Prof. Angela Sasse University College London
Understanding & Identifying the Insider Threat

CPNI - Personnel Security & Behavioural Assessment

Slides not to be reproduced without prior permission

Content

• Introduction to CPNI & Personnel Security framework

• Insider behaviour & activities

• Research

• Factors increasing likelihood

• Triggers

• Behaviours of concern

Introduction - CPNI

CPNI protective security disciplines (diagram): Physical Security; Personnel Security & Behavioural Assessment; Electronic Security

• Reducing vulnerability to Insider threat

• Holistic protective security advice to the national infrastructure to reduce vulnerability to terrorism and other threats

The Critical National Infrastructure: Telecommunications, Energy, Finance, Government & Public Services, Water, Health, Emergency Services, Transport, Food

Holistic view of Protective Security

Elements of a good personnel security regime

• Pre-employment screening: ensure only staff who are unlikely to present a security concern are employed

• Good security & organisational culture: help minimise the likelihood of employees becoming a security concern

• Ongoing security management: prevent, identify and manage employees who may become a security concern

• Risk assessment: uses personnel security measures in a way that is proportionate to the insider risk

Definition of an Insider

An Insider is someone who exploits, or has the intention to exploit, their legitimate access to assets for unauthorised purposes

Consequences of Insider activity

Corporate:

• Damage to reputation, relationships, buildings & assets

• Disruption to processes & procedures, IT systems

• Commercial & financial impact

• Competitor advantage

National security:

• Loss of life/harm to life

• Denial or restriction of a key service

• Facilitation of criminal & terrorist activity

• Compromising protectively marked information

Types of Insider Behaviour

• Deliberate penetration with intention of abusing position

• Opportunistic exploitation of access once in post

• Exploited by others once in post

• Unwitting/unintentional insider

• Ex-employees

Likelihood, Triggers, Opportunity & Behaviours of concern

Current thinking

• Review of US Insider research

• Literature review of Disaffection

• CPNI Insider study

• case study approach – range of past cases

• identify common trends

• develop guidance on reducing vulnerability

• concludes 2009

Likelihood of Insider Activity (diagram)

• Individual vulnerabilities: personality, life events, personal circumstances

• Organisational vulnerabilities: management culture, organisational climate, security culture (creating the climate, +/-)

• Specific triggers: world events, direct approaches, negative work events, negative life events

• Disaffection: individual and organisational vulnerabilities, acted on by specific triggers, feed disaffection and so the likelihood of Insider activity

Individual Vulnerabilities

• Life events – history of:

• Poor or chequered employment

• Excessive or addictive use of alcohol, drugs or gambling

• Petty crime

• Financial weaknesses

• Personal circumstances:

• Familial ties to countries of concern (competing identities)

• Sympathy to specific causes/adversarial mindset

• Difficult family circumstances

• Change in financial situation

• Personality predispositions:

• Low self esteem - desire for recognition/status

• ‘Thrill seeker’ - desire for excitement

• Overinflated sense of worth/abilities – desire for revenge when not recognised

• Brittle - oversensitive, unable to accept criticism – desire for revenge for perceived injustices

Organisational vulnerabilities

Certain situations have potential to increase vulnerability:

Poor organisational culture & management practices:

• High level of disaffection & staff grievance

• failure to address grievances

• failure to identify & manage personnel issues

• Employee disengagement (or lack of initial engagement)

• Lower levels of loyalty and commitment

Specific types of organisational climate:

• Organisation undergoing significant change

• Re-structuring

• Downsizing

• Relocation

• Impact on morale/ties with organisation

Possible triggers?

• Major life events

• Bereavement

• Divorce / marital problems

• Change in financial circumstances

• Work stressors

• Organisational change

• Demotion / lack of promotion

• Perceived injustices

• World events / crisis of conscience

• Direct approaches

Opportunity (diagram)

Likelihood in terms of Opportunity: individual vulnerabilities, organisational vulnerabilities and specific triggers ………> Opportunity, created by inadequate Personnel Security measures and poor security culture

Opportunity

Insider activity can be facilitated by:

Lack of strong security culture:

• Lack of appreciation of threats/risks

• Lack of awareness of security policies & practices

• Low level of ownership & responsibility

• Low level of compliance with security measures & easier to manipulate

Inadequate personnel security measures:

• Ease of obtaining employment

• Ease of obtaining information or access during employment

• Ease of remaining undetected

Current thinking…

Possible Indicators of Insider threat

• Not one single factor

• Clusters & specific combinations

• Alternative explanations

• Changes from normal behaviour

• Assessed in context of employee’s role

• opportunity and capability to cause harm

• Legality & discrimination

Possible Indicators of Insider Threat – Behaviours of concern

Indicator groups: Individual vulnerabilities; Changes in lifestyle & work behaviours; Suspicious behaviours; Unauthorised behaviours

• Greater the number of indicators present, greater the risk

• Some indicator groups are of more concern

• Combinations and clusters

Examples of possible Indicators

Individual vulnerabilities

• Relatives / close friends in countries known to target UK citizens to obtain sensitive information and/or is associated with a risk of terrorism

• Sympathy to specific causes/adversarial mindset (particularly if in conflict with nature of work/position)

• Financial difficulties

• Addictions

• Specific personality traits

• On their own, not necessarily an indication of Insider activity

• Alternative explanations

Changes in lifestyle & work behaviours

• Obvious changes in financial status with no rational explanation

• Sudden or marked changes in religious, political or social affiliation or practice which has an adverse impact on performance or attitude to security

• Poor timekeeping / excessive absenteeism

• Decreased quantity & quality of work

• Deteriorating relationships with colleagues/line managers (inc complaints)

• On their own, not necessarily an indication of Insider activity

• Alternative explanations


Examples of possible Indicators

Suspicious behaviours

• Unusually high interest in security measures or history of unusually high security violations

• Visiting classified areas of work after normal hours, for no logical reason

• Unusual questioning of co-workers about information/areas to which they do not have access

• Abusing access to databases

• On their own, not necessarily an indication of Insider activity

• But alternative explanations becoming less likely…..

Examples of possible Indicators

Unauthorised behaviours

• Accessing or attempting to access or download information for which not authorised

• Intentionally photocopying sensitive material for which there is no logical reason

• Taking protected or sensitive materials home without proper authorisation

• A serious security risk

• Alternative explanations unlikely……

Detection

• Utilisation of existing personnel security measures

• Protective monitoring

• automated alerts and audits to detect unauthorised entry/abnormal usage of IT systems or work areas

• Aim -> development of practical and reliable tools to support decision making about Insiders

• Case studies have shown there was:

• evidence of behaviours of concern about Insiders

BUT

• not collected together in one place so that an individual could make an informed judgement

• lacked a framework to understand potential warning signs
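The "protective monitoring" bullet above (automated alerts on unauthorised entry or abnormal use of IT systems and work areas) and the earlier lists of suspicious and unauthorised behaviours describe detection logic without showing it. The following is an added example, not code from the CPNI study or these slides. It runs over constructed badge-reader and IT audit lines, judges each event against the employee's role (the resources they are authorised for, a hypothetical IAM export), and applies the deck's own rule that no single factor is enough: an alert needs a cluster of distinct indicators, with the unauthorised-behaviour group weighted above the suspicious-behaviour group. All user names, resources, working hours and thresholds are assumptions.

```python
"""Protective-monitoring example: scoring clusters of behaviours of concern.

Added example, not part of the CPNI slides. Reads constructed access-log
lines, assesses each event in the context of the employee's role, and raises
an alert only when indicators from the deck's groups cluster. All users,
resources, hours and thresholds below are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed log lines (hypothetical): "<ISO timestamp> <user> <event> <resource> <outcome>"
LOG_LINES = """\
2009-03-02T22:41:10 jsmith badge SERVER_ROOM granted
2009-03-02T22:43:55 jsmith file_read HR/payroll.xlsx denied
2009-03-02T22:44:30 jsmith file_read HR/payroll.xlsx denied
2009-03-02T22:50:02 jsmith file_download PROJ-X/design.pdf granted
2009-03-02T22:50:09 jsmith file_download PROJ-X/costs.xlsx granted
2009-03-02T22:50:15 jsmith file_download PROJ-X/suppliers.csv granted
2009-03-02T22:50:21 jsmith file_download PROJ-X/roadmap.pptx granted
2009-03-03T08:15:00 akhan badge SERVER_ROOM granted
2009-03-03T09:02:11 akhan file_read PROJ-X/design.pdf granted
2009-03-03T21:30:00 bwong badge SERVER_ROOM granted
2009-03-03T21:31:00 bwong file_read PROJ-X/design.pdf granted
"""

# Role context (hypothetical IAM/HR export): resource prefixes each user may use.
AUTHORISED = {
    "jsmith": {"PROJ-X/"},
    "akhan": {"PROJ-X/", "SERVER_ROOM"},
    "bwong": {"PROJ-X/", "SERVER_ROOM"},
}
RESTRICTED_AREAS = {"SERVER_ROOM"}
WORK_HOURS = (time(7, 0), time(19, 0))  # assumed normal working hours
BULK_DOWNLOAD_THRESHOLD = 3             # downloads per day above an assumed baseline
# Indicator groups from the slides: unauthorised behaviours weigh more than suspicious ones.
WEIGHTS = {"unauthorised": 2, "suspicious": 1}
ALERT_SCORE = 3  # needs a cluster: e.g. one unauthorised plus one suspicious indicator


def parse(lines):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in lines.strip().splitlines():
        ts, user, event, resource, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "resource": resource, "outcome": outcome})
    return events


def is_authorised(user, resource):
    return any(resource.startswith(p) for p in AUTHORISED.get(user, ()))


def after_hours(ts):
    return not (WORK_HOURS[0] <= ts.time() <= WORK_HOURS[1])


def indicators_for(user, events):
    """Return (group, indicator, evidence) triples for one user, judged against their role."""
    found = []
    downloads = defaultdict(int)
    for e in events:
        if e["event"] == "badge" and e["resource"] in RESTRICTED_AREAS:
            if not is_authorised(user, e["resource"]):
                found.append(("unauthorised", "entry to restricted area without authorisation",
                              e["ts"].isoformat()))
            elif after_hours(e["ts"]):
                # Authorised, so only 'suspicious': may have an innocent explanation.
                found.append(("suspicious", "restricted area visit after hours",
                              e["ts"].isoformat()))
        if e["event"] in ("file_read", "file_download") and not is_authorised(user, e["resource"]):
            # Counts whether the attempt was granted or denied: both are attempts to access
            # information the role does not cover.
            found.append(("unauthorised", "access attempt to unauthorised information",
                          e["resource"]))
        if e["event"] == "file_download":
            downloads[e["ts"].date()] += 1
    for day, n in downloads.items():
        if n >= BULK_DOWNLOAD_THRESHOLD:
            found.append(("suspicious", "bulk download above baseline", f"{n} files on {day}"))
    return found


def assess(lines):
    """Score each user on distinct indicators; alert only when they cluster."""
    by_user = defaultdict(list)
    for e in parse(lines):
        by_user[e["user"]].append(e)
    report = {}
    for user, events in by_user.items():
        found = indicators_for(user, events)
        distinct = {(group, name) for group, name, _ in found}
        score = sum(WEIGHTS[group] for group, _ in distinct)
        report[user] = {"score": score, "alert": score >= ALERT_SCORE, "indicators": found}
    return report


if __name__ == "__main__":
    for user, result in assess(LOG_LINES).items():
        print(user, "ALERT" if result["alert"] else "no alert", result["score"])
        for group, name, evidence in result["indicators"]:
            print("   ", group, "-", name, "-", evidence)
```

On the constructed input, jsmith clusters an unauthorised entry, repeated attempts on payroll data and a bulk download and is flagged; bwong's single after-hours visit to an area he is authorised for scores below the threshold, which is the point the slides make about single indicators and alternative explanations. A real deployment would take the role context from the identity system rather than a literal, and the scored output is a prompt for a human to collect the evidence in one place, not a judgement in itself.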

Detection

• We aim to develop checklists that could be:

• applied to an application form at recruitment stage to check past history and capture potential individual vulnerabilities

• used to support appraisal and/or security interviews, whether by security professionals or line managers

• used to structure confidential employee reporting schemes

Prevention & Deterrence is key…

Comprehensive on-going security measures

• Limit opportunity

• Maximise deterrence

• Provide means to report concerns

Positive management

practices

• Reduce disaffection

• Promote loyalty & commitment

• Address grievances

Strong security culture

• Appreciate threat & responsibilities

• Compliance

• Awareness of signs

• Willing to report

Robust pre-employment

screening

• Prevent those with intent

• Identify those who could be vulnerable

Summary – Key messages

• Inter-relationships between factors in ‘creating’ Insider events:

• Individual ‘v’ Organisational ‘v’ Triggers

• Reducing cause & opportunity is key (prevention)

• Detection more complicated

• Insider research is on-going

• findings 2009

• development of tools & checklists to help identify those who may merit further attention