Earlier this month, I presented a portion of the Institute of Analytic Interviewing’s (IAI) course Insider Threat Hunting — Track, Elicit, Interview, and Mitigate at Black Hat 2019.  Cybersecurity professionals are becoming increasingly aware of the need to develop insider threat detection procedures that go beyond the traditional technical measures.  In response to this, we presented a couple of two-day courses to provide low-tech solutions to a high-tech problem.

Intelligent Communication as an Integrated Model

In our training, we approached the idea of identifying insider threats as a three-legged stool. The three legs of this stool are personality, precipitating stressors, and counterproductive work behaviors. These three legs are significant contributors to someone becoming an insider threat and therefore are important indicators for identifying insider threats “left of bang,” before a significant insider threat event occurs.

It is important to bring these three key areas (personality, precipitating stressors, and counterproductive work behaviors) together, since together they help provide early warning of a potential insider threat event. When we bring these three key areas together, what does this look like? We have found that it looks much like the Intelligent Communication model. This is significant, because the same model we use for effectively communicating with potential sources of information can be a guide to understanding the potential insider threat.

Insider Threat Integrated Model

Personality

Due to a significant amount of research, we can use personality to help us identify those who exhibit one of the three legs of our insider threat stool.  It is important to note that most of those people who exhibit these personality traits will never develop into a malicious insider. Remember, personality is only one of the three legs.

To help us understand personality traits, we provide an overview of the Five-Factor Model (FFM).  This popular and well-researched model divides personality into five domains: openness, conscientiousness, extraversion, agreeableness, and neuroticism (sometimes labeled emotional stability).  These traits are present in everyone’s personality make-up and are rated on a high-low scale. Our integrated model helps us to identify personality traits.

Research into insider threats has shown that three of the personality domains particularly correlate with insider threats. To remember these traits you need only remember that they CAN contribute to someone developing into a malicious insider. In this case, CAN stands for conscientiousness, agreeableness, and neuroticism.

Precipitating Stressors

Stressors often function as triggers. If these stressors persist in a person’s life, they may wear them down. Further, the stressors may contribute to a more direct motive for becoming a malicious insider. While many of these stressors are easy to identify, such as financial stressors, relationship stressors, and health stressors, we also can reach out to research that correlates specific stressors with the development of a malicious insider intent.

Counterproductive Work Behaviors

The third leg of our insider threat stool is counterproductive work behaviors (CWB).  What do we know about CWB? Some of the fundamentals of CWB are that they frequently co-occur, they usually escalate, and they seldom occur spontaneously.  The last of these three fundamentals reminds us that CWB, like personality and precipitating stressors, is only a single type of insider threat indicator.

Identifying and Mitigating Insider Threats

As depicted above, all of these key indicators can be identified and analyzed within a single integrated model and this model guides our approach to identifying malicious insiders.  If you or your organization are interested in improving your ability to identify insider threats left of bang and apply mitigating strategies, contact me or my friends at IAI and let’s chat about making your organization more secure from insider threats.

In the meantime, remember to be quick to hear,

rjm