Modeling Expert Judgments of Insider Threat Using Ontology Structure: Effects of Individual Indicator Threat Value and Class Membership

Greitzer, Frank L.; Purl, Justin; Becker, Dovid; Sticha, Paul J.; Leong, Yung Mei

doi:10.24251/hicss.2019.387

Cited by 12 publications

(9 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several researchers have sought to identify and categorize individual insider threat indicators as part of an early warning system approach to insider threat detection (e.g., [2][3][4][5]), but few ( [6][7][8]) have attempted to quantify or distinguish among the contributions of different indicators to possible insider threat risk. For example, Magklaras and Furnell [3] proposed a metric called Evaluated Potential Threat (EPT) computed as a linear, weighted combination of individual threat component scores reflecting user role, behaviors (online actions), and sophistication (e.g., IT knowledge) that yields a score between 0 and 100, which is interpreted as a misuse probability between 0 and 1.…”

Section: Potential Factors In Insider Threat Indicator Severitymentioning

confidence: 99%

“…In this approach, the cybersecurity analysts (i.e., experts) establish the weights in accordance with their assessment of the emphasis they wish to place on the individual components. More recently, in separate expert knowledge elicitation studies focusing on expert judgments of the severity of insider threat indicators, Greitzer et al [6] demonstrated differential judgments of severity levels for 12 behavioral indicators, and in an independent set of studies, Greitzer et al [8] demonstrated differential severity levels of hundreds of individual technical and behavioral indicators. In these studies, and in the present work, in the absence of ground truth, the investigators test their models either by injecting simulated "target" data into a corpus of anonymized real-world data (e.g., [6,9]), or using expert judgments to classify "target" vs. baseline data in an anonymized real-world dataset (e.g., [3,7,8,10]).…”

Section: Potential Factors In Insider Threat Indicator Severitymentioning

confidence: 99%

“…In the Greitzer et al [8] study, expert judgments of severity levels were obtained for 202 individual indicators across a range of factors including behavioral, cybersecurity, job performance, and psychological indicators. Estimates of level of concern, on a 0-100 scale, were obtained and incorporated into an ontology of insider threat indicators (Sociotechnical and Organizational Factors for Insider Threats, or SOFIT [7,8,11,12]). The ontology distinguishes among five major classes of insider threat indicators [7]:…”

Section: Intrinsic Threat/risk Valuementioning

confidence: 99%

“…Role types form a complementary taxonomy that may be used to describe insider threat indicators. The SOFIT ontology defines five role types for insider threat indicators: Personal Predispositions, Precipitating Events, Behavioral Precursors, Technical Precursors, and Access Path [8]; definitions and examples are provided in Table 1. Personal predispositions overlap strongly with the psychological factor class.…”

Section: Intrinsic Threat/risk Valuementioning

confidence: 99%

See 3 more Smart Citations

The Dynamic Nature of Insider Threat Indicators

Greitzer¹,

Purl

2021

SN COMPUT. SCI.

Self Cite

View full text Add to dashboard Cite

Insider threat indicators are not equally indicative of potential insider threat activity. Indicator risk assessments depend not only on the number of observed concerning behaviors, but also on their nature. This paper discusses some initial work examining features and relationships among indicators that underlie this dynamic characteristic of insider threat indicators. Among the factors that may affect the level of concern of insider threat indicators are temporal factors and indicator interactions. An expert knowledge elicitation study was conducted to examine possible temporal effects and indicator interactions on judged level of concern for individual and/or combinations of indicators. Results suggested that the impact of an indicator on expert judgment of threat tends to decrease over time and that increments in threat value when indicators are aggregated are not simply a linear combination of the individual threat values. Broader implications of this dynamic nature of insider threat indicators are discussed.

show abstract

Section: Potential Factors In Insider Threat Indicator Severitymentioning

confidence: 99%

Section: Potential Factors In Insider Threat Indicator Severitymentioning

confidence: 99%

Section: Intrinsic Threat/risk Valuementioning

confidence: 99%

Section: Intrinsic Threat/risk Valuementioning

confidence: 99%

See 2 more Smart Citations

The Dynamic Nature of Insider Threat Indicators

Greitzer¹,

Purl

2021

SN COMPUT. SCI.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Insider threat risk prediction is a complex task for the research community to address, and recent studies such as those of (Greitzer et al, 2019(Greitzer et al, , 2018Legg et al, 2017) have started to consider insider threat issues from a different perspective of attempting to mitigate the risk of insider threats. Our work is inspired by the methodology proposed by (Kasanen et al, 1993) in combination with an empirical Bayes' method (Pearl, 1985).…”

Section: Conceptual Model For Insider Threat Predictionsmentioning

confidence: 99%

Insider Threat Risk Prediction based on Bayesian Network

Elmrabit

Yang

et al. 2020

Computers & Security

View full text Add to dashboard Cite

Insider threat protection has received increasing attention in the last ten years due to the serious consequences of malicious insider threats. Moreover, data leaks and the sale of mass data have become much simpler to achieve, e.g., the dark web can allow malicious insiders to divulge confidential data whilst hiding their identities. In this paper, we propose a novel approach to predict the risk of malicious insider threats prior to a breach taking place. Firstly, we propose a new framework for insider threat risk prediction, drawing on technical, organisational and human factor perspectives. Secondly, we employ a Bayesian network to model and implement the proposed framework. Furthermore, this Bayesian network-based prediction model is evaluated in a range of challenging environments. The risk level predictions for each authorised users within the organisation are examined so that any insider threat risk can be identified. The proposed insider threat prediction model achieved better results when compared to the empirical judgments of security experts

show abstract

A Theoretical Underpinning for Examining Insider Attacks Leveraging the Fraud Pentagon

Padayachee

2021

Human Aspects of Information Security and Assurance

View full text Add to dashboard Cite

Modeling Expert Judgments of Insider Threat Using Ontology Structure: Effects of Individual Indicator Threat Value and Class Membership

Cited by 12 publications

References 16 publications

The Dynamic Nature of Insider Threat Indicators

The Dynamic Nature of Insider Threat Indicators

Insider Threat Risk Prediction based on Bayesian Network

A Theoretical Underpinning for Examining Insider Attacks Leveraging the Fraud Pentagon

Contact Info

Product

Resources

About