Author(s)

DANIEL BILUSICH, LEUNG CHIM, RICK A. NUNES-VAZ, STEVEN LORD

Abstract

The threat posed by insiders deliberately or inadvertently misusing their knowledge and access to sensitive information is a major security challenge. Finding effective, acceptable and affordable ways to manage the insider threat is non-trivial, involving the use of controls that range from technical to procedural. To make matters worse, insider activities range from inadvertent or accidental disclosure, through deliberate damage caused by disgruntled employees, to the pre-positioned mole who may undermine the organisation’s viability or purpose. The same controls will have different levels of effectiveness for each of these insider types. Based on these factors, attempting to find a single, optimised, universal solution to insider threats is illogical. However, the literature still contains statements such as ’deterrence is the best approach for insiders’. There are dangers for security managers in drawing broad conclusions across the insider threat spectrum based on statements like these. Insider threats typically have a distribution of incidents where there are many of small consequence coexisting with a small number of incidents with very large consequences. This suggests that risk management techniques are a relevant, and arguably the most appropriate, framework for insider management. We have developed and applied a risk-based framework to model the spectrum of insider threat types, to enable the decision maker to determine the relative security effectiveness of alternative solutions. It allows decision makers to prioritise security investment to achieve the greatest benefit-cost using residual risk as the performance metric. Our framework provides a traceable and accountable method for organisations to balance their investments in controls, according to the complex spectrum of insider activity they are dealing with. They may also extend the approach, using robust analysis, to manage their uncertainties. Our framework supports security managers in customising security for their organisation based on its unique requirements.

Keywords

insider threat, risk management, risk-based framework, investment prioritisation