Dr. Fatima Hussain

Behavior Analytics and Insider Threat, RBC Editor, IEEE Newsletter


According to the global data breach level index for cybercrime, 38.8% of incidents are unintentional breaches, followed by 33.62% of incidents attributed to insiders, and only 5.25% carried out with malicious intent. Insider threats arise from employees (and other trusted users) who have legitimate access to resources and exploit that access, intentionally or unintentionally. They are among the most prominent and most difficult threats to tackle in the cyber security domain, because an insider's activity looks, at first glance, like ordinary authorized use. Malicious insider behavior can have dire consequences for an organization's reputation: disruption of critical infrastructure systems and services, exfiltration of confidential data, and the resulting loss of revenue.

Insider threat detection is mainly an anomaly-detection problem. It is driven by whatever data is available, and is therefore biased towards network and endpoint activity analysis: file access logs, web and application access, and email, with a primary focus on the device (laptops and workstations). Research systems, by contrast, draw on data from a wider range of devices, including portable ones. Many models and systems also analyze the behavioral aspects and motivation of attackers during these attacks from a psychological perspective. However, models and systems that combine device and network activity with user behavior in risk analysis and threat prediction are limited, because linking personality traits and behaviors to cyber and network behavior remains a hard problem.
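To make the "anomaly detection over file access logs" idea concrete, here is an added example in Python (written for this page; it is not code from the article or from any of the tools mentioned later). It builds a per-user baseline of daily file-access activity from earlier days, scores the day under review with a z-score against that user's own history, and layers two simple rules on top: access outside office hours and copies to removable media. The log format, user names, paths, thresholds and office-hours window are all assumptions made for the illustration, and the log lines are constructed, not captured from a real system.

```python
"""Added example: per-user behavioral baseline + rule checks over constructed
file-access log lines. Not from the article; the log format is hypothetical."""
import math
import re
from collections import defaultdict

# Assumed log format (hypothetical, not a real product's format):
#   <YYYY-MM-DD>T<HH:MM> user=<id> action=<read|copy> path=<path> dst=<local|share|usb> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2} "
    r"user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+) "
    r"dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)


def build_sample_log():
    """Constructed sample data: five ordinary baseline days per user, then a sixth
    day on which 'alice' bulk-reads a finance share and copies an archive to a USB
    drive late at night (the intentional, malicious case). 'bob' stays normal."""
    lines = []
    for day in range(1, 6):
        for i in range(10 + day % 3):            # alice: 10-12 office-hour reads per day
            lines.append(f"2024-03-0{day}T{9 + i % 8:02d}:15 user=alice action=read "
                         f"path=/finance/report{i}.xlsx dst=local bytes=200000")
        for i in range(6):                       # bob: 6 office-hour reads per day
            lines.append(f"2024-03-0{day}T{10 + i % 6:02d}:40 user=bob action=read "
                         f"path=/eng/spec{i}.pdf dst=local bytes=150000")
    for i in range(40):                          # day 6: alice bulk-reads customer data
        lines.append(f"2024-03-06T{13 + i % 5:02d}:05 user=alice action=read "
                     f"path=/finance/customer{i}.csv dst=local bytes=900000")
    lines.append("2024-03-06T23:10 user=alice action=copy "
                 "path=/finance/customers_all.zip dst=usb bytes=40000000")
    for i in range(6):                           # day 6: bob unchanged
        lines.append(f"2024-03-06T{10 + i % 6:02d}:40 user=bob action=read "
                     f"path=/eng/spec{i}.pdf dst=local bytes=150000")
    return lines


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["hour"] = int(e["hour"])
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def daily_totals(events):
    """-> {user: {date: [event_count, total_bytes]}}"""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for e in events:
        t = totals[e["user"]][e["date"]]
        t[0] += 1
        t[1] += e["bytes"]
    return totals


def zscore(value, history):
    """Standard score of `value` against the user's own earlier days.
    A flat baseline (std == 0) makes any deviation maximally surprising."""
    mean = sum(history) / len(history)
    std = math.sqrt(sum((h - mean) ** 2 for h in history) / len(history))
    if std == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / std


def analyze(events, day, z_threshold=3.0, office_hours=(7, 19)):
    """Score each user's activity on `day` against that user's prior days and
    apply the two rules. Returns {user: [finding, ...]}; quiet users are omitted."""
    totals = daily_totals(events)
    findings = defaultdict(list)
    for user, per_day in totals.items():
        if day not in per_day:
            continue
        history = [per_day[d] for d in sorted(per_day) if d < day]
        if not history:
            continue  # no baseline yet; a real system would fall back to a peer group
        count, nbytes = per_day[day]
        for rule, value, hist in (("event_count", count, [h[0] for h in history]),
                                  ("bytes_read", nbytes, [h[1] for h in history])):
            z = zscore(value, hist)
            if z > z_threshold:
                findings[user].append({"rule": rule, "value": value, "z": round(z, 1)})
    for e in events:
        if e["date"] != day:
            continue
        if not office_hours[0] <= e["hour"] < office_hours[1]:
            findings[e["user"]].append({"rule": "after_hours", "hour": e["hour"], "path": e["path"]})
        if e["dst"] == "usb":
            findings[e["user"]].append({"rule": "removable_media", "path": e["path"], "bytes": e["bytes"]})
    return dict(findings)


if __name__ == "__main__":
    for user, hits in analyze(parse(build_sample_log()), "2024-03-06").items():
        print(user)
        for h in hits:
            print("  ", h)
```

Two design points matter more than the arithmetic. First, the baseline is per user, not global: the same 40 reads that are wildly anomalous for alice would be unremarkable for a data analyst, which is why insider detection is hard to do with fixed thresholds alone. Second, the volume rule on its own would also fire on a perfectly innocent month-end report run; it is the combination with the after-hours copy to removable media that turns a statistical outlier into something worth a human's attention, and a production system would add the user's role, HR context and the classification of the paths touched before raising an alert.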

These insiders may or may not be aware of the vulnerabilities in the deployed systems, platforms, and processes. Insiders and potential insider attacks are more difficult to trace than external attacks, where the attacker's footprints can usually be found with little or no effort; an insider acts with legitimate credentials, so there is no perimeter breach to look for. Essentially, four categories of insider threat are identified: sabotage, data and financial fraud, espionage, and intellectual property (IP) theft:

  • Sabotage is defined as harm done, or a problem created, for a person or an organization.
  • Fraud is defined as an identity crime arising from unauthorized changes to an organization's data.
  • Theft of IP is the stealing of an organization's intellectual property.
  • Espionage is spying on an organization's data to obtain proprietary information for outsiders.

There are three common types of insider threat. The first is unintentional and non-malicious, where users unintentionally or carelessly expose their organization to risk. This may happen when employees download a document to their computer because they are unaware of the organization's policies and procedures regarding content download that prohibit this kind of act. The second is intentional but non-malicious, such as when an employee copies personal information to an open shared directory to speed up their work, despite policies and procedures prohibiting such practice. The third is intentional and malicious, such as when an employee copies confidential information to a personal USB storage device, knowing that this violates the existing policies and procedures, and does so for personal gain, revenge, or as a form of protest.

A few of the popular publicly available insider threat detection tools are Splunk, ManageEngine Endpoint DLP Plus, Datadog Security Monitoring and ActivTrak. Enterprise-level efforts are made, and millions of dollars are spent every year, to combat insider threats, but there is still a long way to go.