Journal of Computer Information Systems

ISSN: (Print) (Online) Journal homepage: https://www.tandfonline.com/loi/ucis20

Detecting Insider Threat via a Cyber-Security

Culture Framework

Anna Georgiadou, Spiros Mouzakitis & Dimitris Askounis

To cite this article: Anna Georgiadou, Spiros Mouzakitis & Dimitris Askounis (2022) Detecting
Insider Threat via a Cyber-Security Culture Framework, Journal of Computer Information
Systems, 62:4, 706-716, DOI: 10.1080/08874417.2021.1903367

To link to this article: https://doi.org/10.1080/08874417.2021.1903367

Published online: 05 May 2021.

Submit your article to this journal

Article views: 1605

View related articles

View Crossmark data

Citing articles: 6 View citing articles

Full Terms & Conditions of access and use can be found at

https://www.tandfonline.com/action/journalInformation?journalCode=ucis20
JOURNAL OF COMPUTER INFORMATION SYSTEMS
2022, VOL. 62, NO. 4, 706–716
https://doi.org/10.1080/08874417.2021.1903367

Detecting Insider Threat via a Cyber-Security Culture Framework

Anna Georgiadou , Spiros Mouzakitis , and Dimitris Askounis
National Technical University of Athens, Zografou, Greece

ABSTRACT KEYWORDS
Insider threat has been recognized by both scientific community and security professionals as one Insider threat; cyber-security
of the gravest security hazards for private companies, institutions, and governmental organizations. culture framework; security
Extended research on the types, associated internal and external factors, detection approaches and assessment; behavioral
mitigation strategies has been conducted over the last decades. Various frameworks have been indicators; detection
introduced in an attempt to understand and reflect the danger posed by this threat, whereas
multiple identified cases have been classified in private or public databases. This paper aims to
present how a cyber-security culture framework with a clear focus on the human factor can assist in
detecting possible threats of both malicious and unintentional insiders. We link current insider
threat categories with specific security domains of the framework and introduce an assessment
methodology of the core contributing parameters. Specific approach takes into consideration
technical, behavioral, cultural, and personal indicators and assists in identifying possible security
perils deriving from privileged individuals.

Introduction external pressure.4 Circumstances appear not only to

According to a recent report released by the Ponemon
Institute at the beginning of 2020, the frequency of
incidents related to insider threats has spiked by 47%
since 2018 increasing the average global cost by 31% to
an amount of $11.45 million.1 IT security practitioners
in 204 organizations in North America (United States
and Canada), Europe, Middle East & Africa and Asia-
Pacific were interviewed only to underline that insider
threats are still a lingering, under-estimated, and often
under-addressed cybersecurity threat within
organizations.
Incidents may vary by industry in terms of type,
frequency, patterns, actions, and assets.2 Nevertheless,
both negligent and malicious insiders are considered
responsible for more cyber-security incidents than
expected, detected, reported or, even, classified. What
is even more troubling is that insider attacks are foreseen
to increase within the imminent future.
Cybersecurity firm Tessian conducted a research,
during the COVID-19 pandemic, revealing that over
three-quarters of IT leaders (78%) think their orga­
nization is at a higher risk of insider threats when
employees work remotely.3 Business trend and cur­
rent reality (including but not limited to COVID-19
crisis) lead to a “remote” or “hybrid” working struc­
ture where individuals are under more internal and
favor but, in many cases, facilitate insider threat
incidents by formulating required technical, social,
economic, and psychological conditions.5
Insider security breaches become a greater busi­
ness risk due to lack of detection, slow response, and
inconsistent remediation practices.6–8 Time acts
against an organization leaking precious assets:
money, intellectual property, sensitive
information.9,10 Consequently, businesses invest on
security awareness training programs along with
numerous security policies, procedures, and technical
solutions.11 Yet, incidents actually happen more fre­
quently in organizations that offer training. While the
majority of employees say they understand company
policies and procedures, comprehension doesn’t help
to prevent malicious behavior.12
Security awareness, consciousness, and compliance
derive from a deeper process. They require a robust cyber-
security culture cultivated via a long and fastidious pro­
cedure requiring both organizational and individual con­
tributions. The underlying research presents a cyber-
security culture framework able to evaluate the insider
threat peril for an organization. Specific security domains
of the proposed framework are associated to insider threat
categories and an assessment methodology is introduced
to evaluate the core contributing factors.

CONTACT Anna Georgiadou ageorgiadou@epu.ntua.gr Decision Support Systems Laboratory, National Technical University of Athens, Iroon
Polytechniou 9, Zografou 15780, Greece.
© 2021 International Association for Computer Information Systems

This paper presents a methodology for evaluating the
insider threat based on a cyber-security culture frame­
work with emphasis on the aspects of the human factor.
Section 2 presents background information regarding
current research related to the insider threat. Building
upon the wide range of these studies, a security culture
framework is presented in Section 3, in an attempt to
evaluate the insider peril for an organization. Thus, we
relate each of the identified categories and related vari­
ables with specific security parameters of the individual
and organization level of the presented framework. In
Section 4, we present how our framework could detect
different insider threat scenarios if applied in practice. In
Section 5, we outline a number of considerations and
limitations regarding the proposed methodology.
Finally, Section 6 concludes with the importance and
impact of the proposed framework for enterprises as
well as areas of further research and potential future
applications.
Background
nsider Threat has been attributed numerous definitions
over the years. A workshop report in 2004 defined the
insider threat as actions of “a malicious insider, acting either
alone or in concert with someone ‘on the outside’ of these
systems”.13(p1) Bishop defines insider threat as an event
occurring when “a trusted entity abuses the given power to
violate one or more rules in a given security policy”.14(p77)
According to Greitzer et al., “insider threat refers to harmful
acts that trusted insiders might carry out; for example, some­
thing that causes harm to the organization, or an unauthor­
ized act that benefits the individual.”15(p61) Hunker and
Probst argue that “an insider threat is [posed by] an indivi­
dual with privileges who misuses them or whose access
results in misuse”.16(p7) CERT National Insider Threat
Center proceeds in defining both malicious insider,
“a current or former employee, contractor, or business part­
ner who has or had authorized access to an organization’s
network, system, or data and has intentionally exceeded or
intentionally used that access in a manner that negatively
affected the confidentiality, integrity, availability, or physical
well-being of the organization’s information, information
systems, or workforce”, and unintentional insider,
“a current or former employee, contractor, or other business
partner who has or had authorized access to an organiza­
tion’s network, system, or data and who, through their
action/inaction without malicious intent causes harm or
substantially increases the probability of future serious
harm to the confidentiality, integrity, or availability of the
organization’s information or information systems”.17(p3)
Not surprisingly, a proportional variety of insider
threat taxonomies can be found in literature.18 One of
JOURNAL OF COMPUTER INFORMATION SYSTEMS 707
the earliest classifications was proposed by Anderson in
1980 who distinguished three types of illicit inside users19:
Masquerader: who can be either an external pene­
trator who has succeeded in bypassing security controls,
or an employee with full access to a computer system
who intends to exploit another legitimate user’s
credentials.
Legitimate User: who does not masquerade, but
instead abuses his/her own privileges in order to misuse
the system, and
Clandestine User: who has or can seize supervisory
controls staying under the radar of security
countermeasure.
A much similar approach was presented by Salem
et al. many years later, in 2008, distinguishing two
categories of insider attacks: masqueraders and
traitors.20 Masqueraders were defined as attackers
who succeed in stealing legitimate users’ identity
and impersonate other users for malicious purposes
whereas traitors are legitimate users within an orga­
nization who have been granted access to systems
and information resources, but whose actions are
counter to policy, and whose goal is to negatively
affect confidentially, integrity, or availability of some
information asset.
Numerous similar approaches exist clearly underlin­
ing motivation behind the insiders’ behavior and actions
differentiating deliberate from unintentional security
violations.9,21–23 Granted privileges, technical knowl­
edge, and security policies’ familiarity is also
emphasized.24–26 Many researchers progressed further
by suggesting classifications of the insiders based on
different criteria such as professional relationship with
or potential consequences and harm to the violated
organization or even based on the target system at
which an attack may be detected.9,27,28
One of the most recognizable and commonly
accepted insider threat categorization is the one pro­
posed by the “Insider Threat Study”, a joint project
conducted by the Secret Service and the Software
Engineering Institute CERT Program at Carnegie
Mellon University.29–36 Since 2001, the CERT
National Insider Threat Center has conducted
a variety of research projects on insider threat based
on an expanded corpus of more than 1,500 cases from
organizations across all industries.17,37–39 Their scien­
tific contribution is demonstrated via a variety of pub­
lications throughout their long-standing presence in
the domain.40–44 Though the attack methods vary
depending on the industry, they have identified, ana­
lyzed, and presented via several technical reports the
main insider threat types and their subcategories
(Figure 1):
708 GEORGIADOU ET AL.
Insider Threat
Information Technology Intellectual Property (IP)
Fraud
(IT) Sabotage Theft
Entitled Independent
Ambitious Leader
Figure 1. CERT insider threat types.
Information Technology (IT) Sabotage: Use of IT to
direct specific harm toward an organization or an
individual.11
Intellectual Property (IP) Theft: Purposely abuse
one’s credentials to steal confidential or proprietary
information from the organization.45,46
● Entitled Independent: An insider acting primarily
alone to steal information to take to a new job or to
his/her own side business.
● Ambitious Leader: A leader of an insider crime who
recruits insiders to steal information for some larger
purpose.
Fraud: Unauthorized modification, addition, or dele­
tion of an organization’s data for personal gain, or theft
of information that leads to an identity crime (e.g.,
identity theft, credit card fraud).31
Espionage: Obtaining, delivering, transmitting, com­
municating, or receiving information about the national
defense with an intent, or reason to believe, that the
information may be used to the injury of own’s country
or to the advantage of any foreign nation.29
Unintentional Insider Threat: Negatively affect the
confidentiality, availability, or integrity of an organiza­
tion’s information or information systems, via action or
inaction without malicious intent.47
The aforementioned categorization has succeeded in
classifying a continuously evolving database of insider
threat incidents maintained by the Software Engineering
Institute. At the same time, many researchers have relied
on this enduring attempt to further investigate, analyze
and study the Insider Threat phenomenon.30–32,34,36
This paper focuses on identifying possible insider
threats of this model using a domain agnostic cyber-
Unintentional Insidet
Espionage
Threat (UIT)
security culture framework. In the following paragraphs
we shall unfold a methodology which, starting from the
CERT Insider Threat types and their key contributing
factors, progresses to an evaluation process of the key
elements responsible for a robust cyber-security culture.
Methodology
Insider threat factors
First, we conducted a critical review of the scientific
community research approaches, the available
empirical literature findings and the corporate secur­
ity professionals’ testimonies. This review resulted in
a number of behavioral and technical, individual and
organizational, qualitative and quantitative indicators
practically affecting and formulating fertile ground
for increased insider threat probability. Table 1 pre­
sents the key identified security factors contributing
to each CERT Insider Threat type based on the
referenced resources.
The next logical step was to classify the identified
insider threat factors into umbrella terms unifying them
and limiting them down to measurable security indicators
which can be addressed by a cyber-security culture frame­
work. Based on the semantic and contextual interpreta­
tion of the initially identified security factors, we
proceeded in closely studying their definitions and analy­
sis based on the referenced research studies (presented in
the third column of Table 1). We investigated the assess­
ment approaches and validation techniques used by the
aforementioned references in order to identify overlaps
and relationships among these factors leading to unifica­
tions and classifications. In the following paragraphs we
briefly describe the finalized enumerated list created while
 JOURNAL OF COMPUTER INFORMATION SYSTEMS 709

Table 1. Insider threat types and contributing factors.

Insider Threat Type Factor References
Information Technology Sabotage (ITS) Dissatisfaction 38,48–50
Personality predispositions 47,49,50
Type of position (Access, Knowledge, Privileges, Skills) 13,38,48,50,51
Gender 38,48
Concerning behaviors 13,38,49,50
Lack of Physical and Electronic Access Controls 49
Intellectual Property Theft (IPT) Dissatisfaction (only for Entitled Independent) 29,46,52,53
Type of position 13,46,51,54
Gender 46,54
Sense of ownership/entitlement 46,52
Fraud Enterprise Role (Access, Knowledge, Privileges, Skills) 39
Age, tenure & level of seniority 39
Policy violation 39
Lack of Physical and Electronic Access Controls 39
Lack of Auditing 39
Espionage Personality predispositions 49,55
Concerning behaviors 49,55
Rule violation 49
Stressful Events 13,49,55
Lack of Physical and Electronic Access Controls 49
Lack of Detection of Rule Violations 49
Unintentional Insider Threat (UIT) Fatigue or sleepiness 47,56
High Subjective mental workload 47,56
Lack of situation awareness 47,56
Mind wandering 47,56
Framing 47,56
Cognitive limitations, biases, or faulty reasoning 47,56
Personality predispositions 13,47,55–58
Concerning behaviors 13,47,56,58,59
Age, gender, culture 47,56,57
Mood 47
Influence of physical states, drugs or hormone imbalances 13,47,56
Business processes and environment (work planning and control, data flow, work setting) 47,56

analyzing which parameters, how and why have been
clustered.
Dissatisfaction
Stressful events, either work-related or personal, typi­
cally precede insider attacks.23,37,38,49 Examples of such
events include employee dismissal, disputes with
employers, perceived injustices, transfers or demotions,
salary reductions, family problems.60,61 Dissatisfaction
resulting from stressful events triggers concerning beha­
viors in individuals predisposed to malicious acts.
Personality predispositions
Personality predispositions include serious mental
health disorders, personality issues (e.g. self-esteem def­
icits, patterns of biased perceptions of self and others),
addictions, social skills, and decision-making deficits,
history of legal, security, or procedural rule
violations.13,55,57,58 Specific personality traits, such as
openness, extraversion, agreeableness, conscientious­
ness, risk perception, and tolerance, which have been
identified as related to specific security behaviors, have
also been included in this umbrella term.57,59
Enterprise role
The position an insider holds within an organization (e.g.
technical, managerial) along with the special skills, knowl­
edge, privileges (e.g. domain or system administrator,
advanced user), and access granted may seriously differ­
entiate both the possibility as well as the type of insider
threat posed against the enterprise he/she works
for.13,37,48,50,51
Concerning behavior
Concerning behaviors, including personnel and secur­
ity violations, precede the vast majority of insider cases
prior to their attacks.49 Examples of such behaviors
include tardiness, truancy, arguments with coworkers,
poor job performance, security violations.13,38,49,50,56
Employee profile
Employee profile, built based on a number of human
attributes such as age, gender, tenure, level of seniority,
have been examined in many cases of insider incidents
and credited with a contributing role to the overall insider
threat predisposition.38,48 Since these attributes are only
parameters in a multidimensional issue, it is only fair to
710 GEORGIADOU ET AL.

group them and examine them in combination. In other Situation awareness

words, simply being a male senior engineer does not
make one more prone to cyber-attacking your employer
compared to a woman holding the same position.
Access controls
Physical access controls (restrictions on gaining access
to organizational facilities) and/or remote access con­
trols (restrictions to computing and network enterprise
resources) enforce organizational defense against the
insider threat.49 However, lack of those controls or pos­
sible deficiencies in their enforcement encourage insider
incidents allowing their prolong occurrence.39
Sense of entitlement
This factor is being met only in cases of intellectual prop­
erty theft and refers to the degree to which insiders felt
entitled to information they stole.46,52 Information in these
cases refers to work results produced by the insiders during
their occupation in the victimized enterprise regardless of
having or not signed relevant agreements or contracts.
Policy violation
Policy violations may be behavioral or technical in
nature.49 This indicator is used to evaluate employees’
compliance with the security policies and procedures in
place.
Auditing
Auditing is used to describe and assess the ability and
means an organization utilizes to detect, evaluate and
react against policy violations, technical or not, in order
to prevent actual insider attack cases via positive or
negative framing techniques.39,49
Policies and roles awareness
Enterprise policies and procedures awareness along with
roles and responsibilities knowledge differentiate delib­
erate to unintentional security violations.47,56
Unintentional insider incidents often result from infor­
mation technology and security unfamiliarity and una­
wareness. Simple examples of this category include
trusting a phishing e-mail, visiting an unreliable website,
downloading an executable file which contains more
than it supposed to.47,56
This final insider threat indicator list was then dis­
cussed and validated in a series of workshops with
security professionals and academic experts.
Representatives of different business domains (cyberse­
curity agencies, university departments in the field of
information security) discussed, argued and dynamically
contributed to finalizing our insider threat indicator
classification while offering useful insights and consul­
tancy in how to proceed with their assessment.
Having formulated this security factor enumeration,
we then proceeded in reforming Table 1, using the
security clustered factors as rows and the insider threat
categories as columns, reaching to the results presented
in Table 2. Our goal was to comparatively present the
security indicators assisting in the identification of pos­
sible insider threats and their types.
Based on Table 2, “1 – Dissatisfaction” appears in all
cases of insider threat types with the interesting excep­
tion of the “Entitled Independent” whereas awareness
related factors, such as “10 – Policies and roles aware­
ness” and “11 – Situation awareness” are only met in
“Unintentional Insider Threat” cases. Distinctive char­
acteristics and combination of security factors for each
insider threat category facilitates prediction schemas
and assessment methodologies in identifying and
defending against this cyber-security peril.
Security culture framework
There have been many attempts in the past in developing
frameworks aiming to model, evaluate the risk, detect
and, finally, prevent insider threat incidents.52,58,61 Our

Table 2. Insider threat types and final contributing security factors.

Information Technology Sabotage Unintentional Insider Threat
(ITS) Intellectual Property Theft (IPT) Fraud Espionage (UIT)
1 – Dissatisfaction ● ● (only for Entitled ● ●
Independent)
2 – Personality predispositions ● ● ●
3 – Enterprise role ● ● ●
4 – Concerning behavior ● ● ●
5 – Employee profile ● ● ● ●
6 – Access Controls ● ● ●
7 – Sense of entitlement ●
8 – Policy violation ● ●
9 – Auditing ● ●
10 – Policies and roles ●
awareness
11 – Situation awareness ●

Assets
•Application Software Security
•Data Security and Privacy
•Hardware Assets
Management
•Hardware Configuration
Management
•Information Resources
Management
•Network Configuration
Organizational Level Management
•Network Infrastructure
Management
•Software Assets Management
•Personnel Security
•Physical Safety and Security
Operations
•Compliance Review
•Documentation Fulfillness
•Efficient Distinction of
Development, Testing and
Operational Environments
•Operating Procedures
•Organizational Culture and
Top Management Support
•Risk Assessment
Attitude
Individual Level
•Employee Climate
•Employee Profiling
•Employee
Satisfaction
Figure 2. Cyber-security culture framework.
approach suggests taking advantage of a more generic
security framework, used to evaluate and assess the secur­
ity culture of both individuals and organization, in order
to measure, analyze and suggest possible insider perils.
During the last period, we have developed a cyber-
security culture framework for assessing and evaluating
the current security readiness of an organization’s
workforce.62 It is founded on a model divided into two
levels: organizational, referring to all security technolo­
gical infrastructure, operations and countermeasures,
and individual, targeting employees’ characteristics,
behavior, attitude and performance. Each level is con­
sisted of different dimensions analyzed further into
domains as presented in Figure 2.
Specific framework examines how external environ­
mental and organizational factors interact with indivi­
dual features and traits affecting, inducing, and finally
dictating the overall cyber-security culture of an organi­
zation. It bridges the siloed information security
approaches, focusing on the technical infrastructure,
frameworks and standards, with the academic research
attempts, trying to understand the anthropological and
JOURNAL OF COMPUTER INFORMATION SYSTEMS 711
Continuity Access and Trust
•Backup Mechanisms •Access Management
•Business Continuity & •Account Management
Disaster Recovery •Communication
•Capacity Management •External Environment
•Change Management Connections
•Continuous Vulnerability •Password Robustness and
Management Exposure
•Privileged Account
Management
•Role Segregation
•Third-Party Relationships
•Wireless Access Management
Defense Security Governance
•Boundary Defense •Audit Logs Management
•Cryptography •Incident Response and
•Email and Web Browser Management
Resilience •Penetration Tests and Red
•Information Security Policy Team Exercises
and Compliance •Reporting Mechanisms
•Malware Defense •Security Management
•Security Awareness and Maturity
Training Program
Awareness Behavior Competency
•Policies and •Policies and •Employee
Procedures Procedures Competency
Awareness Compliance •Security Skills
•Roles and •Security Agent Evaluation
Responsibilities Persona •Training Completion
Awareness •Security Behavior and Scoring
social point of view. As such, it sets the basis for assisting
companies in the development of assessment instru­
ments and tools using a holistic approach toward infor­
mation security. By doing so, it contributes to properly
targeting and adjusting training programs to the needs
of the organizations’ workforce enforcing and improv­
ing their commitment and overall performance.
Suggested evaluation methodology utilizes several
assessment techniques varying from simple surveys
and tests to sophisticated simulations and serious gam­
ing. It has been designed so as to adjust to any size and
kind of organization regardless of its operation, specia­
lization, and domain. Alongside, the proposed scoring
methodology, respecting the dynamic nature of the fra­
mework, varies from simple weighted average/sum
methods to multi-criteria analysis techniques.
Insider threat assessment
Our ultimate goal being to identify possible insider
threats to an organization based on its cyber-security
culture assessment, we proceeded in identifying the
712 GEORGIADOU ET AL.

Table 3. Cyber-security culture model relation to insider threat factors.

Level Dimension Domain Insider Threat Factor
Individual Attitude Employee Satisfaction 1 – Dissatisfaction
Employee Profiling 3 – Enterprise role
5 – Employee profile
Awareness Policies and Procedures Awareness 10 – Policies and roles awareness
Roles and Responsibilities Awareness 10 – Policies and roles awareness
Behavior Policies and Procedures Compliance 8 – Policy violation
Security Agent Persona 2 – Personality predispositions
7 – Sense of entitlement
Security Behavior 4 – Concerning behavior
Competency Security Skills Evaluation 11 – Situation awareness
Training Completion and Scoring 11 – Situation awareness
Organizational Assets Personnel Security 6 – Access Controls
Access & Trust Access Management 6 – Access Controls
Defense Information Security Policy & Compliance 9 – Auditing
Security Governance Audit Logs Management 9 – Auditing
Incident Response & Management 9 – Auditing

security domains of our framework directly related to identify possible insider vulnerabilities, we apply it
the 11 key insider threat factors presented in the pre­ to two case studies.
vious paragraphs. Evaluation results from these security
domains could assist in pinpointing potential insider
risks when examined in combination as presented in Case 1 – tax office manager engaged in fraud
Table 3.
“A tax office employed the insider as a manager. The
As anticipated, insider threat risk is mainly addressed
insider had detailed knowledge of the organization’s
by the individual level of the suggested framework which
computer systems and helped design the organiza­
relates with the employee attitude, awareness, compe­
tion’s newly implemented computer system. The insi­
tency, and behavior. In order to address the detailed
der convinced management that her department’s
personality predispositions dictated by the insider threat
activities should be processed outside of this new
factors and link them directly with the “Behavior” of the
system. All records for the insider’s department were
individuals, we enriched the controls used for the eva­
maintained manually, on paper, and were easily
luation of this security dimension of our framework.
manipulated. Over 18 years, the insider issued more
More specifically, we enhanced the “Security Agent
than 200 fraudulent checks, totaling millions of dol­
Persona” and the “Security Behavior” domains by
lars. The insider had at least nine accomplices, insi­
including measurement instruments exploring a variety
ders and outsiders, with unspecified roles in the
of psychological constructs related to security behavior,
scheme. One of the insider’s external accomplices,
such as Domain-Specific Risk-Taking Scale,63 General
her niece, deposited checks into the bank accounts
Decision-Making Style,64 Consideration for Future
of the fake companies and then distributed the
Consequences,65 Barratt Impulsiveness Scale,66 Need
funds to various members of the conspiracy. The
for Cognition,67 Security Behavior Intentions Scale.68
incident was detected when a bank teller reported
The few organizational dimensions and domains
a suspicious check for more than $400,000. The insider
which contribute to the overall insider risk assessment
was arrested, convicted, and ordered to pay $48 million in
are directly linked to the physical and digital access
restitution, $12 million in federal taxes, and $3.2 million
control management along with the security compliance
in state taxes. She was also sentenced to 17.5 months of
auditing, monitoring, and incident response manage­
imprisonment. One of the insider’s motivations was that
ment. Consequently, proposed framework may indeed
she enjoyed acting as a benefactor, giving coworkers
identify, among other possible cyber-threats or deficien­
money for things like private school tuition, funerals,
cies, insider perils given a specific working reality.
and clothing. The insider avoided suspicion by telling
her coworkers that she had received a substantial family
inheritance. The generous insider also spent a substantial
Application
amount of money on multiple homes, each valued at
To demonstrate how based on our cyber-security several million dollars, luxury cars, designer clothing
culture framework’s assessment results one can and accessories, jewelry, and other lavish items. At the

time of her arrest, the insider had $8 million in her bank
account. The insider apparently endured a traumatic
childhood, leading her to abuse drugs and alcohol and
develop a substantial gambling habit”.17(p60)
This fraud case study is detectable both by individual
and organizational level domains’ evaluation. Starting
from the latter, Access Management, Audit Logs
Management and Information Security Policy &
Compliance domains would bear a critical alerting
score for the specific department since no control over
the information, access, elaboration, and work results of
that employee unit was possible using technological
means by the company. Additionally, Employee
Profiling results for the insider orchestrating this sophis­
ticated fraud plan would also be crossing warning
thresholds as a senior manager with a good technical
knowledge. And, although not common in fraud case
scenarios, Security Agent Persona scores would have
underlined concerning findings regarding the personal­
ity predispositions of specific individual.
Case 2 – an electronic warfare signals specialist for
the Army committed espionage
“An electronic warfare signals specialist for the Army, fled
to East Germany with a laptop computer and military
secrets on 20 February and voluntarily returned
4 March 1989 to plead guilty to espionage. He was sen­
tenced to 30 years in a military prison. Even after his court-
martial, authorities were at a loss to explain what had
happened. He said he made an impulsive mistake, that he
felt overworked and unappreciated in his job for the 11th
Armored Cavalry Regiment in Fulda, West Germany. His
work involved operating equipment that detects enemy
radar and other signals. He had been described as ‘a
good, clean-cut soldier’ with a ‘perfect record.’ During his
tour of duty in Germany he had been promoted and twice
was nominated for a soldier of the month award.”49(p86)
This case could have easily been detected by our
framework since it exhibits almost all of the security
factors contributing to an espionage scenario.
Employee Satisfaction and Security Agent Persona
domains’ assessment would have revealed his emotional
state and apparent dissatisfaction, his decision-making
biases and possible personality predispositions, which
based on testimonies and coworkers’ observations were
not easily detectable. And, although he exhibited good
behavior prior to the incident (therefore Security
Behavior and Policies and Procedures Compliance
domain would probably bear a non-alerting score), the
lack of proper physical access controls and detection of
rule violations in the organization level (corresponding
to alerting organizational domains’ scores), along with
JOURNAL OF COMPUTER INFORMATION SYSTEMS 713
his warning individual scores, would have identified him
as an employee requesting attention. Most importantly,
security culture campaigns (iterative evaluation proce­
dures described within our cyber-security culture frame­
work) would have assisted in proactively engaging both
parties and possibly preventing this incident.
Considerations and limitations
Insider threat is tightly connected to individual’s person­
ality traits, behavior, attitude, beliefs, and skills. Security
indicators, which need to be assessed, closely rely on
psychological evaluations, auditing of digital footprint
within the working environment (actual or electronic)
and/or simple observation and reporting techniques.69
Consequently, legal and ethical issues arise and need to
be treated with proper respect in order to protect employ­
ees’ rights against discrimination and privacy violation.70
Enterprises ought to carefully examine the “why, how
and when” security policies and procedures apply and,
most importantly, ensure employees willingly consent to
any auditing and monitoring technology or techniques
used. Investing time, effort and funds on educating
human resources on the topics of information security
and insider risk is most probably the best way to cultivate
a deep and robust cyber-security culture founded on
mutual respect between the employer and the employee.
Conclusion and future work
Insider Threat is a lasting and, more importantly, under-
addressed cybersecurity threat in the working reality.
Understanding what motivates and transforms
a reliable insider to an intentionally or unintentionally
malicious one has been troubling researchers for many
decades triggering countless scientific attempts deriving
from human resource management, working psychol­
ogy, information technology and security sciences.
In this paper, we have presented an approach based on
a cyber-security framework aiming to assess dimensions
and domains directly related to the key indicators formu­
lating fertile ground for insider mistakes or attacks. We
identify, classify and analyze security factors related to the
different insider threat types based on a literature review.
We then proceed in linking them with the suggested cyber-
security culture framework attributes aiming in assessing
the insider risk and revealing under-addressed security
facets in the corporate environment which might facilitate,
encourage or even trigger human-related cyber-attacks.
Our final goal is to assist both organizations and
employees in understanding the threat and to cultivate
a robust and vigorous security culture that prevents
dissatisfaction, emotional stress as well as any financial,
714 GEORGIADOU ET AL.
legal, and ethical issues that afflict both parties.
Diminishing the insider threat benefits both employees,
arming them against continuously evolving cyber-crime
and enforcing their professional skills and profile, and
organizations, reducing the security perils by one.
Our next steps focus on utilizing the presented insi­
der threat prediction schema on the electrical power and
energy systems supply chain, in the context of the
EnergyShield research project’s ongoing pilot
applications.71 Results and feedback obtained from
these application scenarios shall assist us in further
evolving our insider threat evaluation effort, possibly
revealing unexploited security facets.
Acknowledgments
This project has received funding from the European Union’s
Horizon 2020 research and innovation programme under
grant agreement No 832907.
Funding
This work was supported by the European Union’s Horizon
2020 research and innovation programme under the
EnergyShield project “Integrated Cybersecurity Solution for
the Vulnerability Assessment, Monitoring and Protection of
Critical Energy Infrastructures” under Grant [832907].
ORCID
Anna Georgiadou http://orcid.org/0000-0002-0078-6969
Spiros Mouzakitis http://orcid.org/0000-0001-9616-447X
Dimitris Askounis http://orcid.org/0000-0002-2618-5715
Conflicts of interest
The authors declare that they have no known competing
financial interests or personal relationships that could have
appeared to influence the work reported in this paper.
References
1. Ponemon Insitute. 2020 cost of insider threats: global
report. Ponemon Insitute; 2020.
2. Verizon. 2020 data breach investigations report. Verizon;
2020.
3. Tessian. Securing the future of hydrid working. Tessian;
2020.
4. The 2020 state of remote work. Buffer & AngelList; 2020.
5. Gheyas IA, Abdallah AE. Detection and prediction of
insider threats to cyber security: a systematic literature
review and meta-analysis. Big Data Anal. 2016;1(6).
doi:10.1186/s41044-016-0006-0.
6. Schulze H. 2020 insider threat survey report. Gurucul;
2020.
7. Luckey D, Stebbins D, Orrie R, Rebhan E, Bhatt SD,
Beaghley S. Assessing continuous evaluation approaches
for insider threats: how can the security posture of the U.
S. Departments and Agencies be improved? Santa
Monica (CA): RAND Corporation; 2019. https://www.
rand.org/pubs/research_reports/RR2684.html.
8. Ko LL, Divakaran DM, Liau YS, Thing VL. Insider threat
detection and its future directions. Int J Secur Netw. 2017;12
(3):168–87. doi:10.1504/IJSN.2017.084391.
9. Cole E, Ring S. Insider threat: protecting the enterprise
from sabotage, Spying, and Theft. Rockland (MA):
Syngress; 2005.
10. Kim A, Oh J, Ryu J, Lee J, Kwon K, Lee K. SoK:
a systematic review of insider threat detection. J Wirel
Mob Netw. 2019;10:46–67.
11. Greitzer FL, Purl J, Leong YM, Sticha PJ. Positioning your
organization to respond to insider threats. IEEE Eng
Manag Rev. 2019;47(2):75–83. doi:10.1109/EMR.2019.291
4612.
12. Tessian. The state of Data Loss Prevention (DLP) 2020.
Tessian; 2020.
13. Anderson RH, Brackney R. Understanding the insider
threat: proceedings of a March 2004 workshop. Santa
Monica (CA): RAND Corporation; 2004. https://www.
rand.org/pubs/conf_proceedings/CF196.html.
14. Bishop M. Position: “insider” is relative. Proceedings of
the 2005 Workshop on New Security Paradigms; 2005;
Lake Arrowhead, California.
15. Greitzer FL, Moore AP, Cappelli DM, Andrews DH,
Carroll LA, Hull TD. Combating the insider cyber
threat. IEEE Secur Priv. 2008;6(1):61–64. doi:10.1109/
MSP.2008.8.
16. Hunker J, Probst CW. Insiders and insider threats - an
overview of definitions and mitigation techniques.
J Wirel Mob Netw Ubiquitous Comput Dependable
Appl. 2011;2:4–27.
17. Theis M, Trzeciak RF, Costa DL, Moore AP, Miller S,
Cassidy T, Claycomb WR. Common sense guide to
mitigating insider threats. 6th ed. Pittsburgh (PA):
Carnegie Mellon University; 2020.
18. Homoliak I, Toffalini F, Guarnizo J, Elovici Y, Ochoa M.
Insight into insiders and IT: a survey of insider threat
taxonomies, analysis, modeling, and countermeasures.
ACM Comput Surv. 2019;52(2):1–40. doi:10.1145/3303
771.
19. Anderson JP. Computer security threat monitoring and
surveillance. Fort Washington (PA): James P Anderson
Company; 1980.
20. Salem MB, Hershkop S, Stolfo SJ. A survey of insider
attack detection research. In: Stolfo SJ, Bellovin SM,
Keromytis AD, Hershkop S, Smith SW, Sinclair S, edi­
tors. Insider attack and cyber security. Advances in
information security. Vol. 39. Boston (MA): Springer;
2008. p. 69–90. https://doi.org/10.1007/978-0-387-
77322-3_5.
21. Bellovin SM. The insider attack problem nature and
scope. In: Stolfo SJ, Bellovin SM, Keromytis AD,
Hershkop S, Smith SW, Sinclair S, editors. Insider attack
and cyber security. Advances in information security.
Vol. 39. Boston (MA): Springer; 2008. p. 1–4. https://
doi.org/10.1007/978-0-387-77322-3_1.

22. Hayden MV. The insider threat to US government infor­
mation systems. National Security Telecommunications
And Information Systems Security Committee; 1999;
Fort Meade.
23. Shaw E, Fischer LF. Ten tales of betrayal: the threat to
corporate infrastructure by information technology.
Monterey (CA): Defense Personnel Security Research
Center; 2005.
24. Myers J, Grimaila MR, Mills RF. Towards insider threat
detection using web server logs. Proceedings of the 5th
Annual Workshop on Cyber Security and Information
Intelligence Research: Cyber Security and Information
Intelligence Challenges and Strategies; 2009; Oak Ridge
Tennessee.
25. Claycomb WR, Nicoll A. Insider threats to cloud com­
puting: directions for new research challenges. IEEE
36th Annual Computer Software and Applications
Conference; 2012; Izmir.
26. Bishop M, Gates C. Defining the insider threat.
Proceedings of the 4th annual workshop on Cyber security
and information intelligence research: developing strate­
gies to meet the cyber security and information intelli­
gence challenges ahead; 2008; Oak Ridge, Tennessee.
27. Magklaras G, Furnell S. Insider threat prediction tool:
evaluating the probability of IT misuse. Comput Secur.
2002;21(1):62–73. doi:10.1016/S0167-4048(02)00109-8.
28. Phyo AH, Furnell S. A detection-oriented classification
of insider it misuse. Third Security Conference; 2004;
Las Vegas, Nevada, USA.
29. Cappelli D, Moore A, Trzeciak R. The CERT guide to
insider threats: how to prevent, detect, and respond to
information technology crimes (Theft, Sabotage,
Fraud). Boston (MA): Addison-Wesley Professional;
2012.
30. Kim A, Oh J, Ryu J, Lee K. A review of insider threat
detection approaches. IEEE Access. 2020;8:78847–67.
doi:10.1109/ACCESS.2020.2990195.
31. Greitzer FL. Insider threats: it’s the HUMAN, stupid!
Proceedings of the Northwest Cybersecurity Symposium;
2019; Richland, WA.
32. Maasberg M, Beebe NL. The enemy within the insider:
detecting the insider threat. J Inf Privacy Secur. 2014;10
(2):59–70. doi:10.1080/15536548.2014.924807.
33. Kim A, Oh J, Ryu J, Lee K. A review of insider threat
detection approaches with IoT perspective. IEEE
Access. 2020;8:78847–67.
34. Greitzer FL, Frincke DA. Combining traditional cyber
security audit data with psychosocial data: towards pre­
dictive modeling for insider threat mitigation. In:
Probst C, Hunker J, Gollmann D, Bishop M, editors.
Insider threats in cyber security. Advances in informa­
tion security. Vol. 49. Boston (MA): Springer; 2010. p.
85–113. https://doi.org/10.1007/978-1-4419-7133-3_5.
35. Ophoff J, Jensen A, Sanderson-Smith J, Porter M,
Johnston K. A descriptive literature review and classifica­
tion of insider threat research. Proceedings of Informing
Science & IT Education Conference (InSITE) 2014; 2014;
Wollongong.
36. Oladimeji TO, Ayo CK, Adewumi S. Review on insider
threat detection techniques. J Phys Conf Ser. 2019;1299:
012046.
JOURNAL OF COMPUTER INFORMATION SYSTEMS 715
37. Cappelli D, Moore AP, Randazzo MR, Keeney M,
Kowalski E. Insider threat study: illicit cyber activity in
the banking and finance sector. Pittsburgh (PA):
Software Engineering Institute; 2004.
38. Conway T, Keverline S, Keeney M, Kowalski E,
Williams M, Cappelli D, Moore AP, Rogers S,
Shimeall TJ. Insider threat study: computer system
sabotage in critical infrastructure sectors. Pittsburgh
(PA): Software Engineering Institute; 2005.
39. Cummings A, Lewellen T, McIntire D, Moore AP,
Trzeciak RF. Insider threat study: illicit cyber activity
involving fraud in the U.S. Financial services sector.
Pittsburgh (PA): Software Engineering Institute; 2012.
40. Cappelli DM, Desai AG, Moore AP, Shimeall TJ,
Weaver EA, Willke BJ. Management and Education of
the Risk of Insider Threat (MERIT): system dynamics
modeling of computer system sabotage. Carnegie-
Mellon Univ Pittsburgh PA Software Engineering Inst;
2008.
41. Moore AP, Cappelli DM, Trzeciak RF. The “big picture”
of insider IT sabotage across U.S. Critical infrastruc­
tures. In: Stolfo SJ, Bellovin SM, Keromytis AD,
Hershkop S, Smith SW, Sinclair S, editors. Insider attack
and cyber security. Advances in Information Security.
Vol. 39. Boston (MA): Springer; 2008. https://doi.org/
10.1007/978-0-387-77322-3_3.
42. Andersen D, Cappelli D, Gonzalez J, Mojtahedzadeh M,
Moore A, Rich E, Sarriegui J, Shimeall T, Stanton J,
Weaver E, et al. Preliminary system dynamics maps of
the insider cyber-threat problem. Proceedings of the
22nd International Conference of the System dynamics
Society; 2004 July 25–29; Oxford, England.
43. Claycomb WR, Huth CL, Flynn L, McIntire DM,
Lewellen TB. Chronological examination of insider threat
sabotage: preliminary observations. J Wirel Mob Netw
Ubiquitous Comput Dependable Appl. 2012;3:4–20.
44. Costa DL, Collins ML, Perl SJ, Albrethsen MJ,
Silowash GJ, Spooner DL. An ontology for insider
threat indicators development and applications. CEUR
Workshop Proceedings. 1304. 48–53. Proceedings of
the Ninth Conference on Semantic Technologies for
Intelligence, Defense, and Security (STIDS 2014); 2014
November 18–21, Fairfax VA, USA. http://ceur-ws.org/
Vol-1304/.
45. Moore AP, Cappelli D, Caron TC, Shaw ED, Spooner D,
Trzeciak RF. A preliminary model of insider theft of intel­
lectual property. Pittsburgh (PA): Software Engineering
Institute; 2011.
46. Moore AP, Cappelli D, Caron TC, Shaw ED,
Trzeciak RF. Insider theft of intellectual property for
business advantage: a preliminary model. Pittsburgh
(PA): Software Engineering Institute; 2009.
47. CERT Insider Threat Team. Unintentional insider
threats: a foundational study. Pittsburgh (PA): Software
Engineering Insitute; 2013.
48. Cappelli D, Moore A, Trzeciak R, Shimeall TJ. Common
sense guide to prevention and detection of insider
threats 3rd edition – Version 3.1. Pittsburgh (PA):
Software Engineering Institute; 2008.
49. Band SR, Cappelli D, Fischer LF, Moore AP, Shaw ED,
Trzeciak RF. Comparing insider IT sabotage and
716 GEORGIADOU ET AL.
espionage: a model-based analysis. Pittsburgh (PA):
Software Engineering Institute; 2006.
50. Cappelli D, Desai AG, Moore AP, Shimeall TJ, Weaver EA,
Willke BJ. Management and Education of the Risk of Insider
Threat (MERIT): mitigating the risk of sabotage to employ­
ers information, systems, or networks. Pittsburgh (PA):
Software Engineering Institute; 2007.
51. Legg P, Moffat N, Nurse JR, Happa J, Agrafiotis I,
Goldsmith M, Creese S. Towards a conceptual model and
reasoning structure for insider threat detection. J Wirel
Mob Netw Ubiquitous Comput Dependable Appl.
2013;4:20–37.
52. Hanley M. Deriving candidate technical controls and
indicators of insider attack from socio-technical models
and data. Pittsburgh (PA): Software Engineering
Institute; 2011.
53. Shaw ED, Stock HV. Behavioral risk indicators of mal­
icious insider theft of intellectual property: misreading
the writing on the wall. California: Symantec; 2011.
54. Hanley M, Dean T, Schroeder W, Houy M, Trzeciak RF,
Montelibano J. An analysis of technical observations in
insider theft of intellectual property cases. Pittsburgh
(PA): Software Engineering Institute; 2011.
55. Kennedy KA. Management and mitigation of insider
threats. In: Van Hasselt V, Bourke M, editors. Handbook
of behavioral criminology. Cham: Springer; 2017. p.
485–99. https://doi.org/10.1007/978-3-319-61625-4_28.
56. Greitzer FL, Strozer J, Cohen S, Bergey J, Cowley J,
Moore A, Mundie D. Unintentional insider threat: con­
tributing factors, observables, and mitigation. 47th
Hawaii International Conference on System Sciences;
2014; Waikoloa.
57. Hadlington L. The “human factor” in cybersecurity:
exploring the accidental insider. In: McAlaney J,
Frumkin LA, Benson V, editors. Psychological and
behavioral examinations in cyber security. Hershey
(PA): IGI Global; 2018. p. 46–63. doi:10.4018/978-1-
5225-4053-3.ch003.
58. Greitzer FL, Kangas LJ, Noonan C, Dalton A. Identifying
at-risk employees: a behavioral model for predicting poten­
tial insider threats. Richland (WA): Pacific Northwest
National Lab; 2010. https://doi.org/10.2172/1000159 .
59. Greitzer F, Purl J, Leong YM, Becker DS. SOFIT: socio­
technical and organizational factors for insider threat.
2018 IEEE Security and Privacy Workshops (SPW);
2018; San Francisco.
60. Marcus B, Schuler H. Antecedents of counterproductive
behavior at work: a general perspective. J Appl Psychol.
2004;89(4):647–60. doi:10.1037/0021-9010.89.4.647.
61. Martinko MJ, Gundlach MJ, Douglas SC. Toward an
integrative theory of counterproductive workplace beha­
vior: a causal reasoning perspective. Int J Sel Assess.
2002;10(1–2):36–50. doi:10.1111/1468-2389.00192.
62. Georgiadou A, Mouzakitis S, Bounas K, Askounis D. A
cyber-security culture framework for assessing organi­
zation readiness. J Comput Inf Syst. 2020;1–11.
doi:10.1080/08874417.2020.1845583.
63. Blais A-R, Weber EU. A Domain-Specific Risk-Taking
(DOSPERT) scale for adult populations. Judgm Decis
Mak. 2006;1:33–47.
64. Scott SG, Bruce RA. Decision-making style: the
development and assessment of a new measure.
Educ Psychol Meas. 1995;5(5):818–31. doi:10.1177/
0013164495055005017.
65. Strathman A, Gleicher F, Boninger DS, Edwards S. The
consideration of future consequences: weighing immedi­
ate and distant outcomes of behavior. J Pers Soc Psychol.
1994;66(4):742–52. doi:10.1037/0022-3514.66.4.742.
66. Patton JH, Stanford MS, Barratt ES. Factor structure of
the Barratt impulsiveness scale. J Clin Psychol. 1995;51
(6):768–74. doi:10.1002/1097-4679(199511)51:6<768::
AID-JCLP2270510607>3.0.CO;2-1.
67. Cacioppo JT, Petty RE. The need for cognition. J Pers
Soc Psychol. 1982;42(1):116–31. doi:10.1037/0022-
3514.42.1.116.
68. Egelman S, Peer E. Scaling the security wall: devel­
oping a Security Behavior Intentions Scale (SeBIS).
33rd Annual ACM Conference on Human Factors
in Computing Systems; 2015; Seoul Republic of
Korea.
69. Kiser AIT, Porter T, Vequist D. Employee monitoring and
ethics: can they co-exist? Int J Digital Literacy Digital
Competence. 2010;1(4):30–45. doi:10.4018/jdldc.2010100
104.
70. Greitzer FL, Frincke D, Zabriskie M. Social/ethical
issues in predicitve insider threat monitoring. In: Dark
MJ, editor. Information assurance and security ethics in
complex systems: interdisciplinary perspectives.
Hershey (PA): IGI Global; 2011. p. 132–61.
doi:10.4018/978-1-61692-245-0.ch007
71. Energy Shield. Energy Shield; 2019 [accessed 2020 Mar
25]. https://energy-shield.eu/.