Simulating Insider Cyber-Threat Risks: A Model-Based Case and a Case-Based Model

August 11, 2005 • White Paper

By

Eliot Rich (University at Albany State University of New York), Ignacio J. Martinez-Moyano (University at Albany State University of New York), Paul Conrad, Dawn Cappelli, Andrew P. Moore, Timothy J. Shimeall, David F. Andersen (University at Albany State University of New York), Jose J. Gonzalez (Agder University College Norway), Robert J. Ellison, Howard F. Lipson, Dave Mundie, Jose M. Sarriegui (University of Navarra Spain), Agata Sawicka (Agder University College Norway), Thomas R. Stewart (University at Albany State University of New York), Jose M. Torres (University of Navarra Spain), Elise A. Weaver (Worcester Polytechnic Institute), and Johannes Wiik (Agder University College Norway)

In this paper, the authors identify actions that may inadvertently lead to increased vulnerability to threats from employees, contractors, and clients.

Publisher

Software Engineering Institute

Subjects

Abstract

The growing reliance on technological infrastructures has made organizations increasingly vulnerable to threats from trusted employees, former employees, current or former contractors, and clients. Recent research indicates that successful defense from these threats depends on both technical and behavioral controls. In this paper, we report on our work to identify seemingly reasonable organizational actions that may inadvertently lead to increased risk exposure. We also consider how potential internal attackers may be encouraged or discouraged by monitoring the organization’s responses to probes of its firm’s security systems.

Two interwoven work products are presented: A case study that presents a particular type of insider threat–long-term fraud–and a simulation model that supports the case, the underlying dynamic theory, and examination of policy options. The case and model combine to produce a motivating and useful exercise that illustrates the problems of insider cyber-threats. This material has been used in teaching of insider threat issues with satisfactory results.

Software Engineering Institute