organizational learning for insider threat detection

Organizational Sensing for Insider Threat Detection Jeffrey M. Stanton Syracuse University School of Information Studies

Upload: syracuse-university

Post on 29-May-2015


Page 1: Organizational learning for insider threat detection

Organizational Sensing for Insider Threat Detection

Jeffrey M. Stanton

Syracuse University

School of Information Studies

Page 2: Organizational learning for insider threat detection

IT Organization as Sensor

Amazon Rank: #784,784 in Books

Makes the argument that extensive IT monitoring of employee technology use works best with high levels of employee awareness and buy-in

Page 3: Organizational learning for insider threat detection

[Figure: taxonomy of security behaviors on two axes. Intentions axis: Malicious to Benevolent. Expertise axis: Expert to Novice. Behavior categories shown: Intentional Destruction, Detrimental Misuse, Dangerous Tinkering, Naïve Mistakes, Aware Assurance, Basic Hygiene. The label "Unintentional Insecurity" appears twice.]

*110 Information Security professionals generated lists of behaviors and rated them.

Page 4: Organizational learning for insider threat detection

Social Network as Sensor

Shuyuan Ho (2008) promotes the metaphor of social networks as behavioral sensors: colleagues with ample opportunity to observe a target’s behavior over time have the capability to detect unexpected changes (“anomalies”) in that behavior.

(Ho, S.M. (2008) Attribution-based Anomaly Detection: Trustworthiness in an Online Community. In Huan Liu, John J. Salerno and Michael J. Young, Social Computing, Behavioral Modeling, and Prediction (pp. 129-140). New York: Springer US.)

Page 5: Organizational learning for insider threat detection

Other Organizational Sensor Types

HR: Changes to benefit configurations, demographic data changes, vacation drought, travel authorizations, grievances and appeals

Finance: Changes to temporal & geographical expenditure patterns; exceptions to standard operating procedures; audit results

Procurement & Facilities: Atypical requests for equipment, software; room reservations, door swipes, ID card replacement

Page 6: Organizational learning for insider threat detection

Sensors work well when tuned to detect meaningful events and ignore meaningless ones; fusing data across multiple sensors tends to improve reliability; coordinated analysis, triggering, response, and feedback tends to improve system performance

Page 7: Organizational learning for insider threat detection

John Seely Brown and Paul Duguid (1991):

Organizational Learning and Communities-of-Practice

Learning in organizations occurs primarily within communities of practice (COPs): interacting groups sharing a common base of professional “stories”

Effective diagnosis of difficult problems and innovative solutions result from antiphonal recitation (Orr, 1990): sharing the story from different perspectives within the COP

Departmentalization encloses COPs within a range of related professional specializations (e.g., corporate analysis; mergers and acquisitions; equity and debt; underwriting)

Antiphonal recitation then reflects a narrowed set of perspectives; organizational learning only occurs in isolated pockets

Page 8: Organizational learning for insider threat detection

Enhancing Organizational Learning for Improved Sensing

Legitimize Peripheral Participation

Bake-in cross-training, cross-functional teams, shadowing, externships

Enable, reward, and celebrate “maverick” communities