Environment Systems and Decisions, Volume 35, Issue 4, pp 504–510

Percolation Model of insider threats to assess the optimum number of rules



Rules, regulations, and policies are the basis of civilized society and are used to coordinate the activities of individuals who have a variety of goals and purposes. History has taught that over-regulation (too many rules) makes it difficult to compete and under-regulation (too few rules) can lead to crisis. This implies an optimal number of rules that avoids these two extremes. Rules create boundaries that define the latitude at which an individual has to perform their activities. This paper creates a Toy Model of a work environment and examines it with respect to the latitude provided to a normal individual and the latitude provided to an insider threat. Simulations with the Toy Model illustrate four regimes with respect to an insider threat: under-regulated, possibly optimal, tipping point, and over-regulated. These regimes depend upon the number of rules (N) and the minimum latitude (L_min) required by a normal individual to carry out their activities. The Toy Model is then mapped onto the standard 1D Percolation Model from theoretical physics, and the same behavior is observed. This allows the Toy Model to be generalized to a wide array of more complex models that have been well studied by the theoretical physics community and also show the same behavior. Finally, by estimating N and L_min, it should be possible to determine the regime of any particular environment.


Insider Threat Percolation Security Strategy Modeling Simulation Regulation Policy 



This work is sponsored by the Assistant Secretary of Defense for Research and Engineering under Air Force Contract #FA8721-05-C-0002. Opinions, interpretations, recommendations, and conclusions are those of the authors and are not necessarily endorsed by the United States Government.



Copyright information

© Springer Science+Business Media New York (outside the USA) 2015

Authors and Affiliations

  1. MIT Lincoln Laboratory, Lexington, USA
