Abstract
Two modeling approaches were integrated to address the problem of predicting the risk of an attack by a particular insider. We present a system dynamics model that incorporates psychological factors including personality, attitude and counterproductive behaviors to simulate the pathway to insider attack. Multiple runs of the model that sampled the population of possible personalities under different conditions resulted in simulated cases representing a wide range of employees of an organization. We then structured a Bayesian belief network to predict attack risk, incorporating important variables from the system dynamics model and learning the conditional probabilities from the simulated cases. Three scenarios were considered for comparison of risk indicators: An average employee (i.e., one who scores at the mean of a number of personality variables), an openly disgruntled malicious insider, and a disgruntled malicious insider who decides to conceal bad behaviors. The counterintuitive result is that employees who act out less than expected, given their particular level of disgruntlement, can present a greater risk of being malicious than other employees who exhibit a higher level of counterproductive behavior. This result should be tempered, however, considering the limited grounding of some of the model parameters. Nevertheless, this approach to integrating system dynamics modeling and Bayesian belief networks to address an insider threat problem demonstrates the potential for powerful prediction and detection capability in support of insider threat risk mitigation.
Similar content being viewed by others
References
Andersen DF, Cappelli DM, Gonzalez JJ, Mojtahedzadeh M, Moore AP, Rich E, Sarriegui JM, Shimeall TJ, Stanton JM, Weaver E, Zagonel A (2004). Preliminary system dynamics maps of the insider cyber-threat problem. Proceedings of the 22nd International Conference of the System Dynamics Society. Oxford, England, 2004. http://www.cert.org/archive/pdf/InsiderThreatSystemDynamics.pdf
Axelrad ET, Sticha PJ, Brdiczka O, Shen J (2013). A Bayesian network model for predicting insider threats. Paper presented at the Workshop on Research for Insider Threat (WRIT) 2013, San Francisco
Band SR, Cappelli DM, Fischer LF, Moore AP, Shaw ED, Trzeciak RF (2006) Comparing insider IT sabotage and espionage: a model-based analysis (Technical Report cmu/sei-2006-tr-026; esc-tr-2006-091). Carnegie Mellon University Software Engineering Institute, CERT Program
Brehm JW (1966) A theory of psychological reactance. Academic Press, New York
Brehm SS, Brehm JW (1981) Psychological reactance: a theory of freedom and control. Academic Press, New York
Cappelli DM, Desai AG, Moore AP, Shimeall T J, Weaver EA, Willke BJ (2006). Management and Education of the Risk of Insider Threat (MERIT): mitigating the risk of sabotage to employers’ information, systems, or networks. Proceedings of the 24th International System Dynamics Conference. Nijmegen, Netherlands. http://www.albany.edu/cpr/sds/conf2006/proceed/proceed.pdf
Cappelli DM, Moore AP, Trzeciak RF (2012) The CERT guide to insider threats: how to prevent, detect, and respond to information technology crimes (theft, sabotage, fraud), SEI series in software engineering. Pearson Education Inc, Upper Saddle River
Castillo E, Gutiérrez JM, Hadi AS (1998) Modeling probabilistic networks of discrete and continuous variables. J Multivar Anal 64(1):48–65
Conrad SH, Durán FA, Conrad GN, Duggan DP, Held EB (2009). Modeling the employee life cycle to address the insider threat. In Proc. 27th Int’l Conference of Sys Dynamics Society. Albuquerque, NM
Dawes RM, Faust D, Meehl P (1989) Clinical versus actuarial judgment. Science 243:1668–1674
Defense Personnel and Security Research Center (2014) Adjudicative desk reference (version 4). Author, Seaside
Director of Central Intelligence (1990). Project SLAMMER Interim Report. Intelligence Community Staff Memorandum ICS 0858‐90. A declassified interim report is available at: https://antipolygraph.org/documents/slammer-12-04-1990.pdf
Greitzer FL, Frincke DA (2010) Combining traditional cyber security audit data with psychosocial data: towards predictive modeling for insider threat mitigation. In: Probst CW, Hunker J, Bishop M, Gollmann D (eds) Insider threats in cyber security. Springer, US, pp 85–113
Herbig KL, Wiskoff MF (2002) Espionage against the United States by American citizens 1947–2001 (Technical Report 02-5). Defense Personnel Security Research Center, Monterey CA
Hilbig BE, Zettler I (2015) When the cat’s away, some mice will play: a basic trait account of dishonest behavior. J Res Pers 57:72–88
Jakobwitz S, Egan V (2006) The ‘dark triad’ of psychopathy and normal personality traits. Pers Individ Differ 40:331–339
Korb KB, Nicholson AE (2010) Bayesian artificial intelligence, 2nd edn. CRC Press, Boca Raton
Maloof MA, Stephens GD (2007). ELICIT: A system for detecting insiders who violate need-to-know. Recent Advances in Intrusion Detection, 146–166. Lecture notes in computer science, Volume 4637. Berlin: Springer
Martinez-Moyano I, Rich E, Conrad SH, Andersen D (2006). Modeling the emergence of insider threat vulnerabilities. Informs Winter Simulation Conference, Monterey, CA
Martinez-Moyano IJ, Rich E, Conrad S, Andersen DF, Stewart TR (2008). A behavioral theory of insider threat risks: a system dynamics approach. ACM Transactions on Modeling and Computer Simulation, 18(2), 7:1–26
Melara C, Sarriegui JM, Gonzalez J, Sawicka A, Cooke DL (2003) A system dynamics model of an insider attack on an information system. In: Gonzalez JJ (ed) From modeling to managing security: a system dynamics approach. Norwegian Academic Press, Kristiansand, pp 9–36
Moore AP, Cappelli DM, Joseph H, Trzeciak RF (2007). An experience using system dynamics to facilitate an insider threat workshop. In Proceedings of the 25th International Conference of the System Dynamics Society, July 29-August 2, 2007, Boston MA, USA
Moshagen M, Hilbig BE, Musch J (2011) Defection in the dark? A randomized response investigation of cooperativeness in social dilemma games. Euro J Soc Psychol 41:638–644
Mount M, Ilies R, Johnson E (2006) Relationship of personality traits and counterproductive work behaviors: the mediating effects of job satisfaction. Pers Psychol 59:591–622
O’Connor BP, Dyce JA (2002) Tests of general and specific models of personality disorder configuration. In: Costa PT, Widiger TA (eds) Personality disorders and the five-factor model of personality. American Psychological Association, Washington, DC, pp 223–246
Paulhus DL, Williams KM (2002) The dark triad of personality: narcissism, machiavellianism and psychopathy. J Res Pers 36:556–563
Rich E, Martinez-Moyano IJ, Conrad S, Cappelli DM, Moore AP, Gonzalez JJ, Ellison RJ, Lipson HF, Mundie DA, Sarriegui JM, Sawicka A, Stewart TR, Weaver EA, Wiik J (2005). Simulating insider cyber-threat risks: a model-based case and a case-based model. In Proceedings of the 23rd International Conference of the System Dynamics Society, July 17–21, 2005, Boston MA, USA
Robinson SL (1996). Trust and breach of the psychological contract. Administrative Science Quarterly, 574–599
Russell SS, Cullen MJ, Bosshardt MJ, Juraska SE, Stellmack AL, Duehr EE, Jeansonne KR (2009) Cyber behavior and personnel security (Institute Report#661). Personnel Decisions Research Institutes Inc, Minneapolis
Solomon RL, Corbitt JD (1974) An opponent-process theory of motivation: i. Temporal Dyn Affect Psychol Rev 81:119–145
Tulupyev AL, Nikolenko SI (2005) Directed cycles in Bayesian belief networks: probabilistic semantics and consistency checking complexity. In MICAI, 2005 advances in artificial intelligence. Springer, Berlin Heidelberg, pp 214–223
Van Gelder JL (2013) Beyond rational choice: the hot/cool perspective of criminal decision making. Psychol Crime Law 19(9):745–763
Vancouver JB, Weinhardt JM (2012) Modeling the mind and the milieu: computational modeling for micro-level organizational researchers. Organ Res Methods 15(4):602–623
Werner KB, Few LR, Bucholz KK (2015) Epidemiology, comorbidity, and behavioral genetics of antisocial personality disorder and psychopathy. Psychiatric Annals 45(4):195
Zhao HAO, Wayne SJ, Glibkowski BC, Bravo J (2007) The impact of psychological contract breach on work-related outcomes: a meta-analysis. Pers Psychol 60(3):647–680
Zuckerman M (1994). Behavioral expressions and biosocial bases of sensation seeking. Cambridge university press
Zuckerman M (2007) Sensation seeking and risky behavior. American Psychological Association, Washington, DC
Acknowledgments
We thank Andrew Moore, Kirk Kennedy, and Thomas Dover for helpful comments on drafts of our paper, and for inviting us to the Insider Threat Modeling and Simulation Research Meeting held at the Software Engineering Institute at Carnegie Mellon University. These ideas also benefited from some discussions conducted at Sandia National Laboratory. Finally, we thank the Human Resources Research Organization for supporting parts of this work.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Sticha, P.J., Axelrad, E.T. Using dynamic models to support inferences of insider threat risk. Comput Math Organ Theory 22, 350–381 (2016). https://doi.org/10.1007/s10588-016-9209-1
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10588-016-9209-1