Insider Threat: An Analysis from Cyber City USA Puzant Balozian Matt Pirko Baylor University 24 April 2012
Overview • Introduction • Case: Cyber City USA • Method (Data Collection and Analysis) • Literature Review • Theory • Findings/Contributions • Limitations/Conclusions • Publication Schedule/Future Work
Motivation for the Study • Frightening figures from the CSI/FBI survey (Richardson, 2007) • Avg. losses in 2006: $162,000 • Avg. losses in 2007: $350,400 • These figures are likely understatements (Cavusoglu et al., 2004) • Over 2/3 of losses: insider threat
Insider Threats • Original Research Questions: • How do insiders pose an IT/IS threat to an organization? Why does this occur? • Should there be differing strategies to tackle malicious insiders vs. negligent ones? Why or why not? • How do employees (malicious, negligent and committed) react to the technical/procedural computer security measures organizations have in place?
Revised Research Questions • Are the concepts of “Malicious Insider” and “Negligent User” sufficient descriptions of insider threat? How would a knowledgeable respondent describe these terms? • Are “procedural” and “technical” the only terms to describe mitigation and deterrence methods to fight insider threats? What elements are included in these methods? • Which method more effectively deters or mitigates a particular type of insider threat?
Malicious vs. Negligent • Malicious Insider: “A malicious insider is someone who intends to do harm. He wants to cause the organization…to lose information, to leak information, to make things stop working. He'll gum up the works, destroy the database. He's definitely … well, malicious tells you everything.” • Negligent User: “Negligent, I categorize those as – the negligent user, I would say that those are the ones that are more ignorant, that don’t really understand security. They tend to click on anything that comes their way or click on different things like phishing emails and stuff like that. They just don’t understand. They’re just dumb to the thought of security. I think they’re more ignorant to the fact of not knowing, more so.”
The Third Dimension • System Abuser: “Now what if I put the term “system abuser” in front of you does that have different connotation to you?” “Interviewee: Yes. A system abuser doesn't necessarily intend to break the system. He doesn't necessarily intend to release information. He's just got something he wants to do…and he's gotta break the rules to do it, big deal, the rules are made to be broken.”
Mitigation/Deterrence • Technical: “…from a technical standpoint you’re actually putting things out on the network, you’re blocking the sites that people can go to, you’re establishing technical controls to do that.” “The market right now, the advertising everything is very focused on technology. It appeals to a lot of people particularly CEOs and companies because it’s an investment line. I spend this kind of money, it provides me this level of protection, I’m done.”
Mitigation/Deterrence • Procedural: “Making sure that everybody has their training. So that we've walked through everybody to ensure…they're supposed to be aware of the insider threat. They're supposed to be aware that they're not able/supposed to go do these things. That they're supposed to change their password every X number of months. Passwords should be structured thus. It should have special characters, etc. Administratively make sure that they're made aware of these things.” “It takes a good blend of administrative policies that are written wide enough and broad enough to say this is what we're gonna do, and all these go down to policies that tighten it up a little bit, standards tighten it up a little bit more, and then the procedures.”
Case Study: Cyber City USA • History of Intelligence and Information Warfare work • Cyber security now a focus • Region-wide effort to bring academia, business, and Government cybersecurity interests together
Case Study • Relationships built over time: enables study participation in a short time frame • Trust in place, considering a very sensitive topic • Expertise leads to cogent opinions and perspectives
Method – Data Collection • Began with initial RQs • Gained Baylor IRB approval • Developed an initial interview guide • Sent out 24 e-mails to personal contacts in San Antonio • Of these, 10 responded affirmatively • Made two trips to San Antonio for face-to-face interviews • Used teleconference and Skype for one interview each • Recorded each interview
Method: Data Analysis • Had recorded interviews transcribed • Did physical coding of each interview • Used NVivo 9 for compilation and analysis • Devised nodes and child nodes to account for the data and findings
Limitations • One case study only • Small number of participants • Needs refinement for further studies
Characteristics of Lit Rev • NO differentiation among types of insiders • ALL (negligent, malicious) are treated as one and the same under IS compliance theme • NO unified framework • NO measure of which type of countermeasure against which type of insider.
Lit Rev: Unified framework • Approaches for Compliance • Deterring non-compliance • Encouraging compliance • Channels for Compliance • Procedural, Technical, Social • Infrastructure for Compliance • Technical and Behavioral
Theory X and Theory Y • Theory X: The Authoritarian Management Style • Assumptions (McGregor, 1960): • The average human being has an inherent dislike of work and will avoid it if he can • Because of this human characteristic most people must be coerced, controlled, directed, threatened with punishment to get them to put forth adequate effort toward the achievement of organizational objectives • The average human being prefers to be directed, wishes to avoid responsibility, has relatively little ambition, wants security above all.
Theory X and Theory Y • Theory Y: The Participatory Management Style • Assumptions (McGregor, 1960): • Man will exercise self-direction and self-control in the service of objectives to which he is committed. Commitment to objectives is a function of the rewards (i.e., satisfaction and self-actualization) • The capacity to exercise a high degree of ingenuity in the solution of organizational problems is widely, not narrowly, distributed in the population • Under the conditions of modern industrial life, the intellectual potentialities of the average human being are only partially utilized.
Reasons for Using Theory • Combines two perceptions toward employee motivation and compliance (coercive and enabling). • McGregor preferred Theory Y: the assumptions of this theory “indicate the possibility of human growth and development” (p. 48). This resonates with the awareness and training amply prevalent in our data. • McGregor didn’t deny the legitimacy of Theory X in some circumstances: “Physical coercion is a legitimate means of social control over certain forms of criminal behavior” (p. 18). This is also prevalent in our data. • Potential of moving from Theory Y to Theory X while dealing with negligent, abusive and malicious insiders
IT manager 1 (all): Our role is also to protect the employees from the organization because the organization can overstep itself at times …in order to protect the organization you have to protect the employees sometimes from themselves but most of the time from the organization… IT manager 1 (abusive/malicious): Technological controls I think prevent more of that than the other controls because it’s like a lock on the door, it’s like the stop sign: if you’re not pushing the brake and stop, that doesn’t really matter. IT manager 1 (recurring problem): I can write all the policies of the world; if you choose not to follow them, I can have operational people monitoring stuff, but if they don’t respond to it and I know they are not going to, because you tested that, then it falls back into technology, which keeps you, prevents you going to these things. [Diagram: change of management style (blended X/Y) across the continuum from Negligent to Abusive to Malicious]
IS consultant (PhD): People are abusing the system all the time and no one ever gets punished. You can train them all day long that, you know, oops, don’t do this, you’ll get punished, and then they watch their neighbor do it every day for six months and they kind of lose their deterrent effects from education. You have to have the capability to execute on the threat.
IS senior employee (against abusive): You can make things more difficult for him by locking out ports, monitoring the logs, that type of thing, but also the administrative stuff: you can try to convince him it ain't worth his efforts because it's gonna cost him his job. IS senior employee (against negligent): Making sure that everybody has their training…Administratively make sure that they're made aware of these things.
IT manager (against abusive acts): It really would depend on what policies, and what we've communicated to our users overall. But if we have communicated that it's not right, to me, that would be a system abuser. And if we haven't communicated, it could be both, a negligent insider, and a system abuser that would be there.
IS Senior Educator/Coordinator: You can educate this person (negligent), you may be able to educate this person (abuser), but you probably have to, by rule, control that person (abuser); that guy (malicious), you just don't have – I mean, once somebody has gotten to the point of being that negative about the place they are that they've turned malicious, that's a whole different matter. But this guy (negligent) I can teach. This guy (abuser), maybe I can teach, because maybe I'm abusing resources that I don't even realize I shouldn't be using. So maybe I can teach, but I probably have to, by rule, control.
IS senior worker: We also have a proxy where it will detect, but if it sees multiple detections, it’ll say block, block. If you’re going too many times out to a certain site, if you get so many blocks, that also goes to your manager. Interviewer: So, that means you’re attempting several times to do something wrong? IS senior worker: Exactly.
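The escalating proxy control the interviewee describes (a single detection is blocked; repeated blocks against the same site go to the manager) is the kind of technical control that separates a one-off negligent click from the repeated attempts the deck treats as deliberate circumvention. The following is an added example written for this page, not the interviewee's system or the study's code: it runs a sliding-window count of proxy blocks per user and destination over constructed log lines and emits a manager notification once the count reaches a threshold. The log format, the user-to-manager directory, the threshold and the window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not real data): ISO timestamp, user, destination host, proxy decision.
SAMPLE_LOG = """\
2012-04-20T09:01:12 alice intranet.example.com ALLOW
2012-04-20T09:02:40 bob filesharing.example.net BLOCK
2012-04-20T09:03:05 bob filesharing.example.net BLOCK
2012-04-20T09:03:30 bob filesharing.example.net BLOCK
2012-04-20T09:04:01 bob filesharing.example.net BLOCK
2012-04-20T09:10:00 carol filesharing.example.net BLOCK
2012-04-20T13:10:00 carol filesharing.example.net BLOCK
2012-04-20T09:12:00 alice news.example.org ALLOW
"""

# Hypothetical user-to-manager directory; a real deployment would query HR or the directory service.
MANAGER_OF = {"alice": "dana", "bob": "dana", "carol": "eve"}

BLOCK_THRESHOLD = 3              # assumed: repeated blocks before the manager is notified
WINDOW = timedelta(minutes=15)   # assumed: blocks must fall inside this window to count as one series


def parse_log(text):
    """Parse the four-column log into (timestamp, user, host, action) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split()
        events.append((datetime.fromisoformat(ts), user, host, action))
    return sorted(events)


def max_blocks_in_window(times, window):
    """Largest number of (sorted) block timestamps that fall within any span of length `window`."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def escalations(events, threshold=BLOCK_THRESHOLD, window=WINDOW):
    """Return {user: {"manager", "host", "blocks"}} for users whose repeated blocks reach the threshold.

    A single block is treated as a possible negligent click and only logged; a burst of blocks
    against the same host within the window is the repeated-attempt pattern that is escalated.
    Carol's two blocks four hours apart in the sample therefore do not escalate; Bob's four do.
    """
    blocks = defaultdict(list)
    for ts, user, host, action in events:
        if action == "BLOCK":
            blocks[(user, host)].append(ts)

    result = {}
    for (user, host), times in blocks.items():
        count = max_blocks_in_window(times, window)
        if count >= threshold:
            result[user] = {"manager": MANAGER_OF.get(user, "unknown"),
                            "host": host, "blocks": count}
    return result


if __name__ == "__main__":
    for user, info in escalations(parse_log(SAMPLE_LOG)).items():
        print(f"notify {info['manager']}: {user} was blocked {info['blocks']} times "
              f"reaching {info['host']} within {WINDOW}")
```

The window matters: without it, a user who triggers one block a month would eventually be reported alongside one who hammers a blocked site in two minutes, which blurs exactly the negligent/abusive distinction the interviewees draw.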
Findings • Three dimensions of insider threat vs. two • Three dimensions of mitigation/deterrence vs. two • Changed mitigation/deterrence methods to “enabling” and “coercive” vs. “procedural” and “technical” • Expansion of Theory X/Theory Y to include a blended Theory X-Y • Coercion vs. enabling is actually a continuum, not specific points • Management role is key
Findings (cont.) • Coercive and enabling methods are legitimate to use to deter insider threat • Which method is most effective? • Enabling method for all • Coercive for abusive and malicious • The trigger to change from enabling to coercive is “deliberate circumvention”
Contributions • Theoretical • Expansion of Theory X/Theory Y to include a Theory X-Y blend • Coercion vs. enabling is actually a continuum, not specific points • Introducing Theory X and Theory Y into IS research from the Organizational Psychology discipline • Begin with Theory Y (especially as expressed through training), since IS is a new environment demanding new skills for old tricks (compliance).
Contributions • Practical • There are times when it is legitimate to use coercion • Always begin by training; in order to know when to switch from enabling to coercive, ask yourself: “is this an error or two after we’ve provided extensive training?” • Bonus: the literature review hands the corporate world, in a few paragraphs, the countermeasure tools tested and proven prior to this study
Publication Schedule/Future Work • Plan to submit to MISQE or EJIS on May 31 • Improve theoretical grounding (Researcher A) • Devise models from the data gathered (Researcher A) • Need to revisit analysis with select respondents to clarify/receive additional insight (Researcher B) • Need to gather additional responses(Researcher B)
Journal Question • What was the value of qualitative research? • The ability to go “behind the numbers” and get in depth perspectives from the participants • The ability to ask follow on questions and dive deeper into the responses to gain a richer understanding • What did you, and your future readers, learn that would not have been learned in a survey or experiment?
Q and A or Comments
Interview Guide • Does your organization have a computer security, cyber security, or IT security policy or program? If so, how are employees made aware of this policy or program (training programs, certification, manuals, etc.)? • [Card Activity]: From your own understanding, what’s the difference between the following terms? • malicious vs. negligent/abusive • abusive vs. malicious/negligent • negligent vs. malicious/abusive
Interview Guide (cont.) In our understanding: • Technical means to deter insider threats to an organization: includes specialized security software, online activity monitoring, network log analysis, access controls • Procedural means to deter insider threats: includes pre-employment and ongoing training (computer or classroom based), awareness campaigns, specific security policies and procedural manuals • If your job in your organization was to deter malicious threats, which of the following strategies would you choose and why? • Technical • Procedural • A combination (in what proportion?)
Interview Guide (cont.) • If your job in your organization was to deter negligent users, which of the following strategies would you choose and why? • Technical • Procedural • A combination (in what proportion?) • If your job was to deter system abusers, which of the following strategies would you choose and why? • Technical • Procedural • A combination (in what proportion?) • What are some countermeasures (technical or procedural) that you believe will work with negligent/abusive insiders but not with malicious ones? Why?
Interview Guide (cont.) • Do you think training and security awareness programs make potential malicious insiders more knowledgeable or capable of breaching security? Why or why not? • We’ve discussed a number of different insider threats to an organization. Can you think of any personal anecdotes or stories you’ve heard about an insider threat (of any type)? What was the impact to the organization? • What about CyberCity-USA San Antonio? What’s your role in it, if any?