Understanding & Identifying the Insider Threat
CPNI - Personnel Security & Behavioural Assessment
Slides not to be reproduced without prior permission
Content
• Introduction to CPNI & Personnel Security framework
• Insider behaviour & activities
• Research
  • Factors increasing likelihood
  • Triggers
  • Behaviours of concern
• Reducing vulnerability to Insider threat
CPNI (diagram)
• Physical Security
• Personnel Security & Behavioural Assessment
• Electronic Security
Introduction - CPNI
• Holistic protective security advice to the national infrastructure to reduce vulnerability to terrorism and other threats
The Critical National Infrastructure: Telecommunications, Energy, Finance, Government & Public Services, Water, Health, Emergency Services, Transport, Food
Elements of a good personnel security regime
• Pre-employment screening: ensure only staff who are unlikely to present a security concern are employed
• Good security & organisational culture: help minimise likelihood of employees becoming a security concern
• Ongoing security management: prevent, identify and manage employees who may become a security concern
• Risk assessment: uses personnel security measures in a way that is proportionate to the insider risk
Definition of an Insider
An Insider is someone who exploits, or has the intention to exploit, their legitimate access to assets for unauthorised purposes
Insider activities …..
• Unauthorised disclosure of information
• Direct sabotage (electronic or physical)
• Facilitation of 3rd party access to sites/information
• Financial & process corruption
• Theft of materials or information
Consequences of Insider activity
Corporate:
• Damage to:
  • Reputation
  • Relationships
  • Buildings & assets
• Disruption to:
  • Processes & procedures
  • IT systems
• Commercial & financial impact
• Competitor advantage
National security:
• Loss of life/harm to life
• Denial or restriction of a key service
• Facilitation of criminal & terrorist activity
• Compromising protectively marked information
Types of Insider Behaviour
• Deliberate penetration with intention of abusing position
• Opportunistic exploitation of access once in post
• Exploited by others once in post
• Unwitting/unintentional insider
• Ex-employees
Who might be undertaking Insider activity?
• Terrorists or their associates
• Foreign Intelligence services
• Disaffected employees
• Single-issue groups
• Commercial competitors
• Journalists
Motivations of Insiders?
• Financial gain
• Revenge
• Status/recognition
• Friendship/loyalty
• Ideological
• Fear/coercion
Current thinking
• Review of US Insider research
• Literature review of Disaffection
• CPNI Insider study
  • case study approach – range of past cases
  • identify common trends
  • develop guidance on reducing vulnerability
  • concludes 2009
Likelihood of Insider Activity (diagram)
• Individual vulnerabilities: personality, life events, personal circumstances
• Specific triggers: world events, direct approaches, negative work events, negative life events
• Disaffection
• Organisational vulnerabilities (+/-) – creating the climate: management culture, organisational climate, security culture
Individual Vulnerabilities
• Life events – history of:
  • Poor or chequered employment
  • Excessive or addictive use of alcohol, drugs or gambling
  • Petty crime
  • Financial weaknesses
• Personal circumstances
  • Familial ties to countries of concern (competing identities)
  • Sympathy to specific causes/adversarial mindset
  • Difficult family circumstances
  • Change in financial situation
• Personality predispositions
  • Low self esteem – desire for recognition/status
  • ‘Thrill seeker’ – desire for excitement
  • Overinflated sense of worth/abilities – desire for revenge when not recognised
  • Brittle – oversensitive, unable to accept criticism – desire for revenge for perceived injustices
Organisational vulnerabilities
Certain situations have potential to increase vulnerability:
• Poor organisational culture & management practices:
  • High level of disaffection & staff grievance
    • failure to address grievances
    • failure to identify & manage personnel issues
  • Employee disengagement (or lack of initial engagement)
  • Lower levels of loyalty and commitment
• Specific types of organisational climate:
  • Organisation undergoing significant change
    • Re-structuring
    • Downsizing
    • Relocation
  • Impact on morale/ties with organisation
Possible triggers?
• Major life events
  • Bereavement
  • Divorce / marital problems
  • Change in financial circumstances
• Work stressors
  • Organisational change
  • Demotion / lack of promotion
  • Perceived injustices
• World events / crisis of conscience
• Direct approaches
Likelihood in terms of Opportunity (diagram)
• Opportunity: inadequate personnel security measures, poor security culture
• Specific triggers
• Individual vulnerabilities
• Organisational vulnerabilities
Opportunity
Insider activity can be facilitated by:
• Lack of strong security culture:
  • Lack of appreciation of threats/risks
  • Lack of awareness of security policies & practices
  • Low level of ownership & responsibility
  • Low level of compliance with security measures & easier to manipulate
• Inadequate personnel security measures:
  • Ease of obtaining employment
  • Ease of obtaining information or access during employment
  • Ease of remaining undetected
Possible Indicators of Insider Threat
• Not one single factor
• Clusters & specific combinations
• Alternative explanations
• Changes from normal behaviour
• Assessed in context of employee’s role
  • opportunity and capability to cause harm
• Legality & discrimination
Possible Indicators of Insider Threat – Behaviours of concern
• Individual vulnerabilities
• Changes in lifestyle & work behaviours
• Suspicious behaviours
• Unauthorised behaviours
Greater the number of indicators present, greater the risk
Some indicator groups are of more concern
Combinations and clusters
Examples of possible Indicators
Individual vulnerabilities
• Relatives / close friends in countries known to target UK citizens to obtain sensitive information and/or is associated with a risk of terrorism
• Sympathy to specific causes/adversarial mindset (particularly if in conflict with nature of work/position)
• Financial difficulties
• Addictions
• Specific personality traits
• On their own, not necessarily an indication of Insider activity
• Alternative explanations
Examples of possible Indicators
Changes in lifestyle & work behaviours
• Obvious changes in financial status with no rational explanation
• Sudden or marked changes in religious, political or social affiliation or practice which have an adverse impact on performance or attitude to security
• Poor timekeeping / excessive absenteeism
• Decreased quantity & quality of work
• Deteriorating relationships with colleagues/line managers (inc complaints)
• On their own, not necessarily an indication of Insider activity
• Alternative explanations
Examples of possible Indicators
Suspicious behaviours
• Unusually high interest in security measures or history of unusually high security violations
• Visiting classified areas of work after normal hours, for no logical reason
• Unusual questioning of co-workers about information/areas to which they do not have access
• Abusing access to databases
• On their own, not necessarily an indication of Insider activity
• But alternative explanations becoming less likely…..
Examples of possible Indicators
Unauthorised behaviours
• Accessing or attempting to access or download information for which they are not authorised
• Intentionally photocopying sensitive material for which there is no logical reason
• Taking protected or sensitive materials home without proper authorisation
• A serious security risk
• Alternative explanations unlikely……
Detection
• Utilisation of existing personnel security measures
• Protective monitoring
  • automated alerts and audits to detect unauthorised entry/abnormal usage of IT systems or work areas
• Aim -> development of practical and reliable tools to support decision making about Insiders
• Case studies have shown there was:
  • evidence of behaviours of concern about Insiders
  BUT
  • not collected together in one place so that an individual could make an informed judgement
  • lacked a framework to understand potential warning signs
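As an added illustration of the protective-monitoring point on this slide (example code written for this page, not CPNI material), the following Python gathers behaviours of concern from constructed access-log events in one place and scores clusters of indicators rather than single events; the working-hours window, query baseline, weights and review threshold are all assumed values.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of protective-monitoring events (not real data).
# Fields: employee, timestamp, event type, resource, whether the employee
# held authorisation for that resource.
EVENTS = [
    ("alice", "2009-03-02 09:15", "door", "lab-restricted", True),
    ("alice", "2009-03-02 23:40", "door", "lab-restricted", True),
    ("alice", "2009-03-03 00:05", "door", "lab-restricted", True),
    ("alice", "2009-03-03 10:00", "file", "project-x-plan", False),
    ("bob", "2009-03-02 18:30", "door", "lab-restricted", True),
    ("bob", "2009-03-02 10:10", "db", "customer-records", True),
    ("carol", "2009-03-02 11:00", "db", "customer-records", True),
] + [("carol", "2009-03-02 11:%02d" % m, "db", "customer-records", True)
     for m in range(1, 60)]  # carol: 60 queries in one day

# Assumed scoring: unauthorised behaviours weigh more than suspicious ones,
# and a cluster of indicators counts for more than any single one.
WEIGHTS = {"unauthorised": 3, "suspicious": 1}
REVIEW_THRESHOLD = 3
CORE_HOURS = (7, 19)   # assumed normal working day, 07:00-19:00
DB_BASELINE = 30       # assumed queries/day above which usage is abnormal

def classify(events):
    """Gather each employee's behaviours of concern in one place."""
    indicators = defaultdict(list)
    db_per_day = defaultdict(int)
    for who, ts, kind, res, authorised in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if not authorised:  # access attempt to information not authorised
            indicators[who].append(("unauthorised", f"attempt on {res} at {ts}"))
        elif kind == "door" and not CORE_HOURS[0] <= t.hour < CORE_HOURS[1]:
            indicators[who].append(("suspicious", f"after-hours entry to {res} at {ts}"))
        elif kind == "db":
            db_per_day[(who, t.date())] += 1
    for (who, day), n in db_per_day.items():  # abnormal database usage
        if n > DB_BASELINE:
            indicators[who].append(("suspicious", f"{n} queries on {day}"))
    return indicators

def review_candidates(events):
    """Score indicator clusters; return employees meriting further attention."""
    out = {}
    for who, found in classify(events).items():
        score = sum(WEIGHTS[group] for group, _ in found)
        if score >= REVIEW_THRESHOLD:
            out[who] = {"score": score, "indicators": found}
    return out
```

A listed employee merits further attention, not a conclusion: the threshold requires either an unauthorised behaviour or a cluster of suspicious ones precisely because single indicators usually have alternative explanations.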
Detection
• We aim to develop checklists that could be:
  • applied to an application form at recruitment stage to check past history and capture potential individual vulnerabilities
  • used to support appraisal and/or security interviews, whether by security professionals or line managers
  • used to structure confidential employee reporting schemes
Prevention & Deterrence is key…
• Comprehensive on-going security measures
  • Limit opportunity
  • Maximise deterrence
  • Provide means to report concerns
• Positive management practices
  • Reduce disaffection
  • Promote loyalty & commitment
  • Address grievances
• Strong security culture
  • Appreciate threat & responsibilities
  • Compliance
  • Awareness to signs
  • Willing to report
• Robust pre-employment screening
  • Prevent those with intent
  • Identify those who could be vulnerable
Summary – Key messages
• Inter-relationships between factors in ‘creating’ Insider events:
  • Individual ‘v’ Organisational ‘v’ Triggers
• Reducing cause & opportunity is key (prevention)
• Detection more complicated
• Insider research is on-going
  • findings 2009
  • development of tools & checklists to help identify those who may merit further attention