Insiders who seek to destroy, steal, or leak sensitive information pose a serious threat to enterprises. An insider threat is an individual with authorized access to an organization’s network, system, or data who intentionally (or unintentionally) misuses that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems. Annual industry surveys consistently show that insiders pose the second greatest cybersecurity threat, exceeded only by hackers, and that insider attacks are the costliest to organizations. Spanning nearly two decades, a strong theme of my research has been to develop insider threat models that integrate relevant human behavioral and psychological factors with technical factors associated with host and network cybersecurity monitoring systems.
This lecture will discuss research on sociotechnical factors for insider threat and continuing challenges to identify, integrate, and validate cyber and behavioral indicators of insider threat risk into effective detection and mitigation approaches. I will describe a comprehensive ontology of sociotechnical and organizational factors for insider threat (SOFIT) and the current state of research attempting to define qualitative and quantitative models for insider threat assessment. Also discussed are several possible tech-transfer application concepts to show how the ontology may be used by the insider threat research and operational communities.