The research provides a method to detect and mitigate the insider threat. Currently, insider threat detection is focused only on the malicious person attempting to harm the organization. Most employees seek to assist their employers. Very few people want to hurt the business providing their livelihood. However, many employees take risks (sometimes very serious risks) on the network. We simultaneously help the benevolent employee and detect the malicious one.

Our system helps employees by showing them network risks and helping them decrease those risks. Sometimes risk-taking is worth it; for example, emailing a document to a superior in dire straits using Gmail. Sending documents over Gmail is risky. Our system helps the employee mitigate the risks they are taking. In the Gmail example, our system automatically changes the settings to encrypt the email. Rather than walking the employee through changing settings (which can be intimidating) or just popping up a confusing and technical dialogue box, we just encrypt the email for the employee. Also, in this case our system shows the employee that choosing not to encrypt the email will be very risky. The document (if it is not encrypted) can be seen by anyone on the Internet.

An important part of our system is that it treats employees as partners to the organization. At the same time, our system detects insiders by watching across the organization for the person taking both large one-time risks and small cumulative risks. This proposal is innovative, and a very different approach from the one industry uses today.

Project Report

The insider threat has been changed by the Internet. Insiders are more likely to accidentally leak information or be subject to a phishing attack than to undermine the organization purposefully. The idea that the vast majority of employees are aligned with the interests of the organization is not a radical assumption; most nurses would avoid patient harm and few traders seek to break their own banks. In fact, the efficacy of any solution to the insider threat depends on the interest of the employees in protecting the company and its assets, as the plethora of training programs illustrates. Yet even the most benign employees create risks by virtue of handling the information and resources of the organization, and their own access rights at work.

To address the insider threat as a range of hazards, including the malicious singleton, we consider four categories of risk-creating insiders: 1) insiders who are naïve and inadvertently create risks; 2) insiders who understand that they are creating risk but tolerate a high level of risk (i.e., risk seeking); 3) malicious, trusted insiders (i.e., the classic insider threat); and, by design, the system will enable identification of the fourth category: 4) malicious outsiders who have obtained credentials from 1) or 2) and can now function as malicious insiders.

Our innovative approach combines techniques from artificial intelligence to identify risk and anomalies with risk communication to inform the employee. The broader impact is not only to mitigate the insider threat, but also to alter the current approach to the insider threat. Many of the oversight and training models encode distrust, and treat employees as enemies rather than partners of an organization. The economic damage caused by the insider threat is immense, and our work has expanded the understanding of this threat. The results of the research were promising, and opened additional avenues of research.
One of the most interesting questions is how to group individuals whose risk behaviors are compared to enable more certainty and efficacy in identifying anomalous behavior.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 1250367
Program Officer: Jeremy Epstein
Budget Start: 2012-09-01
Budget End: 2013-08-31
Fiscal Year: 2012
Total Cost: $99,989

Name: Indiana University
City: Bloomington
State: IN
Country: United States
Zip Code: 47401