A Risk Management Approach to the "Insider Threat"
Abstract Recent surveys indicate that the financial impact and operating losses due to insider intrusions are increasing. But these studies often disagree on what constitutes an insider; indeed, many define it only implicitly. In theory, appropriate selection of, and enforcement of, properly specified security policies should prevent legitimate users from abusing their access to computer systems, information, and other resources. However, even if policies could be expressed precisely, the natural mapping between the natural language expression of a security policy, and the expression of that policy in a form that can be implemented on a computer system or network, creates gaps in enforcement. This paper defines insider precisely, in terms of these gaps, and explores an access-based model for analyzing threats that include those usually termed insider threats. This model enables an organization to order its resources based on the business value for that resource and of the information it contains. By identifying those users with access to high-value resources, we obtain an ordered list of users who can cause the greatest amount of damage. Concurrently with this, we examine psychological indicators in order to determine which users are at the greatest risk of acting inappropriately.We conclude by examining how to merge this model with one of forensic logging and auditing.
- Research Organization:
- Pacific Northwest National Lab. (PNNL), Richland, WA (United States)
- Sponsoring Organization:
- USDOE
- DOE Contract Number:
- AC05-76RL01830
- OSTI ID:
- 1000628
- Report Number(s):
- PNNL-SA-69376; TRN: US201101%%425
- Resource Relation:
- Related Information: Insider Threats in Cyber Security, Advances in Information Security, 49:115-137
- Country of Publication:
- United States
- Language:
- English
Similar Records
Microbial Forensics: A Scientific Assessment
Domestic Extremism: Countering the Threat Posed to Critical Assets