Presentation is loading. Please wait.

Presentation is loading. Please wait.

University College London

Similar presentations


Presentation on theme: "University College London"— Presentation transcript:

1 University College London
Prof. Angela Sasse University College London 1

2 2

3 Understanding & Identifying the Insider Threat CPNI - Personnel Security & Behavioural Assessment Slides not to be reproduced without prior permission

4 Content Introduction to CPNI & Personnel Security framework
Insider behaviour & activities Research Factors increasing likelihood Triggers Behaviours of concern Started in Winter 2007 Concludes 2009 Case study approach Terrorism (international & domestic) Espionage Disaffected employees

5 SECURITY & BEHAVIOURAL ASSESSMENT
Introduction - CPNI Holistic protective security advice to the national infrastructure to reduce vulnerability to terrorism and other threats PHYSICAL SECURITY ELECTRONIC SECURITY CPNI PERSONNEL SECURITY & BEHAVIOURAL ASSESSMENT Reducing vulnerability to Insider threat

6 The Critical National Infrastructure:
Telecommunications Energy Finance Government & Public Services Water Health Emergency Services Transport Food

7 Holistic view of Protective Security

8 Elements of a good personnel security regime
Good security & organisational culture Help minimise likelihood of employees becoming a security concern Pre-employment screening Ensure only staff who are unlikely to present a security concern are employed Risk assessment Uses personnel security measures in a way that is proportionate to the insider risk Ongoing security management Prevent, identify and manage employees who may become a security concern

9 Definition of an Insider
An Insider is someone who exploits, or has the intention to exploit, their legitimate access to assets for unauthorised purposes

10 Insider activities ….. Direct sabotage (electronic or physical)
Facilitation of 3rd party access to sites/information Direct sabotage (electronic or physical) Unauthorised disclosure of information Theft of materials or information Financial & Process corruption

11 Consequences of Insider activity
Commercial & financial impact Competitor advantage Loss of life/harm to life Denial or restriction of a key service Facilitation of criminal & terrorist activity Compromising protectively marked information Corporate National security Damage to Reputation Relationships Buildings & assets Disruption to Processes & procedures IT systems

12 Types of Insider Behaviour
Deliberate penetration with intention of abusing position Opportunistic exploitation of access once in post Insider Ex-employees Unwitting/ unintentional insider Unwitting insider – through failure to observe security practices, carelessness eg, unguarded talk, leaving sensitive material unattended, displaying passwords by computer, failure to observe clear desk policy Exploited by others once in post

13 Who might be undertaking Insider activity?
Terrorists or their associates Foreign Intelligence services Disaffected employees Single-issue groups Commercial competitors Journalists

14 Motivations of Insiders?
Financial gain Revenge Status/recognition Friendship/loyalty Ideological Fear/coercion

15 Likelihood, Triggers, Opportunity & Behaviours of concern Current thinking…

16 Current thinking Review of US Insider research
Literature review of Disaffection CPNI Insider study case study approach – range of past cases identify common trends develop guidance on reducing vulnerability concludes 2009

17 Likelihood of Insider Activity
World events Direct approaches Negative work events Negative life events Specific triggers Personality Life events Personal circumstances Individual vulnerabilities Organisational vulnerabilities + / - Disaffection Creating the climate Management culture Organisational climate Security

18 Individual Vulnerabilities
Life events – history of: Poor or chequered employment Excessive or addictive use of alcohol, drugs or gambling Petty crime Financial weaknesses Personal circumstances Familial ties to countries of concern (competing identities) Sympathy to specific causes/adversarial mindset Difficult family circumstances Change in financial situation Personality predispositions Low self esteem - desire for recognition/status ‘Thrill seeker’ - desire for excitement Overinflated sense of worth/abilities – desire for revenge when not recognised Brittle - oversensitive, unable to accept criticism – desire for revenge for perceived injustices

19 Organisational vulnerabilities
Certain situations have potential to increase vulnerability: High level of disaffection & staff grievance failure to address grievances failure to identify & manage personnel issues Employee disengagement (or lack of initial engagement) Lower levels of loyalty and commitment Poor organisational culture & management practices Organisation undergoing significant change Re-structuring Downsizing Relocation Impact on morale/ties with organisation Specific types of organisational climate

20 Possible triggers? Major life events Bereavement
Divorce / marital problems Change in financial circumstances Work stressors Organisational change Demotion / lack of promotion Perceived injustices World events / crisis of conscience Direct approaches

21 Individual vulnerabilities Organisational vulnerabilities
Likelihood in terms of Opportunity Specific triggers ……… > Individual vulnerabilities Organisational vulnerabilities Opportunity Inadequate Personnel Security measures Poor security culture

22 Opportunity Insider activity can be facilitated by:
Ease of obtaining employment Ease of obtaining information or access during employment Ease of remaining undetected Inadequate personnel security measures Lack of appreciation of threats/risks Lack of awareness of security policies & practices Low level of ownership & responsibility Low level of compliance with security measures & easier to manipulate Lack of strong security culture

23 Current thinking… Possible Indicators of Insider threat

24 Possible Indicators of Insider Threat
Not one single factor Clusters & specific combinations Alternative explanations Changes from normal behaviour Assessed in context of employee’s role opportunity and capability to cause harm Legality & discrimination

25 Possible Indicators of Insider Threat – Behaviours of concern
Changes in lifestyle & work behaviours Individual vulnerabilities Unauthorised behaviours Suspicious behaviours Greater the number of indicators present, greater the risk Some indicator groups are of more concern Combinations and clusters

26 Examples of possible Indicators
Relatives / close friends in countries known to target UK citizens to obtain sensitive information and/or is associated with a risk of terrorism Sympathy to specific causes/adversarial mindset (particularly if in conflict with nature of work/position) Financial difficulties Addictions Specific personality traits Individual vulnerabilities On their own, not necessarily an indication of Insider activity Alternative explanations

27 Examples of possible Indicators
Obvious changes in financial status with no rational explanation Sudden or marked changes in religious, political or social affiliation or practice which has an adverse impact on performance or attitude to security Poor timekeeping / excessive absenteeism Decreased quantity & quality of work Deteriorating relationships with colleagues/line managers (inc complaints) Changes in lifestyle & work behaviours On their own, not necessarily an indication of Insider activity Alternative explanations

28 Examples of possible Indicators
Unusually high interest in security measures or history of unusually high security violations Visiting classified areas of work after normal hours, for no logical reason Unusual questioning of co-workers about information/areas which do not have access to Abusing access to databases Suspicious behaviours On their own, not necessarily an indication of Insider activity But alternative explanations becoming less likely…..

29 Examples of possible Indicators
Unauthorised behaviours Accessing or attempting to access or download information for which not authorised Intentionally photocopying sensitive material for which no logical reason Taking protected or sensitive materials home without proper authorisation A serious security risk Alternative explanations unlikely……

30 Detection Utilisation of existing personnel security measures
Protective monitoring automated alerts and audits to detect unauthorised entry/abnormal usage of IT systems or work areas Aim -> development of practical and reliable tools to support decision making about Insiders Case studies have shown there was: evidence of behaviours of concern about Insiders BUT not collected together in one place so that an individual could make an informed judgement lacked a framework to understand potential warning signs

31 Detection We aim to develop checklists that could be:
applied to an application form at recruitment stage to check past history and capture potential individual vulnerabilities used to support appraisal and/or security interviews, whether by security professionals or line managers used to structure confidential employee reporting schemes

32 Prevention & Deterrence is key…
Robust pre-employment screening Prevent those with intent Identify those who could be vulnerable Comprehensive on-going security measures Limit opportunity Maximise deterrence Provide means to report concerns Strong security culture Appreciate threat & responsibilities Compliance Awareness to signs Willing to report Positive management practices Reduce disaffection Promote loyalty & commitment Address grievances Particularly in times of change

33 Summary – Key messages Inter-relationships between factors in ‘creating’ Insider events: Individual ‘v’ Organisational ‘v’ Triggers Reducing cause & opportunity is key (prevention) Detection more complicated Insider research is on-going findings 2009 development of tools & checklists to help identify those who may merit further attention

34


Download ppt "University College London"

Similar presentations


Ads by Google