Computational and Mathematical Organization Theory, Volume 22, Issue 3, pp 350–381

Using dynamic models to support inferences of insider threat risk

  • Paul J. Sticha
  • Elise T. Axelrad
Special Issue - Insider Threat


Two modeling approaches were integrated to address the problem of predicting the risk of an attack by a particular insider. We present a system dynamics model that incorporates psychological factors including personality, attitude and counterproductive behaviors to simulate the pathway to insider attack. Multiple runs of the model that sampled the population of possible personalities under different conditions resulted in simulated cases representing a wide range of employees of an organization. We then structured a Bayesian belief network to predict attack risk, incorporating important variables from the system dynamics model and learning the conditional probabilities from the simulated cases. Three scenarios were considered for comparison of risk indicators: An average employee (i.e., one who scores at the mean of a number of personality variables), an openly disgruntled malicious insider, and a disgruntled malicious insider who decides to conceal bad behaviors. The counterintuitive result is that employees who act out less than expected, given their particular level of disgruntlement, can present a greater risk of being malicious than other employees who exhibit a higher level of counterproductive behavior. This result should be tempered, however, considering the limited grounding of some of the model parameters. Nevertheless, this approach to integrating system dynamics modeling and Bayesian belief networks to address an insider threat problem demonstrates the potential for powerful prediction and detection capability in support of insider threat risk mitigation.
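A toy version of the pipeline the abstract describes, added here as an illustration and not the authors' model: a seeded simulation stands in for the system dynamics model, and conditional probabilities are learned from its cases by counting. Every variable name and rate below (`disgruntled`, `high_cwb`, the base rates, the share of malicious insiders who conceal) is an assumption chosen for this sketch.

```python
import random
from collections import defaultdict

def simulate_cases(n=40000, seed=7):
    """Stand-in for the dynamic model: one simulated employee per case.
    All probabilities are constructed for illustration, not taken from the paper."""
    rng = random.Random(seed)
    cases = []
    for _ in range(n):
        disgruntled = rng.random() < 0.30
        # Assumed: malicious intent is rare and far likelier when disgruntled.
        malicious = rng.random() < (0.10 if disgruntled else 0.005)
        # Assumed: half of malicious insiders decide to conceal bad behaviors.
        conceals = malicious and rng.random() < 0.5
        # Counterproductive work behavior (CWB) tracks disgruntlement
        # unless the employee is deliberately suppressing it.
        p_cwb = 0.05 if conceals else (0.70 if disgruntled else 0.10)
        high_cwb = rng.random() < p_cwb
        cases.append((disgruntled, high_cwb, malicious))
    return cases

def learn_cpt(cases):
    """Estimate P(malicious | disgruntled, high_cwb) from the simulated cases
    by counting, with add-one (Laplace) smoothing for sparse cells."""
    counts = defaultdict(lambda: [1, 2])  # [malicious + 1, total + 2]
    for disgruntled, high_cwb, malicious in cases:
        cell = counts[(disgruntled, high_cwb)]
        cell[0] += malicious
        cell[1] += 1
    return {key: m / t for key, (m, t) in counts.items()}

def risk(cpt, disgruntled, high_cwb):
    """Look up the learned attack risk for one combination of indicators."""
    return cpt[(disgruntled, high_cwb)]

if __name__ == "__main__":
    cpt = learn_cpt(simulate_cases())
    for d in (False, True):
        for c in (False, True):
            print(f"disgruntled={d!s:5} high_cwb={c!s:5} "
                  f"risk={risk(cpt, d, c):.3f}")
```

Under these assumed rates the learned risk for a disgruntled employee with low counterproductive behavior comes out at roughly 0.19, against roughly 0.06 for a disgruntled employee with high counterproductive behavior, which reproduces the direction of the counterintuitive result.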


Insider threat, Insider sabotage, System dynamics, Bayesian belief network, Dynamic simulation



We thank Andrew Moore, Kirk Kennedy, and Thomas Dover for helpful comments on drafts of our paper, and for inviting us to the Insider Threat Modeling and Simulation Research Meeting held at the Software Engineering Institute at Carnegie Mellon University. These ideas also benefited from some discussions conducted at Sandia National Laboratory. Finally, we thank the Human Resources Research Organization for supporting parts of this work.



Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  1. Human Resources Research Organization (HumRRO), Alexandria, USA
