
Insight Into Insiders and IT: A Survey of Insider Threat Taxonomies, Analysis, Modeling, and Countermeasures

Published: 02 April 2019

Abstract

Insider threats are one of today’s most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. In this work, we propose a structural taxonomy and a novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research while using an existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories that include incidents and datasets, analysis of incidents, simulations, and defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents that is based on existing taxonomies and the 5W1H questions of the information gathering problem. Our survey will enhance researchers’ efforts in the domain of insider threat because it provides (1) a novel structural taxonomy that contributes to orthogonal classification of incidents and defining the scope of defense solutions employed against them, (2) an overview of publicly available datasets that can be used to test new detection solutions against other works, (3) references to existing case studies and frameworks modeling insiders’ behaviors for the purpose of reviewing defense solutions or extending their coverage, and (4) a discussion of existing trends and further research directions that can be used for reasoning in the insider threat domain.


  127. J. S. Okolica, G. L. Peterson, and R. F. Mills. 2008. Using PLSI-U to detect insider threats by datamining e-mail. International Journal of Security and Networks 3, 2 (2008), 114--121. Google ScholarGoogle ScholarDigital LibraryDigital Library
  128. J. Ophoff, A. Jensen, J. Sanderson-Smith, M. Porter, and K. Johnston. 2014. A Descriptive Literature Review and Classification of Insider Threat Research. Technical Report. Department of Information Systems, University of Cape Town, Cape Town, South Africa.Google ScholarGoogle Scholar
  129. S. Panigrahi, S. Sural, and A. K. Majumdar. 2013. Two-stage database intrusion detection by combining multiple evidence and belief update. Information Systems Frontiers 15, 1 (2013), 35--53. Google ScholarGoogle ScholarDigital LibraryDigital Library
  130. J. S. Park and S. M. Ho. 2004. Composite Role-Based Monitoring (CRBM) for Countering Insider Threats. Springer, 201--213.Google ScholarGoogle Scholar
  131. P. Parveen, Z. R. Weger, B. Thuraisingham, K. Hamlen, and L. Khan. 2011. Supervised learning for insider threat detection using stream mining. In Proceedings of the International Conference on Tools With Artificial Intelligence. IEEE, Los Alamitos, CA, 1032--1039. Google ScholarGoogle ScholarDigital LibraryDigital Library
  132. S. L. Pfleeger, J. B. Predd, J. Hunker, and C. Bulford. 2010. Insiders behaving badly: Addressing bad actors and their actions. IEEE Transactions on Information Forensics and Security 5, 1 (2010), 169--179. Google ScholarGoogle ScholarDigital LibraryDigital Library
  133. A. H. Phyo and S. M. Furnell. 2004. A detection-oriented classification of insider IT misuse. In Proceedings of the 3rd Security Conference.Google ScholarGoogle Scholar
  134. C. Posey, R. J. Bennett, and T. L. Roberts. 2011. Understanding the mindset of the abusive insider: An examination of insiders’ causal reasoning following internal security changes. Computers and Security 30, 6 (2011), 486--497. Google ScholarGoogle ScholarDigital LibraryDigital Library
  135. S. Pramanik, V. Sankaranarayanan, and S. Upadhyaya. 2004. Security policies to mitigate insider threat in the document control domain. In Proceedings of the 20th Annual Computer Security Applications Conference. IEEE, Los Alamitos, CA, 304--313. Google ScholarGoogle ScholarDigital LibraryDigital Library
  136. J. Predd, S. L. Pfleeger, J. Hunker, and C. Bulford. 2008. Insiders behaving badly. IEEE Security and Privacy 6, 4 (2008), 66--70. Google ScholarGoogle ScholarDigital LibraryDigital Library
  137. C. W. Probst, R. R. Hansen, and F. Nielson. 2006. Where can an insider attack? In Proceedings of the International Workshop on Formal Aspects in Security and Trust. 127--142. Google ScholarGoogle ScholarDigital LibraryDigital Library
  138. C. W. Probst and J. Hunker. 2010. The risk of risk analysis and its relation to the economics of insider threats. In Economics of Information Security and Privacy. Springer, 279--299.Google ScholarGoogle Scholar
  139. C. W. Probst, J. Hunker, M. Bishop, and D. Gollmann. 2008. Summary—Countering insider threats. In Countering Insider Threats (Dagstuhl Seminar). Leibniz-Zentrum fuer Informatik, Germany.Google ScholarGoogle Scholar
  140. C. W. Probst, J. Hunker, D. Gollmann, and M. Bishop. 2010. Aspects of insider threats. In Insider Threats in Cyber Security. Advances in Information Security, Vol. 49. Springer, 1--15.Google ScholarGoogle Scholar
  141. PWC. 2017. Global Economic Crime Survey 2016: US Results. Retrieved February 7, 2019 from https://www.pwc.com/us/en/forensic-services/economic-crime-survey-us-supplement.html.Google ScholarGoogle Scholar
  142. M. R. Randazzo, M. Keeney, E. Kowalski, D. Cappelli, and A. Moore. 2005. Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector. Technical Report. CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA.Google ScholarGoogle Scholar
  143. V. Raskin, J. M. Taylor, and C. F. Hempelmann. 2010. Ontological semantic technology for detecting insider threat and social engineering. In Proceedings of the Workshop on New Security Paradigms. ACM, New York, NY, 115--128. Google ScholarGoogle ScholarDigital LibraryDigital Library
  144. I. Ray and N. Poolsapassit. 2005. Using attack trees to identify malicious attacks from authorized insiders. In Proceedings of the European Symposium on Research in Computer Security. 231--246. Google ScholarGoogle ScholarDigital LibraryDigital Library
  145. J. Reason. 1990. Human Error. Cambridge University Press.Google ScholarGoogle Scholar
  146. E. Rich, I. J. Martinez-Moyano, S. Conrad, D. M. Cappelli, et al. 2005. Simulating insider cyber-threat risks: A model-based case and a case-based model. In Proceedings of the International Conference of the System Dynamics Society. 17--21.Google ScholarGoogle Scholar
  147. G. P. Richardson. 2001. System dynamics. Encyclopedia of Operations Research and Management Science. Springer US, 807–810.Google ScholarGoogle Scholar
  148. P. R. Sackett. 2002. The structure of counterproductive work behaviors: Dimensionality and relationships with facets of job performance. International Journal of Selection and Assessment 10, 1--2 (2002), 5--11.Google ScholarGoogle ScholarCross RefCross Ref
  149. M. B. Salem, S. Hershkop, and S. J. Stolfo. 2008. A survey of insider attack detection research. In Insider Attack and Cyber Security. Advances in Information Security, Vol. 39. Springer, 69--90.Google ScholarGoogle Scholar
  150. M. B. Salem and S. J. Stolfo. 2009. Masquerade Attack Detection Using a Search-Behavior Modeling Approach. Technical Report CUCS-027-09. Computer Science Department, Columbia University, New York, NY.Google ScholarGoogle Scholar
  151. M. B. Salem and S. J. Stolfo. 2011. Modeling user search behavior for masquerade detection. In Proceedings of the International Workshop on Recent Advances in Intrusion Detection. 181--200. Google ScholarGoogle ScholarDigital LibraryDigital Library
  152. V. Sankaranarayanan, S. Pramanik, and S. Upadhyaya. 2006. Detecting masquerading users in a document management system. In Proceedings of the International Conference on Communications, Vol. 5. IEEE, Los Alamitos, CA, 2296--2301.Google ScholarGoogle Scholar
  153. E. Santos, H. Nguyen, F. Yu, K. Kim, D. Li, J. T. Wilkinson, et al. 2008. Intent-driven insider threat detection in intelligence analyses. In Proceedings of the Conference on Web Intelligence and Intelligent Agent Technology. IEEE, Los Alamitos, CA, 345--349. Google ScholarGoogle ScholarDigital LibraryDigital Library
  154. A. Sanzgiri and D. Dasgupta. 2016. Classification of insider threat detection techniques. In Proceedings of the Annual Cyber and Information Security Research Conference. ACM, New York, NY, 25. Google ScholarGoogle ScholarDigital LibraryDigital Library
  155. M. Schonlau, W. DuMouchel, W. Ju, A. F. Karr, M. Theus, and Y. Vardi. 2001. Computer intrusion: Detecting masquerades. Statistical Science 16, 1 (2001), 58--74.Google ScholarGoogle ScholarCross RefCross Ref
  156. E. Schultz. 2002. A framework for understanding and predicting insider attacks. Computers and Security 21, 6 (2002), 526--531. Google ScholarGoogle ScholarDigital LibraryDigital Library
  157. E. Schultz and R. Shumway. 2001. Incident Response: A Strategic Guide to Handling System and Network Security Breaches. SAMS. Google ScholarGoogle ScholarDigital LibraryDigital Library
  158. T. E. Senator, H. G. Goldberg, A. Memory, W. T. Young, B. Rees, R. Pierce, et al. 2013. Detecting insider threats in a real corporate database of computer usage activity. In Proceedings of the International Conference on Knowledge Discovery and Data Mining. ACM, New York, NY, 1393--1401. Google ScholarGoogle ScholarDigital LibraryDigital Library
  159. D. Servos and S. L. Osborn. 2017. Current research and open problems in attribute-based access control. ACM Computing Surveys 49, 4 (2017), 65. Google ScholarGoogle ScholarDigital LibraryDigital Library
  160. A. Shabtai, Y. Elovici, and L. Rokach. 2012. A Survey of Data Leakage Detection and Prevention Solutions. Springer Science 8 Business Media. Google ScholarGoogle ScholarDigital LibraryDigital Library
  161. N. Shalev, I. Keidar, Y. Moatti, and Y. Weinsberg. 2016. WatchIT: Who watches your IT guy? In Proceedings of the International Workshop on Managing Insider Security Threats. ACM, New York, NY, 93--96. Google ScholarGoogle ScholarDigital LibraryDigital Library
  162. E. Shaw, K. Ruby, and J. Post. 1998. The insider threat to information systems: The psychology of the dangerous insider. Security Awareness Bulletin 2, 98 (1998), 1--10.Google ScholarGoogle Scholar
  163. E. D. Shaw. 2006. The role of behavioral research and profiling in malicious cyber insider investigations. Digital Investigation 3, 1 (2006), 20--31. Google ScholarGoogle ScholarDigital LibraryDigital Library
  164. E. D. Shaw and L. F. Fischer. 2005. Ten Tales of Betrayal: The Threat to Corporate Infrastructure by Information Technology Insiders Analysis and Observations. Technical Report. DTIC Document.Google ScholarGoogle Scholar
  165. F. M. Sibai and D. A. Menascé. 2011. Defeating the insider threat via autonomic network capabilities. In Proceedings of the International Conference on Communication Systems and Networks. IEEE, Los Alamitos, CA, 1--10.Google ScholarGoogle Scholar
  166. S. Sinclair and S. W. Smith. 2008. Preventative directions for insider threat mitigation via access control. In Insider Attack and Cyber Security. Advances in Information Security, Vol. 39. Springer, 165--194.Google ScholarGoogle Scholar
  167. S. J. Stolfo, M. B. Salem, and A. D. Keromytis. 2012. Fog computing: Mitigating insider data theft attacks in the cloud. In Proceedings of the Security and Privacy Workshops. IEEE, Los Alamitos, CA, 125--128. Google ScholarGoogle ScholarDigital LibraryDigital Library
  168. D. W. Straub and R. J. Welke. 1998. Coping with systems risk: Security planning models for management decision making. MIS Quarterly 22, 4 (1998), 441--469. Google ScholarGoogle ScholarDigital LibraryDigital Library
  169. K. Tang, M. Zhao, and M. Zhou. 2011. Cyber insider threats situation awareness using game theory and information fusion-based user behavior predicting algorithm. Journal of Information and Computational Science 8, 3 (2011), 529--545.Google ScholarGoogle Scholar
  170. M. Theoharidou, S. Kokolakis, M. Karyda, and E. Kiountouzis. 2005. The insider threat to information systems and the effectiveness of ISO17799. Computers and Security 24, 6 (2005), 472--484. Google ScholarGoogle ScholarDigital LibraryDigital Library
  171. F. Toffalini, I. Homoliak, A. Harilal, A. Binder, and M. Ochoa. 2018. Detection of masqueraders based on graph partitioning of file system access events. In Proceedings of the Security and Privacy Workshops. IEEE, Los Alamitos, CA, 217--227.Google ScholarGoogle Scholar
  172. R. F. Trzeciak. 2017. SEI Cyber Minute: Insider Threats. Retrieved February 7, 2019 from http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=496626.Google ScholarGoogle Scholar
  173. A. Vance, B. Molyneux, and P. B. Lowry. 2012. Reducing unauthorized access by insiders through user interface design: Making end users accountable. In Proceedings of the Hawaii International Conference on System Science. IEEE, Los Alamitos, CA, 4623--4632. Google ScholarGoogle ScholarDigital LibraryDigital Library
  174. D. S. Wall. 2013. Enemies within: Redefining the insider threat in organizational security policy. Security Journal 26, 2 (2013), 107--124.Google ScholarGoogle ScholarCross RefCross Ref
  175. R. Willison and M. Siponen. 2009. Overcoming the insider: Reducing employee computer crime through situational crime prevention. Communications of the ACM 52, 9 (2009), 133--137. Google ScholarGoogle ScholarDigital LibraryDigital Library
  176. R. Willison and M. Warkentin. 2009. Motivations for employee computer crime: Understanding and addressing workplace disgruntlement through the application of organisational justice. In Proceedings of the International Workshop on Information Systems Security Research. 127--144.Google ScholarGoogle Scholar
  177. R. Willison and M. Warkentin. 2013. Beyond deterrence: An expanded view of employee computer abuse. MIS Quarterly 37, 1 (2013), 1--20. Google ScholarGoogle ScholarDigital LibraryDigital Library
  178. J. F. Wolfswinkel, E. Furtmueller, and C. P. Wilderom. 2013. Using grounded theory as a method for rigorously reviewing literature. European Journal of Information Systems 22, 1 (2013), 45--55.Google ScholarGoogle ScholarCross RefCross Ref
  179. B. Wood. 2000. An insider threat model for adversary simulation. SRI International, Research on Mitigating the Insider Threat to Information Systems 2 (2000), 1--3.Google ScholarGoogle Scholar
  180. J. Wu, J. Zhou, J. Ma, S. Mei, and J. Ren. 2011. An active data leakage prevention model for insider threat. In Proceedings of the International Symposium on Intelligence Information Processing and Trusted Computing. IEEE, Los Alamitos, CA, 39--42. Google ScholarGoogle ScholarDigital LibraryDigital Library
  181. L. Yang, Z. Hu, J. Long, and T. Guo. 2011. 5W1H-based conceptual modeling framework for domain ontology and its application on STPO. In Proceedings of the International Conference on Semantics Knowledge and Grid. IEEE, Los Alamitos, CA, 203--206. Google ScholarGoogle ScholarDigital LibraryDigital Library
  182. Q. Yaseen and B. Panda. 2011. Enhanced insider threat detection model that increases data availability. In Proceedings of the International Conference on Distributed Computing and Internet Technology. 267--277. Google ScholarGoogle ScholarDigital LibraryDigital Library
  183. N. Zhang, W. Yu, X. Fu, and S. K. Das. 2010. Maintaining defender’s reputation in anomaly detection against insider attacks. IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics) 40, 3 (2010), 597--611. Google ScholarGoogle ScholarDigital LibraryDigital Library

    • Published in

      ACM Computing Surveys  Volume 52, Issue 2
      March 2020
      770 pages
      ISSN:0360-0300
      EISSN:1557-7341
      DOI:10.1145/3320149
      Editor: Sartaj Sahni

      Copyright © 2019 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 2 April 2019
      • Accepted: 1 January 2019
      • Revised: 1 November 2018
      • Received: 1 January 2018
      Qualifiers

      • survey
      • Research
      • Refereed
