by
Senica M. Woodruff, Sr.
VANESSA WOOD, EdD, Committee Member
Capella University
April 2020
ProQuest Number: 27956335
Published by ProQuest LLC (2020). Copyright of the Dissertation is held by the Author.
© Senica M. Woodruff, Sr., 2020
Abstract
This qualitative Delphi study examined the perspectives of cybersecurity and information technology experts to build consensus and develop a proactive model for defending the corporate infrastructure from the insider threat and protecting intellectual property and proprietary data. The study responds to the growing insider threat, which creates a significant business technology problem. A panel of 16 cybersecurity and IT experts was assembled for this study; each has achieved CISSP certification, currently holds an ISSO/ISSM position, and has more than 10 years of cybersecurity and/or IT experience. Experts were interviewed in multiple iterative rounds until consensus and data saturation were achieved.
Experts reached consensus on four themes: the definition of the term insider threat; third-party software that can be used to identify, mitigate, and prevent insider threat; security controls that can be used to identify, mitigate, and prevent insider threat; and the most common security controls implemented in the corporate infrastructure. From these themes, the insider threat model for proactive cybersecurity defense against intentional and unintentional threats was developed. The insider threat model focuses on simple cyber strategies: implementation of security controls; implementation of third-party insider threat software; an insider threat program and training for employees; implementation of cybersecurity policies and procedures; and increased funding for cybersecurity for the
Dedication
I dedicate the research to my two sons, Senica Jr. and Khalil Woodruff. One of my motivations to pursue a doctorate was to show my sons, who are attending Arizona State University and San Diego State University, that it can be done. If your old dad can do it, you can too.
Acknowledgments
I would like to acknowledge the staff at Capella, specifically Dr. Vu Tran. Dr. Vu spent numerous hours dragging me kicking and screaming through the dissertation process by tirelessly reviewing and providing suggestions on ways to improve my dissertation. Dr. Vu met with me weekly even after he was injured and on painkillers after being rear-ended in a car accident. That is the definition of dedication to your students. Thank you, Dr. Vu.
Table of Contents
Acknowledgments
Introduction
Rationale
Theoretical Framework
Significance of the Study
Definition of Terms
Assumptions and Limitations
Summary
Introduction
Risk Management Framework (RMF)
Abnormality Detection
Encryption
Insider Threat Deterrence, Detection, Prevention, and Training
Insider Threat Conferences
Summary
Introduction
Participants
CHAPTER 4. RESULTS
Introduction
Summary
Introduction
Fulfillment of Research Purpose
Contribution to Business Technical Problem
References
CHAPTER 1. INTRODUCTION
Introduction
The 2018 Cybersecurity Insider Threat Report found that 90% of organizations feel
vulnerable to a threat from insiders (Schulze, 2018). The threats from insiders are frequently
regarded as the greatest cybersecurity threat to organizations and the confidentiality, integrity,
and availability (CIA) of proprietary corporate data and intellectual property (Boss, Kirsch,
Angermeier, Shingler, & Boss, 2009; Holmlund, Mucisko, Lynch, & Freyre, 2011). In one
survey conducted by Holmlund et al. (2011), from the more than 600 organizations selected,
insider threats were suspected in 21% of electronic crimes. Of the companies in the survey experiencing security breaches within the last 12 months, 81% reported an increase in insider threat data compromise (Holmlund et al., 2011). The same survey found that 46% of the companies reported that insider attacks caused more damage than outsider attacks (Holmlund et al., 2011).
hackers, organized crime, or nation-states (McNerney & Papadopoulos, 2013). One of the major tasks of information technology (IT) and cybersecurity professionals is to detect, mitigate, and prevent insiders from conducting activities that can lead to potential intellectual proprietary data
professional's main purpose is to ensure the CIA of proprietary corporate data across clients, servers, and network devices (routers, switches, and bridges) (Zimba & Chama, 2018). Pursuant to the National Institute of Standards and Technology (NIST, 2018a), the job of these professionals is to protect the organization against unapproved use of organization data by
Evidence from previous insider breaches demonstrates that the financial cost of insider threats to organizations is high. According to an article by Gogan (2017), 53% of companies report estimated remediation costs of $100,000 or more, with 12% estimating a cost of more than $1 million. In a separate report, the cost of the insider threat has increased over the last seven years to $206,000 per insider incident (Kohen, 2017). A 2016 Ponemon Institute study covering 874 incidents reported by companies for the 2016 Cost of Data Breach Study found that 568 incidents were caused by an employee or subcontractor security failure, 85 were caused by an adversary using stolen company credentials, and 191 were caused by insider threats and cyber criminals (Ponemon Institute, 2016). Based on Kohen's estimate, 191 insider threat incidents would cost a company roughly $40 million. Over the course of a year, the cost of insider threat incidents averaged $4.3 million per company. Kohen (2017) found large companies spending the most to resolve an insider incident, at $7.8 million. To combat this $460 billion problem (Klara, 2017), commercial and Department of Defense (DoD) contractors have invested significant capital into insider threat
According to Marrow (2017), the 2017 federal fiscal budget for information security was $19 billion, and a single cybersecurity contract cost up to $1 billion. Marrow (2017) also found that these contracts were awarded to federal contractors so that the contractor could build custom cyber solutions for specific agencies. According to GovWin (2017), $2.891 billion was spent in 2017 on insider threat protection efforts and solutions. This was a budget increase from $2.281
This study investigated the most common security controls that can be used for, or in conjunction with, advanced detection, tracking, mitigation, and prevention of the insider threat within the information system. Specifically, using the qualitative Delphi method to conduct a group interview, this study documented which commonly implemented security control measures were installed and configured on the infrastructure. This study included the use of commercial off-the-shelf security software to safeguard an organization's information systems from the insider threat.
Chapter 1 explained the background, the business technical problem, and identified the
research purpose and research question. Chapter 1 also included the assumptions, limitations,
and definitions. Chapter 1 concluded with a discussion of the theoretical concepts behind the
study.
Background of the Study
Recent high-profile data compromises within the defense and commercial sectors have brought public awareness to the issue of insider threat. Within the defense sector, high-profile leaks such as the one committed by former National Security Agency contractor Edward Snowden demonstrated that, despite years of effort invested in protecting military assets, the defenses against insider threat within the military sector remain insufficient (Richman, 2017). Multiple high-profile incidents of theft of sensitive data within the commercial sector have forced commercial companies to acknowledge the risks insiders can pose to their proprietary data and intellectual property, as well as the personally identifiable data of their customers (Armerding, 2018). According to Bailey, Kolo, Rajagopalan, and Ware (2018), attacks by
Research by Giandomenico and de Groot (2018) found that threats to a company's IT infrastructure and proprietary data that originate from insiders are more difficult to prevent and detect using the traditional one-size-fits-all security methodology. The security methodology must be customized to fit the nature of the threat. According to Balakrishnan (2015), mitigation of insider threat should follow a structured program. These methods include senior management support, addressed through policies, procedures, and technical controls. The NIST SP 800-53 Revision 4 specification provides a list of security measures that organizations can adopt and customize to fit their needs. Additionally, the specification identifies the need to integrate these security measures across the information systems, the business processes, and the organization to ensure that the implementation of a consistent information security strategy meets the security needs of, and is aligned with, the business strategy of the organization (NIST, 2018a).
employees, protected against illegal access from unauthorized employees, and removed from former employees. Management of data access privilege consists of deploying a set of custom security measures designed to prevent, detect, and recover from illegal access. According to a study conducted by Rouse (2018), many companies do not have adequate user auditing policies and procedures to properly monitor employees' behavior when using company-owned information systems and accessing proprietary data. The same study also found that many organizations do not have adequate insider threat programs, security compliance policies with established common security practices, employee training, security spyware scanning and
The phenomenon of insider threat has affected every aspect of the defense and commercial sectors (Bailey et al., 2018; Richman, 2017). Insider attacks have significantly impacted national defense, infrastructure, and human safety (Rose, 2016). According to Gogan (2017), remediation of an insider attack costs an organization more than $100,000 on average and more than $1 million in extreme cases. The same research found that 74% of participating
vulnerable. Yet, according to Rose (2016), although 55% of reported cyber-attacks were
Business Technical Problem
Despite the recommendations provided by NIST and SEI, there is no clear data on how organizations are implementing the specific security recommendations to prevent or mitigate the insider threat. Research by Almehmadi and El-Khatib (2017) found that current access control models, including discretionary access control (DAC) and non-discretionary access control, fail to detect and prevent insider threats. CERT (2016) found that improper infrastructure configuration to combat insider theft of intellectual property, sabotage, fraud, and espionage remains a serious challenge for organizations, including commercial companies and military contractors. The specific problem addressed in this study is the lack of consensus on the most common security practices currently implemented by companies to deter, prevent, detect, and remediate the threat and impact of the insider attack (Agrafiotis, Erola, Happa, Goldsmith, & Creese, 2016; Claycomb & Nicoll, 2012; Hunker & Probst, 2011).
The insider threat has a direct impact on a company's revenue. According to Thompson
resulted in the loss of $800 million in revenue. According to Cisco's (2017) Annual Cybersecurity Report, nearly one-third of businesses that suffered a breach lost more than 20% of their revenue. According to the Ponemon Institute's (2018) report, the average annual cost of the insider threat is $8.76 million. The insider threat is also hard to detect. According to Keanini (2015), a survey found that 61% of companies could not deter insider attacks, and 59% admitted the organization was unable even to detect an insider threat. This is because of the lack of common security controls monitored to defend against the insider threat. According to Cappelli, Moore, and Trzeciak (2012), the impact of insider theft of intellectual property can be devastating to a company. Trade secrets worth hundreds of millions of dollars have been lost to foreign countries, and competing products have been brought to market by former employees and contractors. The authors also found that invaluable proprietary and confidential information has been stolen by insiders and given to competitors. Cappelli et al. (2012) also found that more than half of IP theft cases involved company trade secrets.
There are numerous studies dedicated to the phenomenon of insider threat. A prevalent issue raised that has not received significant attention is the lack of documented real-world information on how to combat insider threat (Agrafiotis et al., 2016; Claycomb & Nicoll, 2012; Hunker & Probst, 2011). While security standards such as NIST's clearly define what an insider threat is, many studies continue to use different definitions that fit the specific use of their study (Blackwell, 2009; Costa, 2017; Eldardiry et al., 2013; Hunker & Probst, 2011; Sanzgiri & Dasgupta, 2016). It is not clear if there is agreement on the definition of the term insider threat
characteristics, and motivation associated with, potentially harmful insiders (Bradley, Chambers, Davenport, & Saner, 2017; Siber, 2018; Stolfo et al., 2008). Additional studies concluded that it is unclear which security controls are frequently adopted by organizations to counter insider
By interviewing industry experts, this study addressed the problem of the lack of real-world information on the most common security practices adopted by organizations to counter insider threats. Specifically, this study investigated how organization experts define insider threat, which security controls are commonly implemented in organizations, and which third-party security technologies are often adopted to support implementation of these security controls. The collected data gives cybersecurity practitioners a solid foundation to identify
Research Purpose
The purpose of this qualitative Delphi research was to leverage practicing IT and cybersecurity experts to identify and gather a set of commonly used security control implementations against insider threat. Each expert came from an organization with its own experiences dealing with the insider threat problem. Through the Delphi process of consensus building, this study sought to identify a list of commonly practiced security measures that today's organizations have implemented to combat the threat of insider attack. To answer this question, the study focused on three related aspects: (a) how industry experts define insider threat, (b) which security controls companies frequently implement, and (c) which off-the-shelf security technologies companies
understanding of the practice of mitigating and preventing insider threat. This scholarly research gives the research community additional information on the state of the practice of insider threat prevention and mitigation. As raised by Balakrishnan (2015), documented information regarding the current state of the practice of insider threat management continues to be limited. The findings of this study complement the security control practice recommendations published by NIST (2013a) by focusing on how many of these recommendations are adopted in practice. This study identified current practices that may not be aligned with those proposed by NIST.
The importance of this scholarly research for a security practitioner was to provide a summary of the common insider threat practices adopted by organizations and the challenges or issues, if any, associated with the implementation of each practice. Once properly selected and implemented, the security practices can serve as a deterrent and provide the company infrastructure a forensic capability to track potential insiders. This forensic capability is in
The primary research question for this study was as follows: Which recommended security control practices are most often adopted in countering the threat of the insider, either
The purpose of this research question was to explore which security measures are most often implemented and/or considered most effective to combat the threat of an insider attack, according to a panel of information security experts. The list of security controls recommended by NIST (2013a) was used as the starting point of this panel interview (Blackwell, 2009; Costa, 2017; Eldardiry et al., 2013; Hunker & Probst, 2011). The NIST security controls were used as a reference for developing the responses to the interview questions.
Rationale
varies in cost for organizations. The cost of an insider threat incident has ranged from $206,000 (Kohen, 2017) to $8.7 million per incident (Ponemon Institute, 2018), depending on the size of the organization, the scope of the security incident, and the incident handling. The creation of a model that consists of scholarly and practitioner data on NIST security controls and the most common security practices is invaluable to IT and cybersecurity professionals fighting the
Research conducted by Hunker and Probst (2011) found there is insufficient real-world data about the insider threat, and there is a significant gap in the existing body of knowledge on
critical security vulnerability. The insider threat is one of the most serious security issues for companies. This threat has the potential to cause damage to data, an organization's information system, and infrastructure, and loss of proprietary data and intellectual property. This study identified security controls and the most common practices that can be used to protect proprietary
requirements, create product models, and create products to sell domestically and globally. This product development life cycle costs millions of dollars and provides the company a competitive advantage in its industry by producing either new products not currently on the market or products with better quality and technology options (Kambanou & Lindahl, 2016). This is a critical financial reason for companies to implement cybersecurity controls and associated techniques.
The outcome of the study provided the most common security practices from cybersecurity professionals which, if applied, have aided in the security of the corporate
strategies to mitigate insider threat, defense in depth, documentation, and training help to ensure there are fewer threat vectors for cyber-attack and give employees a better understanding of the security policies and procedures. The literature review and research conducted in this study contribute to a better understanding of how insider threat affects companies around the world. The next section relates to theories of preventing or mitigating the insider threat, defense in depth, and risk management. These two principles are important when developing a corporate strategy for cybersecurity.
Theoretical Framework
The goal of this qualitative research was to examine which commonly implemented security measures should be selected and implemented specifically to mitigate and prevent the insider threat. Once security controls and security software have been selected and implemented, the company's infrastructure has the capability to defend itself from the insider threat and to forensically track users' actions on their company-issued electronic devices (NIST, 2019). This capability is critical for mitigating or preventing the insider threat.
The theoretical framework for this study was the technology acceptance model (TAM). Created by Fred Davis, TAM adapted the theories of reasoned action and planned behavior. According to Taherdoost (2017), the technology acceptance model is an information systems theory created to model how users come to accept and use a technology. Taherdoost (2017) found that the common question of practitioners and researchers is why companies or people accept new technologies. Answering this question provides companies the tools to implement methods for designing, evaluating, and predicting the response of users to new technologies. In a corroborating article, Marangunic and Granic (2014) found that TAM has taken a leading role in explaining users' behavior toward technology. Marangunic and Granic (2014) found that without understanding the origins, development, modifications, and limitations of the model, there can be
Taherdoost's (2017) research found that TAM is one of the most widely cited models in technology acceptance. During the past decades, TAM has received substantial empirical support. TAM links the adoption motivation of users to three factors: perceived usefulness, perceived ease of use, and the user's attitude toward the technology's use (Taherdoost, 2017). TAM's two primary constructs, perceived usefulness and perceived ease of use, have considerable impact on the attitude of the user. These constructs can be used to determine a positive or negative attitude toward the new system. Other factors, known as external variables, including user training, system characteristics, user participation in design, and the nature of the implementation process, are also considered in the TAM model.
practice, is typically based on key factors such as the perceived usefulness and perceived ease of use of these recommended controls. The most common practices are not necessarily the best practices (based on NIST). As a result, this exploratory study using a qualitative method sought to
Significance of the Study
The rationale and justification for the present study underlined the significance of the
academia. The significance of the study is to help advance the body of knowledge in research and practice of insider threat management by providing IT and cybersecurity professionals a list of commonly implemented security controls that help the infrastructure defend against the insider threat. As a result, the study provided the most common security practices to counter an insider threat in organizations and protect company proprietary data and intellectual property. The study provided the key applications adopted by organizations to counter insider threats. As an organization proactively moves to mitigate insider threat, a solid security infrastructure and system documentation help to ensure a small attack surface for cyber-attack.
This study provided the most common security practices from cybersecurity professionals which, if applied, will aid in the security of the infrastructure. As a company's
documentation will help ensure a smaller information system attack surface, a better understanding of the security policies and procedures by employees, and an understanding of how the adversary
This study expanded the literature and body of knowledge on information security and
threat. The study defined the term insider threat and provided the company with security controls and the most common security practices to detect, mitigate, and ultimately prevent the loss of company proprietary data (Balakrishnan, 2015) and intellectual property. Additionally, this study is of great significance to organizations and has the potential to provide corporate leaders insight on the adoption of security controls, security processes, and procedures that are critical to
Definition of Terms
Audit: An audit is the independent review of information system logs and user activities to assess the effectiveness of implemented security controls and ensure compliance
Characteristics: A characteristic is a feature or quality belonging typically to a person, place, or thing and serving to identify it (Dictionary, 2019b).
information systems and infrastructure from cyber-attacks from internal and external adversaries (NIST, 2018e).
the company's operations capabilities to create security barriers across multiple security layers
Encryption: Encryption is a process of changing plaintext into ciphertext for the purpose
controls that are designed and implemented to protect data and the information system by
(NIST, 2018i).
Insider Threat: An insider is an individual who will use their authorized information system access to do harm to the information security of the U.S. (NIST, 2018j).
products that assist in the intrusion monitoring and analysis process (NIST, 2018k).
monitors a network for malicious activities such as security threats or policy violations. The IPS can identify suspicious activity, log information, attempt to block the activity, and report the
department within a company that is charged with establishing, monitoring, and maintaining
that can be used to distinguish or trace an individual's identity, such as name, social security number, biometric records, etc., alone or combined with other personal or identifying information