Education
Editors: Matt Bishop, [email protected]; Deborah A. Frincke, [email protected]
IEEE Security & Privacy, January/February 2008

Combating the Insider Cyber Threat

Frank L. Greitzer, Pacific Northwest National Laboratory
Andrew P. Moore and Dawn M. Cappelli, Software Engineering Institute
Dee H. Andrews, Air Force Research Laboratory
Lynn A. Carroll, Karta Technologies
Thomas D. Hull, Oak Ridge Institute for Science and Education

The penetration of US national security by foreign agents as well as American citizens is a historical and current reality that's a persistent and increasing phenomenon. Surveys, such as the E-Crime Watch Survey (www.cert.org/archive/pdf/2004eCrimeWatchSummary.pdf), reveal that current or former employees and contractors are the second greatest cybersecurity threat, exceeded only by hackers, and that the number of security incidents has increased geometrically in recent years. The insider threat is manifested when human behavior departs from compliance with established policies, regardless of whether it results from malice or a disregard for security policies. The types of crimes and abuse associated with insider threats are significant; the most serious include espionage, sabotage, terrorism, embezzlement, extortion, bribery, and corruption. Malicious activities include an even broader range of exploits, such as copyright violations, negligent use of classified data, fraud, unauthorized access to sensitive information, and illicit communications with unauthorized recipients.

The "insider" is an individual currently or at one time authorized to access an organization's information system, data, or network; such authorization implies a degree of trust in the individual. [...] an unauthorized act that benefits the individual. A 1997 US Department of Defense (DoD) Inspector General report1 found that 87 percent of identified intruders into DoD information systems were either employees or others internal to the organization. More generally, recent studies of cybercrime (such as the 2004 through 2006 E-Crime Watch Surveys; www.cert.org/archive/) in both government and commercial sectors reveal that although the proportion of insider events is declining (31 percent in 2004 and 27 percent in 2006), the financial impact and operating losses due to insider intrusions are increasing. Of those companies experiencing security events, the majority (55 percent) report at least one insider event (up from 39 percent in 2005).

In this article, we'll focus on the need for effective training to raise staff awareness about insider threats and the need for organizations to adopt a more effective approach to identifying potential risks and then taking proactive steps to mitigate them. [...] and technical issues underlying insider threats, training on insider threat awareness and mitigation must be flexible and customizable to different roles and responsibilities. It should also be highly relevant and realistic and address privacy and legal issues. The question of how to effectively convey such complex knowledge and skills is tied to fundamental instructional systems design (ISD) issues with philosophical and theoretical roots to theorists such as Jean Piaget, John Dewey, and Lev Vygotsky,2 who argued that learning contexts should be coupled with multiple opportunities for the learner to "construct" or discover meaning in the material (a constructivist or student-centered instructional philosophy) in contrast with the behaviorist or instructor-centered approach associated with traditional expository instruction.

Ongoing research at each of our institutions attempts to raise the bar in both training and insider research and development.

Training solutions in the insider threat domain

Pacific Northwest National Laboratory
PNNL has focused on interactive training in a variety of domains and predictive modeling for insider threat detection. Specifically, its researchers have developed complex, cognitive-based instruction to produce workshops and hands-on training, interactive computer-based training systems, and serious [...] Information and Infrastructure Integrity Initiative) is advancing research on predictive and adaptive systems, including a project devoted specifically to cyber and behavioral modeling approaches to mitigate or predict malicious insider exploits.6

Carnegie Mellon University/Software Engineering Institute CERT Program
CERT has examined more than 200 cases of insider cybercrimes across US critical infrastructure sectors, focusing on both technical and behavioral aspects.7,8 Ongoing work at CERT attempts to find effective mechanisms for communicating the results of this research to practitioners in government and industry through integrative models of the problem,9,10 case studies and assessment of best practices,11 and interactive instructional cases and games in which players are challenged to identify insider threat risks and take steps to mitigate them.12 (See www.cert.org/insider_threat/ for a fuller description of CERT's insider threat research.)

US Air Force Research Laboratory
The AFRL has conducted considerable research into different approaches to training cognitive skills, to define better methods for measuring job skills as well as evaluate training programs. Additionally, it recently conducted a workshop to examine ways to incorporate storytelling into instruction, the results of which could help those who want to instruct managers about insider threats via games.

Recently, the authors of this article came together to advance their collective approaches and ideas to suggest innovative training solutions for the insider threat problem; an initial outcome is the preparation of this article. As we noted earlier, there's currently a paucity of training on insider threat for individuals with different roles and responsibilities within organizations. Although this problem is increasingly acknowledged within government and industry, much remains to be done. At the very least, the field needs more workshops and training courses to raise the awareness of management and human resources personnel about behavioral indicators and how to decrease risk; policies must be established to provide guidance for staff and management alike; and effective training is needed.

Workshops
Past research on insider threats has shown that managing insider threat risks within an organization is an extremely complex task characterized by limited information, complex feedback relationships, conflicting goals, and uncertain causal relationships. To address this, CERT developed an insider threat education and awareness workshop called MERIT (Management and Education of the Risks of Insider Threat)9 and the materials presented at the Computer Security Institute's conference in November 2006 (www.cert.org/archive/pdf/CSInotes.pdf) based on previous empirical research on insider threats conducted at CERT and elsewhere.

The MERIT workshop focuses on insider IT sabotage and has the following structure:

• overview of empirical research on insider threat;
• interactive discussion of the instructional case of insider IT sabotage;
• general observations from case data;
• system dynamics model (problem, prevention, and mitigation); and
• recommendations for countering threats.

Our case study research and system dynamics modeling approach have helped to broaden our understanding of the insider threat problem and possible leverage points for its mitigation. We therefore characterize our offering as a workshop, rather than training, to emphasize that it focuses on interactive education and raising awareness of how organizations can mitigate the problem.

Games
The MERIT workshop is an initial step toward more effective training about insider threat risk awareness and mitigation. As Figure 1 shows, CERT also aims to bring the benefits of serious game technology to bear on the challenge of insider threat education. In collaboration with Carnegie Mellon's Entertainment Technology Center, CERT built a proof-of-concept game, called MERIT Interactive, that immerses players in a realistic business setting from which they make decisions about how to prevent, detect, and respond to insider actions and see how their decisions impact key performance metrics. It provides a team-oriented, role-playing experience using model-based simulation of critical aspects of insider threat risk management in a realistic organizational context. Team orientation is critical because organizations typically identify these problems at an organizational enterprise level rather than an individual manager or department level. Role playing is also crucial because solutions generally require collaboration among multiple stakeholders; role playing helps players understand and acquire the necessary skills.

[Figure 1 diagram; element labels: Empirical data, Case analysis, Scenarios, Modeling, Development of case-based training simulation, Training simulation, Learning objectives.]
Figure 1. The MERIT Interactive approach provides a team-oriented, role-playing experience using model-based simulation of critical aspects of insider threat risk management. Informed by actual case studies, the simulated scenarios challenge players to understand and solve relevant problems in a realistic organizational context.

CERT is currently modifying the MERIT system dynamics model to serve as a back-end engine for MERIT Interactive. This should help transfer any insights the model provides into MERIT Interactive's learning objectives. Then, experiments will be carried out to assess the extent to which players have learned important lessons about the insider threat domain. We believe MERIT Interactive will ultimately help decision-makers better understand the effects their decisions have on risk—both its promotion and mitigation.

Clearly, a critical need exists for more effective organizational strategies to combat and prevent insider abuses. A complete and effective insider threat mitigation strategy must take into account human motivations and behaviors along with organizational factors such as policies, hiring, and training practices, and the technical vulnerabilities and best practices for prevention or early detection of unauthorized insider activity. We must conduct program evaluations to verify that we're teaching the right lessons, that staff behavior and attitudes reflect those training objectives, and that organizations ultimately benefit from these organizational strategies. We must also recognize potential consequences and ethical issues surrounding possible mitigation strategies that could constrain users or systems or negatively impact productivity—for example, organizational responses to insider threat that might affect employee morale, or legal and privacy considerations associated with planned policies and IT measures. Ultimately, an organization must find the solutions that provide a proper balance among the three system components of its response to insider threats (IT tools for predictive defense, organizational policies and practices, and management/staff training).

References
1. DoD Office of the Inspector General, DoD Management of Information Assurance Efforts to Protect Automated Information Systems, tech. report no. PO 97-049, US Dept. of Defense, Sept. 1997.
2. P.E. Doolittle and W.G. Camp, "Constructivism: The Career and Technical Education Perspective," J. Vocational and Technical Education, vol. 16, no. 1, 1999; http://scholar.lib.vt.edu/ejournals/JVTE/v16n1/doolittle.html.
3. F.L. Greitzer, D.J. Pond, and M. Jannotta, "Scenario-Based Training on Human Errors Contributing to Security Incidents," Proc. Interservice/Industry Training, Simulation, and Education Conf. (I/ITSEC 04), 2004; http://ntsa.metapress.com/app/home/contribution.asp?referrer=parent&backto=issue,130,174;journal,4,8;linkingpublicationresults,1:113340,1.
4. F.L. Greitzer et al., "Learning to Pull the Thread: Application of Guided-Discovery Principles to the Inquiry Process," Proc. Interservice/Industry Training, Simulation, and Education Conf. (I/ITSEC 05), 2005; www.simsysinc.com/IITSEC/ED2005.htm#_Toc118714554.
5. F.L. Greitzer, O.A. Kuchar, and K. Huston, "Cognitive Science Implications for Enhancing Training Effectiveness in a Serious Gaming Context," ACM J. Educational Resources in Computing, vol. 7, no. 3, Article 2, August 2007; http://portal.acm.org/citation.cfm?id=1281320.1281322&coll=&dl=ACM&idx=J814&part=journal&WantType=Journals&title=Journal%20on%20Educational%20Resources%20in%20Computing%20(JERIC).
6. F.L. Greitzer et al., Predictive Adaptive Classification Model for Analysis and Notification: Internal Threat, tech. report PNNL-16713, Pacific Northwest National Lab., 2007.
7. M. Keeney et al., Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, tech. report, U.S. Secret Service and Carnegie Mellon Univ., Software Eng. Inst., 2005; www.secretservice.gov/ntac/its_report_050516.pdf.
8. M.R. Randazzo et al., Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, tech. report no. CME/SEI-2004-TR-021, Carnegie Mellon Univ., Software Eng. Inst., 2004; www.sei.cmu.edu/publications/documents/04.reports/04tr021.html.
9. A.P. Moore et al., "An Experience Using System Dynamics Modeling to Facilitate an Insider Threat Workshop," Proc. 25th Conf. System Dynamics Soc., The System Dynamics Society, 2007; www.cert.org/archive/pdf/ISDC2007.pdf.
10. S.R. Band et al., Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis, tech. report CMU/SEI-2006-TR-026, Carnegie Mellon Univ., Software Eng. Inst., 2006.
11. D.M. Cappelli, A.P. Moore, and T.J. Shimeall, Common Sense Guide to Prevention/Detection of Insider Threats, tech. report, Carnegie Mellon Univ., CyLab and the Internet Security Alliance, July 2006; www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.1-1-070118.pdf.
12. D. Cappelli et al., "Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage," Proc. 24th Conf. System Dynamics Soc., The System Dynamics Society, 2006; www.cert.org/archive/pdf/merit.pdf.

Frank L. Greitzer is a chief scientist at the Pacific Northwest National Laboratory (PNNL). His research interests include human behavior modeling, system evaluation methods and metrics, and modeling human cyber behavior with application to identifying malicious insider activities. Greitzer has a BS in mathematics from Harvey Mudd College and a PhD in mathematical psychology with specialization in memory and cognition from the University of California, Los Angeles. He is an editorial board member of the Journal of Cognitive Informatics & Natural Intelligence. Contact him at [email protected].

Andrew P. Moore is a senior member of the technical staff of CERT at the Software Engineering Institute at Carnegie Mellon University. His interests include improving security, survivability, and resiliency of enterprise systems through attack and defense modeling, and incident processing and analysis. Moore has a BA in mathematics from the College of Wooster and an MA in computer science from Duke University. Contact him at [email protected].

Dawn M. Cappelli is senior member of the technical staff in CERT at Carnegie Mellon University's Software Engineering Institute (SEI). She is technical lead of CERT's insider threat research and is also adjunct professor in Carnegie Mellon's Heinz School of Public Policy and Management. Cappelli has a BS in mathematics and computer science from the University of Pittsburgh. Contact her at [email protected].

Dee H. Andrews is senior scientist at the Human Effectiveness Directorate at the Air Force Research Laboratory in Mesa, Arizona. His research interests include training in distributed environments, instructor-operator station design, performance measurement, command and control, cost effectiveness, and decay and retention of higher order cognitive skills. Andrews has a PhD in instructional systems from Florida State University. Contact him at dee.andrews@mesa.afmc.af.mil.

Lynn A. Carroll is a consultant with Karta Technologies. Previously, he was a fighter pilot in the US Air Force, and served in Thailand and the Republic of Korea, where he commanded the 604th Direct Air Support Squadron, and at the Pentagon, where he oversaw Air Force simulation and training programs. He is the author of Entertaining War: Let the Games Begin. Contact him at [email protected].

Thomas D. Hull is a graduate fellow with the Oak Ridge Institute for Science and Education and works jointly with the Human Effectiveness Directorate at the Air Force Research Laboratory in Mesa, Arizona. His research focuses on the use of storytelling as instruction in computer simulation and problem-based learning environments, training management for insider threat and cybersecurity risks within a dynamic models framework, and current trends in instructional system design models. Hull has a BA in anthropology from Northern Arizona University. Contact him at thomas.[email protected].