
Introduction

In December 2019, Machinist Mate Auxiliary Fireman Gabriel Romero reported for watch turnover aboard the dry-docked Fast Attack Submarine USS Columbia at Pearl Harbor Naval Shipyard, taking possession of an M-4 rifle and an M-9 pistol for use in the roving Dry Dock patrol. Without provocation, he began firing his M-4 rifle at civilians, killing two and wounding a third, before shooting himself with his M-9 pistol. The incident lasted only a few seconds from beginning to end.

Given the compressed timeline, one might conclude that this murder/suicide incident was unavoidable. But further consideration of behavioral and personal history "red flags" suggests otherwise, if only these indicators had been carefully examined. To be sure, Romero was qualified for armed Topside Roving Patrol and therefore had access to weapons. But consider this: he had been passed over for promotion and was formally disciplined for repeated tardiness and dereliction of duty. He complained to a shipmate that he was tired of work and of people calling him stupid. In anger, he punched a locker and yelled at a shipmate who suggested that he should seek counseling to deal with stress. While not all of these incidents were reported, there was sufficient concern about his behavior to refer him to a Force Psychologist, who assessed him as suffering from a "Phase of Life Problem" and problems relating to "psychosocial circumstances." There were also reports of two motor vehicle accidents within a year, as well as a bad family situation. Clearly, Romero exhibited numerous potential risk indicators (PRIs). While each individually may not have been significant enough to alert insider threat analysts, together they paint a serious picture of a troubled, at-risk individual.

This workplace violence case—and many other insider threat cases such as Robert Hanssen (espionage) and Chelsea Manning (data exfiltration/unauthorized disclosure)—reveal a pattern of concerning behaviors that occurred prior to the insider threat incident [1,2]. Behavioral indicators in the Manning case include interpersonal conflicts and being bullied, mental health issues, and a demotion. The Hanssen case exposed PRIs relating to job dissatisfaction, a sense of self-importance, excessive debt, and living beyond one's means.

The challenge is, what are we to make of these concerning behaviors? When are they of sufficient concern to merit the attention of an insider threat analyst? How does one weigh the importance of potential risk indicators (PRIs) that are observed in a risk profile? And how can this be done in a way that is proactive rather than reactive? In this piece, I discuss the challenges of assigning weights to PRIs in building an Insider Risk profile as part of an effective insider risk triage program.

Roots

Modern Counter-Insider Threat programs evolved from the world of cybersecurity, in which network and host monitoring tools generate alerts and analysts react. In adopting this legacy, tech-centric approach for insider threats, however, the first programs never truly got "left of harm." Instead, the analyst was always playing catch-up and was quickly overwhelmed by the outputs of a disparate set of analytic tools.

Over time, there has been a growing acknowledgment in the Insider Threat analyst community that behavioral factors also need to be identified and tracked. The resulting social-organizational-technical ("Whole Person") approach allows the analyst to spot early red flags and so detect potential threats before they take shape. However, this still leaves human analysts with the task of making complex judgments about these indicators, exposing the whole process to inconsistency and bias.

Even decision support tools, such as artificial intelligence/machine learning (AI/ML) approaches trained on outcomes or expert judgments of past events, have their limitations: because such training predisposes the human-computer team to "fight the last war" rather than the next, the approach is likely to be surprised by never-before-seen scenarios. The problem is further complicated by the fact that perpetrators of insider crimes act normally most of the time, until they don't, so there may be nothing anomalous to detect until the harmful act itself. Thus, ML approaches that focus on anomaly detection may offer the wrong paradigm for proactively identifying insider threats.

Decision support tools are needed for human experts who will always be in-the-loop, but who require added computational power and expert-informed models to overcome their own cognitive limitations. These triage tools need to know what PRIs are important and how to gauge their weights, i.e., the PRI’s degree of association with insider risk.

Characterizing Potential Risk Indicators

Numerous works have attempted to characterize insider risk indicators. An early taxonomy by Wood [3] specified attributes relating to malicious insider behavior. Magklaras and Furnell [4] created a broad taxonomy focusing on misuse, including both accidental and intentional misuse. Based on many case studies revealing that insiders leave a trail of cyber activity, Maybury et al. [5] developed a taxonomy of cyber events and their associated observables for detecting malicious insider behavior. Costa et al. [6] developed an ontology of insider threat indicators that focused on cyber events. Building upon this research and taking many case studies into account, I spent many years as a Chief Scientist at the DOE's Pacific Northwest National Laboratory working with experts in the cybersecurity, insider threat, and human resources fields to define a broad, robust set of insider threat PRIs. Later, through my PsyberAnalytix consulting company efforts, I was fortunate to lead a project funded by IARPA that, along with collaborators from George Mason University and HumRRO, produced the SOFIT (Sociotechnical and Organizational Factors for Insider Threat) PRI ontology [7]. Important features of SOFIT set it apart from other taxonomies:

  • SOFIT includes a large set of behavioral indicators in addition to the more traditional technical indicators focusing on cyber/network events
  • The PRIs defined in SOFIT are mapped to various insider threat behaviors of concern (e.g., data theft/exfiltration, workplace violence, sabotage, fraud, unintentional insider threats)
  • SOFIT also specifies a set of organizational factors (distinct from individual factors) in an effort to account for ways that organizational attributes such as security policies and practices, management styles, and organizational climate can impact the growth of insider threats.

After developing SOFIT, we set about acquiring expert judgments of PRI weights—the degree of association between a PRI and insider threat behaviors of concern.

Modeling PRI Weights

To better understand how PRIs inform the risk analysis process, I developed several alternative models that reflect the association between PRIs and insider threat behaviors. A simple quantitative model using the SOFIT framework served as a basis of comparison for the other models: the Counting Model merely uses the number of observed PRIs for a case to assess its level of risk. Because this model implicitly assumes that all PRIs are equivalent, the prioritization of risk is based simply on the PRI count. Even though this simple model represents some current approaches and practice, it is clearly incorrect: my research tapping human expert judgments showed conclusively that expert analysts do not weigh all PRIs the same, i.e., the PRIs do not all represent equal insider threat risk. In fact, the Counting Model accounts for only about twenty percent of the variance in expert judgments of the level of risk for insider threat cases [7].

I also tried an approach that obtained judgments of “level of concern” (on a scale of 0-100). For example, PRIs relating to attendance issues rated in the mid-30s, while low-conscientiousness and unreliability received a modest 50. By contrast, advocating violence rated around 90. Most of the cyber/technical indicators were assigned relatively high weights above 70, and some of the most serious actions (e.g., use of a keystroke logger) rated in the 90s.

These estimated weights were used in more sophisticated models. One of these, the Sum-of-Risk Model, adds the weights of the PRIs observed in a case to derive an estimate of its level of risk. In this research we also found a way to relate the "level of concern" estimates to probability values, using a likelihood ratio approach [8], which allowed us to test additional probabilistic models (e.g., Bayesian belief networks). A strong finding, however, was that while each of the more sophisticated models performed much better than the Counting Model, none could account for more than 50-60% of the variance in expert judgments [7,8].

Something was very wrong….

After thinking long and hard about my attempts over many years to acquire expert judgments of PRI weights, I hypothesized that I was dealing with two separate confounding problems. First, obtaining human judgments of probabilistic PRI weights is extremely challenging. People (even experts) are not good at estimating probabilities of rare events and their probability estimates are systematically biased [9]. Also, when engaging with experts, the elicitation method I used likely allowed them to conflate PRI severity and probability. This adds “noise” to the models, increasing error/variability.

The second problem, in my opinion, is that most quantitative models treat PRIs in isolation from one another: i.e., they assume that PRIs contribute independently to an expert’s judgment of risk. On the contrary, some combinations of PRIs represent more than merely the sum of their individual PRI parts; some combinations form patterns that, like clues in a Sherlock Holmes story, point more strongly to an Insider threat.

Another Tactic for Tapping Expert Probability Judgments

By this time I had joined forces with Cogility Software, where I serve as Chief Behavioral Scientist. To address the first problem, instead of asking experts to estimate probabilities directly, my Cogility colleagues and I now ask them about odds (ratios of probabilities). Research by Daniel Kahneman and Amos Tversky (particularly their Prospect Theory [10]) suggests that people are better at estimating odds than at directly estimating probabilities. Specifically, we ask experts to compare the baseline or prior odds of a given insider threat type (with no PRI observed) with the posterior odds of that threat given the observation of a particular PRI; the ratio of the two is the likelihood ratio for that PRI. If knowing that a certain PRI has been observed has no effect on your assessment of the likelihood of a given threat behavior, the odds are unchanged (a likelihood ratio of 1:1), reflecting the absence of any relationship between the PRI and the behavior. If, on the other hand, knowing that a PRI (such as a past financial crime) significantly increases the likelihood of a threat behavior (say, fraud), the odds would be judged to increase greatly (a likelihood ratio of, e.g., 5:1 or 10:1). From these likelihood ratio judgments we can derive probability weights: posterior odds are the prior odds multiplied by the likelihood ratio, and odds convert back to a probability as odds/(1 + odds). This type of rating focuses the expert's attention on likelihood and strength of association, uncontaminated by notions of severity or impact, which helps to reduce the "noise" in the ratings.
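As an added illustration (not code from the original post, from Cogility, or from the SOFIT project), the following Python compares the Counting Model and Sum-of-Risk Model from the "Modeling PRI Weights" section with the odds-form Bayesian update built from elicited likelihood ratios described just above, on two constructed cases. The PRI names, level-of-concern weights, likelihood ratios and the 1% base rate are hypothetical and only loosely follow the ranges quoted in the text; the method used in [8] to map level-of-concern ratings onto probabilities is not reproduced here. Multiplying the per-PRI likelihood ratios is exactly the conditional-independence assumption the next section criticizes.

```python
from math import prod

# Hypothetical "level of concern" weights on the 0-100 scale described in the
# text.  Loosely modelled on the ranges quoted there; NOT the published SOFIT
# weights.
CONCERN = {
    "attendance_issues": 35,
    "low_conscientiousness": 50,
    "financial_crime_history": 60,
    "unauthorized_data_access": 75,
    "advocating_violence": 90,
    "keystroke_logger": 95,
}

# Hypothetical expert likelihood ratios, one table per threat type: the factor
# by which observing the PRI multiplies the odds of that threat relative to the
# baseline.  A value of 1.0 (or an absent entry) means "no association".
LIKELIHOOD_RATIO = {
    "fraud": {"financial_crime_history": 9.0, "low_conscientiousness": 2.0},
    "data_exfiltration": {
        "unauthorized_data_access": 6.0,
        "keystroke_logger": 11.0,
        "low_conscientiousness": 1.5,
    },
}


def counting_score(pris):
    """Counting Model: every PRI counts the same; risk is the number of distinct PRIs."""
    return len(set(pris))


def sum_of_risk(pris):
    """Sum-of-Risk Model: add the level-of-concern weight of each observed PRI."""
    return sum(CONCERN[p] for p in set(pris))


def probability_to_odds(p):
    return p / (1.0 - p)


def odds_to_probability(odds):
    return odds / (1.0 + odds)


def posterior_probability(threat, pris, base_rate):
    """Odds-form Bayes: prior odds x product of per-PRI likelihood ratios = posterior odds.

    Taking the product treats the PRIs as conditionally independent, which is
    the simplification the text identifies as a weakness of these models.
    """
    table = LIKELIHOOD_RATIO[threat]
    combined_lr = prod(table.get(p, 1.0) for p in set(pris))
    return odds_to_probability(probability_to_odds(base_rate) * combined_lr)


def triage(cases, base_rate=0.01):
    """Score every case under all three models; returns {case_id: {model: score}}."""
    scored = {}
    for case_id, pris in cases.items():
        scored[case_id] = {
            "count": counting_score(pris),
            "sum_of_risk": sum_of_risk(pris),
            **{
                f"p_{threat}": round(posterior_probability(threat, pris, base_rate), 4)
                for threat in LIKELIHOOD_RATIO
            },
        }
    return scored


# Constructed cases (not real data).  A has more PRIs, B has heavier ones.
CASES = {
    "A": ["attendance_issues", "low_conscientiousness", "financial_crime_history"],
    "B": ["unauthorized_data_access", "keystroke_logger"],
}

if __name__ == "__main__":
    for case_id, scores in triage(CASES).items():
        print(case_id, scores)
```

The Counting Model ranks A above B (three PRIs versus two), Sum-of-Risk reverses that ordering, and the likelihood-ratio model adds something neither flat score can express: the posterior is specific to a threat type, so B is far more likely to be a data-exfiltration case (about 0.4 at a 1% base rate) while its fraud probability stays at the baseline.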

Addressing PRI Dependencies

As for the problem of treating PRIs as independent constructs, the solution was to develop more sophisticated models. Now, to an extent, ML approaches can be trained on expert judgments of observed combinations of PRIs, but as noted before, this approach will not generalize easily to novel exploits.

Instead, a pattern-based approach can be applied to identify complex relationships that reflect not only individual combinations of PRIs but also never-before-observed patterns of PRIs defined in terms of higher-order abstractions. I have long espoused the concept of pattern-based inference at increasing levels of abstraction, as illustrated in the "shredded puzzle" graphic used in several of my early publications on insider threat assessment [11].

This approach is effectively implemented in Cogility’s AI/Expert System based continuous intelligence platform, Cogynt, which uses pattern-based, hierarchical complex event processing (HCEP) to identify patterns of PRIs at increasing levels of abstraction that are associated with insider threat behavior profiles.

To understand how this pattern-based approach works, consider the hypothetical case of “Bob” – an employee who exhibits five PRIs:

  • Having been passed over for promotion (PRI-1), Bob expresses feelings of disgruntlement with his current position (PRI-2). He then gains unauthorized access to sensitive data (PRI-3), inserts an external USB drive without authorization (PRI-4), and afterward deletes audit logs to hide evidence of inappropriate data access (PRI-5).

Now, if we were – in retrospect – to simply aggregate all five risk weights of these observed PRIs, this after-the-fact analysis would likely yield a moderate-to-high risk score. But if we were to continuously examine combinations of PRIs as they are observed, we would recognize early on that there is a suspicious combination of PRI-1, PRI-2, and PRI-3 that indicates an elevated risk for data exfiltration. When the observation of PRI-4 occurs, this suspicion would become acute and proactive mitigation would be appropriate.

This demonstrates the utility of assessing risk of PRI patterns, beyond the accumulation of independent PRI weights. Applying this pattern-recognition approach at higher-level abstractions enhances the effectiveness of this triage support by representing and evaluating evidence in ways that more closely reflect how threat analysts think about the problem: A black-box ML approach can learn the specific pattern illustrated above—but suppose that Bob uses an unknown file sharing website to exfiltrate the data instead of event PRI-4 involving a USB stick. If this specific pattern has not previously been observed, then the ML approach will not assign increased risk to it. In contrast, the HCEP approach that defines patterns based on higher-level abstractions would recognize either instance of PRI-4 as an occurrence of a higher-level “Data Transfer” pattern, and thus it would facilitate a proactive response (left of harm).
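To make the contrast concrete, here is a small Python sketch of a two-level abstraction, added here as an illustration; it is not Cogynt's implementation and not a SOFIT pattern definition. Concrete observables are first mapped to PRI categories, so that an unauthorized USB insertion and an upload to an unknown file-sharing site both become a "data_transfer" category, and an ordered exfiltration pattern is then evaluated over those categories as events arrive, reporting a risk level after each one rather than only in retrospect. The observable names, categories, pattern and risk ladder are all constructed for this example.

```python
from dataclasses import dataclass

# Abstraction level 1 (hypothetical): concrete observable -> PRI category.
# Two different concrete events, an unauthorized USB insertion and an upload to
# an unknown file-sharing site, collapse to the same "data_transfer" category,
# so a pattern written over categories matches either instance.
ABSTRACTION = {
    "passed_over_for_promotion": "career_setback",
    "disgruntlement_expressed": "disgruntlement",
    "unauthorized_sensitive_access": "unauthorized_access",
    "usb_device_inserted_unauthorized": "data_transfer",
    "upload_to_unknown_filesharing_site": "data_transfer",
    "audit_log_deleted": "evidence_concealment",
}

# Abstraction level 2 (hypothetical): an ordered data-exfiltration pattern over
# PRI categories, and the risk level reached once the first N stages have been
# observed, in order, for the same subject.
EXFIL_PATTERN = [
    "career_setback",
    "disgruntlement",
    "unauthorized_access",
    "data_transfer",
    "evidence_concealment",
]
RISK_BY_STAGE = ["none", "low", "low", "elevated", "acute", "acute"]


@dataclass(frozen=True)
class Event:
    t: int           # arrival order
    subject: str     # the person the observable concerns
    observable: str  # concrete event name as an HR or sensor feed would emit it


class ExfilPatternTracker:
    """Per subject, how many leading stages of the pattern have matched in order.

    State is updated one event at a time, so the risk level is available as
    soon as a prefix of the pattern completes, not only after all five PRIs.
    Events outside the pattern (or unknown observables) leave the state alone;
    in a full system they would still carry their individual PRI weight.
    """

    def __init__(self, pattern=EXFIL_PATTERN, risk_by_stage=RISK_BY_STAGE):
        self.pattern = pattern
        self.risk_by_stage = risk_by_stage
        self.stage = {}  # subject -> number of pattern stages matched so far

    def observe(self, event):
        """Process one event; return the subject's risk level after it."""
        category = ABSTRACTION.get(event.observable)  # None: not a PRI we model
        s = self.stage.get(event.subject, 0)
        if category is not None and s < len(self.pattern) and category == self.pattern[s]:
            s += 1
        self.stage[event.subject] = s
        return self.risk_by_stage[s]


def replay(events):
    """Feed events in arrival order; return (t, subject, risk) after each one."""
    tracker = ExfilPatternTracker()
    return [(e.t, e.subject, tracker.observe(e)) for e in sorted(events, key=lambda e: e.t)]


def first_time_at(events, level):
    """Arrival index at which `level` is first reported, or None if never."""
    for t, _, risk in replay(events):
        if risk == level:
            return t
    return None


# Constructed event streams (not real data): Bob as described in the text, and
# a variant in which the USB insertion is replaced by a web upload.
BOB_USB = [
    Event(0, "bob", "passed_over_for_promotion"),
    Event(1, "bob", "disgruntlement_expressed"),
    Event(2, "bob", "unauthorized_sensitive_access"),
    Event(3, "bob", "usb_device_inserted_unauthorized"),
    Event(4, "bob", "audit_log_deleted"),
]
BOB_WEB = [
    Event(e.t, e.subject, "upload_to_unknown_filesharing_site" if e.t == 3 else e.observable)
    for e in BOB_USB
]

if __name__ == "__main__":
    for stream in (BOB_USB, BOB_WEB):
        print(replay(stream))
```

Both streams reach "elevated" at the third event and "acute" at the fourth, even though the fourth concrete observable differs between them; a model that had only ever seen the USB variant as a literal five-event signature would have no entry for the web-upload variant. A USB insertion on its own, with no preceding stages, does not advance the pattern at all.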

Conclusion

While some in the Counter-Insider Threat community eschew quantitative approaches in identifying risk, I believe that joint human-computer decision-making offers the best way forward. The challenge is finding the right threat assessment model to aggregate the combined effects of observed PRIs with varying weights. As I have described, the latest efforts that use Likelihood Ratio estimates for PRI weights and a pattern-based hierarchical modeling approach using the SOFIT PRI knowledge base have yielded important insights and advancements that have moved us closer to achieving highly effective Whole Person solutions.


References

  1. Shaw, E. D., & Fisher, L. F. (2005). Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technologies Insiders—Analysis and Observations. PERSEREC Technical Report 05-13. https://archive.org/details/DTIC_ADA441293
  2. Jaros, S. L., Rhyner, K. J., McGrath, S. M., & Gregory, E. R. (2019). The Resource Exfiltration Project: Findings from DoD Cases, 1985-2017. PERSEREC, Office of People Analytics, Technical Report PERSEREC-TR-1902.
  3. Wood, B. (2000). An Insider Threat Model for Adversary Simulation. In R. H. Anderson, T. Bozek, T. Longstaff, W. Meitzler, M. Skroch, & K. Van Wyk (Eds.), Proceedings of the Research on Mitigating the Insider Threat on Information Systems (No. 2, Appendix B, pp. 41-48), August 30 – September 1, Arlington, Virginia. RAND Corporation.
  4. Magklaras, G. B., & Furnell, S. M. (2002). Insider threat prediction tool: Evaluating the probability of IT misuse. Computers & Security, 21(1), 62-73.
  5. Maybury, M., Chase, P., Cheikes, B., Brackney, D., Matzner, S., Hetherington, T., Wood, B., Sibley, C., Marin, J., Longstaff, T., Spitzner, L., Haile, J., Copeland, J., & Lewandowski, S. (2005). Analysis and detection of malicious insiders. In Proceedings of the 2005 International Conference on Intelligence Analysis, May 2-4, McLean, VA. The MITRE Corporation.
  6. Costa, D. L., Collins, M., Perl, J. S., Albrethsen, J. M., Silowash, J. G., & Spooner, D. (2014). An Ontology for Insider Threat Indicators. In K. B. Laskey, I. Emmons, & P. C. G. Costa (Eds.), Proceedings of the Ninth Conference on Semantic Technologies for Intelligence, Defense, and Security (STIDS 2014), pp. 48-53.
  7. Greitzer, F. L., Purl, J., Leong, Y. M., & Becker, D. E. (2018). SOFIT: Sociotechnical and Organizational Factors for Insider Threat. In IEEE Security and Privacy Workshops (SPW), Workshop on Research for Insider Threat (WRIT), San Francisco, CA, May 24, 2018, pp. 197-206. DOI: 10.1109/SPW.2018.00035
  8. Greitzer, F. L., Purl, J., Sticha, P. J., Yu, M. C., & Lee, J. (2021). Use of Expert Judgments to Inform Bayesian Models of Insider Threat Risk. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), 12(2), 3-47. DOI: 10.22667/JOWUA.2021.06.30.003 https://dx.doi.org/10.22667/JOWUA.2021.06.30.003
  9. Harris, A. J. L., Corner, A. A., & Hahn, U. (2009). Estimating the Probability of Negative Events. Cognition, 110(1), 51-64.
  10. Kahneman, D., & Tversky, A. (1979). Prospect Theory: An Analysis of Decision under Risk. Econometrica, 47(2), 263-291. DOI: 10.2307/1914185
  11. Greitzer, F. L., & Frincke, D. A. (2010). Combining Traditional Cyber Security Audit Data with Psychosocial Data: Towards Predictive Modeling for Insider Threat Mitigation. In C. W. Probst, J. Hunter, D. Gollmann, & M. Bishop (Eds.), Insider Threats in Cyber Security (pp. 85-113). New York: Springer.
