A Risk Management Approach to the “Insider Threat”

  • Matt Bishop
  • Sophie Engle
  • Deborah A. Frincke
  • Carrie Gates
  • Frank L. Greitzer
  • Sean Peisert
  • Sean Whalen
Part of the Advances in Information Security book series (ADIS, volume 49)


Recent surveys indicate that the financial impact and operating losses due to insider intrusions are increasing. But these studies often disagree on what constitutes an “insider”; indeed, many define it only implicitly. In theory, appropriate selection of, and enforcement of, properly specified security policies should prevent legitimate users from abusing their access to computer systems, information, and other resources. However, even if policies could be expressed precisely, the natural mapping between the natural language expression of a security policy, and the expression of that policy in a form that can be implemented on a computer system or network, creates gaps in enforcement. This paper defines “insider” precisely, in terms of these gaps, and explores an access-based model for analyzing threats that include those usually termed “insider threats.” This model enables an organization to order its resources based on the business value for that resource and of the information it contains. By identifying those users with access to high-value resources, we obtain an ordered list of users who can cause the greatest amount of damage. Concurrently with this, we examine psychological indicators in order to determine which users are at the greatest risk of acting inappropriately. We conclude by examining how to merge this model with one of forensic logging and auditing.
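The abstract sketches an access-based ranking: value each resource, find who can reach it, and order users by the value they can reach, then weigh that against a per-user indicator score. The following is an added illustration of that idea in Python; it is not code from the chapter or its authors. The resource values, the access relation, the indicator scores and the product scoring rule are all constructed assumptions chosen to make the ranking visible, and the access relation stands for what the system actually enforces rather than what the written policy intended.

```python
"""Added illustration of an access-based user ranking (constructed example)."""
from typing import Dict, List, Set, Tuple

# Constructed business value of each resource (the resource itself plus the
# information it holds). Higher means more damage if it is misused.
RESOURCE_VALUE: Dict[str, int] = {
    "payroll_db": 90,
    "source_repo": 70,
    "hr_records": 60,
    "wiki": 10,
}

# Constructed access relation: which users the *enforced* policy lets reach
# which resources (the implemented policy, not the natural-language one).
ACCESS: Dict[str, Set[str]] = {
    "alice": {"payroll_db", "hr_records"},
    "bob": {"source_repo", "wiki"},
    "carol": {"payroll_db", "source_repo", "hr_records", "wiki"},
    "dave": {"wiki"},
}

# Constructed per-user indicator score in [0, 1]; the scale and the numbers
# are assumptions, not a scheme the chapter prescribes.
INDICATOR: Dict[str, float] = {"alice": 0.1, "bob": 0.5, "carol": 0.2, "dave": 0.9}


def rank_resources(values: Dict[str, int]) -> List[Tuple[str, int]]:
    """Order resources by business value, highest first (ties broken by name)."""
    return sorted(values.items(), key=lambda kv: (-kv[1], kv[0]))


def exposure(user: str, access: Dict[str, Set[str]], values: Dict[str, int]) -> int:
    """Total value a user can reach: an upper bound on the damage that user alone can cause."""
    return sum(values.get(r, 0) for r in access.get(user, set()))


def rank_users_by_exposure(access: Dict[str, Set[str]],
                           values: Dict[str, int]) -> List[Tuple[str, int]]:
    """Users ordered by reachable value: the 'who can do the most damage' list."""
    scored = [(u, exposure(u, access, values)) for u in access]
    return sorted(scored, key=lambda kv: (-kv[1], kv[0]))


def users_with_access(resource: str, access: Dict[str, Set[str]]) -> Set[str]:
    """Everyone who can reach a resource: the population to audit for that resource."""
    return {u for u, rs in access.items() if resource in rs}


def rank_users_by_risk(access: Dict[str, Set[str]], values: Dict[str, int],
                       indicator: Dict[str, float]) -> List[Tuple[str, float]]:
    """Combine capability (exposure) with likelihood (indicator score).
    The product is a constructed scoring rule; any monotone combination would do."""
    scored = [(u, round(exposure(u, access, values) * indicator.get(u, 0.0), 2))
              for u in access]
    return sorted(scored, key=lambda kv: (-kv[1], kv[0]))


def audit_priority(access: Dict[str, Set[str]], values: Dict[str, int],
                   top_n: int = 2) -> List[Tuple[str, Set[str]]]:
    """For the top_n most valuable resources, list who can reach them: a starting
    point for deciding where detailed forensic logging is worth its cost."""
    return [(r, users_with_access(r, access)) for r, _ in rank_resources(values)[:top_n]]


if __name__ == "__main__":
    print("resources by value:", rank_resources(RESOURCE_VALUE))
    print("users by exposure: ", rank_users_by_exposure(ACCESS, RESOURCE_VALUE))
    print("users by risk:     ", rank_users_by_risk(ACCESS, RESOURCE_VALUE, INDICATOR))
    print("audit priority:    ", audit_priority(ACCESS, RESOURCE_VALUE))
```

With these constructed inputs the exposure ranking puts carol first (she reaches everything), while the risk ranking moves bob above alice because his indicator score outweighs his smaller reach; the audit list names the few accounts whose activity on the top resources is worth logging in detail.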







Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Matt Bishop (1)
  • Sophie Engle (1)
  • Deborah A. Frincke (2)
  • Carrie Gates (3)
  • Frank L. Greitzer (2)
  • Sean Peisert (1)
  • Sean Whalen (1)

  1. Dept. of Computer Science, University of California at Davis
  2. Pacific Northwest National Laboratory
  3. CA Labs., Inc.
