Early work in countering insider threats was influenced by cybersecurity defenses that focused on detecting technical violations identified by monitoring audit data from host/network cyber activities. The incorporation of behavioral factors provides an opportunity to recognize at-risk individuals early — i.e., “left of harm” — before they would otherwise be identified by more reactive methods that only examine technical indicators. Unfortunately, many insider risk programs are reluctant to adopt a more holistic, “whole person” approach.
By focusing merely on physical/host/network/cloud audit data that is more readily obtained, insider threat programs miss the human side of the problem. Compared with typical reactive programs that limit analysis to technical data, programs that incorporate behavioral data monitoring and analytics (deriving from Human Resources, Security, Performance Reviews, Financial, Criminal, etc.) can gain insight about personal predispositions, precipitating events (stressors), or concerning behaviors that reveal at-risk individuals who show behavioral signs weeks or months prior to the incident.
The Federal Insider Threat Program was established in 2012 by Presidential Executive Order (EO) 13587. The National Insider Threat Task Force was also established to provide guidance and promote best practices. This September, the Under Secretary of Defense for Intelligence and Security (USD(I&S)), the National Insider Threat Task Force (NITTF), and the Defense Counterintelligence and Security Agency (DCSA) have partnered with other organizations to promote National Insider Threat Awareness Month. Beyond insider threat awareness, organizations are encouraged to establish a Counter-Insider Threat (C-InT) program. If you have a program in place, you should examine its features to identify any possible improvements, including establishing a whole-person approach to insider threat assessment.
Consider the following ingredients to support an effective C-InT program:
- Organize a team with broad knowledge of your operations, mission, and vulnerabilities.
- Identify the organization’s critical assets: physical, virtual, and human.
- Audit your systems and protective strategies that guard against insider threats. This includes specifying and fine-tuning insider risk indicators, their association with insider threat types, and the scope of data sources to support insider threat monitoring and mitigation.
- Incorporate integrated technical solutions that provide real-time monitoring and streaming data analysis of a wide range of insider threat data sources and respective potential risk indicators (PRIs). To meet or exceed best practices, the approach should evaluate behavioral and technical indicators and apply evidence-based behavioral science findings.
The Sociotechnical and Organizational Factors for Insider Threat (SOFIT) ontology is a knowledge base of more than 300 PRIs that includes hundreds of technical (cybersecurity), behavioral, and psychological indicators that may contribute to insider threats, organized into a hierarchy of classes and sub-classes. SOFIT is uniquely positioned to support a more proactive, whole-person approach to insider risk mitigation and has been applied within Cogility’s C-InT solution.
To achieve a more proactive, positive insider risk program, management must foster a change in organizational culture that promotes sharing of information across stakeholder departments (HR, Security) and adoption of supportive rather than punitive methods to proactively mitigate insider risk. The characteristics of the most effective whole-person C-InT programs include:
- Discourage silos and encourage participation of all stakeholders in the C-InT program.
- Instill a security culture that acknowledges everyone’s role in maintaining a successful security posture.
- Adopt a supportive, not punitive approach to insider threat mitigation that encourages identifying at-risk individuals, preventing threats, and helping troubled individuals find “offramps” prior to insider incidents.
- Embrace a whole-person approach to C-InT that goes beyond technical controls and enables the sharing of behavioral data (HR and other public sources).