Advanced analytic techniques are key to conducting a whole-person continuous evaluation of an employee, but there are a host of challenges to implementing this type of insider threat system.
The continuous evaluation process for predicting insider threats suggested in Carnegie Mellon’s 2015 Software Engineering Institute report and in other sources—and required by the National Insider Threat Task Force, National Background Investigative Bureau and Department of Defense Insider Threat Mitigation and Analysis Center—demands the application of advanced techniques to achieve the desired whole-person risk rating.
Aside from the network analysis tools described previously, insider threat continuous evaluation assessment programs will require some or all of the following techniques to effectively predict insider threats (as described by an April 2017 Intelligence and National Security Alliance report):
In addition, recent advances in the broader artificial intelligence and cognitive computing fields will likely affect insider threat analysis.
Five challenges to automating insider threat evaluations
Though big data analytics and the whole-person concept of continuous evaluations can provide the opportunity to more quickly and automatically identify potential insider threats, such evaluations are not without several related challenges.
Insider threats pose a significant danger to government—and commercial—organizations. The access and trust afforded to employees, while necessary for mission accomplishment, expose organizational vulnerabilities to malicious insiders. Three government organizations—the National Insider Threat Task Force, the National Background Investigative Bureau, and the Department of Defense Insider Threat Management and Analysis Center—are key to achieving the goal of detecting and preventing insider threat attacks. These organizations are guiding efforts to shift insider threat programs from current, IT-based efforts to automated, whole-person risk-rating systems. The automated systems will enable organizational insider threat programs to quickly identify and react to the indicators of potential insider threats, thus mitigating their effects or preventing them altogether. These automated systems will require the implementation of advanced analytic techniques to discern a potential insider threat from benign employee behavior. The challenges of implementing such systems are many—not the least of which are the significant technological requirements and statutory limitations.
Though this blog series focused on the automated detection of potential insider threats, a key component of any insider threat program is the employee. A common theme among the research conducted for this blog series has been the ever-increasing importance for all employees to be engaged in the organization’s mission to prevent insider threats from harming the organization. Just as ongoing cyberattacks require all employees to be vigilant in their network activity, so too does the potential for insider threats. As a recent IBM Center blog noted, cybersecurity must be “a positive part of the culture—an integral element of an organizational standard way of operating, not a separate silo.” This premise is equally true regarding insider threats.
Disclaimer: The ideas and opinions presented in this paper are those of the author and do not represent an official statement by the U.S. Department of Defense, U.S. Army or other government entity.
Major Tom McMurtrie is an operations research/systems analyst in the U.S. Army currently serving as a research fellow in the Army’s Training with Industry (TWI) Program.