
Cybersecurity: Role of Psychological Forensic & Predictive Tools in Combating Insider Threat

This presentation explores the importance of psychological forensic and predictive tools in combating the insider threat in cybersecurity.


Presentation Transcript


  1. Ethan S. Burger, Esq., Fulbright Foundation Grantee & Visiting Professor, Faculty of Mathematics & Informatics, Vilnius University. "Cybersecurity: What should be the Role of Psychological Forensic & Predictive Tools in Combating the Insider Threat?" Cyberspace Conference 2016, Masaryk University, Brno, Czech Republic, November 26, 2016.

  2. The Demand for Experienced Cybersecurity Specialists with Security Clearances is Very Large

  3. But the Supply is Limited

  4. Lie Detector, Polygraph, ??? Employee Polygraph Protection Act (EPPA), 1988

  5. Why Psychology & Cybersecurity? • It's all about filling cybersecurity positions (jobs)! • Human Resources often require newly hired employees to have an active security clearance (many of which require a satisfactory polygraph examination). • Delays in receiving security clearances or the results of background checks can be long, and outcomes are unpredictable. • Private organizations also want people with work experience in the relevant industry, and usually treat a security clearance as a proxy for "trustworthy".

  6. Transparency & Disclosure[“Where one stands depends on where on sits.”] • Countering the ‘insider threat’ is primarily a ‘counter-intelligence’ activity occurring in both the physical and cyber [virtual] worlds [domains]. • Effective insider-threat programs should focus primarily on deterrence since absolute security is unachievable. • Nonetheless, deterrence failures are inevitable (not all persons are deterred by the same thing). Consequently, cyber-defenses should utilize technology to support behavioral analytics and monitoring (persons & systems). • “Detecting insiders requires a defined process and a focused team, in addition to detection technology.” (see Blankenship Monograph at http://www.techrepublic.com/resource-library/whitepapers/hunting-insider-threats-forrester-s-model-for-establishing-an-insider-threat-team/, see also Stroz https://hbr.org/2016/09/psychology-is-the-key-to-detecting-internal-cyberthreats?cm_sp=Article-_-Links-_-Comment).

  7. Provisos • Do not take detailed notes. • The use of collective nouns and the aggregation (classification, grouping) of data has real consequences. • Agreeing on definitions, especially when discussing cyber-matters, is important to avoid 'talking past' one another.

  8. Road Map I. The Nature of the Insider Threat in the Cybersecurity Context II. Psychology & Deception Detection: Initial Observations III. Cybersecurity Psychological Forensic Technical Tools IV. Active Monitoring, Profiling [Personality Traits] & Predictive Behavior V. U.S. Legal Considerations & Constraints VI. Where Do We Go From Here?

  9. I. THE NATURE OF THE INSIDER THREAT IN THE CYBERSECURITY CONTEXT

  10. How to Define the Cyber 'Insider'? The definition has real consequences. An individual (human being) who . . . • . . . is a current or former employee; • . . . has, will have, or had authorized access to an organization's computer information network, system, or data; and • . . . intentionally misused, or plans to misuse, that access to negatively affect the confidentiality, integrity, or availability of the organization's information. Therefore, only individual employees acting out of malice are examined in this presentation.

  11. Not included here as 'Insiders', but not to be ignored:
+ Consultants: auditors, lobbyists, and management consultants
+ Contractors: temporary employees, (service company) subcontractors
+ Agents: international intermediaries, domestic agencies, local advertisers, and marketers
+ Vendors: data vendors, maintenance, on-demand service providers, and offshore service providers
+ 'Rubber-hosed' (blackmailed) individuals
+ Suppliers: branded, white-branded or third-party branded material suppliers and manufacturers, as well as those suppliers' suppliers
+ Distributors: dealers and resellers, foreign distribution firms and their local resellers
+ Joint ventures: partnerships, international joint ventures (factories, manufacturers, dealers), and franchisees.

  12. Insiders Represent a Major Cybersecurity Challenge Since They . . . • Have privileged access, eliminating any need to penetrate perimeter defenses (e.g. no gullible email recipient required). • Are knowledgeable about an organization's defenses and potential targets (e.g. valuable data). • Can cause greater harm than most outsiders because their misconduct is more difficult to detect (longer dwell times) and remedy. 'Insider' percentage of all cyber attacks: 60% – 2016 Cybersecurity Intelligence Index (IBM); 29% – 2014 US State of Cybercrime Survey (Carnegie Mellon U.); 21% – 2011 Cybersecurity Watch Survey (CSO/Deloitte); and 17% – 2016 Data Breach Investigations Report (Verizon). Note that these studies used different definitions of 'insider'.

  13. Harm Caused by Insiders • Direct financial loss caused by theft, fraud, or business disruption • Investigation, mitigation, remediation, and litigation costs and losses • Losses to stockholder value • Harm to reputation and relationship with consumers, commercial customers, and business partners • Disclosure of confidential information • Loss of competitive advantage • Civil liabilities and regulatory penalties • Issues for corporate officers & directors • Increased insurance premiums and loss of insurance

  14. Some Insider Threat Motivations • Financial gain • Anger/Revenge • Recognition/Power • Adventure/Thrill • Love/Jealousy • Extortion/Blackmail • Ideology/Terrorism • State Actor

  15. It is Easy to Give Cyber-Advice(1 of 2)(http://www.securitymagazine.com/articles/85081-how-to-reduce-the-insider-cyber-threat) • Pre-employment screening (including background checks). • Physical property inventories and audits (computers, removable media, security tokens, and access cards). • Continuous monitoring, logging, and automated correlation in order to: establish a baseline of normal behavior; provide real-time detection and alerts of anomalies; track data exfiltration methods (including the use of encrypted sessions, sending data to cloud storage providers, sending email with attachments to personal accounts, high-volume printer activity, and the use of removable media); implement rule-based mitigation responses; and perform real-time damage assessments. • Establish forensic analysis capability for use in disciplinary or criminal proceedings, enhance deterrence through punishing persons shown to be insiders (within and external to organization).
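The monitoring advice above (baseline normal behavior, alert on anomalies, track exfiltration channels such as cloud storage and removable media, rank what analysts see) is easy to state and harder to make concrete. The following is an added example, not code from the presentation or any product it cites: a small detector over constructed endpoint/proxy log lines. The log format, the field names, the list of external cloud domains, the business-hours window and the indicator weights are all assumptions for illustration. It uses a robust (median/MAD) baseline so that the insider's own spike does not inflate the baseline it is compared against.

```python
"""Added example: per-user behavioural baseline plus exfiltration indicators
over constructed log lines (not the presentation's own tooling)."""
from datetime import datetime
from statistics import median

# Constructed log lines: "<ISO timestamp> user=<id> action=<kind> bytes=<n> dst=<target>"
SAMPLE_LOGS = """\
2016-11-01T09:12:00 user=alice action=upload bytes=120000 dst=sharepoint.corp
2016-11-02T10:05:00 user=alice action=upload bytes=95000 dst=sharepoint.corp
2016-11-03T11:40:00 user=alice action=upload bytes=110000 dst=sharepoint.corp
2016-11-04T14:20:00 user=alice action=upload bytes=130000 dst=sharepoint.corp
2016-11-05T23:45:00 user=alice action=upload bytes=4800000000 dst=drive.google.com
2016-11-05T23:50:00 user=alice action=usb_write bytes=2000000000 dst=removable
2016-11-01T08:30:00 user=bob action=upload bytes=50000 dst=sharepoint.corp
2016-11-02T09:30:00 user=bob action=upload bytes=60000 dst=sharepoint.corp
2016-11-03T09:45:00 user=bob action=upload bytes=55000 dst=sharepoint.corp
2016-11-04T10:00:00 user=bob action=upload bytes=58000 dst=sharepoint.corp
2016-11-01T09:00:00 user=carol action=upload bytes=70000 dst=sharepoint.corp
2016-11-02T09:30:00 user=carol action=upload bytes=65000 dst=sharepoint.corp
2016-11-03T21:30:00 user=carol action=upload bytes=72000 dst=sharepoint.corp
"""

# Assumptions for the example: which destinations count as personal cloud
# storage, what counts as working hours, and how much each indicator weighs.
EXTERNAL_CLOUD = {"drive.google.com", "dropbox.com", "mega.nz"}
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 is treated as normal working time
ROBUST_Z_CUTOFF = 3.5              # conventional modified z-score outlier cutoff
WEIGHTS = {"volume_spike": 3, "cloud_upload": 2, "removable_media": 2, "off_hours": 1}


def parse_logs(text):
    """Turn the constructed key=value log format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": fields["user"],
            "action": fields["action"],
            "bytes": int(fields["bytes"]),
            "dst": fields["dst"],
        })
    return events


def modified_z(x, values):
    """Median/MAD based z-score: one huge transfer does not drag the
    baseline up the way a mean/stdev baseline would."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:                    # all-identical history: only upward moves are anomalous
        return 0.0 if x <= med else float("inf")
    return 0.6745 * (x - med) / mad


def score_users(log_text):
    """Per-user risk score and the alerts (timestamp, points, reasons) behind it."""
    by_user = {}
    for e in parse_logs(log_text):
        by_user.setdefault(e["user"], []).append(e)
    report = {}
    for user, evs in by_user.items():
        volumes = [e["bytes"] for e in evs]          # the user's own baseline
        score, alerts = 0, []
        for e in evs:
            reasons = []
            if modified_z(e["bytes"], volumes) > ROBUST_Z_CUTOFF:
                reasons.append("volume_spike")
            if e["action"] == "upload" and e["dst"] in EXTERNAL_CLOUD:
                reasons.append("cloud_upload")
            if e["action"] == "usb_write":
                reasons.append("removable_media")
            if e["ts"].hour not in BUSINESS_HOURS:
                reasons.append("off_hours")
            if reasons:
                points = sum(WEIGHTS[r] for r in reasons)
                score += points
                alerts.append((e["ts"].isoformat(), points, reasons))
        report[user] = {"score": score, "alerts": alerts}
    return report


def rank_users(log_text):
    """Highest-risk users first, so analysts see the ranked list the slide asks for."""
    report = score_users(log_text)
    return sorted(((u, r["score"]) for u, r in report.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for user, score in rank_users(SAMPLE_LOGS):
        print(user, score, score_users(SAMPLE_LOGS)[user]["alerts"])
```

On the constructed input, alice's two late-night events (a multi-gigabyte upload to a personal cloud domain followed by a removable-media write) each trip several indicators, carol's single after-hours upload of ordinary size scores one point, and bob scores nothing. The weights are the part a real deployment tunes against its own false-positive load; the point of combining several weak indicators is that no single one (off-hours work, for instance) is evidence of anything on its own.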

  16. It is Easy to Give Cybersecurity-Advice (2 of 2) (http://www.securitymagazine.com/articles/85081-how-to-reduce-the-insider-cyber-threat) • Enhanced auditing of higher-risk users, who: previously violated IT security policies or tolerated violations by others; express long-term job dissatisfaction; seek sensitive information not required for their job; are on probation or leaving their jobs; and are likely social engineering targets. • Impose more stringent access controls and auditing on privileged users (require at least two persons for high-risk tasks). • Operate first-class tools to aggregate and correlate network logs, facility access logs, and personnel records of higher-risk users to identify known or suspected misconduct. • Promote the resolution of employee grievances and protect whistleblowers. • Employee awareness, training and testing specific to identifying and reporting insider threat indicators.

  17. II. Psychology & Deception Detection: Initial Observations

  18. Cyber-Psychology according to Europol(https://www.europol.europa.eu/iocta/2014/appendix-3.html) Impact of technology on human behavior. Synthesis of virtual environments, artificial intelligence, and social media. 30 peer-reviewed journals, over 1000 articles per year. Exponential risks resulting from “unprecedentedly pervasive and profound influence of the Internet on human beings.”

  19. Cyber-Psychology: Convergence of Multiple Disciplines ("MITRE Study") (PsychNology Journal 9(2):79-122, January 2011, at https://www.researchgate.net/publication/220168886_Scientometrics_of_Deception_Counter-deception_and_Deception_Detection_in_Cyber-space) • Cyber-psychology is interdisciplinary. It uses numerous analytical approaches, not only psychology and computer science, but also network science, data visualization, and digital humanities. • Analysts must use both qualitative and quantitative tools (e.g. computer analytics, interviews, surveys). • Cyber-psychology demands methodological and ideological openness (and agility) on the part of the cybersecurity systems designer. Unfortunately, most of the cybersecurity research undertaken to date neither demonstrates a deep and extensive knowledge of the field of criminology nor reflects generally accepted scientific techniques.

  20. III. Cybersecurity Psychological Forensic ‘Technical’ Tools“Solutionism [interprets] issues as puzzles to which there is a solution, rather than problems to which there may be a response.”-- Gilles Paquet

  21. Underlying Premises of Using ‘Deception Detection’ for Investigative and Screening Purposes Research models presume that: • persons engaged in deception can be identified by an increase in psycho-physiological manifestations (autonomic arousal), demonstrable behavior, or cognitive patterns; and • there are technical tools that reliably measure this heightened state in persons or detect the relevant behavior.

  22. National Research Council’s 2003 Findings Re Use of Polygraph Examinations (1 of 2) • Theoretical Basis: “The theoretical rationale for the polygraph is quite weak, especially in terms of differential fear, arousal, or other emotional states that are triggered in response to relevant or comparison questions.” • Estimate of Accuracy: “In populations of examinees [are usually . . .] untrained in countermeasures. . . [S]pecific-incident polygraph tests for event-specific investigations can discriminate lying from truth telling at rates well above chance, though well below perfection. The evidence does not allow any precise quantitative estimate of polygraph accuracy or provide confidence that accuracy is stable across personality types, socio-demographic groups, [etc.]. “

  23. National Research Council's 2003 Findings Re Use of Polygraph Examinations (2 of 2) • Utility: "Polygraph examinations may have utility to the extent that they can elicit admissions and confessions, deter undesired activity, and instill public confidence. However, such utility is separate from polygraph validity. There is substantial anecdotal evidence that admissions and confessions occur in polygraph examinations, but no direct scientific evidence assessing the utility of the polygraph." • Research Progress: "Polygraph research has proceeded in relative isolation from related fields of basic science and has benefited little from conceptual, theoretical, and technological advances in those fields that are relevant to the psychophysiological detection of deception." {This was subsequently confirmed by the MITRE Study.} • Future Potential: "The inherent ambiguity of the physiological measures used in the polygraph suggest that further investments in improving polygraph technique and interpretation will bring only modest improvements in accuracy."

  24. Selective Broad Categories of Cyber-Psychological Technical Tools
• Polygraphs measure various types of bodily activity, such as heart rate, blood pressure, respiration, and palm sweating, using Concealed Information Tests (CITs) and Control Question Tests (CQTs, also known as Comparison Question Tests);
• Electroencephalography (EEG) and functional magnetic resonance imaging (fMRI) are used to measure brain activity and identify patterns connected with deception. A variant of this technique is known as 'brain fingerprinting';
• Radar-based lie detection: both the electrocardiogram (ECG) and Ultra-Wide Band (UWB) impulse-based monostatic radar measure heartbeat-related data, in particular the time interval between successive heartbeats, known as heart rate variability (HRV). Whereas the ECG requires the placement of electrodes on the body, UWB measurement can be performed remotely (i.e. it is unobtrusive and non-invasive); and
• Other invasive tools to measure HRV (e.g. the ECG).

  25. "Deception detection with behavioral, autonomic, and neural measures: Conceptual and methodological considerations that warrant modesty" (http://onlinelibrary.wiley.com/doi/10.1111/psyp.12609/full) [Table: Paradigms and Physiological Measures Used in Studies of Deception and its Detection; columns: Paradigm, Measure, Use in Field]

  26. Some Proponents of Technical Tools. Although many government entities see polygraph machines and other deception identification tools as having value both for investigations and for screening, within the scientific community there seems to be a consensus that current science only supports the use of such technologies in the investigation of actual matters. Larry Farwell's Brain Fingerprinting approach is a variant of the Guilty Knowledge Test (GKT) or Concealed Information Test (CIT) (http://larryfarwell.com/). He claims correct detection in excess of 95%. Many specialists criticize his work (e.g. B. Verschuere, G. Ben-Shakhar, & E. Meijer). John J. Palmatier (http://www.polygraphexperts.com/) and Lewis Rovner (http://polygraph-west.com/) are perhaps the best-known promoters of the use of polygraph examinations. They see merit in studying the psycho-physiological data generated by the Comparison Question Test (CQT) and the CIT. Surprisingly, the efforts to validate their positions rely on small sample sizes, which has been widely criticized. Also very important is that the "experiment" population sampled usually does not resemble the real-life population (e.g. outliers). Query: if we cannot use an MRI to identify schizophrenia, how can we suggest using it in an area as complex as deception?

  27. Yessir Hashem, "Inside the Mind of the Insider: Towards Insider Threat Detection Using Psychophysiological Signals," Journal of Internet Services and Information Security (JISIS), Volume 6, Number 1 (February 2016), pp. 20-36. Abstract: Insider threat is a great challenge for most organizations. It is almost impossible to stop threats at the gate. It receives substantial research attention as a significant information security threat that could cause more financial losses and damage than any other threat. Designing an effective monitoring and detection framework is difficult. The researchers examined the use of human bio-signals to detect malicious activities and showed their applicability to insider threat detection. They used electroencephalography (EEG) and electrocardiogram (ECG) signals to provide a framework for insider threat monitoring and detection, and "empirically tested the framework with ten subjects and used several activities scenarios." The framework purportedly achieved up to 90% detection accuracy for malicious activities using EEG signals alone. Adding ECG signals appeared to increase the accuracy of detecting malicious activity by about 5%. The researchers concluded that their framework shows that human brain and heart signals can reveal valuable knowledge about malicious behaviors and could be an effective solution for detecting insider threats. BUT REMEMBER THE LIMITS OF STATISTICAL TOOLS SUCH AS REGRESSION ANALYSIS (and of a ten-subject sample).

  28. Best Results . . . Good Enough?

  29. Detecting Deception (& Lying) Some researchers have indicated that the CQT approach yields results "no better than chance," and others estimated the accuracy of GKT/CIT and CQT at between 75% and 80%. Former Supreme Court Justice John P. Stevens wrote that a number of studies "place the reliability of polygraph tests" in the 85-90% range (United States v. Scheffer, 523 U.S. 303, 333 (1998)) (see item below).
Professor Charles A. Morgan III, Associate Professor of National Security at the University of New Haven and former CIA official, has used a Modified Cognitive Interview Technique (MCI) that analyzes speech content [number of words, unique words, nature of responses (e.g. character and detail of facts)] to produce deception detection rates above 80% (Charles Morgan, et al., http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1249&context=jss).
E-mail, instant messaging, other communications, and work-product forensics involving the analysis of word choice have been used as an insider threat detection approach: searching for 'key words' and other indicators (use of capital letters, abbreviations, apparent use of 'Aesopian language'), facial expression, other codes/signaling, etc. (e.g. Stroz's "Scout" technology). Important Query: What are the privacy issues involved in viewing employees' emails and making sound recordings of their conversations? (See Armknect and Dewald, "Privacy-preserving email-forensics" (2015), at http://www.sciencedirect.com/science/article/pii/S1742287615000481.)
Kristin E. Heckman & Mark D. Happel's "Mechanical Detection of Deception: A Short Review" provides an excellent examination of technical tools in this area, in Robert Fein, ed., "Educing Information, Interrogation Science, and Art: Foundation for the Future" (2009), at http://hrlibrary.umn.edu/OathBetrayed/Intelligence%20Science%20Board%202006.pdf.

  30. American Psychological Association's Detecting Deception Through Appearance (http://assets.cambridge.org/97805218/33752/excerpt/9780521833752_excerpt.pdf) APA, CIA, DEA (Drug Enforcement Administration), FBI Workshop, and National Institute of Justice. Studying alleged associations (behavioral cues in the psycho-physiological realm): -- Increased pupil size (indication of tension & concentration); -- High-pitched voices; -- Tendency to press lips together; -- But not necessarily more fidgety, more likely to blink, or less relaxed in posture; -- Facial cues (Facial Action Coding System: Paul Ekman found 90% effectiveness across face, voice, and speech patterns/linguistics); and -- Linguistic Inquiry & Word Count: Lawrence Erlbaum found 67% effectiveness. The APA's analysis of 253 cyber-psychological deception detection technical tools and behavioral techniques found an overall accuracy of 53%.

  31. MITRE's Kristin E. Heckman and Mark D. Happel in "Mechanical Detection of Deception: A Short Review" Are Spot On (Link in 2 Above) • "There are two schools of thought on the approach to solving this problem. One, referred to as 'theory first,' states that there must first be a sound theoretical basis on which to design such a system. The second, referred to as 'system first,' asserts that such a system can be developed in the absence of a theory." • "Even if the National Research Council is wrong, and the 'system first' school of thought is correct, other problems may need to be solved before any practical system for deception detection can be developed, tested, and operationally deployed in the field. These problems are characteristic of experimentation in an artificial laboratory setting. Such research does not typically result in subjects' experiencing the same level of threat, motivation, stress, or fear that is likely to be experienced by a subject in a real-world situation involving detection of deception. The demographics of the cohorts used in these, usually university, experiments are likely to differ greatly from those of individuals of interest in the field. These problems make it difficult to use the findings of laboratory research as a basis on which to develop a practical deception detection system." • "Thus, despite the polygraph's shortcomings, there is currently no viable technical alternative to polygraphy. After reviewing the EEG and fMRI deception detection efforts, as well as some other psychophysiological candidate techniques (e.g., VSA), the National Research Council concluded that 'some of the potential alternatives show promise, but none has yet been shown to outperform the polygraph. None shows any promise of supplanting the polygraph for screening purposes in the near term' (Committee to Review the Scientific Evidence on the Polygraph, 2002, p. 6–15). This does not imply that these efforts have no value. On the contrary, the results to date show that these approaches have promise, and may even be viable in some situations where their level of accuracy is acceptable. However, much more research is needed if these techniques are to become operationally useful and reliable in situations that require a higher level of accuracy."

  32. IV. Active Monitoring, Profiling [Personality Traits] & Predictive Behavior

  33. "Did You Pack Your Own Bag?" Good security: redundancy, profiling, creativity. But: limited resources.

  34. The ‘cost’ of failure can be catastrophic, but resources are always limited.

  35. Personality of Effective Insiders (Linda Ray, "What Are Qualities That Spies Have?" Houston Chronicle (undated), at http://work.chron.com/qualities-spies-have-11003.html) Cultural Adaptation – ability to blend in; multilingual; knowledge of a range of cultures; proficient storyteller; discreet; wears the right attire. Keen Observational Skills – spying is collecting relevant information: the ability to collect, evaluate and disseminate vital information, good observation skills, close attention to detail, and the ability to compile and retain meaningful and relevant data. Intelligence agencies look for a strong academic record to judge one's observational skills and ability to translate information accurately. Previous achievements in professional occupations that demonstrate observational skills, or a background in research, can provide a solid basis from which to perform the duties of a spy. Interpersonal Skills – a natural, adaptable and highly functional ability to interact with others; able to associate comfortably with a broad spectrum of personality types and be at ease in a wide variety of social environments; able to take the initiative and rely on skills of persuasion to get people to disclose information without letting on to its importance. Self-Reliance – ability to keep composure and work independently; committed to one's role; able to take care of oneself physically and mentally and to seek out the training needed to succeed; able to think quickly on one's feet and make snap decisions regarding safety and the mission; technologically inclined, so as to work alone with advanced tools such as tracking and listening devices.

  36. Individual Behavior & Preferences Can Be Explained by Persons' Web Browsing Habits (http://www.cs.ox.ac.uk/publications/publication9392-abstract.html) OCEAN – Openness, Conscientiousness, Extroversion, Agreeableness, and Neuroticism. The Dark Triad – Machiavellianism, Narcissism, and Psychopathy. "As personality traits influence an individual's actions, they are also a key factor in whether or not [an] individual is likely to carry out a malicious attack. Although personality traits and behavior alone are not indicative of an individual's insider threat potential, when combined with other observations this can yield significant confidence in the threat posed. The high frequency of web browsing usage provides an opportunity for organizations to detect a potential insider threat through analysis of employees' browsing history. By monitoring these traits as they are, and also as they change over time, [the researchers] believe they [may have found a novel way to identify potential insider threat[s]." ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Key to Chart on Following Page: a darker shade (blue) indicates a positive correlation, while lighter shades (yellow) indicate a negative correlation. For example, leesbingo.co.uk, a gambling website, is positively correlated with Neuroticism and its more specific traits (Anxiety, Hostility, Depression, Self-consciousness, Immoderation and Vulnerability) in addition to Excitement-seeking, while negatively correlated with Adventure, Intellect, and Liberalism.

  37. Website-OCEAN Personality Correlation Tool Process(http://www.cs.ox.ac.uk/publications/publication9392-abstract.html)

  38. "Insider-Threat Detection Application: The employee's browsing profile is input into the tool. The tool then calculates the OCEAN personality trait score for each website based on the website's textual content. The score for each OCEAN personality trait is averaged. By comparing each averaged OCEAN score with the previously calculated score in the employee personality profile, we can detect personality deviations. In this example, the Neuroticism score has increased rapidly from 3 to 35, which indicates a significant change in behavior and possibly an insider threat."
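The pipeline the slide describes (score each visited page's text per trait, average over the browsing window, compare with the stored profile, flag the deviation) is shown below as an added example written for this page; it is not the Oxford tool's code. The trait word lists stand in for the LIWC dictionary the following slide refers to and are constructed for illustration (real LIWC dictionaries are licensed); the score scale (dictionary hits per 100 words), the browsing histories and the deviation thresholds are assumptions.

```python
"""Added example: OCEAN-trait drift detection over browsing-history text
(constructed word lists and pages; not the tool the slides describe)."""
import re

# Hypothetical trait vocabulary, standing in for LIWC categories.
TRAIT_WORDS = {
    "Openness": {"art", "imagine", "novel", "theory", "culture"},
    "Conscientiousness": {"plan", "schedule", "deadline", "organize", "duty"},
    "Extroversion": {"party", "friends", "social", "crowd", "outgoing"},
    "Agreeableness": {"help", "kind", "trust", "cooperate", "share"},
    "Neuroticism": {"anxious", "worried", "angry", "stress", "hopeless", "revenge"},
}
WORD_RE = re.compile(r"[a-z']+")

# Constructed page texts, ten words each so the scores are easy to follow.
BASELINE_PAGES = [
    "we plan our schedule and organize every deadline with care",
    "friends at the party were kind and happy to help",
]
CURRENT_PAGES = [
    "I am so angry and worried about the stress here",
    "hopeless days make me anxious and I want revenge now",
    "plan the schedule and share the duty with the team",
]


def trait_scores(text):
    """Dictionary hits per 100 words for each trait, for one page's text."""
    words = WORD_RE.findall(text.lower())
    total = len(words) or 1            # empty page scores zero rather than dividing by zero
    return {trait: 100.0 * sum(w in vocab for w in words) / total
            for trait, vocab in TRAIT_WORDS.items()}


def profile_from_history(pages):
    """Average the per-page trait scores over a browsing window."""
    if not pages:
        return {trait: 0.0 for trait in TRAIT_WORDS}
    per_page = [trait_scores(p) for p in pages]
    return {trait: sum(s[trait] for s in per_page) / len(per_page)
            for trait in TRAIT_WORDS}


def detect_deviation(baseline, current, min_delta=10.0, min_ratio=3.0):
    """Flag traits whose average rose by at least min_delta points AND to at
    least min_ratio times the baseline, so a near-zero baseline does not trip
    on a single page. Returns {trait: (baseline, current)} for flagged traits."""
    flagged = {}
    for trait in TRAIT_WORDS:
        base, cur = baseline[trait], current[trait]
        if cur - base >= min_delta and cur >= min_ratio * max(base, 1.0):
            flagged[trait] = (round(base, 1), round(cur, 1))
    return flagged


def check_employee(baseline_pages, current_pages):
    """Compare the stored profile with the latest browsing window."""
    return detect_deviation(profile_from_history(baseline_pages),
                            profile_from_history(current_pages))


if __name__ == "__main__":
    print(profile_from_history(BASELINE_PAGES))
    print(profile_from_history(CURRENT_PAGES))
    print(check_employee(BASELINE_PAGES, CURRENT_PAGES))
```

On the constructed histories only Neuroticism is flagged (average 0 in the baseline window, 20 in the current one), while the drop in Conscientiousness is ignored because the slide's method looks for rises toward the risky traits. Two caveats a practitioner should carry from the preceding slides: a keyword-count profile is a weak signal to be combined with workstation and network indicators, never a diagnosis; and reading employees' browsing content raises the privacy and legal questions already noted, so the monitoring basis needs review before any such profile is built.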

  39. Website Keywords and the Associated Linguistic Inquiry and Word Count (LIWC) Dictionary(http://www.cs.ox.ac.uk/publications/publication9392-abstract.html)

  40. Selective Personal Indicators for Troubled Individuals(https://ccdcoe.org/sites/default/files/multimedia/pdf/Insider_Threat_Study_CCDCOE.pdf)

  41. Selective Behavior Indicators(ccdcoe.org/sites/default/files/multimedia/pdf/Insider_Threat_Study_CCDCOE.pdf )

  42. Selective Background Indicators(ccdcoe.org/sites/default/files/multimedia/pdf/Insider_Threat_Study_CCDCOE.pdf)

  43. Selective Network Indicators (ccdcoe.org/sites/default/files/multimedia/pdf/Insider_Threat_Study_CCDCOE.pdf)

  44. Survey: Do You Monitor User Behavior Within Your Organization? (N = ?? ! ! !) (http://www.veriato.com/docs/default-source/whitepapers/insider-threat-report-2016.pdf)
• 21% Yes – we continuously monitor user behavior and proactively identify threats
• Yes – but access logging only
• Yes – but only after an incident (e.g., forensic analysis)
• Yes – but only under specific circumstances (e.g., shadowing specific users)
• No – we don't monitor user behavior at all
• Not sure / Other

  45. Level of Visibility Into User Behavior(% of Respondents’ Organizations)(http://www.veriato.com/docs/default-source/whitepapers/insider-threat-report-2016.pdf) • 48% rely on server logs to review user behavior. • 28% have deployed dedicated user activity monitoring solutions. • 75% deploy user monitoring for on-premise applications, while only 25% monitor user behavior within their cloud footprint. • 48% do not use analytics to determine insider threats. • Of the 30% that leverage analytics, one-third uses predictive analytics and two-thirds deploy behavior analytics.

  46. 45% can't determine whether their organizations experienced insider attacks in the last 12 months. 22% experienced between one and five attacks. 24% believe they experienced no attacks at all. The average number of known insider attacks was 3.8 incidents per organization per year. This figure is very low compared with other surveys. [Chart: share of respondents by number of known insider attacks in the last 12 months; categories None, 1–5, 6–10, 11–20, More than 20, Not Sure. From the text: Not Sure 45%, None 24%, 1–5 22%; the remaining three categories account for 4%, 1% and 4% between them.]

  47. Dwell Time is Key to Cyber Hygiene (Time Needed Before Detection) (http://www.veriato.com/docs/default-source/whitepapers/insider-threat-report-2016.pdf)

  48. Cybersecurity FocusOne Hundred Fifty-Five Percent (155%) {??}(http://www.veriato.com/docs/default-source/whitepapers/insider-threat-report-2016.pdf)

  49. Predictive Behavior • One is unlikely to be able to predict 'cyber-behavior' from insiders' prior behavior and motivations. Nonetheless, some researchers found that many perpetrators' wrongful acts could have been prevented had organizations reacted to 'red flags'. • A 2010 DOE report doubts that systematic methods for evaluating psychosocial behaviors can predict increased risk of insider threats. Only the use of multiple indicators combined with workstation and network activity logs seems to hold promise. • Traditional means of assessing psychological profiles and predispositions are problematic, in part because existing laws (e.g. the Americans with Disabilities Act of 1990 and § 503 of the Rehabilitation Act of 1973) preclude using clinical testing for mental disabilities (both for pre-hiring screening and during employment). Other complexities: • Limited usefulness of traditional psychological profile assessment approaches, due to a lack of valid data for 'good' employees versus hackers or 'disgruntled' employees. • Many non-technical measures contain obvious psychological questions that are easily picked out and answered 'appropriately'. • Unpredictability of employees' life and work circumstances, and of their workplace behavior, after they are hired.

  50. "Predictive" Tools & Cyber-Threat Intelligence (CTI) • Predictive analytics evaluates 'risks' and ranks them on a sliding scale of importance. If suspicious or malicious behavior is suspected, the analytics engine alerts the right people, ranking the behavior from highest to lowest risk. • Leveraging vast amounts of data, while processing it efficiently, is what lets predictive analytics provide real-time responses. • Predictive analytics are not perfect. Cyber criminals mimic normal behavior in the hope of remaining undetected. Managing the predictive analytics process requires an organization to handle the false positives and false negatives that arise during threat surveillance. • The system must have a very low tolerance for false negatives, since missing active threats can lead to disaster. Conversely, the organization needs to track how many false positives it receives, to ensure that neither the system nor the people are overburdened.
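The last two bullets describe an operating-point decision: pick the alert threshold on the ranked risk score so that known threats are not missed, then see what false-positive load that threshold puts on the people triaging alerts. The example below, added for this page and not taken from any product the slides mention, does that over a constructed set of labelled risk scores (the scores and labels are assumptions, as would come from a back-test of the analytics engine against past incidents).

```python
"""Added example: choosing an alert threshold under a low false-negative
tolerance and measuring the resulting analyst load (constructed data)."""

# Constructed (score, is_malicious) pairs from a hypothetical labelled back-test.
LABELLED_SCORES = [
    (0, False), (0, False), (1, False), (1, False), (2, False),
    (3, False), (4, False), (5, False), (6, False), (9, False),
    (6, True), (8, True), (12, True),
]


def confusion(scored, threshold):
    """Outcome counts when every score >= threshold raises an alert."""
    tp = fp = fn = tn = 0
    for score, malicious in scored:
        alerted = score >= threshold
        if alerted and malicious:
            tp += 1
        elif alerted:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}


def sweep(scored):
    """Confusion counts for every candidate threshold (each distinct score)."""
    return {t: confusion(scored, t) for t in sorted({s for s, _ in scored})}


def choose_threshold(scored, max_fn=0):
    """Highest threshold that still misses at most max_fn known threats.
    Raising the threshold can only reduce alerts, so the highest admissible
    value is the one with the least analyst load for that miss tolerance.
    The lowest score is always admissible, so the result is never empty."""
    admissible = [t for t, c in sweep(scored).items() if c["fn"] <= max_fn]
    return max(admissible)


def alert_load(scored, threshold):
    """Fraction of labelled cases that become alerts at this threshold,
    i.e. the share of traffic analysts must triage."""
    c = confusion(scored, threshold)
    return (c["tp"] + c["fp"]) / len(scored)


if __name__ == "__main__":
    for t, c in sweep(LABELLED_SCORES).items():
        print(f"threshold>={t:2d}  tp={c['tp']} fp={c['fp']} fn={c['fn']} tn={c['tn']}")
    t0 = choose_threshold(LABELLED_SCORES)            # zero misses allowed
    print("zero-miss threshold:", t0, "load:", round(alert_load(LABELLED_SCORES, t0), 2))
```

With zero misses allowed the threshold lands at 6, which catches all three known threats but also alerts on two benign cases; relaxing to one allowed miss moves the threshold to 8 and halves the false positives at the cost of the weakest-scoring real threat. The sweep is the table to show whoever owns the analyst budget, because the slide's two requirements (very few misses, not too many alerts) are traded against each other on exactly this axis.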
