A multiple-perspective approach for insider-threat risk prediction in cyber-security

2018-11-27T12:31:21Z (GMT) by Nebrase Elmrabit
Currently governments and research communities are concentrating on insider threat matters more than ever, the main reason for this is that the effect of a malicious insider threat is greater than before. Moreover, leaks and the selling of the mass data have become easier, with the use of the dark web. Malicious insiders can leak confidential data while remaining anonymous. Our approach describes the information gained by looking into insider security threats from the multiple perspective concepts that is based on an integrated three-dimensional approach. The three dimensions are human issue, technology factor, and organisation aspect that forms one risk prediction solution. In the first part of this thesis, we give an overview of the various basic characteristics of insider cyber-security threats. We also consider current approaches and controls of mitigating the level of such threats by broadly classifying them in two categories: a) technical mitigation approaches, and b) non-technical mitigation approaches. We review case studies of insider crimes to understand how authorised users could harm their organisations by dividing these cases into seven groups based on insider threat categories as follows: a) insider IT sabotage, b) insider IT fraud, c) insider theft of intellectual property, d) insider social engineering, e) unintentional insider threat incident, f) insider in cloud computing, and g) insider national security. In the second part of this thesis, we present a novel approach to predict malicious insider threats before the breach takes place. A prediction model was first developed based on the outcomes of the research literature which highlighted main prediction factors with the insider indicator variables. Then Bayesian network statistical methods were used to implement and test the proposed model by using dummy data. A survey was conducted to collect real data from a single organisation. Then a risk level and prediction for each authorised user within the organisation were analysed and measured. Dynamic Bayesian network model was also proposed in this thesis to predict insider threats for a period of time, based on data collected and analysed on different time scales by adding time series factors to the previous model. Results of the verification test comparing the output of 61 cases from the education sector prediction model show a good consistence. The correlation was generally around R-squared =0.87 which indicates an acceptable fit in this area of research. From the result we expected that the approach will be a useful tool for security experts. It provides organisations with an insider threat risk assessment to each authorised user and also organisations can discover their weakness area that needs attention in dealing with insider threat. Moreover, we expect the model to be useful to the researcher's community as the basis for understanding and future research.