
Prof. Angela Sasse

Prof. Angela Sasse, University College London. Understanding & Identifying the Insider Threat. CPNI - Personnel Security & Behavioural Assessment. Slides not to be reproduced without prior permission. Content: Introduction to CPNI & Personnel Security framework; Insider behaviour & activities

bgarceau


Presentation Transcript


  1. Prof. Angela Sasse, University College London

  2. Understanding & Identifying the Insider Threat. CPNI - Personnel Security & Behavioural Assessment. Slides not to be reproduced without prior permission.

  3. Content
     • Introduction to CPNI & Personnel Security framework
     • Insider behaviour & activities
     • Research
     • Factors increasing likelihood
     • Triggers
     • Behaviours of concern

  4. Introduction - CPNI
     CPNI
     • Holistic protective security advice to the national infrastructure to reduce vulnerability to terrorism and other threats
     PHYSICAL SECURITY | ELECTRONIC SECURITY | PERSONNEL SECURITY & BEHAVIOURAL ASSESSMENT
     • Reducing vulnerability to Insider threat

  5. The Critical National Infrastructure: Telecommunications, Energy, Finance, Government & Public Services, Water, Health, Emergency Services, Transport, Food

  6. Holistic view of Protective Security

  7. Elements of a good personnel security regime
     • Ensure only staff who are unlikely to present a security concern are employed
     • Help minimise likelihood of employees becoming a security concern
     • Good security & organisational culture
     • Pre-employment screening
     • Prevent, identify and manage employees who may become a security concern
     • Risk assessment
     • Ongoing security management
     • Uses personnel security measures in a way that is proportionate to the insider risk

  8. Definition of an Insider: An Insider is someone who exploits, or has the intention to exploit, their legitimate access to assets for unauthorised purposes

  9. Insider activities …..
     • Direct sabotage (electronic or physical)
     • Facilitation of 3rd party access to sites/information
     • Unauthorised disclosure of information
     • Theft of materials or information
     • Financial & Process corruption

  10. Consequences of Insider activity
     • Corporate
       • Commercial & financial impact
       • Competitor advantage
     • National security
       • Denial or restriction of a key service
       • Facilitation of criminal & terrorist activity
       • Compromising protectively marked information
       • Loss of life/harm to life
     • Damage to
       • Reputation
       • Relationships
       • Buildings & assets
     • Disruption to
       • Processes & procedures
       • IT systems

  11. Types of Insider Behaviour
     • Deliberate penetration with intention of abusing position
     • Opportunistic exploitation of access once in post
     • Unwitting/unintentional insider
     • Ex-employees
     • Exploited by others once in post

  12. Who might be undertaking Insider activity?
     • Terrorists or their associates
     • Foreign Intelligence services
     • Disaffected employees
     • Single-issue groups
     • Commercial competitors
     • Journalists

  13. Motivations of Insiders?
     • Financial gain
     • Revenge
     • Status/recognition
     • Friendship/loyalty
     • Ideological
     • Fear/coercion

  14. Current thinking… Likelihood, Triggers, Opportunity & Behaviours of concern

  15. Current thinking
     • Review of US Insider research
     • Literature review of Disaffection
     • CPNI Insider study
       • case study approach – range of past cases
       • identify common trends
       • develop guidance on reducing vulnerability
       • concludes 2009

  16. Diagram: Likelihood of Insider Activity. Labels: Negative life events, Direct approaches, Negative work events, Management culture, Personality, World events, Life events, Organisational climate, Individual vulnerabilities, Personal circumstances, Security culture, Disaffection + / -, Organisational vulnerabilities, Creating the climate, Specific triggers

  17. Individual Vulnerabilities
     • Life events – history of:
       • Poor or chequered employment
       • Excessive or addictive use of alcohol, drugs or gambling
       • Petty crime
       • Financial weaknesses
     • Personal circumstances
       • Familial ties to countries of concern (competing identities)
       • Sympathy to specific causes/adversarial mindset
       • Difficult family circumstances
       • Change in financial situation
     • Personality predispositions
       • Low self esteem - desire for recognition/status
       • ‘Thrill seeker’ - desire for excitement
       • Overinflated sense of worth/abilities – desire for revenge when not recognised
       • Brittle - oversensitive, unable to accept criticism – desire for revenge for perceived injustices

  18. Organisational vulnerabilities
     Certain situations have potential to increase vulnerability:
     Poor organisational culture & management practices
     Specific types of organisational climate
     • High level of disaffection & staff grievance
       • failure to address grievances
       • failure to identify & manage personnel issues
     • Employee disengagement (or lack of initial engagement)
     • Lower levels of loyalty and commitment
     • Organisation undergoing significant change
       • Re-structuring
       • Downsizing
       • Relocation
     • Impact on morale/ties with organisation

  19. Possible triggers?
     • Major life events
       • Bereavement
       • Divorce / marital problems
       • Change in financial circumstances
     • Work stressors
       • Organisational change
       • Demotion / lack of promotion
       • Perceived injustices
     • World events / crisis of conscience
     • Direct approaches

  20. Diagram: Likelihood in terms of Opportunity. Labels: Specific triggers, Individual vulnerabilities, Organisational vulnerabilities, Opportunity, Inadequate Personnel Security measures, Poor security culture

  21. Opportunity
     Insider activity can be facilitated by:
     • Inadequate personnel security measures
       • Ease of obtaining employment
       • Ease of obtaining information or access during employment
       • Ease of remaining undetected
     • Lack of strong security culture
       • Lack of appreciation of threats/risks
       • Lack of awareness of security policies & practices
       • Low level of ownership & responsibility
       • Low level of compliance with security measures & easier to manipulate

  22. Current thinking… Possible Indicators of Insider threat

  23. Possible Indicators of Insider Threat
     • Not one single factor
     • Clusters & specific combinations
     • Alternative explanations
     • Changes from normal behaviour
     • Assessed in context of employee’s role
       • opportunity and capability to cause harm
     • Legality & discrimination

  24. Possible Indicators of Insider Threat – Behaviours of concern
     Indicator groups:
     • Changes in lifestyle & work behaviours
     • Individual vulnerabilities
     • Suspicious behaviours
     • Unauthorised behaviours
     Combinations and clusters:
     • Greater the number of indicators present, greater the risk
     • Some indicator groups are of more concern

  25. Examples of possible Indicators: Individual vulnerabilities
     On their own, not necessarily an indication of Insider activity
     • Alternative explanations
     Examples:
     • Relatives / close friends in countries known to target UK citizens to obtain sensitive information and/or is associated with a risk of terrorism
     • Sympathy to specific causes/adversarial mindset (particularly if in conflict with nature of work/position)
     • Financial difficulties
     • Addictions
     • Specific personality traits

  26. Examples of possible Indicators: Changes in lifestyle & work behaviours
     On their own, not necessarily an indication of Insider activity
     • Alternative explanations
     Examples:
     • Obvious changes in financial status with no rational explanation
     • Sudden or marked changes in religious, political or social affiliation or practice which has an adverse impact on performance or attitude to security
     • Poor timekeeping / excessive absenteeism
     • Decreased quantity & quality of work
     • Deteriorating relationships with colleagues/line managers (inc complaints)

  27. Examples of possible Indicators: Suspicious behaviours
     On their own, not necessarily an indication of Insider activity
     • But alternative explanations becoming less likely…..
     Examples:
     • Unusually high interest in security measures or history of unusually high security violations
     • Visiting classified areas of work after normal hours, for no logical reason
     • Unusual questioning of co-workers about information/areas which do not have access to
     • Abusing access to databases

  28. Examples of possible Indicators: Unauthorised behaviours
     • A serious security risk
     • Alternative explanations unlikely……
     Examples:
     • Accessing or attempting to access or download information for which not authorised
     • Intentionally photocopying sensitive material for which no logical reason
     • Taking protected or sensitive materials home without proper authorisation

  29. Detection
     • Utilisation of existing personnel security measures
     • Protective monitoring
       • automated alerts and audits to detect unauthorised entry/abnormal usage of IT systems or work areas
     • Aim -> development of practical and reliable tools to support decision making about Insiders
     • Case studies have shown there was:
       • evidence of behaviours of concern about Insiders
       • BUT
       • not collected together in one place so that an individual could make an informed judgement
       • lacked a framework to understand potential warning signs

  30. Detection
     • We aim to develop checklists that could be:
       • applied to an application form at recruitment stage to check past history and capture potential individual vulnerabilities
       • used to support appraisal and/or security interviews, whether by security professionals or line managers
       • used to structure confidential employee reporting schemes

  31. Prevention & Deterrence is key…
     • Comprehensive on-going security measures
       • Limit opportunity
       • Maximise deterrence
       • Provide means to report concerns
     • Robust pre-employment screening
       • Prevent those with intent
       • Identify those who could be vulnerable
     • Strong security culture
       • Appreciate threat & responsibilities
       • Compliance
       • Awareness to signs
       • Willing to report
     • Positive management practices
       • Reduce disaffection
       • Promote loyalty & commitment
       • Address grievances

  32. Summary – Key messages
     • Inter-relationships between factors in ‘creating’ Insider events:
       • Individual ‘v’ Organisational ‘v’ Triggers
     • Reducing cause & opportunity is key (prevention)
     • Detection more complicated
     • Insider research is on-going
       • findings 2009
       • development of tools & checklists to help identify those who may merit further attention
