Combating the Insider Cyber Threat

Frank L. Greitzer, Pacific Northwest National Laboratory
Andrew P. Moore and Dawn M. Cappelli, Software Engineering Institute
Dee H. Andrews, Air Force Research Laboratory
Lynn A. Carroll, Karta Technologies
Thomas D. Hull, Oak Ridge Institute for Science and Education

The penetration of US national security by foreign agents as well as American citizens is a historical and current reality that’s a persistent and increasing phenomenon. Surveys, such as the E-Crime Watch Survey (www.cert.org/archive/pdf/2004eCrimeWatchSummary.pdf), reveal that current or former employees and contractors are the second greatest cybersecurity threat, exceeded only by hackers, and that the number of security incidents has increased geometrically in recent years. The insider threat is manifested when human behavior departs from compliance with established policies, regardless of whether it results from malice or a disregard for security policies. The types of crimes and abuse associated with insider threats are significant; the most serious include espionage, sabotage, terrorism, embezzlement, extortion, bribery, and corruption. Malicious activities include an even broader range of exploits, such as copyright violations, negligent use of classified data, fraud, unauthorized access to sensitive information, and illicit communications with unauthorized recipients.

The “insider” is an individual currently or at one time authorized to access an organization’s information system, data, or network; such authorization implies a degree of trust in the individual. The insider threat refers to harmful acts that trusted insiders might carry out; for example, something that causes harm to the organization, or an unauthorized act that benefits the individual. A 1997 US Department of Defense (DoD) Inspector General report¹ found that 87 percent of identified intruders into DoD information systems were either employees or others internal to the organization. More generally, recent studies of cybercrime (such as the 2004 through 2006 E-Crime Watch Surveys; www.cert.org/archive/) in both government and commercial sectors reveal that although the proportion of insider events is declining (31 percent in 2004 and 27 percent in 2006), the financial impact and operating losses due to insider intrusions are increasing. Of those companies experiencing security events, the majority (55 percent) report at least one insider event (up from 39 percent in 2005).

In this article, we’ll focus on the need for effective training to raise staff awareness about insider threats and the need for organizations to adopt a more effective approach to identifying potential risks and then taking proactive steps to mitigate them.

Training research

To help staff, management, and human resource personnel understand the social-behavioral factors and technical issues underlying insider threats, training on insider threat awareness and mitigation must be flexible and customizable to different roles and responsibilities. It should also be highly relevant and realistic and address privacy and legal issues. The question of how to effectively convey such complex knowledge and skills is tied to fundamental instructional systems design (ISD) issues with philosophical and theoretical roots to theorists such as Jean Piaget, John Dewey, and Lev Vygotsky,² who argued that learning contexts should be coupled with multiple opportunities for the learner to “construct” or discover meaning in the material (a constructivist or student-centered instructional philosophy) in contrast with the behaviorist or instructor-centered approach associated with traditional expository instruction.

Ongoing research at each of our institutions attempts to raise the bar in both training and insider research and development.

Pacific Northwest National Laboratory

PNNL has focused on interactive training in a variety of domains and predictive modeling for insider threat detection. Specifically, its researchers have developed complex, cognitive-based instruction to produce workshops and hands-on training, interactive computer-based training systems, and serious gaming approaches, blended training techniques,³,⁴ and research on the effectiveness of game-based training.⁵ For cybersecurity, an R&D initiative at PNNL (the In
Published by the IEEE Computer Society ■ 1540-7993/07/$25.00 © 2007 IEEE ■ IEEE Security & Privacy 61
Education
Carnegie Mellon Univ., Software Eng. Inst., 2004; www.sei.cmu.edu/publications/documents/04.reports/04tr021.html.
9. A.P. Moore et al., “An Experience Using System Dynamics Modeling to Facilitate an Insider Threat Workshop,” Proc. 25th Conf. System Dynamics Soc., The System Dynamics Society, 2007; www.cert.org/archive/pdf/ISDC2007.pdf.
10. S.R. Band et al., Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis, tech. report CMU/SEI-2006-TR-026, Carnegie Mellon Univ., Software Eng. Inst., 2006.
11. D.M. Cappelli, A.P. Moore, and T.J. Shimeall, Common Sense Guide to Prevention/Detection of Insider Threats, tech. report, Carnegie Mellon Univ., CyLab and the Internet Security Alliance, July 2006; www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.1-1-070118.pdf.
12. D. Cappelli et al., “Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage,” Proc. 24th Conf. System Dynamics Soc., The System Dynamics Society, 2006; www.cert.org/archive/pdf/merit.pdf.

Frank L. Greitzer is a chief scientist at the Pacific Northwest National Laboratory (PNNL). His research interests include human behavior modeling, system evaluation methods and metrics, and modeling human cyber behavior with application to identifying malicious insider activities. Greitzer has a BS in mathematics from Harvey Mudd College and a PhD in mathematical psychology with specialization in memory and cognition from the University of California, Los Angeles. He is an editorial board member of the Journal of Cognitive Informatics & Natural Intelligence. Contact him at frank.greitzer@pnl.gov.

Andrew P. Moore is a senior member of the technical staff of CERT at the Software Engineering Institute at Carnegie Mellon University. His interests include improving security, survivability, and resiliency of enterprise systems through attack and defense modeling, and incident processing and analysis. Moore has a BA in mathematics from the College of Wooster and an MA in computer science from Duke University. Contact him at apm@cert.org.

Dawn M. Cappelli is senior member of the technical staff in CERT at Carnegie Mellon University’s Software Engineering Institute (SEI). She is technical lead of CERT’s insider threat research and is also adjunct professor in Carnegie Mellon’s Heinz School of Public Policy and Management. Cappelli has a BS in mathematics and computer science from the University of Pittsburgh. Contact her at dmc@sei.cmu.edu.

Dee H. Andrews is senior scientist at the Human Effectiveness Directorate at the Air Force Research Laboratory in Mesa, Arizona. His research interests include training in distributed environments, instructor-operator station design, performance measurement, command and control, cost effectiveness, and decay and retention of higher order cognitive skills. Andrews has a PhD in instructional systems from Florida State University. Contact him at dee.andrews@mesa.afmc.af.mil.

Lynn A. Carroll is a consultant with Karta Technologies. Previously, he was a fighter pilot in the US Air Force, and served in Thailand and the Republic of Korea where he commanded the 604th Direct Air Support Squadron and served at the Pentagon, where he oversaw Air Force simulation and training programs. He is the author of Entertaining War: Let the Games Begin. Contact him at lynnalncrl@aol.com.