Presentation is loading. Please wait.

Presentation is loading. Please wait.

Prof. Angela Sasse University College London. Understanding & Identifying the Insider Threat CPNI - Personnel Security & Behavioural Assessment Slides.

Similar presentations

Presentation on theme: "Prof. Angela Sasse University College London. Understanding & Identifying the Insider Threat CPNI - Personnel Security & Behavioural Assessment Slides."— Presentation transcript:

1 Prof. Angela Sasse University College London


3 Understanding & Identifying the Insider Threat CPNI - Personnel Security & Behavioural Assessment Slides not to be reproduced without prior permission

4 Content Introduction to CPNI & Personnel Security framework Insider behaviour & activities Research Factors increasing likelihood Triggers Behaviours of concern

5 CPNI PHYSICAL SECURITY PERSONNEL SECURITY & BEHAVIOURAL ASSESSMENT ELECTRONIC SECURITY Reducing vulnerability to Insider threat Introduction - CPNI Holistic protective security advice to the national infrastructure to reduce vulnerability to terrorism and other threats

6 The Critical National Infrastructure: Telecommunications Energy Finance Government & Public Services Water Health Emergency Services Transport Food

7 Holistic view of Protective Security

8 Pre-employment screening Ensure only staff who are unlikely to present a security concern are employed Elements of a good personnel security regime Good security & organisational culture Help minimise likelihood of employees becoming a security concern Ongoing security management Prevent, identify and manage employees who may become a security concern Risk assessment Uses personnel security measures in a way that is proportionate to the insider risk

9 Definition of an Insider An Insider is someone who exploits, or has the intention to exploit, their legitimate access to assets for unauthorised purposes

10 Insider activities ….. Unauthorised disclosure of information Direct sabotage (electronic or physical) Facilitation of 3rd party access to sites/information Financial & Process corruption Theft of materials or information

11 Consequences of Insider activity Damage toReputation Relationships Buildings & assets Disruption toProcesses & procedures IT systems Commercial & financial impact Competitor advantage Loss of life/harm to life Denial or restriction of a key service Facilitation of criminal & terrorist activity Compromising protectively marked information Corporate National security

12 Types of Insider Behaviour Insider Exploited by others once in post Deliberate penetration with intention of abusing position Opportunistic exploitation of access once in post Ex-employees Unwitting/ unintentional insider

13 Who might be undertaking Insider activity? Terrorists or their associates Foreign Intelligence services Disaffected employees Single-issue groups Commercial competitors Journalists

14 Motivations of Insiders? Financial gain Revenge Status/recognition Friendship/loyalty Ideological Fear/coercion

15 Likelihood, Triggers, Opportunity & Behaviours of concern Current thinking…

16 Current thinking Review of US Insider research Literature review of Disaffection CPNI Insider study case study approach – range of past cases identify common trends develop guidance on reducing vulnerability concludes 2009

17 Specific triggers Likelihood of Insider Activity Personality Life events Personal circumstances World events Direct approaches Negative work events Negative life events Disaffection Individual vulnerabilities Organisational vulnerabilities + / - Creating the climate Management culture Organisational climate Security culture

18 Individual Vulnerabilities Life events – history of: Poor or chequered employment Excessive or addictive use of alcohol, drugs or gambling Petty crime Financial weaknesses Personal circumstances Familial ties to countries of concern (competing identities) Sympathy to specific causes/adversarial mindset Difficult family circumstances Change in financial situation Personality predispositions Low self esteem - desire for recognition/status ‘Thrill seeker’ - desire for excitement Overinflated sense of worth/abilities – desire for revenge when not recognised Brittle - oversensitive, unable to accept criticism – desire for revenge for perceived injustices

19 Organisational vulnerabilities Certain situations have potential to increase vulnerability: High level of disaffection & staff grievance failure to address grievances failure to identify & manage personnel issues Employee disengagement (or lack of initial engagement) Lower levels of loyalty and commitment Poor organisational culture & management practices Organisation undergoing significant change Re-structuring Downsizing Relocation Impact on morale/ties with organisation Specific types of organisational climate

20 Possible triggers? Major life events Bereavement Divorce / marital problems Change in financial circumstances Work stressors Organisational change Demotion / lack of promotion Perceived injustices World events / crisis of conscience Direct approaches

21 Opportunity Inadequate Personnel Security measures Poor security culture Likelihood in terms of Opportunity Specific triggers ……… > Individual vulnerabilities Organisational vulnerabilities

22 Opportunity Insider activity can be facilitated by: Lack of appreciation of threats/risks Lack of awareness of security policies & practices Low level of ownership & responsibility Low level of compliance with security measures & easier to manipulate Lack of strong security culture Ease of obtaining employment Ease of obtaining information or access during employment Ease of remaining undetected Inadequate personnel security measures

23 Current thinking… Possible Indicators of Insider threat

24 Not one single factor Clusters & specific combinations Alternative explanations Changes from normal behaviour Assessed in context of employee’s role opportunity and capability to cause harm Legality & discrimination Possible Indicators of Insider Threat

25 Possible Indicators of Insider Threat – Behaviours of concern Individual vulnerabilities Unauthorised behaviours Suspicious behaviours Changes in lifestyle & work behaviours Greater the number of indicators present, greater the risk Some indicator groups are of more concern Combinations and clusters

26 Examples of possible Indicators Individual vulnerabilities Relatives / close friends in countries known to target UK citizens to obtain sensitive information and/or is associated with a risk of terrorism Sympathy to specific causes/adversarial mindset (particularly if in conflict with nature of work/position) Financial difficulties Addictions Specific personality traits On their own, not necessarily an indication of Insider activity Alternative explanations

27 Changes in lifestyle & work behaviours Obvious changes in financial status with no rational explanation Sudden or marked changes in religious, political or social affiliation or practice which has an adverse impact on performance or attitude to security Poor timekeeping / excessive absenteeism Decreased quantity & quality of work Deteriorating relationships with colleagues/line managers (inc complaints) On their own, not necessarily an indication of Insider activity Alternative explanations Examples of possible Indicators

28 Suspicious behaviours Unusually high interest in security measures or history of unusually high security violations Visiting classified areas of work after normal hours, for no logical reason Unusual questioning of co-workers about information/areas which do not have access to Abusing access to databases On their own, not necessarily an indication of Insider activity But alternative explanations becoming less likely…..

29 Examples of possible Indicators A serious security risk Alternative explanations unlikely…… Unauthorised behaviours Accessing or attempting to access or download information for which not authorised Intentionally photocopying sensitive material for which no logical reason Taking protected or sensitive materials home without proper authorisation

30 Detection Utilisation of existing personnel security measures Protective monitoring automated alerts and audits to detect unauthorised entry/abnormal usage of IT systems or work areas Aim -> development of practical and reliable tools to support decision making about Insiders Case studies have shown there was: evidence of behaviours of concern about Insiders BUT not collected together in one place so that an individual could make an informed judgement lacked a framework to understand potential warning signs

31 Detection We aim to develop checklists that could be: applied to an application form at recruitment stage to check past history and capture potential individual vulnerabilities used to support appraisal and/or security interviews, whether by security professionals or line managers used to structure confidential employee reporting schemes

32 Prevention & Deterrence is key… Comprehensive on-going security measures Limit opportunity Maximise deterrence Provide means to report concerns Positive management practices Reduce disaffection Promote loyalty & commitment Address grievances Strong security culture Appreciate threat & responsibilities Compliance Awareness to signs Willing to report Robust pre- employment screening Prevent those with intent Identify those who could be vulnerable

33 Inter-relationships between factors in ‘creating’ Insider events: Individual ‘v’ Organisational ‘v’ Triggers Reducing cause & opportunity is key (prevention) Detection more complicated Insider research is on-going findings 2009 development of tools & checklists to help identify those who may merit further attention Summary – Key messages


Download ppt "Prof. Angela Sasse University College London. Understanding & Identifying the Insider Threat CPNI - Personnel Security & Behavioural Assessment Slides."

Similar presentations

Ads by Google