Organizational Sensing for Insider Threat Detection
Jeffrey M. Stanton
Syracuse University School of Information Studies
May 29, 2015
IT Organization as Sensor
Amazon Rank: #784,784 in Books
Makes the argument that extensive IT monitoring of employee technology use works best with high levels of employee awareness and buy-in
[Figure: two-axis taxonomy of behaviors. Axes: Intentions (Malicious to Benevolent) and Expertise (Expert to Novice). Category labels: Intentional Destruction, Detrimental Misuse, Dangerous Tinkering, Naïve Mistakes, Aware Assurance, Basic Hygiene. Additional label on the figure: Unintentional Insecurity.]
*110 Information Security professionals generated lists of behaviors and rated them.
Social Network as Sensor
Shuyuan Ho (2008) promotes the metaphor of social networks as behavioral sensors; colleagues with ample opportunity to observe a target’s behavior over time have the capability to detect unexpected changes, or “anomalies,” in a target’s behavior
(Ho, S.M. (2008) Attribution-based Anomaly Detection: Trustworthiness in an Online Community. In Huan Liu, John J. Salerno and Michael J. Young, Social Computing, Behavioral Modeling, and Prediction (pp. 129-140). New York: Springer US.)
Other Organizational Sensor Types
HR: Changes to benefit configurations, demographic data changes, vacation drought, travel authorizations, grievances and appeals
Finance: Changes to temporal & geographical expenditure patterns; exceptions to standard operating procedures; audit results
Procurement & Facilities: Atypical requests for equipment, software; room reservations, door swipes, ID card replacement
Sensors work well when tuned to detect meaningful events and ignore meaningless ones; fusing data across multiple sensors tends to improve reliability; coordinated analysis, triggering, response, and feedback tends to improve system performance
John Seely Brown and Paul Duguid (1991): Organizational Learning and Communities-of-Practice
Learning in organizations occurs primarily within communities of practice (COPs) – interacting groups sharing a common base of professional “stories”
Effective diagnosis of difficult problems and innovative solutions result from antiphonal recitation (Orr, 1990): sharing the story from different perspectives within the COP
Departmentalization encloses COPs within a range of related professional specializations (e.g., corporate analysis; mergers and acquisitions; equity and debt; underwriting)
Antiphonal recitation then reflects a narrowed set of perspectives; organizational learning only occurs in isolated pockets
Enhancing Organizational Learning for Improved Sensing
Legitimize Peripheral Participation
Bake-in cross-training, cross-functional teams, shadowing, externships
Enable, reward, and celebrate “maverick” communities