Prof. Angela Sasse, University College London
Understanding & Identifying the Insider Threat
CPNI - Personnel Security & Behavioural Assessment

Content
• Introduction to CPNI & Personnel Security framework
• Insider behaviour & activities
• Research
  • Factors increasing likelihood
  • Triggers
  • Behaviours of concern

Introduction - CPNI
• Holistic protective security advice to the national infrastructure to reduce vulnerability to terrorism and other threats
• Three strands of CPNI advice: Physical security; Electronic security; Personnel security & behavioural assessment
• Reducing vulnerability to Insider threat

The Critical National Infrastructure: Telecommunications, Energy, Finance, Government & Public Services, Water, Health, Emergency Services, Transport, Food

Holistic view of Protective Security

Elements of a good personnel security regime
• Pre-employment screening – ensure only staff who are unlikely to present a security concern are employed
• Risk assessment – uses personnel security measures in a way that is proportionate to the insider risk
• Good security & organisational culture – help minimise the likelihood of employees becoming a security concern
• Ongoing security management – prevent, identify and manage employees who may become a security concern

Definition of an Insider
An Insider is someone who exploits, or has the intention to exploit, their legitimate access to assets for unauthorised purposes

Insider activities…
• Facilitation of 3rd party access to sites/information
• Direct sabotage (electronic or physical)
• Unauthorised disclosure of information
• Financial & process corruption
• Theft of materials or information

Consequences of Insider activity
Corporate
• Commercial & financial impact
• Damage to
  • Reputation
  • Competitor advantage
  • Relationships
  • Buildings & assets
• Disruption to
  • Processes & procedures
  • IT systems
National security
• Denial or restriction of a key service
• Facilitation of criminal & terrorist activity
• Compromising protectively marked information
• Loss of life/harm to life

Types of Insider Behaviour
• Deliberate penetration with intention of abusing position
• Opportunistic exploitation of access once in post
• Exploited by others once in post
• Unwitting/unintentional insider
• Ex-employees

Who might be undertaking Insider activity?
• Terrorists or their associates
• Foreign Intelligence services
• Disaffected employees
• Single-issue groups
• Commercial competitors
• Journalists

Motivations of Insiders?
• Financial gain
• Revenge
• Status/recognition
• Friendship/loyalty
• Ideological
• Fear/coercion

Likelihood, Triggers, Opportunity & Behaviours of concern
Current thinking…

Current thinking
• Review of US Insider research
• Literature review of Disaffection
• CPNI Insider study
  • case study approach – range of past cases
  • identify common trends
  • develop guidance on reducing vulnerability
  • concludes 2009

Likelihood of Insider Activity (diagram of contributing factors)
• Individual vulnerabilities: personality; personal circumstances; life events
• Organisational vulnerabilities: management culture; organisational climate; security culture (creating the climate); disaffection
• Specific triggers: direct approaches; negative work events; negative life events; world events (+/-)

Individual Vulnerabilities
• Life events – history of:
  • Poor or chequered employment
  • Excessive or addictive use of alcohol, drugs or gambling
  • Petty crime
  • Financial weaknesses
• Personal circumstances
  • Familial ties to countries of concern (competing identities)
  • Sympathy to specific causes/adversarial mindset
  • Difficult family circumstances
  • Change in financial situation
• Personality predispositions
  • Low self esteem – desire for recognition/status
  • ‘Thrill seeker’ – desire for excitement
  • Overinflated sense of worth/abilities – desire for revenge when not recognised
  • Brittle – oversensitive, unable to accept criticism – desire for revenge for perceived injustices

Organisational vulnerabilities
Certain situations have the potential to increase vulnerability:
Poor organisational culture & management practices
• High level of disaffection & staff grievance
  • failure to address grievances
  • failure to identify & manage personnel issues
• Employee disengagement (or lack of initial engagement)
  • Lower levels of loyalty and commitment
Specific types of organisational climate
• Organisation undergoing significant change
  • Re-structuring
  • Downsizing
  • Relocation
  • Impact on morale/ties with organisation

Possible triggers?
• Major life events
  • Bereavement
  • Divorce / marital problems
  • Change in financial circumstances
• Work stressors
  • Organisational change
  • Demotion / lack of promotion
  • Perceived injustices
• World events / crisis of conscience
• Direct approaches

Likelihood in terms of Opportunity (diagram)
Individual vulnerabilities + Organisational vulnerabilities + Specific triggers ———> Opportunity
• Inadequate personnel security measures
• Poor security culture

Opportunity
Insider activity can be facilitated by:
Inadequate personnel security measures
• Ease of obtaining employment
• Ease of obtaining information or access during employment
• Ease of remaining undetected
Lack of strong security culture
• Lack of appreciation of threats/risks
• Lack of awareness of security policies & practices
• Low level of ownership & responsibility
• Low level of compliance with security measures & easier to manipulate

Current thinking… Possible Indicators of Insider threat

Possible Indicators of Insider Threat
• Not one single factor
• Clusters & specific combinations
• Alternative explanations
• Changes from normal behaviour
• Assessed in context of employee’s role
  • opportunity and capability to cause harm
• Legality & discrimination

Possible Indicators of Insider Threat – Behaviours of concern
Indicator groups: Individual vulnerabilities; Changes in lifestyle & work behaviours; Suspicious behaviours; Unauthorised behaviours
• The greater the number of indicators present, the greater the risk
• Some indicator groups are of more concern
• Combinations and clusters

Examples of possible Indicators – Individual vulnerabilities
• Relatives / close friends in countries known to target UK citizens to obtain sensitive information and/or associated with a risk of terrorism
• Sympathy to specific causes/adversarial mindset (particularly if in conflict with nature of work/position)
• Financial difficulties
• Addictions
• Specific personality traits
• On their own, not necessarily an indication of Insider activity
• Alternative explanations
Examples of possible Indicators – Changes in lifestyle & work behaviours
• Obvious changes in financial status with no rational explanation
• Sudden or marked changes in religious, political or social affiliation or practice which have an adverse impact on performance or attitude to security
• Poor timekeeping / excessive absenteeism
• Decreased quantity & quality of work
• Deteriorating relationships with colleagues/line managers (including complaints)
• On their own, not necessarily an indication of Insider activity
• Alternative explanations

Examples of possible Indicators – Suspicious behaviours
• Unusually high interest in security measures or history of unusually high security violations
• Visiting classified areas of work after normal hours, for no logical reason
• Unusual questioning of co-workers about information/areas to which they do not have access
• Abusing access to databases
• On their own, not necessarily an indication of Insider activity
• But alternative explanations becoming less likely…
Examples of possible Indicators – Unauthorised behaviours
• Accessing or attempting to access or download information for which not authorised
• Intentionally photocopying sensitive material for which there is no logical reason
• Taking protected or sensitive materials home without proper authorisation
• A serious security risk
• Alternative explanations unlikely…

Detection
• Utilisation of existing personnel security measures
• Protective monitoring
  • automated alerts and audits to detect unauthorised entry/abnormal usage of IT systems or work areas
• Aim -> development of practical and reliable tools to support decision making about Insiders
• Case studies have shown there was:
  • evidence of behaviours of concern about Insiders BUT
  • not collected together in one place so that an individual could make an informed judgement
  • lacked a framework to understand potential warning signs

Detection
• We aim to develop checklists that could be:
  • applied to an application form at recruitment stage to check past history and capture potential individual vulnerabilities
  • used to support appraisal and/or security interviews, whether by security professionals or line managers
  • used to structure confidential employee reporting schemes

Prevention & Deterrence is key…
Robust pre-employment screening
• Prevent those with intent
• Identify those who could be vulnerable
Strong security culture
• Appreciate threat & responsibilities
• Compliance
• Awareness to signs
• Willing to report
Comprehensive on-going security measures
• Limit opportunity
• Maximise deterrence
• Provide means to report concerns
Positive management practices
• Reduce disaffection
• Promote loyalty & commitment
• Address grievances

Summary – Key messages
• Inter-relationships between factors in ‘creating’ Insider events:
  • Individual ‘v’ Organisational ‘v’ Triggers
• Reducing cause & opportunity is key (prevention)
• Detection more complicated
• Insider research is on-going
  • findings 2009
  • development of tools & checklists to help identify those who may merit further attention
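The Detection slides describe protective monitoring (automated alerts on unauthorised entry or abnormal use of IT systems and work areas) and note that in past cases the behaviours of concern existed but were never collected in one place, while the indicator slides stress that clusters of indicators from several groups matter more than any single one. The following script is an added illustration of those two points, written for this page; it is not CPNI's tool and none of its data comes from the presentation. The access records, the roster of who is authorised after hours, the per-user download baselines, the working-hours window and the 3x spike threshold are all constructed assumptions, and the indicator names and group weights are the author's own choices mapped loosely onto the slide's "suspicious" and "unauthorised" groups.

```python
"""Protective-monitoring sketch: match access records against a few
behaviour-of-concern rules, then gather every hit per employee so a
reviewer sees the whole picture in one place. Added example; rules,
thresholds and data are constructed assumptions, not CPNI's tools."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (made-up users, paths and times). "door" records
# come from a badge system, "file" and "download" from a file server.
EVENTS = [
    {"ts": "2009-03-02T09:05:00", "user": "u100", "kind": "door", "zone": "general", "outcome": "granted"},
    {"ts": "2009-03-02T22:40:00", "user": "u100", "kind": "door", "zone": "restricted", "outcome": "granted"},
    {"ts": "2009-03-03T23:10:00", "user": "u100", "kind": "door", "zone": "restricted", "outcome": "granted"},
    {"ts": "2009-03-03T23:15:00", "user": "u100", "kind": "file", "path": "/proj/alpha/a.doc", "outcome": "denied"},
    {"ts": "2009-03-03T23:16:00", "user": "u100", "kind": "file", "path": "/proj/alpha/b.doc", "outcome": "denied"},
    {"ts": "2009-03-04T10:00:00", "user": "u100", "kind": "download", "path": "/proj/beta", "count": 40},
    {"ts": "2009-03-02T21:30:00", "user": "u200", "kind": "door", "zone": "restricted", "outcome": "granted"},
    {"ts": "2009-03-03T11:00:00", "user": "u300", "kind": "file", "path": "/proj/alpha/a.doc", "outcome": "denied"},
    {"ts": "2009-03-03T11:30:00", "user": "u300", "kind": "download", "path": "/proj/gamma", "count": 6},
]

# Constructed context; a real deployment would pull this from HR/rostering.
NIGHT_SHIFT = {"u200"}                     # rostered to be in restricted zones after hours
BASELINE_DAILY_DOWNLOADS = {"u100": 5, "u200": 5, "u300": 5}
WORKING_HOURS = (7, 19)                    # 07:00-19:00 counts as normal hours (assumption)
DOWNLOAD_SPIKE_FACTOR = 3                  # alert above 3x the user's own baseline (assumption)


def after_hours_restricted_entry(ev):
    """Suspicious: entering a restricted area after normal hours without a rostered reason."""
    if ev["kind"] != "door" or ev["zone"] != "restricted" or ev["outcome"] != "granted":
        return False
    hour = datetime.fromisoformat(ev["ts"]).hour
    in_hours = WORKING_HOURS[0] <= hour < WORKING_HOURS[1]
    return not in_hours and ev["user"] not in NIGHT_SHIFT


def unauthorised_access_attempt(ev):
    """Unauthorised: attempting to access information the user is not authorised for."""
    return ev["kind"] == "file" and ev["outcome"] == "denied"


def download_spike(ev):
    """Suspicious: a day's downloads far above the user's own baseline (abnormal IT usage)."""
    if ev["kind"] != "download":
        return False
    return ev["count"] > DOWNLOAD_SPIKE_FACTOR * BASELINE_DAILY_DOWNLOADS.get(ev["user"], 5)


# (indicator group, indicator name, rule); groups follow the slide's naming.
RULES = [
    ("suspicious", "after-hours restricted entry", after_hours_restricted_entry),
    ("unauthorised", "denied access attempt", unauthorised_access_attempt),
    ("suspicious", "download volume spike", download_spike),
]


def build_report(events=EVENTS):
    """Collect hits per employee: {user: {group: {indicator: hit_count}}}.
    Users with no hits do not appear, so the report only lists people with something to review."""
    report = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for ev in events:
        for group, name, rule in RULES:
            if rule(ev):
                report[ev["user"]][group][name] += 1
    return {u: {g: dict(n) for g, n in groups.items()} for u, groups in report.items()}


def prioritise(report):
    """Order employees for human review. Weighted count of distinct indicator
    groups comes first (a cluster across groups outranks repeats of one
    indicator; unauthorised behaviours weigh more than suspicious ones),
    then distinct indicators, then raw hit count."""
    weight = {"unauthorised": 2, "suspicious": 1}

    def score(item):
        _, groups = item
        group_weight = sum(weight[g] for g in groups)
        distinct = sum(len(v) for v in groups.values())
        hits = sum(sum(v.values()) for v in groups.values())
        return (group_weight, distinct, hits)

    return [user for user, _ in sorted(report.items(), key=score, reverse=True)]


if __name__ == "__main__":
    rep = build_report()
    for user in prioritise(rep):
        print(user, rep[user])
```

The ranking is deliberately a triage aid for a person, not a verdict: a single denied access has an obvious alternative explanation (a mistyped path, a stale permission), which is why the script keeps per-indicator counts and groups rather than collapsing everything into one score, and why the rostered night-shift user generates nothing at all.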