organizational learning for insider threat detection
Organizational Sensing for Insider Threat Detection
Jeffrey M. Stanton
Syracuse University
School of Information Studies
IT Organization as Sensor
Amazon Rank: #784,784 in Books
Makes the argument that extensive IT monitoring of employee technology use works best with high levels of employee awareness and buy-in
[Figure: two-axis chart of behaviors. Axes: Intentions (Malicious to Benevolent) and Expertise (Expert to Novice). Labeled categories: Unintentional Insecurity, Naïve Mistakes, Detrimental Misuse, Basic Hygiene, Aware Assurance, Intentional Destruction, Dangerous Tinkering.]
*110 Information Security professionals generated lists of behaviors and rated them.
Social Network as Sensor
Shuyuan Ho (2008) promotes the metaphor of social networks as behavioral sensors; colleagues with ample opportunity to observe a target’s behavior over time have the capability to detect unexpected changes (“anomalies”) in a target’s behavior.
(Ho, S.M. (2008) Attribution-based Anomaly Detection: Trustworthiness in an Online Community. In Huan Liu, John J. Salerno and Michael J. Young, Social Computing, Behavioral Modeling, and Prediction (pp. 129-140). New York: Springer US.)
Other Organizational Sensor Types
HR: Changes to benefit configurations, demographic data changes, vacation drought, travel authorizations, grievances and appeals
Finance: Changes to temporal & geographical expenditure patterns; exceptions to standard operating procedures; audit results
Procurement & Facilities: Atypical requests for equipment, software; room reservations, door swipes, ID card replacement
Sensors work well when tuned to detect meaningful events and ignore meaningless ones; fusing data across multiple sensors tends to improve reliability; coordinated analysis, triggering, response, and feedback tends to improve system performance.
John Seely Brown and Paul Duguid (1991):
Organizational Learning and Communities-of-Practice
Learning in organizations occurs primarily within communities of practice (COPs) – interacting groups sharing a common base of professional “stories”
Effective diagnosis of difficult problems and innovative solutions result from antiphonal recitation (Orr, 1990): sharing the story from different perspectives within the COP
Departmentalization encloses COPs within a range of related professional specializations (e.g., corporate analysis; mergers and acquisitions; equity and debt; underwriting)
Antiphonal recitation then reflects a narrowed set of perspectives; organizational learning only occurs in isolated pockets
Enhancing Organizational Learning for Improved Sensing
Legitimize Peripheral Participation
Bake-in cross-training, cross-functional teams, shadowing, externships
Enable, reward, and celebrate “maverick” communities