
As a leading developer of the SOFIT (Sociotechnical and Organizational Factors for Insider Threat) taxonomy of insider risk indicators or PRIs (potential risk indicators), I always appreciate hearing about experiences from users of SOFIT – successes or challenges – in operational settings.
Originally developed for the IARPA SCITE program in the 2016-2020 timeframe, SOFIT has been used in many diverse insider risk management programs. Recently, with Cogility Software I created a streamlined version of this knowledge base that has a simplified hierarchical structure and that accommodates some of the recent risk modeling efforts that Cogility Software has applied to its Cogynt decision intelligence platform with an integrated SOFIT taxonomy. The new, derivative version of the taxonomy, which is available to download from Cogility’s website as the SOFIT2.0 taxonomy, provides an updated listing of individual and organizational insider threat PRIs using a simplified, three-level hierarchy. The new taxonomy also provides suggested mappings of PRIs to risk behaviors, which serves as an initial framework that organizations can tailor or build upon by specifying risk indicator weights to be used by quantitative risk assessment models such as Cogynt.
After we made the taxonomy available from the Cogility website, I was pleased to hear from members of the counter insider threat community who examined the new knowledge base. I’m especially grateful for substantial feedback from Dr. Vincent Verdult, who leads the Insider Threat Intelligence team for the Netherlands Police. Dr. Verdult's team has been actively using the SOFIT framework for both insider threat detection rules and case analysis. He expressed satisfaction with the new SOFIT2.0 structure after having migrated his team's internal descriptions and analyzed cases to the updated version.
In an extended conversation with me, Dr. Verdult provided valuable feedback on specific aspects of SOFIT2.0. For example, Dr. Verdult noticed that the important subclass of major life events was overlooked in the migration of PRIs from the original SOFIT framework. He pointed to “… a study done in the Netherlands showing that personal stressors played a role in 45% of 117 cases of unauthorized disclosure of sensitive information in 2015/2016, and similar findings reported in a 2013 CPNI study in the UK.” This inadvertent omission has been corrected by reinstating a Personal Stressors subclass in SOFIT2.0. Here’s a list of key refinements and improvements that were inspired by my exchange with Dr. Verdult:
- Consolidation of similar PRIs: PRI 128 ("Accessing systems and applications at off-hours") was merged into PRI 121 ("Working at Unusual Hours") due to the reduced distinction in modern work environments. Similarly, there was too much overlap between PRI 962 “Copy large amount of data offline” and PRI 968 “Anomalous volume of data transferred to removable media,” so PRI 968 was changed to “Excessive Printing of Documents.”
- Clarification of PRI scope: While PRI 168 ("Misuse of organization’s IT system") was retained, its focus was clarified to emphasize compliance issues.
- Reclassification of PRIs: PRI 746 ("Enabling or facilitating an extremist or terrorist group") was moved from the "Belief" subclass to "Affiliations" (now PRI 723), as it represents an action rather than a belief. Consequently, PRI 747 was renumbered to PRI 746.
- Correction of typos and redundancies: A typo was corrected, clarifying that PRI 959 is "Encrypted Protocols" and PRI 963 is "Excessively large downloads." The description for PRI 982 “Data System Corruption” was refined to distinguish it from PRI 981 “Delete or Edit Audit Logs.”
- Integration of overlooked categories: The crucial "Major Life Events" category was reinstated as a new sub-class 850 "Personal Stressors," with new PRIs for relationship break-up, death of a family member/close friend, and significant personal injury. "Orphaned account" was also re-instated as PRI 985.
- Refinement of threat types and labels: "Unintentional Insider Threat" was added as an associated threat type for PRI 221 ("Lost security badge"), and "Espionage" was added for PRI 223 ("Travel policy violation"). PRI 992's title was simplified to "Excessive number of VPN or web browsing sessions to or from foreign locations."
- Internationalization of language: The terminology was updated to use "foreign" instead of "non-US" and "government" instead of "U.S. government" to enhance global applicability.
- Improved clarity of organizational factors: PRI 1911 was renamed "Deficient security awareness training," merging its description with "Inadequate security awareness training." The "Hiring-firing practices" (PRI 1957) were reclassified into a distinct sub-class, 1990 "Hiring/Firing Practices," encompassing 1991 "Failing to identify a candidate’s suspicious behavior" and 1992 "Mishandling a contentious employee termination."
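Two practical consequences of the changes listed above are that detection rules written against the original SOFIT numbering must be remapped to SOFIT2.0 ids, and that organizations are expected to supply their own PRI weights for a quantitative model. The following is an added illustration, not code from SOFIT2.0, Cogility or Cogynt: the PRI numbers, titles and the renumbering table come from this post, while the subclass labels, all weights, the `score_subject` scoring scheme and the sample observations are constructed assumptions for the example.

```python
"""Added example: remapping legacy SOFIT rule ids to SOFIT2.0 and scoring a
subject with organization-tailored PRI weights. Not part of SOFIT2.0 or Cogynt;
subclass labels, weights and sample data are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PRI:
    pri_id: int
    subclass: str   # abbreviated label, an assumption (not SOFIT2.0's own class text)
    title: str      # title as listed in the post
    weight: float   # constructed default weight, not a SOFIT2.0 value


# PRI ids and titles are taken from the post; subclass labels and weights are assumed.
SOFIT2 = {p.pri_id: p for p in [
    PRI(121, "Unusual work patterns", "Working at Unusual Hours", 1.0),
    PRI(168, "IT misuse", "Misuse of organization's IT system", 2.0),
    PRI(221, "Security violations", "Lost security badge", 1.0),
    PRI(223, "Security violations", "Travel policy violation", 1.5),
    PRI(723, "Affiliations", "Enabling or facilitating an extremist or terrorist group", 5.0),
    PRI(959, "Data exfiltration", "Encrypted Protocols", 2.0),
    PRI(962, "Data exfiltration", "Copy large amount of data offline", 3.0),
    PRI(963, "Data exfiltration", "Excessively large downloads", 3.0),
    PRI(968, "Data exfiltration", "Excessive Printing of Documents", 2.0),
    PRI(981, "System sabotage", "Delete or Edit Audit Logs", 4.0),
    PRI(985, "Account hygiene", "Orphaned account", 1.5),
    PRI(992, "Data exfiltration",
        "Excessive number of VPN or web browsing sessions to or from foreign locations", 2.5),
]}

# Original SOFIT id -> SOFIT2.0 id, from the consolidation and reclassification items above.
RENUMBERED = {128: 121, 746: 723, 747: 746}

# PRIs whose meaning changed: legacy rules citing them need an analyst's review.
NEEDS_REVIEW = {
    968: "title changed to 'Excessive Printing of Documents'",
    1957: "split into 1991 and 1992 under new sub-class 1990",
}


def migrate_rule_ids(legacy_ids):
    """Remap the PRI ids referenced by one legacy rule in a single pass.

    One dict lookup per id is deliberate: applying the map repeatedly would
    chain 747 -> 746 -> 723 and silently turn a renumbering into a reclassification.
    Returns (sorted unique SOFIT2.0 ids, list of (legacy id, reason) needing review).
    """
    migrated, review = set(), []
    for old in legacy_ids:
        migrated.add(RENUMBERED.get(old, old))
        if old in NEEDS_REVIEW:
            review.append((old, NEEDS_REVIEW[old]))
    return sorted(migrated), review


def score_subject(observed_ids, overrides=None):
    """Weighted sum of distinct observed PRIs, with per-organization weight overrides.

    Returns (total, per-subclass breakdown). Ids absent from the taxonomy are
    ignored rather than guessed, so stale rule output cannot inflate a score.
    """
    overrides = overrides or {}
    total, by_subclass = 0.0, {}
    for pri_id in set(observed_ids):
        pri = SOFIT2.get(pri_id)
        if pri is None:
            continue
        w = overrides.get(pri_id, pri.weight)
        total += w
        by_subclass[pri.subclass] = by_subclass.get(pri.subclass, 0.0) + w
    return total, by_subclass


if __name__ == "__main__":
    # Constructed sample: a legacy rule citing ids 746, 747, 128 and 968.
    print(migrate_rule_ids([746, 747, 128, 968]))
    # Constructed sample observations for one subject; 999 is not a SOFIT2.0 id.
    print(score_subject([121, 963, 963, 999]))
    print(score_subject([121, 963], overrides={963: 5.0}))
```

The single-pass remap is the edge case worth noting: because old PRI 747 became 746 and old PRI 746 became 723, a migration that loops until nothing changes would misfile every legacy 747 reference under Affiliations.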
In thanking Dr. Verdult for his comments, I reiterated that user feedback is warmly appreciated. He replied “I am convinced the new 2.0 structure is an improvement: Much easier to navigate and interpret. It is good to know that SOFIT is still actively maintained.”
The updated version of SOFIT2.0 is available here.