This study focuses on the threat to information security posed by insiders (i.e., insider threat) as the recent cases of Edward Snowden, Chelsea Manning, and Herman Simm have highlighted the significant risks of “good guys gone bad” within a defence structure. Insider threat has to, in particular, be explored as most security frameworks focus on intrusions by external actors. But what happens if the malicious user is able utilise internal channels to access your systems? What if the perpetrator is someone who you trust? How do you detect and deal with a destructive and hostile insider with a security clearance?
Our work provides a comprehensive overview of insider threat, examines a selection of high-profile incidents and existing research. The analysis takes an interdisciplinary approach, discussing insider threat from technical, legal, and behavioural perspectives. The authors outline the key components of an Insider Threat Programme and propose guidelines to assist organisations that are planning to implement their own programme. Additionally, the study provides legal analysis of seven scenarios that combine the questions and concerns that surfaced during the study. In order to understand what drives different insiders to malicious deeds, it is essential to establish profile types.
An Insider Threat Programme is not a product that can be bought off the shelf, but rather a continuous process. The programme offers the organization the ability to identify and prevent changing risks, detect an incident as it occurs, and once an incident has occurred, respond to the incident in an efficient manner. The analysis and lessons learned from incidents will feed information back into the planning phase, allowing to continuously develop and improve the programme. The main idea is to notice various technical and non-technical detection indicators that can lead to incidents. We propose six different categories of detection indicators – three are related to behavioural aspects, while the remaining three are more technical. For every indicator, we assess its relevance to each of the insider profiles. Most importantly, when analysed and handled properly, these indicators act as precursors that accompany different threats. Early or timely detection allows to minimise the damage, or in best case prevent the incident altogether.