Cyber Espionage and Insider Threat: House of Commons Panel Discussion
Social Network Dynamics of Insider Threats: How do Job ... · How do Job Engagement & Insider...
Transcript of Social Network Dynamics of Insider Threats: How do Job ... · How do Job Engagement & Insider...
SEI Research Review 2015
Social Network Dynamics of Insider Threats:How do Job Engagement & Insider Espionage Relate?
Empirical analysis of insider espionage incidents (non-moles) show spy disengagement at work and home. A system dynamics (SD) model explains social network changes & helps analyze bene�ts of greater job engagement.
Approach:
• Disincentive espionage by attracting cooperation through positive incentives, complementing coercive approaches
• Indicators of disengagement alert �rst-line managers to sustain productivity/retention (lessens impact of false positives)
• Serious or continuing disengagement reviewed by investigators for action
• Social network analysis of spy incidents with SD model providing link to theory
Key Challenge: Distinguish employee engaged in job from spy gathering intel
Preliminary Finding: Spying decreases with greater employee job engagement, but other sociotechnical measures likely needed.
Future Work: Re�ne & Validate Model
• Measure level of spy disengagement
• Interview orgs to determine relationship among engagement, practices, & theft
• Develop a disengagement analysis and response tool based on SD model/ORA
Contact: Andrew P. Moore [email protected] Kathleen M. Carley [email protected]
Distribution Statement A:Approved for Public Release;Distribution is Unlimited
An Emerging Physics of Job Engagement and Insider Espionage
Social Network Dynamics of Spy Disengagement with Work and Family Two-Dimensional Spy Motivation Space
Social Network within Organization Social Network with Adversary
Social Network with Family
perceived success of insider’s organizational
activities (breeding trust) insider’s cooperative activities engaged in
organization
Reinforcing Social Capital in Organization
Limits to Social Capital Growth in Organization
Reinforcing Social Capital with Adversary
Limits to Social Capital Growth with Adversary
Declining Social Capital within FamilyDisgruntlement Due to
Policies/Rules
rigidity of policies/rules of operation mandated by
context
rigidity of local policies/rules of operation
average social connections per person
within organization
insider’s espionage activities engaged with
adversaryperceived success of
insider’s spying activities (breeding trust)
perceived value of connections with
adversary
insider’s disaffection with
family
strength of insider’s connections with family
insider’s �nancial desperation
insider’s social connections within
organization
perceived value of connections within
organization
employee engagement
people in organization
espionage threshold
organization allegiance
insider’s motivation
to spy
coercion of insider
insider’s ideological motivation
insider’s social connection with
adversary
insider’s disaffection with organization
professional stressors
employee resilience
R1a
B1a
B2
B1b
R1b
R2
–
–
–
–
–
–
–
–
–
––
+
+
++
++
+
+
++
+
+
+
+
+
+ ++
+
+
+
+
+
+
Engagement levelsfairly constant over years. (OPM 2014)Gallup 2013)
hiring engaged employees
hiring employees
disengaged employees
A stock (grouping)
A �ow between stocks.
engaging employees
departing engaged employees
departing disengaged employees
departing employees
changingdisengagement
hiring disengaged employees
starting to spy
fraction engagement improvement at month 3
percent actively disengaged starting to spy per year
~65% of USG workforce
~20% of USG workforce
~15% of USG workforce
Simulation shows espionage not very sensitive to extent of engagement at hiring
percent actively disengaged starting
to spy per year
fraction engagement improvement at month 3
EngagedEmployees
MildlyDisengagedEmployees
FormerEmployees
InsiderSpies
Actively Disengaged Employees
–
+ +
Gener
ally O
rient
ed to
Self
Gener
ally O
rient
ed to
Oth
er
Disaffection
Coercion
All variables range 0 to 1:Let X = Max(Money, Ideology)Let Y = Max(Disaffection, Coercion)
Motivation = X+(1–X)*YMotivation to Spy = Motivation * (1 – Org Allegiance) * (1 – Family Connection)
IdeologyMoney
Neal W. Altman, Matthew L. Collins
0 1
-1 .5 1
5
Characteristics Proxy Source Aggressive Repeated Interrogatives ??? Behavior Aggressive Repeated Exclamations !!! Behavior Aggressive Sentiment Behavior Aggressive Email Length (Short) Behavior Smart Characters Per Word Behavior Smart Characters Per Sentence Behavior Smart Sentence Length Behavior Smart AVG Reading Ease Behavior Chameleon Variability of Behavior Network Chameleon High Shared Symbols across
groups Network
Compartmentalization Local Betweenness Network Compartmentalization High Variability in
Reciprocity Network
Compartmentalization High Number of External Connections
Network
Dynamic network metrics can be used to identify those people who are potential insider threats. The key: they grow structural holes and have unusual betweenness.
Approach• Dynamic meta-networks—linking people,
personality traits, organizational role traits
• Case Studies: 9 espionage cases
• Extract dynamic networks
• Compare networks using graph techniques
• Email Studies: Enron corpus
• Use machine learning to characterize insiders based on network metrics
• Use machine learning to characterize insiders using other features derived from case studies
• Identify commonalities across two sub-studies Key FindingsCharacteristics of Insider threatsDisengagement with work and family, increasing ties outside• Network features • Build structural holes • NOT: degree centrality • Member of multiple local clusters • Increasing betweenness at “group” level • Decreasing ties to family or break with signi�cant other• Social or Organizational features • Access • Had or was in military service • Minimal supervision• Psychological features • Intelligent • Wanted to “use-the-system” for own gain • Wanted change (money/psych change)• Network features similar to other covert actors• Complimentary patterns in case studies and email• Not testable• To be tested
Espionage Case StudiesExtracted people, traits, and task featuresPeople classi�ed as in organization, external, or family
ENRON EmailORA for Network metrics, JRIP for ML
Future Work: Add “psychological” features to “network
Contact: Andrew Moore [email protected], Kathleen M. Carley [email protected] Morgan, Neal Altman, Matt Collins
SEI Research Review 2015Distribution Statement A:Approved for Public Release;Distribution is Unlimited
Dynamic Networks of Insider Threats – Growing Holes
Individual Level Network Metrics
Group Level Network Metrics
Dynamic Networks
Behavioral Characteristics
TRUE50%
FALSE60%
TRUE50%
FALSE60%
TRUE50%
FALSE60%
(InverseClosenessCentrality_TO HI
OR CliqueCount_TO LO
& (CorrelationResemblace_TO LO
OR May2001_InDegree_TO_Internal) HI
& (CognitiveSimilarity_TO HI
OR ClusteringCoef�cient_TO LO
OR AuthorityCentrality_TO) LO
& (Constraint_TO Not VERY HI
ColumnGiniMeansDifference_TO POS
OR InverseClosenessCentrality_TO LO
&
(InverseClosenessCentrality_BCC HI
OR InverseClosenessCentrality_TO LO
& (Oct01_InDegree_TO_Internal POS
OR WeakComponentMembers_BCC) VERY HI
&
(ColumnGiniMeansDifference_TO POS
OR WeakComponentMembers_BCC HI
& May2001_InDegree_TO_All Not VERY LO
TRUE86%
FALSE18%
TRUE76%
FALSE11%
TRUE29%
FALSE4%
Frequency of “CC” Messages to Employees LOW
& Median “TO” Connections to Employees HI
Variance in “CC” Connections to Outsiders LOW
Variance in “TO” Connections to Employees V HI
& Variance in “CC” Messages to Employees LOW
Average “CC” Messages to Employees HI
& Total “CC” Messages to Employees LOW
Variance in “TO” Connections to Employees HI
& Total “CC” Connections to Employees LOW
Variance in “CC” Connections to Employees LOW
Median “TO” Connections to Employees LOW
& Frequency of “TO” Messages to Outsiders HI
Total “TO” Connections to Employees HI
Variance in “TO” Connections to Employees HI
00
0.1
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
ROC Curve, Enron October ’01
False Positive Rate
True
Pos
itiv
e R
ate
00
0.1
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
Connections and Messages - Enron ROC Curve
False Positive Rate
True
Pos
itiv
e R
ate
Cleaning
NetworkAnalysis
DataFusion
Prediction
ORA
Network Dynamics Poster
Copyright 2015 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution except as restricted below.
Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.
External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
* These restrictions do not apply to U.S. government entities.
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0002735
Social Network Dynamiss Poster
Copyright 2015 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie
Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON
AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS
TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,
EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY
WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution except as restricted below.
Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the
copyright and “No Warranty” statements are included with all reproductions and derivative works.
External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without
requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to
the Software Engineering Institute at [email protected].
* These restrictions do not apply to U.S. government entities.
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0002734