Understanding insider threat: a framework for characterising attacks

Jason R.C. Nurse; Oliver Buckley; Philip A. Legg; Michael Goldsmith; Sadie Creese; Gordon R.T. Wright; Monica Whitty

doi:10.1109/SPW.2014.38

Understanding insider threat: a framework for characterising attacks

Jason R.C. Nurse, Oliver Buckley, Philip A. Legg, Michael Goldsmith, Sadie Creese, Gordon R.T. Wright, Monica Whitty

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

129 Citations (Scopus)

Abstract

The threat that insiders pose to businesses, institutions and governmental organisations continues to be of serious concern. Recent industry surveys and academic literature provide unequivocal evidence to support the significance of this threat and its prevalence. Despite this, however, there is still no unifying framework to fully characterise insider attacks and to facilitate an understanding of the problem, its many components and how they all fit together. In this paper, we focus on this challenge and put forward a grounded framework for understanding and reflecting on the threat that insiders pose. Specifically, we propose a novel conceptualisation that is heavily grounded in insider-threat case studies, existing literature and relevant psychological theory. The framework identifies several key elements within the problem space, concentrating not only on noteworthy events and indicators- technical and behavioural- of potential attacks, but also on attackers (e.g., the motivation behind malicious threats and the human factors related to unintentional ones), and on the range of attacks being witnessed. The real value of our framework is in its emphasis on bringing together and defining clearly the various aspects of insider threat, all based on real-world cases and pertinent literature. This can therefore act as a platform for general understanding of the threat, and also for reflection, modelling past attacks and looking for useful patterns.

Original language	English
Title of host publication	Proceedings - 2014 IEEE Security and Privacy Workshops, SPW 2014
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	214-228
Number of pages	15
ISBN (Electronic)	9781479951031
DOIs	https://doi.org/10.1109/SPW.2014.38
Publication status	Published - 2014
Externally published	Yes
Event	IEEE Security and Privacy Workshops 2014 - San Jose, United States of America Duration: 17 May 2014 → 18 May 2014 https://ieeexplore.ieee.org/xpl/conhome/6954698/proceeding (Proceedings)

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
Volume	2014-January
ISSN (Print)	1081-6011

Conference

Conference	IEEE Security and Privacy Workshops 2014
Abbreviated title	SPW 2014
Country/Territory	United States of America
City	San Jose
Period	17/05/14 → 18/05/14
Internet address	https://ieeexplore.ieee.org/xpl/conhome/6954698/proceeding (Proceedings)

Keywords

Attack chain
Case studies
Insider threat
Psychological indicators
Technical
Threat framework

Access to Document

10.1109/SPW.2014.38

Cite this

Nurse, J. R. C., Buckley, O., Legg, P. A., Goldsmith, M., Creese, S., Wright, G. R. T., & Whitty, M. (2014). Understanding insider threat: a framework for characterising attacks. In Proceedings - 2014 IEEE Security and Privacy Workshops, SPW 2014 (pp. 214-228). (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2014-January). IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/SPW.2014.38

@inproceedings{a25c3915d5c34cd898a68881a65864ed,

title = "Understanding insider threat: a framework for characterising attacks",

abstract = "The threat that insiders pose to businesses, institutions and governmental organisations continues to be of serious concern. Recent industry surveys and academic literature provide unequivocal evidence to support the significance of this threat and its prevalence. Despite this, however, there is still no unifying framework to fully characterise insider attacks and to facilitate an understanding of the problem, its many components and how they all fit together. In this paper, we focus on this challenge and put forward a grounded framework for understanding and reflecting on the threat that insiders pose. Specifically, we propose a novel conceptualisation that is heavily grounded in insider-threat case studies, existing literature and relevant psychological theory. The framework identifies several key elements within the problem space, concentrating not only on noteworthy events and indicators- technical and behavioural- of potential attacks, but also on attackers (e.g., the motivation behind malicious threats and the human factors related to unintentional ones), and on the range of attacks being witnessed. The real value of our framework is in its emphasis on bringing together and defining clearly the various aspects of insider threat, all based on real-world cases and pertinent literature. This can therefore act as a platform for general understanding of the threat, and also for reflection, modelling past attacks and looking for useful patterns.",

keywords = "Attack chain, Case studies, Insider threat, Psychological indicators, Technical, Threat framework",

author = "Nurse, {Jason R.C.} and Oliver Buckley and Legg, {Philip A.} and Michael Goldsmith and Sadie Creese and Wright, {Gordon R.T.} and Monica Whitty",

note = "Publisher Copyright: {\textcopyright} 2014 IEEE.; IEEE Security and Privacy Workshops 2014, SPW 2014 ; Conference date: 17-05-2014 Through 18-05-2014",

year = "2014",

doi = "10.1109/SPW.2014.38",

language = "English",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

pages = "214--228",

booktitle = "Proceedings - 2014 IEEE Security and Privacy Workshops, SPW 2014",

address = "United States of America",

url = "https://ieeexplore.ieee.org/xpl/conhome/6954698/proceeding",

}

Nurse, JRC, Buckley, O, Legg, PA, Goldsmith, M, Creese, S, Wright, GRT & Whitty, M 2014, Understanding insider threat: a framework for characterising attacks. in Proceedings - 2014 IEEE Security and Privacy Workshops, SPW 2014. Proceedings - IEEE Symposium on Security and Privacy, vol. 2014-January, IEEE, Institute of Electrical and Electronics Engineers, pp. 214-228, IEEE Security and Privacy Workshops 2014, San Jose, California, United States of America, 17/05/14. https://doi.org/10.1109/SPW.2014.38

Understanding insider threat : a framework for characterising attacks. / Nurse, Jason R.C.; Buckley, Oliver; Legg, Philip A. et al.

Proceedings - 2014 IEEE Security and Privacy Workshops, SPW 2014. IEEE, Institute of Electrical and Electronics Engineers, 2014. p. 214-228 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2014-January).

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Understanding insider threat

T2 - IEEE Security and Privacy Workshops 2014

AU - Nurse, Jason R.C.

AU - Buckley, Oliver

AU - Legg, Philip A.

AU - Goldsmith, Michael

AU - Creese, Sadie

AU - Wright, Gordon R.T.

AU - Whitty, Monica

PY - 2014

Y1 - 2014

N2 - The threat that insiders pose to businesses, institutions and governmental organisations continues to be of serious concern. Recent industry surveys and academic literature provide unequivocal evidence to support the significance of this threat and its prevalence. Despite this, however, there is still no unifying framework to fully characterise insider attacks and to facilitate an understanding of the problem, its many components and how they all fit together. In this paper, we focus on this challenge and put forward a grounded framework for understanding and reflecting on the threat that insiders pose. Specifically, we propose a novel conceptualisation that is heavily grounded in insider-threat case studies, existing literature and relevant psychological theory. The framework identifies several key elements within the problem space, concentrating not only on noteworthy events and indicators- technical and behavioural- of potential attacks, but also on attackers (e.g., the motivation behind malicious threats and the human factors related to unintentional ones), and on the range of attacks being witnessed. The real value of our framework is in its emphasis on bringing together and defining clearly the various aspects of insider threat, all based on real-world cases and pertinent literature. This can therefore act as a platform for general understanding of the threat, and also for reflection, modelling past attacks and looking for useful patterns.

AB - The threat that insiders pose to businesses, institutions and governmental organisations continues to be of serious concern. Recent industry surveys and academic literature provide unequivocal evidence to support the significance of this threat and its prevalence. Despite this, however, there is still no unifying framework to fully characterise insider attacks and to facilitate an understanding of the problem, its many components and how they all fit together. In this paper, we focus on this challenge and put forward a grounded framework for understanding and reflecting on the threat that insiders pose. Specifically, we propose a novel conceptualisation that is heavily grounded in insider-threat case studies, existing literature and relevant psychological theory. The framework identifies several key elements within the problem space, concentrating not only on noteworthy events and indicators- technical and behavioural- of potential attacks, but also on attackers (e.g., the motivation behind malicious threats and the human factors related to unintentional ones), and on the range of attacks being witnessed. The real value of our framework is in its emphasis on bringing together and defining clearly the various aspects of insider threat, all based on real-world cases and pertinent literature. This can therefore act as a platform for general understanding of the threat, and also for reflection, modelling past attacks and looking for useful patterns.

KW - Attack chain

KW - Case studies

KW - Insider threat

KW - Psychological indicators

KW - Technical

KW - Threat framework

UR - http://www.scopus.com/inward/record.url?scp=84939515124&partnerID=8YFLogxK

U2 - 10.1109/SPW.2014.38

DO - 10.1109/SPW.2014.38

M3 - Conference Paper

AN - SCOPUS:84939515124

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 214

EP - 228

BT - Proceedings - 2014 IEEE Security and Privacy Workshops, SPW 2014

PB - IEEE, Institute of Electrical and Electronics Engineers

Y2 - 17 May 2014 through 18 May 2014

ER -

Nurse JRC, Buckley O, Legg PA, Goldsmith M, Creese S, Wright GRT et al. Understanding insider threat: a framework for characterising attacks. In Proceedings - 2014 IEEE Security and Privacy Workshops, SPW 2014. IEEE, Institute of Electrical and Electronics Engineers. 2014. p. 214-228. (Proceedings - IEEE Symposium on Security and Privacy). https://doi.org/10.1109/SPW.2014.38

Understanding insider threat: a framework for characterising attacks

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Cite this