Aug 22, 2023

The Psychology of Insider Risk Management


In the second episode of Conversations from the Inside: The Psychology of Insider Risk Management: Time and Place Matters, renowned intelligence and security expert Christopher Burgess sat down with MITRE’s Chief Scientist for Insider Threat Research & Solutions and Senior Principal Behavioral Scientist for Insider Threat, Dr. Deanna Caputo, to discuss the role of human behavior and psychology in insider risk management.

In this blog post, we’ll explore some key takeaways from the discussion. You can also watch the full episode replay below:

Leveraging Behavioral Sciences: Patterns of Behavior are Key

When monitoring human behavior, organizations often look for a personality trait or even disorder to indicate an individual shouldn’t be hired or trusted. However, no data indicates specific personality types can explain insider threat activities.

For today’s digital and distributed enterprise, successful insider risk management (IRM) requires visibility into insiders’ past behavior patterns to help organizations anticipate and mitigate future risks.

IRM programs need to focus less on an individual’s internal motivations and more on the types of behaviors that security teams will see. For example, what does ‘normal’ or ‘baseline’ behavior look like to you in your program? What does it look like for your colleagues? Trying to determine a root cause isn’t something you can measure with certainty, which is what makes understanding the behaviors that manifest so integral to mitigating insider risks before an incident occurs.

Focusing on patterns of behaviors enables security teams to gain insight into how employees do their work (baseline performance) and monitor whether subtle changes occur over time or whether there is a dramatic shift. To determine whether individuals’ behaviors are truly concerning, organizations must examine them within the context of other data sources to determine whether a real risk or another explanation is causing the shift. For example, a dramatic change in employee behavior may result from taking on a new role at a company, going on vacation, a financial debt, an illness in the family, etc.

The Role of HR: Communication is Key

Collaboration with HR is critical to establishing an effective IRM program. The biggest hurdle to getting HR specialists’ and leaders’ buy-in is usually their lack of knowledge about what security teams are, and are not, doing with the data collected by an insider risk management program. An essential part of stakeholder engagement is offering HR additional visibility into how the data being collected is and is not used.

Analysts don’t have time to comb through every piece of data for every employee. In fact, most insider risk programs spend most of their time showing that there isn’t insider risk within an organization. These data points are collected to provide historical context to alert an organization to risky behavior.

Leveraging Behavioral Sciences

Understanding human behavior is the key to developing an effective insider risk program. Every employee presents a risk to an organization, but not all will turn into threats. Labeling individuals is the most significant risk enterprises should be wary of when leveraging behavioral sciences in cybersecurity, making it critical that extensive due diligence is conducted before engaging an employer/employee on potential risks.

An effective and efficient insider risk program will protect employee privacy while providing the real-time contextual behavioral intelligence needed to answer the Who, What, When, Where, Why and How related to any potential insider situation.

If you enjoyed this topic, be sure to read Busted: The Misconceptions of Insider Risk Programs, also featuring insights from Dr. Deanna Caputo.

The Importance of Quality Data

Amassing data is crucial, but drowning in excessive data can be counterproductive. Instead, focus on data quality. Data should be collected, processed, and stored in a well-structured manner. User Behavior Analytics (UBA) are vital in this context, as they use machine learning to detect anomalies in behavior. However, the success of UBA hinges on the quality of the data fed into it. Planning, precision, and a deep understanding of the desired outcomes are necessary when dealing with data.
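As an added example (not code from the DTEX post or the episode), the following Python sketch shows the kind of per-user baselining described under “Patterns of Behavior are Key” and the anomaly logic that UBA automates: each user is compared only with their own history, a dramatic shift is separated from a gradual drift, and a shift is read against other data sources before anyone is labeled. The daily activity counts and the HR context feed are constructed, and the names, thresholds and the `Assessment` structure are assumptions made for the example.

```python
"""Per-user behavioral baseline with context-aware triage.

Added example for the post above; all data below is constructed and the
HR/IT context feed is hypothetical.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional

# Constructed sample: files accessed per working day, 14-day history per user.
# A real UBA pipeline would draw these from endpoint or file-server telemetry
# over a much longer window and across several features, not a single count.
HISTORY: Dict[str, List[int]] = {
    "alice": [20, 22, 19, 21, 20, 23, 18, 22, 21, 20, 19, 22, 21, 20],
    "bob":   [18, 21, 20, 19, 22, 20, 21, 19, 20, 22, 18, 21, 20, 19],
    "carol": [25, 24, 26, 25, 27, 24, 26, 25, 24, 26, 25, 27, 24, 26],
    "dave":  [20, 21, 22, 24, 25, 27, 28, 30, 31, 33, 34, 36, 37, 39],
}
TODAY: Dict[str, int] = {"alice": 21, "bob": 95, "carol": 110, "dave": 41}

# Constructed context feed (hypothetical HR record): the "other data sources"
# the post says a shift must be examined against before it is called a risk.
CONTEXT: Dict[str, str] = {"bob": "started a new role on day 15 (HR record)"}


@dataclass
class Assessment:
    user: str
    z: float          # how far today sits from the user's own baseline
    drift: float      # relative change across the history window
    label: str        # baseline | drift | explained_shift | review
    note: Optional[str] = None


def baseline(values: List[int]):
    """Mean and population standard deviation of the user's own history."""
    return mean(values), pstdev(values)


def z_score(value: float, mu: float, sigma: float) -> float:
    """Standard score; a flat history with any change is treated as maximal."""
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def drift_ratio(values: List[int]) -> float:
    """Subtle change over time: second-half mean relative to first-half mean."""
    half = len(values) // 2
    first, second = mean(values[:half]), mean(values[half:])
    return (second - first) / first if first else 0.0


def assess(user: str, history: List[int], today: int, context: Dict[str, str],
           z_threshold: float = 3.0, drift_threshold: float = 0.25) -> Assessment:
    """Classify today's activity against the user's baseline and known context."""
    mu, sigma = baseline(history)
    z = z_score(today, mu, sigma)
    drift = drift_ratio(history)
    if abs(z) >= z_threshold:
        # Dramatic shift: only an analyst review if no other source explains it.
        if user in context:
            return Assessment(user, z, drift, "explained_shift", context[user])
        return Assessment(user, z, drift, "review",
                          "dramatic shift with no explaining context")
    if drift >= drift_threshold:
        # Gradual change a single-day z-score would miss.
        return Assessment(user, z, drift, "drift",
                          "gradual change across the baseline window")
    return Assessment(user, z, drift, "baseline")


def assess_all(history=HISTORY, today=TODAY, context=CONTEXT) -> Dict[str, Assessment]:
    return {u: assess(u, history[u], today[u], context) for u in history}


if __name__ == "__main__":
    for a in assess_all().values():
        print(f"{a.user:6} z={a.z:7.2f} drift={a.drift:+.2f} -> {a.label} {a.note or ''}")
```

In the constructed data, alice stays on baseline, bob’s spike is matched to an HR record and labeled as explained rather than queued for review, carol’s spike has no context and is the only one an analyst sees, and dave’s steady climb is caught by the drift check even though no single day crosses the z-score threshold. The same structure is what lets a program show, as the post puts it, that most of its time is spent demonstrating the absence of insider risk.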

Addressing Human Factors

Insider risks primarily stem from human behavior, making it imperative to understand and address this aspect. Technology alone cannot fix the problem; a holistic approach is required. Organizations must recognize that insider risk is a business-wide issue, and understand that technological solutions are only effective when they are integrated into a comprehensive program focused on people’s behaviors and intentions.

Transitioning from Reactive to Proactive

A successful insider risk program should evolve from a reactive stance to a proactive one. This journey involves creating use cases that add immediate value while simultaneously building capabilities for long-term proactive risk mitigation. Identifying and developing skill sets within the existing team, focusing on behavioral indicators, and correlating data are all crucial steps in this transition.

Collaborative Engagement

The success of an insider risk program hinges on collaboration across various stakeholders. Engaging legal, HR, IT, security, privacy, and other relevant departments ensures that all perspectives are considered and aligned. Establishing documented guidelines for engagement, particularly with privacy regulations, helps to ensure smooth program implementation and gain critical support.

Redefining Insider Threat

Insider risks should not be categorized solely as malicious actions. Negligence and mistakes by employees can also create vulnerabilities that malicious actors exploit. The key is to identify vulnerabilities and create a culture of support and improvement rather than blame.

Insider vs. Outsider Threat

Insider threats differ significantly from external attacks and require a distinct framework. A collaborative effort is underway to develop an insider threat framework based on real data and case studies. Building this framework requires community involvement and transparency to address this unique challenge effectively.

Building a human-centric insider risk program demands a holistic approach that integrates people, processes, technology, and governance. By adhering to these key takeaways, organizations can create sustainable and effective insider risk programs that protect sensitive information, prevent data breaches, and ensure the overall security of their operations.
