Page 47 - Cyber Defense eMagazine for July 2020

to prioritize higher-risk employees. In this regard, non-technical indicators help programs to get ahead of
            insider threat problems, rather than simply react to them.



            Using Non-Technical Risk Indicators

            Non-technical indicators are available within most company systems. For example, human resource
            information systems will contain data about promotions, demotions, suspensions, performance ratings,
            training records and previous employers. Security information systems may have records of violations,
            anomalous attempts to gain access to unauthorized areas and, in the case of the defense and aerospace
            industry, security-clearance denials.

            Facilitating the identification and reporting of additional kinds of non-technical behaviors can be more
            challenging. For example, “See Something, Say Something” programs have limited utility for multiple
            reasons. First, co-workers often do not consciously recognize the indicators until they are significant or
            until something bad happens. Second, if they do recognize a concern, they rarely report it because they
            do not see it as significant, or they do not want to get someone they like in trouble.

            To overcome these challenges, insider threat programs need to repeatedly communicate that the goal of
            the program is to mitigate risks in a proactive and positive manner, helping employees while protecting
            company assets. As this goal is accomplished, stakeholders, supervisors and employees will take notice,
            which will increase compliance and participation in the reporting program.

            Next, insider threat programs need to facilitate the reporting of anomalous activity by supervisors. This
            can be accomplished via direct conversations, indirectly through human resources or by using surveys.
            The results of this reporting should then inform the insider threat program's threat detection capability.



            Temporal Analysis

            The importance of integrating and analyzing indicators over time cannot be overstated. Let’s consider a
            fictitious scenario where there are non-technical behavioral indicators that increase the threat level of an
            employee:
                   Jolene has been with her company for three years. Initially she was a good performer but that has
                   changed over the past two years. She has grown increasingly unhappy with her job as a database
                   administrator and her personal life is in shambles. She finds her role trivial and she feels the
                   company is not treating her fairly compared to others, which she has expressed to human
                   resources. She applied for a position in another department but was not selected, which made
                   her even more angry and frustrated. She has access to mission-critical systems with authorization
                   to create and destroy databases, tables and records. Her supervisor works from another office
                   location, and does not meet with her more than once every two weeks. Outside of work, Jolene
                   barely has enough money to pay rent for a two-bedroom apartment since her boyfriend left town.










            Copyright © 2020, Cyber Defense Magazine.  All rights reserved worldwide.