an ongoing investigation into the impact of a deceptive insider on group dynamics in virtual team collaboration. An experiment using an online game environment was conducted in 2014. Our findings support the hypothesis that language-action cues of group interactions will change significantly after an insider has been compromised and makes efforts to deceive. Furthermore, the language used in group dynamic interaction will tend to employ more cognition, inclusivity and exclusivity words when interacting with each other and with the focal insider. Future work will employ finely tuned complex Linguistic Inquiry and Word Count dictionaries to identify additional language-action cues for deception.

Attribution-based Anomaly Detection: Trustworthiness in an Online Community

This paper conceptualizes human trustworthiness1 as a key component for countering insider threats in an online community within the arena of corporate personnel security. Employees with access and authority have the most potential to cause damage to that information, to organizational reputation, or to the operational stability of the organization. The basic mechanisms of detecting changes in the trustworthiness of an individual who holds a key position in an organization resides in the observations of overt behavior – including communications behavior – over time. “Trustworthiness” is defined as the degree of correspondence between communicated intentions and behavioral outcomes that are observed over time [27], [25]. This is the degree to which the correspondence between the target’s words and actions remain reliable, ethical and consistent, and any fluctuation does not exceed observer’s expectations over time [10]. To be able to tell if the employee is trustworthy is thus determined by the subjective perceptions from individuals in his/her social network that have direct business functional connections, and thus the opportunity to repeatedly observe the correspondence between communications and behavior. The ability to correlate data-centric attributions, as observed changes in behavior from human perceptions; as analogous to “sensors” on the network, is the key to countering insider threats.

Leader's dilemma game: An experimental design for cyber insider threat research

One of the problems with insider threat research is the lack of a complete 360° view of an insider threat dataset due to inadequate experimental design. This has prevented us from modeling a computational system to protect against insider threat situations. This paper provides a contemporary methodological approach for using online games to simulate insider betrayal for predictive behavioral research. The Leader’s Dilemma Game simulates an insider betrayal scenario for analyzing organizational trust relationships, providing an opportunity to examine the trustworthiness of focal individuals, as measured by humans as sensors engaging in computer-mediated communication. This experimental design provides a window into trustworthiness attribution that can generate a rigorous and relevant behavioral dataset, and contributes to building a cyber laboratory that advances future insider threat study.

Real or Spiel? A Decision Tree Approach for Automated Detection of Deceptive Language-Action Cues

As the use of computer-mediated communications has increased, the potential risk of online deception has grown -- as has the importance of better understanding human behavior online to mitigate these risks. Previous research has demonstrated that linguistic features provide crucial cues to detect deception, and that reasonable accuracy in detection of deception can be achieved by applying certain classification methodologies to these cues. This paper expands on this line of inquiry, and presents findings from a study conducted in the Spring of 2015. Our findings suggest a viable process for and the feasibility of using a decision-tree classification approach to develop an automated process to detect deception in computer-mediated communications.

Computer-Mediated Deception: Strategies Revealed by Language-Action Cues in Spontaneous Communication

Abstract Computer-mediated deception threatens the security of online users’ private and personal information. Previous research confirms that humans are bad lie detectors, while demonstrating that certain observable linguistic features can provide crucial cues to detect deception. We designed and conducted an experiment that creates spontaneous deception scenarios in an interactive online game environment. Logistic regression, and certain classification methodologies were applied to analyzing data collected during fall 2014 through spring 2015. Our findings suggest that certain language-action cues (e.g., cognitive load, affective process, latency, and wordiness) reveal patterns of information behavior manifested by deceivers in spontaneous online communication. Moreover, computational approaches to analyzing these language-action cues can provide significant accuracy in detecting computer-mediated deception.

Dyadic attribution model: A mechanism to assess trustworthiness in virtual organizations

Language as a symbolic medium plays an important role in virtual communications. In a primarily linguistic environment such as cyberspace, words are an expressed form of intent and actions. We investigate the functions of words and actions in identifying behavioral anomalies of social actors to safeguard the virtual organization. Social actors are likened to “sensors” as they observe changes in a focal individuals behavior during computer‐mediated communications. Based on social psychology theories and pragmatic views of words and actions in online communications, we theorize a dyadic attribution model that helps make sense of anomalous behavior in creative online experiments. This model is then tested in an experiment. Findings show that observation of the behavioral differences between words and actions, based on either external or internal causality, can offer increased ability to detect the compromised trustworthiness of observed individuals—possibly leading to early detection of insider threat potential. The dyadic attribution model developed in this sociotechnical study can function to detect behavioral anomalies in cyberspace, and protect the operations of a virtual organization.

Factors Affecting Individual Information Security Practices

Data and information within organizations have become important assets that can create a significant competitive advantage and therefore need to be given careful attention. Research from industry has reported that the majority of security-related problems are indirectly caused by employees who disobey the information security policies of their organizations. This study proposes a model to evaluate the factors that influence the individuals information security practices (IISP) at work. Drawing on social cognitive and control theories, the proposed model includes cognitive, environmental, and control factors as antecedents of ISSP. The findings of this study could be used to develop effective security policies and training. They could also be used to develop effective security audits and further recommendations for organizations that are looking to make significant improvements in their information security profiles

Gender deception in asynchronous online communication: A path analysis

The increasing social reliance on computer-mediated communication has resulted in the rise of deceptive communication. Gender is a salient feature of identity that can be easily disguised online, and yet the phenomenon of gender deception has not been fully investigated. This study adopts a multifactorial analysis to examine motivation, self-efficacy and gender of a deceiver in relation to self-efficacy and gender of the detector as a contribution to understanding online gender deception. An asynchronous online game was developed to simulate scenarios in which males were incentivized to speak like females, and females were incentivized to speak like males. Using path analysis, we analyzed cognitive factors of gender deception, to support our hypotheses that an actor’s actual gender can affect the motivation to deceive; males had higher self-efficacy beliefs in gender deception, and females had a higher success rate in detecting such deception. Our research suggests that the gender of the message recipient could be a significant factor in uncovering gender deception.