To cite this article: Anna Georgiadou, Spiros Mouzakitis & Dimitris Askounis (2022) Detecting
Insider Threat via a Cyber-Security Culture Framework, Journal of Computer Information
Systems, 62:4, 706-716, DOI: 10.1080/08874417.2021.1903367
ABSTRACT
Insider threat has been recognized by both scientific community and security professionals as one of the gravest security hazards for private companies, institutions, and governmental organizations. Extended research on the types, associated internal and external factors, detection approaches and mitigation strategies has been conducted over the last decades. Various frameworks have been introduced in an attempt to understand and reflect the danger posed by this threat, whereas multiple identified cases have been classified in private or public databases. This paper aims to present how a cyber-security culture framework with a clear focus on the human factor can assist in detecting possible threats of both malicious and unintentional insiders. We link current insider threat categories with specific security domains of the framework and introduce an assessment methodology of the core contributing parameters. Specific approach takes into consideration technical, behavioral, cultural, and personal indicators and assists in identifying possible security perils deriving from privileged individuals.

KEYWORDS
Insider threat; cyber-security culture framework; security assessment; behavioral indicators; detection
CONTACT Anna Georgiadou ageorgiadou@epu.ntua.gr Decision Support Systems Laboratory, National Technical University of Athens, Iroon
Polytechniou 9, Zografou 15780, Greece.
© 2021 International Association for Computer Information Systems
JOURNAL OF COMPUTER INFORMATION SYSTEMS 707
This paper presents a methodology for evaluating the insider threat based on a cyber-security culture framework with emphasis on the aspects of the human factor. Section 2 presents background information regarding current research related to the insider threat. Building upon the wide range of these studies, a security culture framework is presented in Section 3, in an attempt to evaluate the insider peril for an organization. Thus, we relate each of the identified categories and related variables with specific security parameters of the individual and organization level of the presented framework. In Section 4, we present how our framework could detect different insider threat scenarios if applied in practice. In Section 5, we outline a number of considerations and limitations regarding the proposed methodology. Finally, Section 6 concludes with the importance and impact of the proposed framework for enterprises as well as areas of further research and potential future applications.

Background

Insider Threat has been attributed numerous definitions over the years. A workshop report in 2004 defined the insider threat as actions of “a malicious insider, acting either alone or in concert with someone ‘on the outside’ of these systems”.13(p1) Bishop defines insider threat as an event occurring when “a trusted entity abuses the given power to violate one or more rules in a given security policy”.14(p77) According to Greitzer et al., “insider threat refers to harmful acts that trusted insiders might carry out; for example, something that causes harm to the organization, or an unauthorized act that benefits the individual.”15(p61) Hunker and Probst argue that “an insider threat is [posed by] an individual with privileges who misuses them or whose access results in misuse”.16(p7) CERT National Insider Threat Center proceeds in defining both malicious insider, “a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, availability, or physical well-being of the organization’s information, information systems, or workforce”, and unintentional insider, “a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and who, through their action/inaction without malicious intent causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems”.17(p3)

Not surprisingly, a proportional variety of insider threat taxonomies can be found in literature.18 One of the earliest classifications was proposed by Anderson in 1980 who distinguished three types of illicit inside users19:

Masquerader: who can be either an external penetrator who has succeeded in bypassing security controls, or an employee with full access to a computer system who intends to exploit another legitimate user’s credentials.

Legitimate User: who does not masquerade, but instead abuses his/her own privileges in order to misuse the system, and

Clandestine User: who has or can seize supervisory controls staying under the radar of security countermeasure.

A much similar approach was presented by Salem et al. many years later, in 2008, distinguishing two categories of insider attacks: masqueraders and traitors.20 Masqueraders were defined as attackers who succeed in stealing legitimate users’ identity and impersonate other users for malicious purposes whereas traitors are legitimate users within an organization who have been granted access to systems and information resources, but whose actions are counter to policy, and whose goal is to negatively affect confidentiality, integrity, or availability of some information asset.

Numerous similar approaches exist clearly underlining motivation behind the insiders’ behavior and actions differentiating deliberate from unintentional security violations.9,21–23 Granted privileges, technical knowledge, and security policies’ familiarity is also emphasized.24–26 Many researchers progressed further by suggesting classifications of the insiders based on different criteria such as professional relationship with or potential consequences and harm to the violated organization or even based on the target system at which an attack may be detected.9,27,28

One of the most recognizable and commonly accepted insider threat categorization is the one proposed by the “Insider Threat Study”, a joint project conducted by the Secret Service and the Software Engineering Institute CERT Program at Carnegie Mellon University.29–36 Since 2001, the CERT National Insider Threat Center has conducted a variety of research projects on insider threat based on an expanded corpus of more than 1,500 cases from organizations across all industries.17,37–39 Their scientific contribution is demonstrated via a variety of publications throughout their long-standing presence in the domain.40–44 Though the attack methods vary depending on the industry, they have identified, analyzed, and presented via several technical reports the main insider threat types and their subcategories (Figure 1):
708 GEORGIADOU ET AL.
[Figure 1: insider threat types and their subcategories. Labels recoverable from the figure: Insider Threat; Entitled Independent; Ambitious Leader.]
Information Technology (IT) Sabotage: Use of IT to direct specific harm toward an organization or an individual.11

Intellectual Property (IP) Theft: Purposely abuse one’s credentials to steal confidential or proprietary information from the organization.45,46

security culture framework. In the following paragraphs we shall unfold a methodology which, starting from the CERT Insider Threat types and their key contributing factors, progresses to an evaluation process of the key elements responsible for a robust cyber-security culture.
analyzing which parameters, how and why have been clustered.

Dissatisfaction

Stressful events, either work-related or personal, typically precede insider attacks.23,37,38,49 Examples of such events include employee dismissal, disputes with employers, perceived injustices, transfers or demotions, salary reductions, family problems.60,61 Dissatisfaction resulting from stressful events triggers concerning behaviors in individuals predisposed to malicious acts.

Personality predispositions

Personality predispositions include serious mental health disorders, personality issues (e.g. self-esteem deficits, patterns of biased perceptions of self and others), addictions, social skills, and decision-making deficits, history of legal, security, or procedural rule violations.13,55,57,58 Specific personality traits, such as openness, extraversion, agreeableness, conscientiousness, risk perception, and tolerance, which have been identified as related to specific security behaviors, have also been included in this umbrella term.57,59

Enterprise role

The position an insider holds within an organization (e.g. technical, managerial) along with the special skills, knowledge, privileges (e.g. domain or system administrator, advanced user), and access granted may seriously differentiate both the possibility as well as the type of insider threat posed against the enterprise he/she works for.13,37,48,50,51

Concerning behavior

Concerning behaviors, including personnel and security violations, precede the vast majority of insider cases prior to their attacks.49 Examples of such behaviors include tardiness, truancy, arguments with coworkers, poor job performance, security violations.13,38,49,50,56

Employee profile

Employee profile, built based on a number of human attributes such as age, gender, tenure, level of seniority, have been examined in many cases of insider incidents and credited with a contributing role to the overall insider threat predisposition.38,48 Since these attributes are only parameters in a multidimensional issue, it is only fair to
approach suggests taking advantage of a more generic security framework, used to evaluate and assess the security culture of both individuals and organization, in order to measure, analyze and suggest possible insider perils.

During the last period, we have developed a cyber-security culture framework for assessing and evaluating the current security readiness of an organization’s workforce.62 It is founded on a model divided into two levels: organizational, referring to all security technological infrastructure, operations and countermeasures, and individual, targeting employees’ characteristics, behavior, attitude and performance. Each level is consisted of different dimensions analyzed further into domains as presented in Figure 2.

Specific framework examines how external environmental and organizational factors interact with individual features and traits affecting, inducing, and finally dictating the overall cyber-security culture of an organization. It bridges the siloed information security approaches, focusing on the technical infrastructure, frameworks and standards, with the academic research attempts, trying to understand the anthropological and social point of view. As such, it sets the basis for assisting companies in the development of assessment instruments and tools using a holistic approach toward information security. By doing so, it contributes to properly targeting and adjusting training programs to the needs of the organizations’ workforce enforcing and improving their commitment and overall performance.

Suggested evaluation methodology utilizes several assessment techniques varying from simple surveys and tests to sophisticated simulations and serious gaming. It has been designed so as to adjust to any size and kind of organization regardless of its operation, specialization, and domain. Alongside, the proposed scoring methodology, respecting the dynamic nature of the framework, varies from simple weighted average/sum methods to multi-criteria analysis techniques.

Insider threat assessment

Our ultimate goal being to identify possible insider threats to an organization based on its cyber-security culture assessment, we proceeded in identifying the
security domains of our framework directly related to the 11 key insider threat factors presented in the previous paragraphs. Evaluation results from these security domains could assist in pinpointing potential insider risks when examined in combination as presented in Table 3.

As anticipated, insider threat risk is mainly addressed by the individual level of the suggested framework which relates with the employee attitude, awareness, competency, and behavior. In order to address the detailed personality predispositions dictated by the insider threat factors and link them directly with the “Behavior” of the individuals, we enriched the controls used for the evaluation of this security dimension of our framework. More specifically, we enhanced the “Security Agent Persona” and the “Security Behavior” domains by including measurement instruments exploring a variety of psychological constructs related to security behavior, such as Domain-Specific Risk-Taking Scale,63 General Decision-Making Style,64 Consideration for Future Consequences,65 Barratt Impulsiveness Scale,66 Need for Cognition,67 Security Behavior Intentions Scale.68

The few organizational dimensions and domains which contribute to the overall insider risk assessment are directly linked to the physical and digital access control management along with the security compliance auditing, monitoring, and incident response management. Consequently, proposed framework may indeed identify, among other possible cyber-threats or deficiencies, insider perils given a specific working reality.

Application

To demonstrate how based on our cyber-security culture framework’s assessment results one can identify possible insider vulnerabilities, we apply it to two case studies.

Case 1 – tax office manager engaged in fraud

“A tax office employed the insider as a manager. The insider had detailed knowledge of the organization’s computer systems and helped design the organization’s newly implemented computer system. The insider convinced management that her department’s activities should be processed outside of this new system. All records for the insider’s department were maintained manually, on paper, and were easily manipulated. Over 18 years, the insider issued more than 200 fraudulent checks, totaling millions of dollars. The insider had at least nine accomplices, insiders and outsiders, with unspecified roles in the scheme. One of the insider’s external accomplices, her niece, deposited checks into the bank accounts of the fake companies and then distributed the funds to various members of the conspiracy. The incident was detected when a bank teller reported a suspicious check for more than $400,000. The insider was arrested, convicted, and ordered to pay $48 million in restitution, $12 million in federal taxes, and $3.2 million in state taxes. She was also sentenced to 17.5 months of imprisonment. One of the insider’s motivations was that she enjoyed acting as a benefactor, giving coworkers money for things like private school tuition, funerals, and clothing. The insider avoided suspicion by telling her coworkers that she had received a substantial family inheritance. The generous insider also spent a substantial amount of money on multiple homes, each valued at several million dollars, luxury cars, designer clothing and accessories, jewelry, and other lavish items. At the
time of her arrest, the insider had $8 million in her bank account. The insider apparently endured a traumatic childhood, leading her to abuse drugs and alcohol and develop a substantial gambling habit”.17(p60)

This fraud case study is detectable both by individual and organizational level domains’ evaluation. Starting from the latter, Access Management, Audit Logs Management and Information Security Policy & Compliance domains would bear a critical alerting score for the specific department since no control over the information, access, elaboration, and work results of that employee unit was possible using technological means by the company. Additionally, Employee Profiling results for the insider orchestrating this sophisticated fraud plan would also be crossing warning thresholds as a senior manager with a good technical knowledge. And, although not common in fraud case scenarios, Security Agent Persona scores would have underlined concerning findings regarding the personality predispositions of specific individual.

Case 2 – an electronic warfare signals specialist for the Army committed espionage

“An electronic warfare signals specialist for the Army, fled to East Germany with a laptop computer and military secrets on 20 February and voluntarily returned 4 March 1989 to plead guilty to espionage. He was sentenced to 30 years in a military prison. Even after his court-martial, authorities were at a loss to explain what had happened. He said he made an impulsive mistake, that he felt overworked and unappreciated in his job for the 11th Armored Cavalry Regiment in Fulda, West Germany. His work involved operating equipment that detects enemy radar and other signals. He had been described as ‘a good, clean-cut soldier’ with a ‘perfect record.’ During his tour of duty in Germany he had been promoted and twice was nominated for a soldier of the month award.”49(p86)

This case could have easily been detected by our framework since it exhibits almost all of the security factors contributing to an espionage scenario. Employee Satisfaction and Security Agent Persona domains’ assessment would have revealed his emotional state and apparent dissatisfaction, his decision-making biases and possible personality predispositions, which based on testimonies and coworkers’ observations were not easily detectable. And, although he exhibited good behavior prior to the incident (therefore Security Behavior and Policies and Procedures Compliance domain would probably bear a non-alerting score), the lack of proper physical access controls and detection of rule violations in the organization level (corresponding to alerting organizational domains’ scores), along with his warning individual scores, would have identified him as an employee requesting attention. Most importantly, security culture campaigns (iterative evaluation procedures described within our cyber-security culture framework) would have assisted in proactively engaging both parties and possibly preventing this incident.

Considerations and limitations

Insider threat is tightly connected to individual’s personality traits, behavior, attitude, beliefs, and skills. Security indicators, which need to be assessed, closely rely on psychological evaluations, auditing of digital footprint within the working environment (actual or electronic) and/or simple observation and reporting techniques.69 Consequently, legal and ethical issues arise and need to be treated with proper respect in order to protect employees’ rights against discrimination and privacy violation.70 Enterprises ought to carefully examine the “why, how and when” security policies and procedures apply and, most importantly, ensure employees willingly consent to any auditing and monitoring technology or techniques used. Investing time, effort and funds on educating human resources on the topics of information security and insider risk is most probably the best way to cultivate a deep and robust cyber-security culture founded on mutual respect between the employer and the employee.

Conclusion and future work

Insider Threat is a lasting and, more importantly, under-addressed cybersecurity threat in the working reality. Understanding what motivates and transforms a reliable insider to an intentionally or unintentionally malicious one has been troubling researchers for many decades triggering countless scientific attempts deriving from human resource management, working psychology, information technology and security sciences.

In this paper, we have presented an approach based on a cyber-security framework aiming to assess dimensions and domains directly related to the key indicators formulating fertile ground for insider mistakes or attacks. We identify, classify and analyze security factors related to the different insider threat types based on a literature review. We then proceed in linking them with the suggested cyber-security culture framework attributes aiming in assessing the insider risk and revealing under-addressed security facets in the corporate environment which might facilitate, encourage or even trigger human-related cyber-attacks.

Our final goal is to assist both organizations and employees in understanding the threat and to cultivate a robust and vigorous security culture that prevents dissatisfaction, emotional stress as well as any financial,
legal, and ethical issues that afflict both parties. Diminishing the insider threat benefits both employees, arming them against continuously evolving cyber-crime and enforcing their professional skills and profile, and organizations, reducing the security perils by one.

Our next steps focus on utilizing the presented insider threat prediction schema on the electrical power and energy systems supply chain, in the context of the EnergyShield research project’s ongoing pilot applications.71 Results and feedback obtained from these application scenarios shall assist us in further evolving our insider threat evaluation effort, possibly revealing unexploited security facets.

Acknowledgments

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 832907.

Funding

This work was supported by the European Union’s Horizon 2020 research and innovation programme under the EnergyShield project “Integrated Cybersecurity Solution for the Vulnerability Assessment, Monitoring and Protection of Critical Energy Infrastructures” under Grant [832907].

ORCID

Anna Georgiadou http://orcid.org/0000-0002-0078-6969
Spiros Mouzakitis http://orcid.org/0000-0001-9616-447X
Dimitris Askounis http://orcid.org/0000-0002-2618-5715

Conflicts of interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References

1. Ponemon Institute. 2020 cost of insider threats: global report. Ponemon Institute; 2020.
2. Verizon. 2020 data breach investigations report. Verizon; 2020.
3. Tessian. Securing the future of hybrid working. Tessian; 2020.
4. The 2020 state of remote work. Buffer & AngelList; 2020.
5. Gheyas IA, Abdallah AE. Detection and prediction of insider threats to cyber security: a systematic literature review and meta-analysis. Big Data Anal. 2016;1(6). doi:10.1186/s41044-016-0006-0.
6. Schulze H. 2020 insider threat survey report. Gurucul; 2020.
7. Luckey D, Stebbins D, Orrie R, Rebhan E, Bhatt SD, Beaghley S. Assessing continuous evaluation approaches for insider threats: how can the security posture of the U.S. Departments and Agencies be improved? Santa Monica (CA): RAND Corporation; 2019. https://www.rand.org/pubs/research_reports/RR2684.html.
8. Ko LL, Divakaran DM, Liau YS, Thing VL. Insider threat detection and its future directions. Int J Secur Netw. 2017;12(3):168–87. doi:10.1504/IJSN.2017.084391.
9. Cole E, Ring S. Insider threat: protecting the enterprise from sabotage, Spying, and Theft. Rockland (MA): Syngress; 2005.
10. Kim A, Oh J, Ryu J, Lee J, Kwon K, Lee K. SoK: a systematic review of insider threat detection. J Wirel Mob Netw. 2019;10:46–67.
11. Greitzer FL, Purl J, Leong YM, Sticha PJ. Positioning your organization to respond to insider threats. IEEE Eng Manag Rev. 2019;47(2):75–83. doi:10.1109/EMR.2019.2914612.
12. Tessian. The state of Data Loss Prevention (DLP) 2020. Tessian; 2020.
13. Anderson RH, Brackney R. Understanding the insider threat: proceedings of a March 2004 workshop. Santa Monica (CA): RAND Corporation; 2004. https://www.rand.org/pubs/conf_proceedings/CF196.html.
14. Bishop M. Position: “insider” is relative. Proceedings of the 2005 Workshop on New Security Paradigms; 2005; Lake Arrowhead, California.
15. Greitzer FL, Moore AP, Cappelli DM, Andrews DH, Carroll LA, Hull TD. Combating the insider cyber threat. IEEE Secur Priv. 2008;6(1):61–64. doi:10.1109/MSP.2008.8.
16. Hunker J, Probst CW. Insiders and insider threats - an overview of definitions and mitigation techniques. J Wirel Mob Netw Ubiquitous Comput Dependable Appl. 2011;2:4–27.
17. Theis M, Trzeciak RF, Costa DL, Moore AP, Miller S, Cassidy T, Claycomb WR. Common sense guide to mitigating insider threats. 6th ed. Pittsburgh (PA): Carnegie Mellon University; 2020.
18. Homoliak I, Toffalini F, Guarnizo J, Elovici Y, Ochoa M. Insight into insiders and IT: a survey of insider threat taxonomies, analysis, modeling, and countermeasures. ACM Comput Surv. 2019;52(2):1–40. doi:10.1145/3303771.
19. Anderson JP. Computer security threat monitoring and surveillance. Fort Washington (PA): James P Anderson Company; 1980.
20. Salem MB, Hershkop S, Stolfo SJ. A survey of insider attack detection research. In: Stolfo SJ, Bellovin SM, Keromytis AD, Hershkop S, Smith SW, Sinclair S, editors. Insider attack and cyber security. Advances in information security. Vol. 39. Boston (MA): Springer; 2008. p. 69–90. https://doi.org/10.1007/978-0-387-77322-3_5.
21. Bellovin SM. The insider attack problem nature and scope. In: Stolfo SJ, Bellovin SM, Keromytis AD, Hershkop S, Smith SW, Sinclair S, editors. Insider attack and cyber security. Advances in information security. Vol. 39. Boston (MA): Springer; 2008. p. 1–4. https://doi.org/10.1007/978-0-387-77322-3_1.
22. Hayden MV. The insider threat to US government information systems. National Security Telecommunications And Information Systems Security Committee; 1999; Fort Meade.
23. Shaw E, Fischer LF. Ten tales of betrayal: the threat to corporate infrastructure by information technology. Monterey (CA): Defense Personnel Security Research Center; 2005.
24. Myers J, Grimaila MR, Mills RF. Towards insider threat detection using web server logs. Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies; 2009; Oak Ridge Tennessee.
25. Claycomb WR, Nicoll A. Insider threats to cloud computing: directions for new research challenges. IEEE 36th Annual Computer Software and Applications Conference; 2012; Izmir.
26. Bishop M, Gates C. Defining the insider threat. Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead; 2008; Oak Ridge, Tennessee.
27. Magklaras G, Furnell S. Insider threat prediction tool: evaluating the probability of IT misuse. Comput Secur. 2002;21(1):62–73. doi:10.1016/S0167-4048(02)00109-8.
28. Phyo AH, Furnell S. A detection-oriented classification of insider it misuse. Third Security Conference; 2004; Las Vegas, Nevada, USA.
29. Cappelli D, Moore A, Trzeciak R. The CERT guide to insider threats: how to prevent, detect, and respond to information technology crimes (Theft, Sabotage, Fraud). Boston (MA): Addison-Wesley Professional; 2012.
30. Kim A, Oh J, Ryu J, Lee K. A review of insider threat detection approaches. IEEE Access. 2020;8:78847–67. doi:10.1109/ACCESS.2020.2990195.
31. Greitzer FL. Insider threats: it’s the HUMAN, stupid! Proceedings of the Northwest Cybersecurity Symposium; 2019; Richland, WA.
32. Maasberg M, Beebe NL. The enemy within the insider: detecting the insider threat. J Inf Privacy Secur. 2014;10(2):59–70. doi:10.1080/15536548.2014.924807.
33. Kim A, Oh J, Ryu J, Lee K. A review of insider threat detection approaches with IoT perspective. IEEE Access. 2020;8:78847–67.
34. Greitzer FL, Frincke DA. Combining traditional cyber security audit data with psychosocial data: towards predictive modeling for insider threat mitigation. In: Probst C, Hunker J, Gollmann D, Bishop M, editors. Insider threats in cyber security. Advances in information security. Vol. 49. Boston (MA): Springer; 2010. p. 85–113. https://doi.org/10.1007/978-1-4419-7133-3_5.
35. Ophoff J, Jensen A, Sanderson-Smith J, Porter M, Johnston K. A descriptive literature review and classification of insider threat research. Proceedings of Informing Science & IT Education Conference (InSITE) 2014; 2014; Wollongong.
36. Oladimeji TO, Ayo CK, Adewumi S. Review on insider threat detection techniques. J Phys Conf Ser. 2019;1299:012046.
37. Cappelli D, Moore AP, Randazzo MR, Keeney M, Kowalski E. Insider threat study: illicit cyber activity in the banking and finance sector. Pittsburgh (PA): Software Engineering Institute; 2004.
38. Conway T, Keverline S, Keeney M, Kowalski E, Williams M, Cappelli D, Moore AP, Rogers S, Shimeall TJ. Insider threat study: computer system sabotage in critical infrastructure sectors. Pittsburgh (PA): Software Engineering Institute; 2005.
39. Cummings A, Lewellen T, McIntire D, Moore AP, Trzeciak RF. Insider threat study: illicit cyber activity involving fraud in the U.S. Financial services sector. Pittsburgh (PA): Software Engineering Institute; 2012.
40. Cappelli DM, Desai AG, Moore AP, Shimeall TJ, Weaver EA, Willke BJ. Management and Education of the Risk of Insider Threat (MERIT): system dynamics modeling of computer system sabotage. Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst; 2008.
41. Moore AP, Cappelli DM, Trzeciak RF. The “big picture” of insider IT sabotage across U.S. Critical infrastructures. In: Stolfo SJ, Bellovin SM, Keromytis AD, Hershkop S, Smith SW, Sinclair S, editors. Insider attack and cyber security. Advances in Information Security. Vol. 39. Boston (MA): Springer; 2008. https://doi.org/10.1007/978-0-387-77322-3_3.
42. Andersen D, Cappelli D, Gonzalez J, Mojtahedzadeh M, Moore A, Rich E, Sarriegui J, Shimeall T, Stanton J, Weaver E, et al. Preliminary system dynamics maps of the insider cyber-threat problem. Proceedings of the 22nd International Conference of the System dynamics Society; 2004 July 25–29; Oxford, England.
43. Claycomb WR, Huth CL, Flynn L, McIntire DM, Lewellen TB. Chronological examination of insider threat sabotage: preliminary observations. J Wirel Mob Netw Ubiquitous Comput Dependable Appl. 2012;3:4–20.
44. Costa DL, Collins ML, Perl SJ, Albrethsen MJ, Silowash GJ, Spooner DL. An ontology for insider threat indicators development and applications. CEUR Workshop Proceedings. 1304. 48–53. Proceedings of the Ninth Conference on Semantic Technologies for Intelligence, Defense, and Security (STIDS 2014); 2014 November 18–21, Fairfax VA, USA. http://ceur-ws.org/Vol-1304/.
45. Moore AP, Cappelli D, Caron TC, Shaw ED, Spooner D, Trzeciak RF. A preliminary model of insider theft of intellectual property. Pittsburgh (PA): Software Engineering Institute; 2011.
46. Moore AP, Cappelli D, Caron TC, Shaw ED, Trzeciak RF. Insider theft of intellectual property for business advantage: a preliminary model. Pittsburgh (PA): Software Engineering Institute; 2009.
47. CERT Insider Threat Team. Unintentional insider threats: a foundational study. Pittsburgh (PA): Software Engineering Institute; 2013.
48. Cappelli D, Moore A, Trzeciak R, Shimeall TJ. Common sense guide to prevention and detection of insider threats 3rd edition – Version 3.1. Pittsburgh (PA): Software Engineering Institute; 2008.
49. Band SR, Cappelli D, Fischer LF, Moore AP, Shaw ED, Trzeciak RF. Comparing insider IT sabotage and espionage: a model-based analysis. Pittsburgh (PA): Software Engineering Institute; 2006.
50. Cappelli D, Desai AG, Moore AP, Shimeall TJ, Weaver EA, Willke BJ. Management and Education of the Risk of Insider Threat (MERIT): mitigating the risk of sabotage to employers information, systems, or networks. Pittsburgh (PA): Software Engineering Institute; 2007.
51. Legg P, Moffat N, Nurse JR, Happa J, Agrafiotis I, Goldsmith M, Creese S. Towards a conceptual model and reasoning structure for insider threat detection. J Wirel Mob Netw Ubiquitous Comput Dependable Appl. 2013;4:20–37.
52. Hanley M. Deriving candidate technical controls and indicators of insider attack from socio-technical models and data. Pittsburgh (PA): Software Engineering Institute; 2011.
53. Shaw ED, Stock HV. Behavioral risk indicators of malicious insider theft of intellectual property: misreading the writing on the wall. California: Symantec; 2011.
54. Hanley M, Dean T, Schroeder W, Houy M, Trzeciak RF, Montelibano J. An analysis of technical observations in insider theft of intellectual property cases. Pittsburgh (PA): Software Engineering Institute; 2011.
55. Kennedy KA. Management and mitigation of insider
60. Marcus B, Schuler H. Antecedents of counterproductive behavior at work: a general perspective. J Appl Psychol. 2004;89(4):647–60. doi:10.1037/0021-9010.89.4.647.
61. Martinko MJ, Gundlach MJ, Douglas SC. Toward an integrative theory of counterproductive workplace behavior: a causal reasoning perspective. Int J Sel Assess. 2002;10(1–2):36–50. doi:10.1111/1468-2389.00192.
62. Georgiadou A, Mouzakitis S, Bounas K, Askounis D. A cyber-security culture framework for assessing organization readiness. J Comput Inf Syst. 2020;1–11. doi:10.1080/08874417.2020.1845583.
63. Blais A-R, Weber EU. A Domain-Specific Risk-Taking (DOSPERT) scale for adult populations. Judgm Decis Mak. 2006;1:33–47.
64. Scott SG, Bruce RA. Decision-making style: the development and assessment of a new measure. Educ Psychol Meas. 1995;5(5):818–31. doi:10.1177/0013164495055005017.
65. Strathman A, Gleicher F, Boninger DS, Edwards S. The consideration of future consequences: weighing immediate and distant outcomes of behavior. J Pers Soc Psychol. 1994;66(4):742–52. doi:10.1037/0022-3514.66.4.742.
66. Patton JH, Stanford MS, Barratt ES. Factor structure of the Barratt impulsiveness scale. J Clin Psychol. 1995;51
threats. In: Van Hasselt V, Bourke M, editors. Handbook (6):768–74. doi:10.1002/1097-4679(199511)51:6<768::
of behavioral criminology. Cham: Springer; 2017. p. AID-JCLP2270510607>3.0.CO;2-1.
485–99. https://doi.org/10.1007/978-3-319-61625-4_28. 67. Cacioppo JT, Petty RE. The need for cognition. J Pers
56. Greitzer FL, Strozer J, Cohen S, Bergey J, Cowley J, Soc Psychol. 1982;42(1):116–31. doi:10.1037/0022-
Moore A, Mundie D. Unintentional insider threat: con 3514.42.1.116.
tributing factors, observables, and mitigation. 47th 68. Egelman S, Peer E. Scaling the security wall: devel
Hawaii International Conference on System Sciences; oping a Security Behavior Intentions Scale (SeBIS).
2014; Waikoloa. 33rd Annual ACM Conference on Human Factors
57. Hadlington L. The “human factor” in cybersecurity: in Computing Systems; 2015; Seoul Republic of
exploring the accidental insider. In: McAlaney J, Korea.
Frumkin LA, Benson V, editors. Psychological and 69. Kiser AIT, Porter T, Vequist D. Employee monitoring and
behavioral examinations in cyber security. Hershey ethics: can they co-exist? Int J Digital Literacy Digital
(PA): IGI Global; 2018. p. 46–63. doi:10.4018/978-1- Competence. 2010;1(4):30–45. doi:10.4018/jdldc.2010100
5225-4053-3.ch003. 104.
58. Greitzer FL, Kangas LJ, Noonan C, Dalton A. Identifying 70. Greitzer FL, Frincke D, Zabriskie M. Social/ethical
at-risk employees: a behavioral model for predicting poten issues in predicitve insider threat monitoring. In: Dark
tial insider threats. Richland (WA): Pacific Northwest MJ, editor. Information assurance and security ethics in
National Lab; 2010. https://doi.org/10.2172/1000159 . complex systems: interdisciplinary perspectives.
59. Greitzer F, Purl J, Leong YM, Becker DS. SOFIT: socio Hershey (PA): IGI Global; 2011. p. 132–61.
technical and organizational factors for insider threat. doi:10.4018/978-1-61692-245-0.ch007
2018 IEEE Security and Privacy Workshops (SPW); 71. Energy Shield. Energy Shield; 2019 [accessed 2020 Mar
2018; San Francisco. 25]. https://energy-shield.eu/.