
I recently gave an address to the National Insider Threat Special Interest Group’s Symposium and Expo (NITSIG ITS&E), held on March 4 at the Johns Hopkins University Applied Physics Laboratory (JHU-APL, Laurel, Maryland). My talk, titled “Advanced Behavioral Analytics for Predictive Insider Threat Mitigation,” covered my research on insider risk indicators, the SOFIT knowledge base, and the whole-person insider risk mitigation (IRM) approach that has been implemented and deployed by Cogility in its continuous intelligence platform, Cogynt, which integrates artificial intelligence (AI), streaming analytics, and case management to augment IRM decision-making.

At the foundation of this work is the now well-documented and widely promoted whole-person approach to insider threat assessment. In my early work, I developed a “shredded puzzle” graphic to convey a conceptual model for a threat assessment approach that integrates behavioral data and streaming cyber/network data (referred to as technical data) to yield a comprehensive, whole-person predictive analytics model. This hierarchical, pattern-based perspective still guides my thinking and my development of advanced analytic models for insider threat assessment, and it led to the development of the SOFIT (Sociotechnical and Organizational Factors for Insider Threat) integrated framework for modeling insider risk based on behavioral, technical, and organizational factors.

As discussed in an earlier blog post, traditional approaches focusing only on technical indicators will most often alert us only during or after the attack: the whole-person approach helps us to get left of harm. SOFIT was built to facilitate the implementation of this whole-person insider risk mitigation approach. Several features distinguish SOFIT from other potential risk indicator (PRI) frameworks: First, SOFIT provides a comprehensive set of behavioral/psychosocial as well as technical PRIs for insider threats. Second, we work with insider threat analysts to map the set of defined PRIs to the various threat behaviors of interest (e.g., data exfiltration, sabotage, workplace violence, etc.). Cogility works with its growing client base to tailor the PRIs in the SOFIT knowledge base to fit the organization’s mission and priorities.

The model-building process maps individual PRIs to individual threat behaviors, with the recognition that any PRI will have varying degrees of association with different types of insider threats.

There is a wide range of modeling approaches for implementing insider risk tools. The most effective risk assessment tools must have sophisticated modeling capabilities while also enabling the human analyst to easily understand the rationale behind their findings. AI/ML tools and mathematical models like Bayesian networks are highly sophisticated but may seem like “black boxes” to the subject-matter experts. Simpler models like the Counting model (which merely counts the observed PRIs) and the Sum-of-Risk model (which simply adds the risk “weights” of observed PRIs) are less capable, but more understandable. Cogility’s Cogynt model excels by being both highly capable of representing complexity and very transparent.

Indeed, Cogility has employed an approach that’s conceptually equivalent to the shredded puzzle idea that I described years ago. Cogynt implements a pattern-based, hierarchical complex event processing system that performs top-down and bottom-up analyses like those envisioned in the SOFIT framework and that reflects the way experts see the problem.

As an illustrative example of how this model works, consider the case of Gabriel Romero, a Navy Machinist Mate Auxiliary Fireman who performed dry-dock patrol for the fast attack submarine USS Columbia at Pearl Harbor Naval Shipyard. In December 2019, without provocation, he began firing his M-4 rifle at civilians, killing two and wounding a third, before shooting himself with his M-9 pistol. The incident lasted only a few seconds from beginning to end.

Given the compressed timeline, one might conclude that this murder/suicide incident was unavoidable. But further consideration of behavioral and personal history “red flags” suggests otherwise, if only these indicators had been carefully examined. To be sure, Romero was qualified and had authorized access to weapons. But consider this: He had been passed over for promotion and was formally disciplined for repeated tardiness and dereliction of duty. He complained to a shipmate that he was tired of work and of people calling him stupid. In anger, he punched a locker and yelled at a shipmate who suggested that Romero should seek counseling to deal with stress. While not all these incidents were reported, there was sufficient concern about his behavior to refer him to a Force Psychologist, who assessed him as suffering from a “Phase of Life Problem” and problems relating to “psychosocial circumstances.” Clearly, Romero exhibited numerous PRIs—and while each individually may not have been significant enough to alert insider threat analysts, together they paint a serious picture of a troubled, at-risk individual.

The Cogynt model, based on the SOFIT 2.0 framework, identifies this workplace violence threat at least one week before the incident occurred—allowing time for mitigating action to reduce the risk or prevent the attack.

I have used Cogility’s threat assessment approach to examine illustrative examples of many such insider threat incidents and have found that the Cogynt model’s performance is consistently superior. The presentation slides summarize the findings based on several performance measures, including the True Positive rate, False Positive rate, Precision, Recall, and an aggregated F1 score. The Precision score is the percentage of the cases the model predicts to be threats that are in fact TRUE threats. The Recall score is the percentage of all actual threats that the model predicts to be threats. The F1 score is the harmonic mean of precision and recall and represents a general measure of detection performance. In these studies, I have found that the Cogynt model performs substantially better than other models that were examined—for example, I obtain F1 scores for Cogynt that are above 0.90, which represents excellent performance. This contrasts with scores in the range of 0.50 to 0.80 for other methods, which leave much room for improvement.
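To make the contrast between the Counting model, the Sum-of-Risk model and a pattern-based model concrete, and to show how precision, recall and F1 are computed from a model's predictions, here is an added example that is not part of the original post and not Cogility's or SOFIT's code. The PRI names, integer weights, pathway stages and the six labelled cases are all constructed for illustration (the weights are not SOFIT's calibrated values, and the three-stage pattern is a deliberately simple stand-in for a hierarchical model such as Cogynt's). The cases are built so that noisy technical PRIs drive up counts and weight sums without forming a concerning pattern, which is exactly the failure mode the post describes.

```python
"""Compare three insider-risk scoring models on constructed PRI observations
and compute precision / recall / F1 for each.

Added example: PRI names, weights, pattern stages and cases are invented for
illustration; they are not SOFIT's knowledge base or Cogynt's model.
"""
from typing import Callable, Dict, List, Set, Tuple

# Constructed PRI catalogue with illustrative risk weights (1 = low, 4 = high).
PRI_WEIGHTS: Dict[str, int] = {
    "passed_over_promotion": 2,
    "formal_discipline": 3,
    "expressed_frustration": 2,
    "angry_outburst": 4,
    "refused_counseling": 3,
    "mental_health_referral": 4,
    "late_to_work": 1,
    "policy_violation_minor": 1,
    "large_download": 3,
}

# Constructed "critical pathway" stages: a pattern-based model flags a case only
# when every stage has at least one observed PRI (grievance -> escalation -> concern).
PATTERN_STAGES: Dict[str, Set[str]] = {
    "grievance": {"passed_over_promotion", "formal_discipline", "expressed_frustration"},
    "escalation": {"angry_outburst"},
    "concern": {"refused_counseling", "mental_health_referral"},
}

# Constructed cases: (case id, observed PRIs, ground truth "was an actual threat").
CASES: List[Tuple[str, Set[str], bool]] = [
    ("A", {"passed_over_promotion", "formal_discipline", "expressed_frustration",
           "angry_outburst", "refused_counseling", "mental_health_referral"}, True),
    ("B", {"late_to_work", "policy_violation_minor", "large_download",
           "passed_over_promotion", "expressed_frustration"}, False),
    ("C", {"formal_discipline", "angry_outburst", "refused_counseling",
           "mental_health_referral"}, True),
    ("D", {"late_to_work", "policy_violation_minor", "large_download",
           "formal_discipline", "expressed_frustration", "passed_over_promotion"}, False),
    ("E", {"late_to_work"}, False),
    ("F", {"expressed_frustration", "angry_outburst"}, False),
]


def counting_model(pris: Set[str], threshold: int = 5) -> bool:
    """Counting model: flag when the number of observed PRIs reaches the threshold."""
    return len(pris) >= threshold


def sum_of_risk_model(pris: Set[str], threshold: int = 10) -> bool:
    """Sum-of-Risk model: flag when the summed PRI weights reach the threshold."""
    return sum(PRI_WEIGHTS.get(p, 0) for p in pris) >= threshold


def pattern_model(pris: Set[str]) -> bool:
    """Pattern model: flag only when every pathway stage is represented."""
    return all(pris & stage for stage in PATTERN_STAGES.values())


def evaluate(model: Callable[[Set[str]], bool]) -> Dict[str, float]:
    """Run a model over CASES and return the confusion counts plus P / R / F1.

    Zero-denominator cases (e.g. a model that never flags anything) yield 0.0
    rather than raising ZeroDivisionError.
    """
    tp = fp = fn = tn = 0
    for _, pris, actual in CASES:
        predicted = model(pris)
        if predicted and actual:
            tp += 1
        elif predicted and not actual:
            fp += 1
        elif not predicted and actual:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if (tp + fp) else 0.0
    recall = tp / (tp + fn) if (tp + fn) else 0.0
    f1 = 2 * precision * recall / (precision + recall) if (precision + recall) else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": precision, "recall": recall, "f1": f1}


MODELS: Dict[str, Callable[[Set[str]], bool]] = {
    "counting": counting_model,
    "sum_of_risk": sum_of_risk_model,
    "pattern": pattern_model,
}


def compare_models() -> Dict[str, Dict[str, float]]:
    """Evaluate every model and return the metrics keyed by model name."""
    return {name: evaluate(model) for name, model in MODELS.items()}


if __name__ == "__main__":
    for name, m in compare_models().items():
        print(f"{name:12s} P={m['precision']:.2f} R={m['recall']:.2f} "
              f"F1={m['f1']:.2f}  (TP={m['tp']} FP={m['fp']} FN={m['fn']} TN={m['tn']})")
```

On this constructed data the Counting model flags cases B and D (many low-weight technical PRIs) and misses C, the Sum-of-Risk model still flags D, and only the pattern model separates the two true threats from the noise. The point is the shape of the comparison, not the numbers: a model that looks at how indicators combine along the pathway can have fewer false positives than one that counts or sums them independently, and the same `evaluate` routine is what turns any model's predictions into the precision, recall and F1 figures the post reports.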

In summary, here are five take-aways:

  • First, PRIs should reflect concerning behaviors or events along the critical pathway so you can adopt a proactive, positive mitigation strategy
  • Second, it’s best to distinguish the threat behavior types that you are interested in when mapping and calibrating PRIs
  • Third, your risk modeling approach should reflect patterns of PRIs, instead of merely independently computing the separate risks of observed PRIs
  • Fourth, the SOFIT ontology provides a solid framework for doing this…
  • And fifth, the Cogynt platform is uniquely suited to implementing this behavioral analytic approach, and its threat analysis and case management capabilities represent a “force multiplier.”
