Page 47 - Cyber Defense eMagazine for July 2020
to prioritize higher-risk employees. In this regard, non-technical indicators help programs to get ahead of
insider threat problems, rather than simply react to them.
Using Non-Technical Risk Indicators
Non-technical indicators are available within most company systems. For example, human resource
information systems will contain data about promotions, demotions, suspensions, performance ratings,
training records and previous employers. Security information systems may have records of violations,
anomalous attempts to gain access to unauthorized areas and, in the case of the defense and aerospace
industry, security-clearance denials.
Facilitating the identification and reporting of additional kinds of non-technical behaviors can be more
challenging. For example, “See Something, Say Something” programs have limited utility for multiple
reasons. First, co-workers often do not consciously recognize the indicators until they are significant or
until something bad happens. Second, if they do recognize a concern, they rarely report it because they
do not see it as significant, or they do not want to get someone they like in trouble.
To overcome these challenges, insider threat programs need to repeatedly communicate that the goal of
the program is to mitigate risks in a proactive and positive manner, helping employees while protecting
company assets. As this goal is accomplished, stakeholders, supervisors and employees will take notice,
which will increase compliance and participation in the reporting program.
Next, insider threat programs need to facilitate the reporting of anomalous activity by supervisors. This
can be accomplished via direct conversations, indirectly through human resources or by using surveys.
The results of this reporting should then inform the insider threat program's threat detection capability.
Temporal Analysis
The importance of integrating and analyzing indicators over time cannot be overstated. Let’s consider a
fictitious scenario where there are non-technical behavioral indicators that increase the threat level of an
employee:
Jolene has been with her company for three years. Initially she was a good performer but that has
changed over the past two years. She has grown increasingly unhappy with her job as a database
administrator and her personal life is in shambles. She finds her role trivial and she feels the
company is not treating her fairly compared to others, which she has expressed to human
resources. She applied for a position in another department but was not selected, which made
her even more angry and frustrated. She has access to mission-critical systems with authorization
to create and destroy databases, tables and records. Her supervisor works from another office
location, and does not meet with her more than once every two weeks. Outside of work, Jolene
barely has enough money to pay rent for a two-bedroom apartment since her boyfriend left town.
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.