INFORMATION SECURITY INSIDER THREAT VISUALIZATION: THEFT OF INTELLECTUAL PROPERTY
1National Research Nuclear University MEPhI (Moscow Engineering Physics Institute), Russia, Moscow
2Financial University under the Government of the Russian Federation, Russia, Moscow
Anthony.Zaytsev@gmail.com, AAMalyuk@mephi.ru
Contents
2. Development of information security insider threat system dynamics models
3. Visualization of theft of intellectual property for business advantages
4. Visualization of theft of intellectual property for business advantages with accomplices.
Abstract
This paper deals with the problem of insider threat visualization. An insider threat classification is presented, a method of visualizing insider threats with system dynamics modeling is considered, and forecasting behavioral models for the threats of theft of intellectual property for business advantages, alone and with accomplices, are developed.
Key words: system dynamics, behavioral models, scientific visualization, imitation modeling, insider threat, intellectual property
Research in the field of information security in Russia has until recently concentrated on countermeasures to outsider threats. Consequently there is a considerable armory of countermeasures to outsider threats, including standards and best practices, which have gone through several improvement cycles and provide a sufficient level of information assurance if implemented correctly.
The problem of protecting information assets and IT infrastructure from insider threats cannot be solved by technology alone; it requires organizational measures as well. Because of this, there are at present no widely accepted common practices for securing information assets and IT infrastructure from insider threats.
Information assurance against insider threats is the most complicated problem in information security, because it depends on psychological and behavioral aspects that managers can hardly assess or forecast. For instance, a manager may suppose that sanctioning a subordinate would diminish the insider threat, whereas quite the contrary it often leads to escalation of the conflict and raises the probability of information system sabotage (IT-sabotage). Thus decision support for countermeasures against a potential insider threat with the help of behavioral models is a problem of very high importance. For effective decisions a manager may well take the aid of visual information, which is easy to perceive and allows the dynamics of a potential insider information security incident to be understood better (provided the quality of the visual information is adequate).
System dynamics is an expedient approach for visualizing an insider's behavior [1]. The Carnegie Mellon University Software Engineering Institute CERT Insider Threat Team (CERT) first applied this approach to insider threat research in 2003 [2]. They collected open-source information about insider threat incidents, developed a classification of insider threats, and built causal loop diagrams (CLD) for each class of insider threat they identified. The diagrams they created help one understand an insider's behavior better, but a CLD cannot be used to run a simulation and obtain visual information for further analysis and decision-making.
Independently of CERT, system dynamics was used as a method for insider threat research in [3]. In that work a single flow diagram (FD) for all classes of insider threats was developed, but this FD also cannot be used for simulation and computer visualization.
This paper considers a method of obtaining visual information about a potential insider's behavior with the help of system dynamics modeling. Forecasting models for theft of intellectual property (IP) are developed and the visual output of a test simulation is presented.
System dynamics modeling of any system, including the behavior of an insider, consists of the following sequence of steps:
1. Building a common relationship diagram, which represents the interconnections between the main elements of the modeled system. At this step the behavior of the insider should be studied and the main clusters of factors that influence the dynamics of the insider threat should be identified.
2. Development of a CLD. At this step the main elements of the modeled system should be considered in detail and their relationships depicted in the form of causal relationships (CR). The set of these parameters and CR forms a directed graph. A CR is considered positive if an increase (decrease) of the influencing parameter causes an increase (decrease) of the influenced parameter; if an increase of the influencing parameter causes a decrease of the influenced parameter, the CR is considered negative. The system's parameters and CR form causal loops (CL) that determine the insider's behavior. A CL can likewise be positive (reinforcing) or negative (balancing) according to its influence on the system's behavior: a balancing CL flattens out the system's dynamics, while a reinforcing CL amplifies them. The type of a CL depends on the number of negative CR in it: an odd number of negative CR forms a balancing CL and an even number forms a reinforcing CL. Elements not included in any CL are exogenous and should be set by the analyst during simulation.
3. Development of an FD. At this step the CLD is transformed into an FD. A parameter that is influenced by many other parameters through positive and negative CR should be chosen as a level. Special FD parameters called flows cause the levels to change. Additional FD parameters can be used if needed: constants, auxiliary variables, tables, etc.
4. Determination of parameters and test simulation. At this step the analyst determines the parameters of the modeled system. It is practical to determine the relative strength of the main CL and set the model's parameters accordingly. It is also appropriate to check the system's behavior at the boundary values of the parameters, because the insider's behavior is often obvious at these extreme values. Sometimes it is practical to debug the model at the level of one or several elements. Then a test simulation is carried out. This simulation should provide visual information, a depiction of the insider's potential behavior, which confirms or refutes the adequacy of the model.
The insider's behavior differs considerably from one threat to another. Therefore every threat should be modeled separately.
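As an added example (not code from the paper), the loop-classification rule of step 2 applied to a directed graph built from the Table 2 relationships. The paper gives its CLD only as a figure, so the +/- polarity of each edge and the extra «Employees awareness» element are assumptions made for illustration. The same cycle enumeration also reports which elements lie outside every loop and therefore have to be set as exogenous inputs in step 4:

```python
"""Causal loop polarity for a CLD (step 2 of the modelling procedure).

Added example, not the paper's own model. The signed edges below are built
from the Table 2 relationships; the +/- polarities and the extra «Employees
awareness» element are assumptions made for illustration only.
"""

# (influencing element, influenced element, polarity); +1 = positive CR,
# -1 = negative CR (increase of the influencing element decreases the influenced one)
CLD_EDGES = [
    ("Insider's motivation", "Insider's behavior", +1),
    ("Insider's behavior", "Organization receiving information", +1),
    ("Organization receiving information", "Organization's reaction", +1),
    ("Organization's reaction", "Insider's motivation", -1),  # assumed: sanctions damp motivation
    ("Organization's reaction", "Insider's dismissal", +1),
    ("Insider's dismissal", "Insider's motivation", +1),      # dismissal as a motive for the crime
    ("Insider's motivation", "Collusion", +1),
    ("Collusion", "Insider's technical privileges", +1),
    ("Insider's technical privileges", "Insider's behavior", +1),
    ("Insider's behavior", "Organization's damage", +1),
    ("Employees awareness", "Organization receiving information", +1),  # assumed exogenous input
]


def loop_polarity(signs):
    """Odd number of negative CR -> balancing loop, even -> reinforcing loop."""
    return "balancing" if signs.count(-1) % 2 == 1 else "reinforcing"


def simple_cycles(edges):
    """Enumerate every simple cycle once, as (node list, edge-sign list).

    Each cycle is discovered from its alphabetically smallest node, and the
    search never steps onto a node smaller than that start, so no cycle is
    reported twice.
    """
    nodes = sorted({n for a, b, _ in edges for n in (a, b)})
    index = {n: i for i, n in enumerate(nodes)}
    adjacency = {}
    for a, b, sign in edges:
        adjacency.setdefault(a, []).append((b, sign))
    cycles = []

    def walk(start, node, path, signs):
        for nxt, sign in adjacency.get(node, []):
            if nxt == start:
                cycles.append((list(path), signs + [sign]))
            elif index[nxt] > index[start] and nxt not in path:
                walk(start, nxt, path + [nxt], signs + [sign])

    for start in nodes:
        walk(start, start, [start], [])
    return cycles


def classify_loops(edges):
    """Return (path, number of negative CR, 'balancing'|'reinforcing') per loop."""
    return [(path, signs.count(-1), loop_polarity(signs))
            for path, signs in simple_cycles(edges)]


def elements_outside_loops(edges):
    """Elements that belong to no causal loop: exogenous inputs (no incoming
    edge) and pure outputs such as the organization's damage."""
    nodes = {n for a, b, _ in edges for n in (a, b)}
    in_loop = {n for path, _ in simple_cycles(edges) for n in path}
    return sorted(nodes - in_loop)


if __name__ == "__main__":
    for path, negatives, kind in classify_loops(CLD_EDGES):
        print(f"{kind:11s} ({negatives} negative CR): " + " -> ".join(path + [path[0]]))
    print("outside any loop:", elements_outside_loops(CLD_EDGES))
```

With these assumed polarities the graph contains four loops. The two that pass through the organization's sanction alone are balancing (one negative CR), while the two that pass through «Insider's dismissal» contain no negative CR and are reinforcing, which is the escalation effect of dismissal the introduction warns about. «Employees awareness» and «Organization's damage» lie outside every loop and are handled as an exogenous input and an output respectively.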
The insider threat classification based on [2, 4-7] is given in Table 1.
Table 1 – Insider threat classification

| Insider threat | Insider's motivation | Insider expects dismissal | Internal collusion | External collusion |
|---|---|---|---|---|
| IT-sabotage | Disgruntlement | Sometimes | No | No |
| IT-espionage | Money, disgruntlement | No | No | Yes |
| Manager fraud | Money | No | No (social engineering of subordinates) | No |
| Non-manager fraud | Money | No | No | Sometimes |
| Theft of IP for business advantages | Business advantages, disgruntlement | Yes | No | Yes |
| Theft of IP for business advantages with accomplices | Business advantages | Yes | Yes | Yes |
| Unintentional negligent insider | No | No | No | No |
| Unintentional manipulated insider | No | No | No | Social engineering |
Some definitions should be introduced.
Insider – a current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and who, through action or inaction, causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization's information assets, IT infrastructure, or financial systems [2, 7]. An intentional insider causes harm with intent and is motivated; an unintentional insider causes harm unintentionally.
IT-sabotage – an information security threat: an insider's use of the organization's information systems to direct specific harm at the organization or an individual [2].
Theft of IP for business advantages – an information security threat: an insider's use of the organization's information systems to steal confidential or proprietary information from the organization in order to take it to a new job, to get a new job, or to start a business [6].
IT-fraud – an information security threat: an insider's use of the organization's information systems for the unauthorized modification, addition, or deletion of the organization's data (not programs or systems) for personal gain, or for theft of information that leads to an identity crime (e.g., identity theft or credit card fraud) [5].
IT-espionage – an information security threat: an insider's use of the organization's information systems to collect and pass confidential information to an external party (a competing organization or a foreign country) for the benefit of that party, without intending to leave the organization. If the external party is a competing organization, the term «industrial espionage» should be used; if the external party is a foreign country, the term «international espionage» should be used.
On the basis of [2-8] and information about insider threat incidents from other open sources, a typical scenario of insider crime and a common relationship diagram of the insider threat were developed.
Motivation is the key element for committing a crime. Motivation is interconnected with collusion for IT-espionage, theft of IP for business advantages alone and with accomplices, and part of the non-manager fraud threats. The insider checks whether the privileges he possesses are enough to carry out the crime and resorts to internal collusion (for theft of IP for business advantages with accomplices) or to manipulating subordinates (for manager fraud). The insider's behavior can cause harm to the organization, but it also gives the organization an opportunity to obtain information about the commission of the crime. The organization can respond to a potential or committed crime in different ways; one of the sanctioning options is to dismiss the insider. But dismissal can itself be a motive for committing the crime for such threats as IT-sabotage and theft of IP for business advantages alone or with accomplices.
The main elements of the modeled system are listed in Table 2 and the common relationship diagram is shown in Fig. 1.
Table 2 – Main elements of the modeled system and their relationships

| № | Element | Influencing elements |
|---|---|---|
| 1 | Insider's motivation | Organization's reaction; Collusion; Insider's dismissal |
| 2 | Organization's reaction | Organization receiving information |
| 3 | Organization receiving information | Insider's behavior |
| 4 | Insider's technical privileges | Organization's reaction; Collusion; Insider's dismissal; Insider's behavior |
| 5 | Collusion | Insider's motivation; Insider's technical privileges |
| 6 | Organization's damage | Insider's behavior |
| 7 | Insider's dismissal | Insider's motivation; Organization's reaction |
| 8 | Insider's behavior | Insider's motivation; Insider's technical privileges |

Fig. 1. Common relationship diagram for insider threats
On the basis of [6] and information about insider threat incidents from other open sources, an insider's portrait (Table 3) and the common features of theft of IP for business advantages (Table 4) were developed.
Table 3 – Insider's portrait for the theft of IP threat

| № | Attribute | Description |
|---|---|---|
| 1 | Position held | Software developer, researcher, client manager, manager (thieves usually hold a technical position but are not privileged users) |
| 2 | Attack methods | Technically simple, within legitimate privileges |
| 3 | Nature of actions | Theft of confidential information: IP, software, know-how, business plans, client databases, physical equipment |
| 4 | Crime's duration | 1 month (uncommonly 2 or more) before departure |
| 5 | Crime's disclosure | Messages from clients; messages from non-technical employees; sudden appearance of a competing organization; information security monitoring and audit; data loss prevention (DLP) systems |
Table 4 – Common features of the theft of IP threat

| № | Common feature | Element |
|---|---|---|
| 1 | The majority of thieves steal information related to their work; frequently they took part in developing it. As the insider's investment in the information and the organization grows, his feeling of entitlement grows too. | Insider's motivation |
| 2 | Disgruntlement is typical for a thief of IP for business advantages who acts alone. | Insider's motivation |
| 3 | The insider typically does not carry out any planning or preparation. | Insider's motivation |
| 4 | The majority of thieves had signed a non-disclosure agreement. The organization should remind employees about non-disclosure agreements and the responsibility for theft of IP during periodic information security training. | Insider's motivation |
| 5 | Insiders typically do not consider theft of IP for business advantages a crime. The theft happens during the month before departure, and the insider typically has no specific plan for using the stolen information. | Insider's motivation; Insider's dismissal; Insider's behavior |
| 6 | The insider acts alone and may attempt to cover up his tracks. | Insider's behavior; Organization receiving information |
| 7 | Copying of a large amount of information to an external network or a removable device can be an indicator of an ongoing crime. The sudden appearance of a competing organization can be an indicator of a committed crime. The organization can obtain information about an ongoing or committed crime from its employees (the insider's colleagues or manager) or from clients, whom the insider may be using to his advantage. | Organization receiving information |
| 8 | The volume of theft tends to recede if the insider learns of the organization's suspicions. | Insider's motivation; Insider's behavior; Organization receiving information; Organization's reaction |
| 9 | The volume of theft tends to grow if the insider covers up his tracks. | Insider's motivation; Organization receiving information; Insider's behavior |
The simulation environment Vensim PLE was used to develop the CLD and FD. Vensim is intended for the investigation of complex dynamic systems and is free for academic use. The Vensim notation is listed in Table 5 (the graphical symbols themselves are not reproduced here; they appear in Figs. 2, 3, 6 and 7).
Table 5 – System dynamics diagram notation

| Parameter's notation | Explanation |
|---|---|
| (graphical symbol) | Variable or constant |
| (graphical symbol) | Level |
| (graphical symbol) | Flow, causing a change of a level |
| (graphical symbol) | Positive CR |
| (graphical symbol) | Negative CR |
| (graphical symbol) | Logical CR – a logical dependence expressed as a logical function |
| (graphical symbol) | «Ghost» variable: an auxiliary element, a link to the variable given in brackets, used to simplify the diagram's appearance |
The CLD for theft of IP for business advantages is shown in Fig. 2.
Fig. 2. CLD for theft of IP for business advantages
After analysis the following parameters were turned into levels: «Insider's investment into information», «Insider's willingness to commit theft», «Insider's feeling of entitlement», «Employees awareness about information security», «Organization's trust in insider», «Organization's awareness about insider's behavior».
The FD for theft of IP for business advantages is shown in Fig. 3.
Fig. 3. FD for theft of IP for business advantages
Let us run a simulation and obtain visual information for the threat of theft of IP for business advantages alone. First, let us set a low value for the «Insider's disgruntlement» parameter. The insider's willingness to retire (external collusion or founding his own company) appears on day 30 of the simulation. Nevertheless, although the insider's feeling of entitlement reaches its maximum value on day 53 of the simulation, the theft is not committed, owing to the insider's high loyalty (Fig. 4).
Fig. 4. Willingness to commit theft and feeling of entitlement with a low value of disgruntlement
Let us run the simulation again with a high value of the insider's disgruntlement. This time, although the insider's feeling of entitlement does not reach its peak, the theft is committed, owing to the insider's low loyalty (Fig. 5).
Fig. 5. Willingness to commit theft and feeling of entitlement with a high value of disgruntlement
On the basis of [6] and information about insider threat incidents from other open sources, an insider's portrait (Table 6) and the common features of theft of IP for business advantages with accomplices (Table 7) were developed.
Table 6 – Insider's portrait for the theft of IP with accomplices threat

| № | Attribute | Description |
|---|---|---|
| 1 | Position held | Software developer, researcher, client manager, manager (thieves usually hold a technical position but are not privileged users) |
| 2 | Attack methods | The insider does not have sufficient privileges to access the information, which causes him to recruit accomplices. |
| 3 | Nature of actions | Theft of confidential information: IP, software, know-how, business plans, client databases, physical equipment |
| 4 | Crime's duration | 1 month (uncommonly 2 or more) before departure |
| 5 | Crime's disclosure | Messages from clients; messages from non-technical employees; sudden appearance of a competing organization; information security monitoring and audit; data loss prevention (DLP) systems; news about use of the stolen information |
Table 7 – Common features of the theft of IP with accomplices threat

| № | Common feature | Element |
|---|---|---|
| 1 | The majority of thieves steal information related to their work; frequently they took part in developing it. As the insider's investment in the information and the organization grows, his feeling of entitlement grows too. | Insider's motivation |
| 2 | Disgruntlement is not typical for a thief of IP for business advantages who acts with accomplices. | Insider's motivation |
| 3 | The volume of theft tends to recede if the insider learns of the organization's suspicions. | Insider's motivation; Insider's behavior; Organization receiving information; Organization's reaction |
| 4 | The volume of theft tends to grow if the insider covers up his tracks. | Insider's motivation; Organization receiving information; Insider's behavior |
| 5 | The volume of theft tends to recede in the case of long planning, since the probability of disclosure by the organization increases. | Insider's motivation; Insider's behavior; Organization receiving information |
| 6 | The more the insider invests in planning, the harder it is for him to refrain from stealing. | Insider's motivation |
| 7 | If the insider lacks privileges, he tries to recruit accomplices; before that he typically tries to obtain access himself. | Collusion; Insider's behavior |
| 8 | Copying of a large amount of information to an external network or a removable device can be an indicator of an ongoing crime. The sudden appearance of a competing organization can be an indicator of a committed crime. The organization can obtain information about an ongoing or committed crime from its employees (the insider's colleagues or manager) or from clients, whom the insider may be using to his advantage. | Organization receiving information |
| 9 | The majority of thieves had signed a non-disclosure agreement. The organization should remind employees about non-disclosure agreements and the responsibility for theft of IP during periodic information security training. | Insider's motivation |
The CLD for theft of IP for business advantages with accomplices is shown in Fig. 6.
Fig. 6. CLD for theft of IP for business advantages with accomplices
After analysis the following parameters were turned into levels: «Insider's investment into information», «Insider's willingness to commit theft», «Insider's feeling of entitlement», «Employees awareness about information security», «Organization's trust in insider», «Organization's awareness about insider's behavior», «Number of accomplices».
The FD for theft of IP for business advantages with accomplices is shown in Fig. 7.
Fig. 7. FD for theft of IP for business advantages with accomplices
Let us run a simulation and obtain visual information for the threat of theft of IP for business advantages with accomplices. Willingness to retire (external collusion or founding his own company) appears on day 30 of the simulation, an unsuccessful attempt by the insider to access the information himself happens on day 33, and the theft of IP with accomplices happens on day 46. These events are depicted as step functions in Figs. 8, 9 and 10.
The recruitment of accomplices is depicted in Fig. 8. During the simulation the insider succeeds in recruiting 3 accomplices.
Fig. 8. Hiring accomplices
The organization's trust in the insider grows steadily during the first 40 days of the simulation. The organization's awareness of the insider's behavior reaches a significant level only after the insider uses the stolen information (Fig. 9).
Fig. 9. Organization's trust in the insider and awareness of his behavior
The crime happened because of the organization's high initial level of trust in the insider. It caused a lack of technical control over the insider's actions and a lack of employee awareness about information security (Fig. 10).
Fig. 10. Level of technical control and employees' awareness about information security
Let us carry out another simulation with a low initial level of the organization's trust in the insider. This time the organization succeeded in detecting the suspicious activity in time and taking countermeasures, such as raising the level of technical control and conducting information security training. No crime was committed (Fig. 11).
Fig. 11. Visualization of theft of IP with accomplices with a low value of trust in the insider
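The following is an added example, not the paper's Vensim model, of steps 3 and 4 applied to both simulated scenarios: theft of IP alone under low and high disgruntlement (Figs. 4 and 5) and theft with accomplices under high and low initial trust (Figs. 8 to 11). The level names and the day-30 retirement and day-33 failed-access events follow the text; every flow equation, rate constant and the 0.5 threshold are assumptions chosen to show the mechanism, so the days on which theft or detection occur in this model are not the paper's figures.

```python
"""Stock-and-flow (FD) simulation of the two theft-of-IP scenarios.

Added example, not the paper's Vensim model. Every equation, rate constant
and threshold is an assumption chosen to reproduce the mechanism the text
describes, not its figures: levels are normalised to 0..1, the events
«willingness to retire» (day 30) and «failed attempt to access the
information alone» (day 33) are step functions of the simulation day, and
theft or detection happen when a level crosses a threshold.
"""

RETIRE_DAY = 30       # willingness to retire appears (as in the paper's runs)
SELF_ACCESS_DAY = 33  # failed self-access attempt; recruiting starts (as in the paper)
THRESHOLD = 0.5       # assumed level at which theft / detection occurs


def simulate(initial, rates, params, days, dt=1.0):
    """Euler integration of an FD: level += dt * flow, levels clamped to 0..1.
    Returns the per-day history of all levels."""
    state = dict(initial)
    history = [dict(state, day=0.0)]
    for step in range(1, int(days / dt) + 1):
        day = step * dt
        for level, flow in rates(state, params, day).items():
            state[level] = min(1.0, max(0.0, state[level] + dt * flow))
        history.append(dict(state, day=day))
    return history


def first_day(history, level, threshold=THRESHOLD):
    """Day on which a level first reaches the threshold, or None."""
    for row in history:
        if row[level] >= threshold:
            return row["day"]
    return None


def rates_alone(s, p, day):
    """Theft of IP alone (assumed flows): entitlement grows with the insider's
    investment in the information; willingness to steal grows after the
    decision to leave, scaled by disgruntlement and damped by loyalty."""
    retire = 1.0 if day >= RETIRE_DAY else 0.0
    loyalty = 1.0 - p["disgruntlement"]
    return {
        "investment": 0.05 * (1.0 - s["investment"]),
        "entitlement": 0.05 * s["investment"] * (1.0 - s["entitlement"]),
        "willingness": retire * 0.10 * s["entitlement"] * p["disgruntlement"]
                       - 0.05 * loyalty * s["willingness"],
    }


def theft_alone(disgruntlement, days=60):
    """Day the theft is committed (willingness crosses the threshold) or None."""
    history = simulate({"investment": 0.0, "entitlement": 0.0, "willingness": 0.0},
                       rates_alone, {"disgruntlement": disgruntlement}, days)
    return first_day(history, "willingness")


def rates_accomplices(s, p, day):
    """Theft of IP with accomplices (assumed flows): after the failed self-access
    attempt the insider recruits accomplices; technical control, taken as the
    complement of the organization's trust, turns that activity into awareness.
    Recruiting stops once the organization reacts (awareness over threshold) or
    once all accomplices are in place; use of the stolen IP then raises awareness."""
    control = 1.0 - p["trust"]
    detected = s["awareness"] >= THRESHOLD
    stolen = s["accomplices"] >= 1.0
    recruiting = 1.0 if day >= SELF_ACCESS_DAY and not detected and not stolen else 0.0
    return {
        "accomplices": 0.08 * recruiting,   # 1.0 == every needed accomplice recruited
        "awareness": 0.06 * control * (1.0 + s["accomplices"]) * recruiting
                     + (0.10 if stolen else 0.0),
    }


def theft_with_accomplices(trust, needed=3, days=60):
    """Outcome of one run: theft day, detection day and accomplices recruited."""
    history = simulate({"accomplices": 0.0, "awareness": 0.0},
                       rates_accomplices, {"trust": trust}, days)
    return {
        "theft_day": first_day(history, "accomplices", 1.0),
        "detection_day": first_day(history, "awareness"),
        "accomplices_recruited": round(history[-1]["accomplices"] * needed),
    }


if __name__ == "__main__":
    for d in (0.2, 0.8):
        print(f"alone, disgruntlement={d}: theft day {theft_alone(d)}")
    for t in (0.9, 0.2):
        print(f"with accomplices, trust={t}: {theft_with_accomplices(t)}")
```

Run stand-alone, the script prints one line per scenario. With the assumed constants the lone insider steals only in the high-disgruntlement run: with low disgruntlement the loyalty term keeps willingness below the threshold however high entitlement climbs, which is the balancing effect the text attributes to loyalty. In the accomplice scenario high trust means weak technical control, so awareness stays low until the stolen IP is used and all accomplices are recruited; low trust raises awareness past the threshold while recruitment is still under way, recruiting stops and no theft occurs. Sweeping `disgruntlement` and `trust` across 0 and 1 is the boundary-value check recommended in step 4.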
This paper has considered a method of decision-making support for countering insider threats by visualizing the insider's behavior with system dynamics modeling. A common relationship diagram for insider threats and forecasting behavioral models for the threats of theft of intellectual property for business advantages, alone and with accomplices, have been developed. The visual information obtained with the help of these models can help a manager choose an insider threat countermeasure with minimum damage to the organization.
1. Forrester J. Osnovy kibernetiki predprijatija [Fundamentals of enterprise cybernetics]. Moscow: Progress, 1971 [in Russian].
2. Silowash G., Cappelli D., Moore A., Trzeciak R., Shimeall T.J., Flynn L. Common Sense Guide to Mitigating Insider Threats, 4th Edition. Software Engineering Institute, CERT Program, 2012.
3. Zajcev A.S., Maljuk A.A. Issledovanie problemy vnutrennego narushitelja [Study of the insider problem]. Herald of RSUH, 2012, No. 14, pp. 114-134 [in Russian].
4. Band S.R., Cappelli D.M., Moore A.P., Shaw E.D., Trzeciak R.F. Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis. Software Engineering Institute, CERT Program, 2006.
5. Cummings A., Lewellen T., McIntire D., Moore A.P., Trzeciak R. Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector. Software Engineering Institute, CERT Program, 2012.
6. Moore A.P., Cappelli D.M., Caron T.C., Shaw E., Trzeciak R.F. Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model. First International Workshop on Managing Insider Security Threats (MIST 2009), Purdue University, West Lafayette, 2009.
7. The CERT Insider Threat Team. Unintentional Insider Threats: A Foundational Study. Software Engineering Institute, CERT Division, 2013.
8. PERSEREC. Espionage and Other Compromises of National Security: Case Summaries from 1975 to 2008. Monterey, CA: Defense Personnel Security Research Center, 2009.