Prof. Angela Sasse, University College London

Understanding & Identifying the Insider Threat
CPNI - Personnel Security & Behavioural Assessment
Content
• Introduction to CPNI & Personnel Security framework
• Insider behaviour & activities
• Research
  • Factors increasing likelihood
  • Triggers
  • Behaviours of concern
Introduction - CPNI
• Holistic protective security advice to the national infrastructure to reduce vulnerability to terrorism and other threats
• CPNI advice covers three strands: physical security, electronic security, and personnel security & behavioural assessment
• Reducing vulnerability to Insider threat
The Critical National Infrastructure:
Telecommunications
Energy
Finance
Government & Public Services
Water
Health
Emergency Services
Transport
Food
Holistic view of Protective Security
Elements of a good personnel security regime
• Pre-employment screening - ensure only staff who are unlikely to present a security concern are employed
• Risk assessment - uses personnel security measures in a way that is proportionate to the insider risk
• Good security & organisational culture - help minimise the likelihood of employees becoming a security concern
• Ongoing security management - prevent, identify and manage employees who may become a security concern
Definition of an Insider
An Insider is someone who exploits, or has the intention to exploit, their legitimate access to assets for unauthorised purposes
Insider activities
• Facilitation of 3rd party access to sites/information
• Direct sabotage (electronic or physical)
• Unauthorised disclosure of information
• Financial & process corruption
• Theft of materials or information
Consequences of Insider activity
Corporate
• Commercial & financial impact
• Damage to
  • Reputation
  • Competitor advantage
  • Relationships
  • Buildings & assets
• Disruption to
  • Processes & procedures
  • IT systems
National security
• Denial or restriction of a key service
• Facilitation of criminal & terrorist activity
• Compromising protectively marked information
• Loss of life/harm to life
Types of Insider Behaviour
• Deliberate penetration with intention of abusing position
• Opportunistic exploitation of access once in post
• Exploited by others once in post
• Unwitting/unintentional insider
• Ex-employees
Who might be undertaking Insider activity?
• Terrorists or their associates
• Foreign Intelligence services
• Disaffected employees
• Single-issue groups
• Commercial competitors
• Journalists
Motivations of Insiders?
• Financial gain
• Revenge
• Status/recognition
• Friendship/loyalty
• Ideological
• Fear/coercion
Likelihood, Triggers, Opportunity & Behaviours of concern
Current thinking…
Current thinking
• Review of US Insider research
• Literature review of Disaffection
• CPNI Insider study
  • case study approach – range of past cases
  • identify common trends
  • develop guidance on reducing vulnerability
  • concludes 2009
Likelihood of Insider Activity
Individual vulnerabilities:
• Personality
• Personal circumstances
• Life events
Organisational vulnerabilities (creating the climate):
• Management culture
• Organisational climate
• Security culture
Specific triggers:
• Direct approaches
• Negative work events
• Negative life events
• World events
Diagram: individual and organisational vulnerabilities (+/-) combine with specific triggers; disaffection links them to the likelihood of Insider activity.
Individual Vulnerabilities
• Life events – history of:
  • Poor or chequered employment
  • Excessive or addictive use of alcohol, drugs or gambling
  • Petty crime
  • Financial weaknesses
• Personal circumstances
  • Familial ties to countries of concern (competing identities)
  • Sympathy to specific causes/adversarial mindset
  • Difficult family circumstances
  • Change in financial situation
• Personality predispositions
  • Low self esteem - desire for recognition/status
  • ‘Thrill seeker’ - desire for excitement
  • Overinflated sense of worth/abilities – desire for revenge when not recognised
  • Brittle - oversensitive, unable to accept criticism – desire for revenge for perceived injustices
Organisational vulnerabilities
Certain situations have potential to increase vulnerability:
Poor organisational culture & management practices
• High level of disaffection & staff grievance
  • failure to address grievances
  • failure to identify & manage personnel issues
• Employee disengagement (or lack of initial engagement)
• Lower levels of loyalty and commitment
Specific types of organisational climate
• Organisation undergoing significant change
  • Re-structuring
  • Downsizing
  • Relocation
• Impact on morale/ties with organisation
Possible triggers?
• Major life events
  • Bereavement
  • Divorce / marital problems
  • Change in financial circumstances
• Work stressors
  • Organisational change
  • Demotion / lack of promotion
  • Perceived injustices
• World events / crisis of conscience
• Direct approaches
Likelihood in terms of Opportunity
Diagram: individual vulnerabilities, organisational vulnerabilities and specific triggers, combined with opportunity (inadequate personnel security measures, poor security culture), lead towards Insider activity.
Opportunity
Insider activity can be facilitated by:
Inadequate personnel security measures
• Ease of obtaining employment
• Ease of obtaining information or access during employment
• Ease of remaining undetected
Lack of strong security culture
• Lack of appreciation of threats/risks
• Lack of awareness of security policies & practices
• Low level of ownership & responsibility
• Low level of compliance with security measures & easier to manipulate
Current thinking… Possible Indicators of Insider threat
Possible Indicators of Insider Threat
• Not one single factor
• Clusters & specific combinations
• Alternative explanations
• Changes from normal behaviour
• Assessed in context of employee’s role
  • opportunity and capability to cause harm
• Legality & discrimination
Possible Indicators of Insider Threat – Behaviours of concern
Four indicator groups, in increasing order of concern:
• Individual vulnerabilities
• Changes in lifestyle & work behaviours
• Suspicious behaviours
• Unauthorised behaviours
The greater the number of indicators present, the greater the risk
Some indicator groups are of more concern
Combinations and clusters
Examples of possible Indicators – Individual vulnerabilities
• Relatives / close friends in countries known to target UK citizens to obtain sensitive information and/or associated with a risk of terrorism
• Sympathy to specific causes/adversarial mindset (particularly if in conflict with nature of work/position)
• Financial difficulties
• Addictions
• Specific personality traits
• On their own, not necessarily an indication of Insider activity
• Alternative explanations
Examples of possible Indicators – Changes in lifestyle & work behaviours
• Obvious changes in financial status with no rational explanation
• Sudden or marked changes in religious, political or social affiliation or practice which have an adverse impact on performance or attitude to security
• Poor timekeeping / excessive absenteeism
• Decreased quantity & quality of work
• Deteriorating relationships with colleagues/line managers (inc complaints)
• On their own, not necessarily an indication of Insider activity
• Alternative explanations
Examples of possible Indicators – Suspicious behaviours
• Unusually high interest in security measures or history of unusually high security violations
• Visiting classified areas of work after normal hours, for no logical reason
• Unusual questioning of co-workers about information/areas to which they do not have access
• Abusing access to databases
• On their own, not necessarily an indication of Insider activity
• But alternative explanations becoming less likely…..
Examples of possible Indicators – Unauthorised behaviours
• Accessing or attempting to access or download information for which not authorised
• Intentionally photocopying sensitive material for which there is no logical reason
• Taking protected or sensitive materials home without proper authorisation
• A serious security risk
• Alternative explanations unlikely……
Detection
• Utilisation of existing personnel security measures
• Protective monitoring
  • automated alerts and audits to detect unauthorised entry/abnormal usage of IT systems or work areas
• Aim -> development of practical and reliable tools to support decision making about Insiders
• Case studies have shown there was:
  • evidence of behaviours of concern about Insiders
  BUT
  • not collected together in one place so that an individual could make an informed judgement
  • lacked a framework to understand potential warning signs
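The protective-monitoring point above (automated alerts and audits for unauthorised entry or abnormal usage of IT systems and work areas) and the "suspicious" and "unauthorised" indicator slides can be turned into simple detection logic. The following is an added illustration written for this page, not CPNI's tooling or any code from the presentation. The log format, the user names, the area name CLASSIFIED_LAB, the 07:00-19:00 working-hours window, the "at least two late visits" and "five times the user's own daily median" thresholds, and the group weights are all assumptions chosen to show the idea; the sample audit events are constructed, not real data. It deliberately follows the page's rules: no single factor decides, clusters across indicator groups raise the level, and the unauthorised group is the most serious.

```python
"""Protective monitoring: score constructed audit events against the
'suspicious' and 'unauthorised' indicator groups on this page.
Added example; log format, thresholds, area names and users are assumptions."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit log (not real data). One event per line:
# timestamp user source target action outcome
SAMPLE_LOG = "\n".join(
    [
        "2009-03-09T09:12:00 asmith badge OPEN_OFFICE entry ok",
        "2009-03-09T10:05:00 asmith db PROJECT_Y read ok",
        "2009-03-09T14:30:00 asmith db PROJECT_Y read ok",
        "2009-03-10T09:01:00 asmith badge OPEN_OFFICE entry ok",
        "2009-03-10T11:00:00 asmith db PROJECT_Y read ok",
        "2009-03-10T11:10:00 asmith db PROJECT_Y read ok",
        "2009-03-10T22:47:00 asmith badge CLASSIFIED_LAB entry ok",  # after hours
        "2009-03-10T22:58:00 asmith db PROJECT_X read denied",        # not authorised
        "2009-03-11T23:05:00 asmith badge CLASSIFIED_LAB entry ok",  # after hours again
        "2009-03-11T23:20:00 asmith db PROJECT_X download denied",
        "2009-03-10T08:55:00 bjones badge OPEN_OFFICE entry ok",
        "2009-03-10T10:00:00 bjones db PROJECT_X read ok",
        "2009-03-10T20:30:00 bjones badge CLASSIFIED_LAB entry ok",  # one late visit
    ]
    # bulk read of a database asmith is allowed to use: 25 records in one evening
    + [f"2009-03-11T23:{21 + i:02d}:00 asmith db PROJECT_Y read ok" for i in range(25)]
)

WORKING_HOURS = (time(7, 0), time(19, 0))   # assumption: normal hours are 07:00-19:00
CLASSIFIED_AREAS = {"CLASSIFIED_LAB"}        # assumption: areas needing a reason after hours
# Weights per indicator group, ordered as on the page (unauthorised is most serious).
# Only the last two groups can be populated from logs; individual vulnerabilities and
# lifestyle changes are observed by line managers and HR, not by IT monitoring.
GROUP_WEIGHT = {"individual": 1, "lifestyle": 2, "suspicious": 3, "unauthorised": 5}


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, target, action, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "source": source,
                       "target": target, "action": action, "outcome": outcome})
    return events


def out_of_hours(ts):
    return not (WORKING_HOURS[0] <= ts.time() < WORKING_HOURS[1])


def indicators_for_user(events):
    """Map indicator group -> list of observations, from one user's events."""
    found = defaultdict(list)
    # Suspicious: repeated out-of-hours entry to classified areas. One late night has
    # obvious alternative explanations, so require at least two before flagging.
    late = [e for e in events if e["source"] == "badge"
            and e["target"] in CLASSIFIED_AREAS and out_of_hours(e["ts"])]
    if len(late) >= 2:
        found["suspicious"].append(f"{len(late)} out-of-hours entries to classified areas")
    # Suspicious: abnormal use of a database the user is entitled to access, measured
    # against the user's own daily baseline rather than a global threshold.
    per_day = defaultdict(int)
    for e in events:
        if e["source"] == "db" and e["outcome"] == "ok":
            per_day[e["ts"].date()] += 1
    if per_day:
        counts = sorted(per_day.values())
        baseline = counts[(len(counts) - 1) // 2]        # low median of daily counts
        peak_day, peak = max(per_day.items(), key=lambda kv: kv[1])
        if peak >= 20 and peak > 5 * baseline:
            found["suspicious"].append(
                f"{peak} database reads on {peak_day} against a typical {baseline} per day")
    # Unauthorised: attempts to access or download information the user is not cleared for.
    denied = [e for e in events if e["outcome"] == "denied"]
    if denied:
        targets = sorted({e["target"] for e in denied})
        found["unauthorised"].append(
            f"{len(denied)} denied access/download attempts on {', '.join(targets)}")
    return dict(found)


def assess(log_text):
    """Score each user. The level follows the page's rule: clusters across groups,
    and anything in the unauthorised group, matter more than any single indicator."""
    by_user = defaultdict(list)
    for e in parse_log(log_text):
        by_user[e["user"]].append(e)
    report = {}
    for user, evs in sorted(by_user.items()):
        found = indicators_for_user(evs)
        score = sum(GROUP_WEIGHT[g] * len(obs) for g, obs in found.items())
        if not found:
            level = "none"
        elif len(found) == 1 and "unauthorised" not in found:
            level = "monitor"            # single group: alternative explanations likely
        else:
            level = "refer for review"   # cluster, or unauthorised behaviour
        report[user] = {"score": score, "level": level, "indicators": found}
    return report


if __name__ == "__main__":
    for user, result in assess(SAMPLE_LOG).items():
        print(user, result["level"], result["score"])
        for group, observations in result["indicators"].items():
            for obs in observations:
                print(f"  [{group}] {obs}")
```

Run stand-alone, it reports asmith as "refer for review" (two suspicious observations plus one unauthorised one) and bjones as "none": the single late visit and the one permitted read never cross the thresholds, which is the point of the page's "alternative explanations" caveat. The output is a prompt for a human judgement in the context of the employee's role, not a verdict, and the per-user baseline is what keeps a legitimately heavy database user from being flagged for ordinary workload.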
Detection
• We aim to develop checklists that could be:
  • applied to an application form at recruitment stage to check past history and capture potential individual vulnerabilities
  • used to support appraisal and/or security interviews, whether by security professionals or line managers
  • used to structure confidential employee reporting schemes
Prevention & Deterrence is key…
Robust pre-employment screening
• Prevent those with intent
• Identify those who could be vulnerable
Strong security culture
• Appreciate threat & responsibilities
• Compliance
• Awareness of signs
• Willing to report
Comprehensive on-going security measures
• Limit opportunity
• Maximise deterrence
• Provide means to report concerns
Positive management practices
• Reduce disaffection
• Promote loyalty & commitment
• Address grievances
Summary – Key messages
• Inter-relationships between factors in ‘creating’ Insider events:
  • Individual ‘v’ Organisational ‘v’ Triggers
• Reducing cause & opportunity is key (prevention)
• Detection more complicated
• Insider research is on-going
  • findings 2009
  • development of tools & checklists to help identify those who may merit further attention