
Dissertations / Theses on the topic 'Insider threats'


1

Hartline, Cecil L. Jr. "Examination of Insider Threats| A Growing Concern." Thesis, Utica College, 2018. http://pqdtopen.proquest.com/#viewpdf?dispub=10687276.

Abstract:
The National Infrastructure Advisory Council (NAIC) reports that "...preventing all insider threats is neither possible nor economically feasible..." because the threat is already behind perimeter defenses and often knows exactly where vulnerabilities exist within organizations (Cline, 2016). The purpose of this research was to determine the prevalence of malicious and unintentional insider threats. Statistically, the numbers support the idea that insider threats are increasing and occurring more frequently. The true numbers, which only account for the incidents that were reported, may be higher than originally expected. The statistical numbers are likely to be much higher because organizations fear reputational damage and client loss. Organizations give reasons such as not enough evidence for conviction or too hard to prove guilt. The result of the paper indicates that companies focus most of their resources on external threats and not the insider threat that is costlier to remediate and considered the most damaging of all threats. The research focuses on malicious and unintentional insider threats and how they are different. A 2018 Crowd Research Partners report found 90% of organizations believe they are vulnerable to insider attacks, while 53% of businesses confirmed they had experienced an insider threat in the past 12 months (Crowd Research Partners, 2017a). The insider threat is hard to manage because an organization not only needs to worry about its own employees but also must monitor and manage third-party vendors, partners, and contractors. However, with a combination of technical and nontechnical solutions, including an insider threat program, companies can detect, deter, prevent or at least reduce the impacts of insider threats.
2

Jenkins, Jeffrey Lyne. "Alleviating Insider Threats: Mitigation Strategies and Detection Techniques." Diss., The University of Arizona, 2013. http://hdl.handle.net/10150/297023.

Abstract:
Insider threats--trusted members of an organization who compromise security--are considered the greatest security threat to organizations. Because of ignorance, negligence, or malicious intent, insider threats may cause security breaches resulting in substantial damages to organizations and even society. This research helps alleviate the insider threat through developing mitigation strategies and detection techniques in three studies. Study 1 examines how security controls--specifically depth-of-authentication and training recency--alleviate non-malicious insider threats through encouraging secure behavior (i.e., compliance with an organization's security policy). I found that 'simpler is better' when implementing security controls, the effects of training diminish rapidly, and intentions are poor predictors of actual secure behavior. Extending Study 1's finding on training recency, Study 2 explains how different types of training alleviate non-malicious insider threat activities. I found that just-in-time reminders are more effective than traditional training programs in improving secure behavior, and again that intentions are not an adequate predictor of actual secure behavior. Both Study 1 and Study 2 introduce effective mitigation strategies for alleviating the non-malicious insider threat; however, they have limited utility when an insider threat has malicious intention, or deliberate intentions to damage the organization. To address this limitation, Study 3 conducts research to develop a tool for detecting malicious insider threats. The tool monitors mouse movements during an insider threat screening survey to detect when respondents are being deceptive. I found that mouse movements are diagnostic of deception. Future research directions are discussed to integrate and extend the findings presented in this dissertation to develop a behavioral information security framework for alleviating both the non-malicious and malicious insider threats in organizations.
3

Alawneh, Muntaha. "Mitigating the risk of insider threats when sharing credentials." Thesis, Royal Holloway, University of London, 2012. http://repository.royalholloway.ac.uk/items/aa8e8463-ae05-06f2-ddd9-cc4756a61c86/10/.

Abstract:
This thesis extends DRM schemes which address the problem of unauthorized proprietary content sharing in home networks to address the problem of unauthorized confidential content sharing in organizations. In particular it focuses on how to achieve secure content sharing between employees in a group while limiting content leakage to unauthorized individuals outside the group. The thesis discusses the main organization types, process workflow and requirements. Our main interest is in organizations which consider content sharing between groups of employees as a fundamental requirement. Achieving secure content sharing requires a deep analysis and understanding of security threats affecting such a fundamental requirement. We study and analyze one of the major threats which affect secure content sharing, which is the threat of content leakage. In this thesis we focus on content leakage which happens when authorized employees share their credentials with others not authorized to access content, thus enabling unauthorized users to access confidential content. Leaking content in this way is what we refer to as content leakage throughout this thesis. We found that to limit the content leakage threat effectively we have to split it into two main categories: internal leakage and external leakage. In the thesis we define each category, discuss the intersection between the categories, and consider how they can be realized. Next, we analyze and assess existing content protection schemes, which focus on content sharing and protection from authorized employees misusing their privileges. These mainly include Enterprise Rights Management (ERM) and Digital Rights Management (DRM) schemes. Based on the analysis we identify the weaknesses found in these schemes for mitigating the content leakage threat. Following that we develop a framework, which we use to mitigate the content leakage threat. This framework is based on the authorized domain concept which was first proposed to address DRM threats. We extend the authorized domain concept so that it consists of a group of devices owned by an organization, whose employees need to share a pool of content amongst each other, e.g. a group of individuals working on a project. In other words, we group devices and content together in a controlled and secure environment. In this thesis, we propose two types of domains: the global domain and the dynamic domain, which we use to address the identified content leakage threats. The proposed schemes allow secure content sharing between devices in a dynamic and global domain, and limit the leakage of content to devices outside the domain. Next, we extend our study to cover secure information sharing not only within a single organization but also to cover this important requirement within collaborating organizations. We then describe and analyze how the content leakage threat can be realized between collaborating organizations. We propose a scheme to control content sharing and, simultaneously, to limit the effect of content leakage when an organization needs to collaborate with other organizations.
4

Denison, Stephen. "The accessibility of insider threats on a corporate network." Thesis, Utica College, 2015. http://pqdtopen.proquest.com/#viewpdf?dispub=1604807.

Abstract:
Corporations try to defend themselves against outsider threats, but insider threats can be just as devastating. Insiders have an understanding of their organization's critical assets, physical access to computers, and more privileges than their outside counterparts. This paper will outline three different areas of accessibility issues that insiders can take advantage of in order to leak sensitive information: exfiltration methods, encryption, and corporate considerations of best practices. Data exfiltration focuses on the different techniques that insiders can use to transfer sensitive information. The research outlines how exfiltration has evolved into more sophisticated techniques, but concludes that rudimentary methods associated with external storage devices are still prominently used. Data encryption, if applied properly, can protect sensitive information from unauthorized access, but also creates problems that corporations will have to address. Work productivity can be halted by encryption techniques, causing employees to bypass these systems. Historical cyber attacks show that managing encryption keys is equally as important as managing encrypted data, but encryption can still be dismantled through brute force attacks. Corporations will have to make decisions on which best practice methods to choose from in order to defend themselves against insider attacks. Some of these considerations include: risk assessments, employee training, monitoring, password management, data management, and BYOD considerations. Improper utilization of these practices can allow information to be stolen by insiders, but if applied properly, they can mitigate the accessibility of insiders. Keywords: insider threats; data exfiltration; Cybersecurity; Professor Christopher Riddell; encryption.
5

Elmrabit, Nebrase. "A multiple-perspective approach for insider-threat risk prediction in cyber-security." Thesis, Loughborough University, 2018. https://dspace.lboro.ac.uk/2134/36243.

Abstract:
Currently governments and research communities are concentrating on insider threat matters more than ever; the main reason for this is that the effect of a malicious insider threat is greater than before. Moreover, leaks and the selling of mass data have become easier with the use of the dark web. Malicious insiders can leak confidential data while remaining anonymous. Our approach describes the information gained by looking into insider security threats from a multiple-perspective concept that is based on an integrated three-dimensional approach. The three dimensions are the human issue, the technology factor, and the organisation aspect, which together form one risk prediction solution. In the first part of this thesis, we give an overview of the various basic characteristics of insider cyber-security threats. We also consider current approaches and controls for mitigating the level of such threats by broadly classifying them in two categories: a) technical mitigation approaches, and b) non-technical mitigation approaches. We review case studies of insider crimes to understand how authorised users could harm their organisations by dividing these cases into seven groups based on insider threat categories as follows: a) insider IT sabotage, b) insider IT fraud, c) insider theft of intellectual property, d) insider social engineering, e) unintentional insider threat incident, f) insider in cloud computing, and g) insider national security. In the second part of this thesis, we present a novel approach to predict malicious insider threats before the breach takes place. A prediction model was first developed based on the outcomes of the research literature, which highlighted the main prediction factors with the insider indicator variables. Then Bayesian network statistical methods were used to implement and test the proposed model by using dummy data. A survey was conducted to collect real data from a single organisation. Then a risk level and prediction for each authorised user within the organisation were analysed and measured. A dynamic Bayesian network model was also proposed in this thesis to predict insider threats for a period of time, based on data collected and analysed on different time scales by adding time series factors to the previous model. Results of the verification test comparing the output of 61 cases from the education sector prediction model show good consistency. The correlation was generally around R-squared = 0.87, which indicates an acceptable fit in this area of research. From the result we expect that the approach will be a useful tool for security experts. It provides organisations with an insider threat risk assessment for each authorised user, and organisations can also discover the weak areas that need attention in dealing with insider threats. Moreover, we expect the model to be useful to the research community as the basis for understanding and future research.
6

Catrantzos, Nicholas. "No dark corners defending against insider threats to critical infrastructure /." Thesis, Monterey, California : Naval Postgraduate School, 2009. http://edocs.nps.edu/npspubs/scholarly/theses/2009/Sep/09Sep%5FCatrantzos.pdf.

Abstract:
Thesis (M.A. in Security Studies (Homeland Security and Defense))--Naval Postgraduate School, September 2009.
Thesis Advisor(s): Tucker, David. "September 2009." Description based on title screen as viewed on November 03, 2009. Author(s) subject terms: Critical infrastructure protection, insider threat, trust betrayers, infiltrators, disgruntled insiders, Defensible Space, Fixing Broken Windows, employee engagement, No Dark Corners. Includes bibliographical references (p. 85-88). Also available in print.
7

Lombardo, Gary. "Predicting the Adoption of Big Data Security Analytics for Detecting Insider Threats." Thesis, Capella University, 2018. http://pqdtopen.proquest.com/#viewpdf?dispub=10751570.

Abstract:
Increasingly, organizations are at risk of data breaches due to corporate insider threats. Insiders, in fact, are the biggest threat to corporate data assets and are evading traditional cybersecurity countermeasures. The volume of big data makes insider threat detection more difficult. Conversely, big data security analytics (BDSA) enables the detection of anomalous behavior patterns within large datasets in real time, offering organizations a potentially more effective cybersecurity countermeasure for detecting insider threats. However, there was a gap in the literature about what was known about information technology (IT) professionals' behavioral intentions (BIs) to adopt BDSA. The overarching management question of this study was whether IT professionals' BIs to adopt BDSA were influenced by perceived usefulness (PU) and perceived ease of use (PEOU). This management question led to the investigation of three research questions. The first was whether there was a statistically significant relationship between PU and an IT professional's BI to adopt BDSA. The second was whether there was a statistically significant relationship between PEOU and an IT professional's BI to adopt BDSA. The third was whether an IT professional's PEOU of BDSA influences the PU of BDSA. The study used a quantitative, nonexperimental research design with the technology acceptance model (TAM) as the theoretical framework. Participants included 110 IT professionals with five or more years of experience in the IT field. A Fast Form Approach to Measuring Technology Acceptance and Other Constructs was used to collect data. The instrument had 12 items that used (a) semantic differential scales that ranged in value from -4 to +4 and (b) bipolar labels to measure the two independent variables, PU and PEOU. Multiple linear regression was used to measure the significance of the relationship between PU and BI, and PEOU and BI. Also measured was the moderating effect of the independent variable, PEOU, on the dependent variable, PU. Finally, multivariate adaptive regression splines (MARS) measured the predictive power of the TAM. The findings of this study indicate a statistically significant relationship between PU and an IT professional's BI to adopt BDSA and a statistically significant relationship between PEOU and PU. However, there was no statistically significant relationship between PEOU and an IT professional's BI to adopt BDSA. The MARS analysis indicated the TAM had strong predictive power. The practical implications of this study inform IT practitioners on the importance of technology usefulness. In the case of BDSA, the computational outcome must be reliable and provide value. Also, given the challenges of developing and effectively using BDSA, addressing the issue of ease of use may be important for IT practitioners to adopt and use BDSA. Moreover, as an IT practitioner gains experience with BDSA, the ability to extract value from big data influences PEOU and strengthens its relationship with PU.
8

Clarke, Karla A. "Novel Alert Visualization: The Development of a Visual Analytics Prototype for Mitigation of Malicious Insider Cyber Threats." Diss., NSUWorks, 2018. https://nsuworks.nova.edu/gscis_etd/1049.

Abstract:
Cyber insider threat is one of the most difficult risks to mitigate in organizations. However, innovative validated visualizations for cyber analysts to better decipher and react to detected anomalies have not been reported in the literature or in industry. Attacks caused by malicious insiders can cause millions of dollars in losses to an organization. Though there have been advances in Intrusion Detection Systems (IDSs) over the last three decades, traditional IDSs do not specialize in anomaly identification caused by insiders. There is also a profuse amount of data being presented to cyber analysts when deciphering big data and reacting to data breach incidents using complex information systems. Information visualization is pertinent to the identification and mitigation of malicious cyber insider threats. The main goal of this study was to develop and validate, using Subject Matter Experts (SMEs), an executive insider threat dashboard visualization prototype. Using the developed prototype, an experimental study was conducted, which aimed to assess the perceived effectiveness in enhancing the analysts' interface when complex data correlations are presented to mitigate malicious insider cyber threats. Dashboard-based visualization techniques could be used to give full visibility of network progress and problems in real time, especially within complex and stressful environments. For instance, in an Emergency Room (ER), there are four main vital signs used for urgent patient triage. Cybersecurity vital signs can give cyber analysts clear focal points during high severity issues. Pilots must expeditiously reference the Heads Up Display (HUD), which presents only key indicators to make critical decisions during unwarranted deviations or an immediate threat. Current dashboard-based visualization techniques have yet to be fully validated within the field of cybersecurity. This study developed a visualization prototype based on SME input utilizing the Delphi method. SMEs validated the perceived effectiveness of several different types of the developed visualization dashboard. Quantitative analysis of SMEs' perceived effectiveness via self-reported value and satisfaction data, as well as qualitative analysis of feedback provided during the experiments using the developed prototype, were performed. This study identified critical cyber visualization variables and identified visualization techniques. The identifications were then used to develop QUICK.v™, a prototype to be used when mitigating potentially malicious cyber insider threats. The perceived effectiveness of QUICK.v™ was then validated. Insights from this study can aid organizations in enhancing cybersecurity dashboard visualizations by depicting only critical cybersecurity vital signs.
9

Almajed, Yasser M. "A framework for an adaptive early warning and response system for insider privacy breaches." Thesis, De Montfort University, 2015. http://hdl.handle.net/2086/11129.

Abstract:
Organisations such as governments and healthcare bodies are increasingly responsible for managing large amounts of personal information, and the increasing complexity of modern information systems is causing growing concerns about the protection of these assets from insider threats. Insider threats are very difficult to handle, because the insiders have direct access to information and are trusted by their organisations. The nature of insider privacy breaches varies with the organisation's acceptable usage policy and the attributes of an insider. However, the level of risk that insiders pose depends on insider breach scenarios including their access patterns and contextual information, such as timing of access. Protection from insider threats is a newly emerging research area, and thus only a few approaches are available that systemise the continuous monitoring of dynamic insider usage characteristics and adaptation depending on the level of risk. The aim of this research is to develop a formal framework for an adaptive early warning and response system for insider privacy breaches within dynamic software systems. This framework will allow the specification of multiple policies at different risk levels, depending on event patterns, timing constraints, and the enforcement of adaptive response actions, to interrupt insider activity. Our framework is based on Usage Control (UCON), a comprehensive model that controls previous, ongoing, and subsequent resource usage. We extend UCON to include interrupt policy decisions, in which multiple policy decisions can be expressed at different risk levels. In particular, interrupt policy decisions can be dynamically adapted upon the occurrence of an event or over time. We propose a computational model that represents the concurrent behaviour of an adaptive early warning and response system in the form of a statechart. In addition, we propose a Privacy Breach Specification Language (PBSL) based on this computational model, in which event patterns, timing constraints, and the triggered early warning level are expressed in the form of policy rules. The main features of PBSL are its expressiveness, simplicity, practicality, and formal semantics. The formal semantics of the PBSL, together with a model of the mechanisms enforcing the policies, is given in an operational style. Enforcement mechanisms, which are defined by the outcomes of the policy rules, influence the system state through the mutual interaction between the policy rules and the system behaviour. We demonstrate the use of this PBSL with a case study from the e-government domain that includes some real-world insider breach scenarios. The formal framework utilises a tool that supports the animation of the enforcement and policy models. This tool also supports the model checking used to formally verify the safety and progress properties of the system over the policy and the enforcement specifications.
10

Munshi, Asmaa Mahdi. "A study of insider threat behaviour: developing a holistic insider threat model." Thesis, Curtin University, 2013. http://hdl.handle.net/20.500.11937/1668.

Abstract:
This study investigates the factors that influence insider threat behaviour. The research aims to develop a holistic view of insider threat behaviour and ways to manage it. This research adopts an Explanatory Mixed Methods approach for the research process. Firstly, the researcher collects the quantitative data and then the qualitative data. In the first phase, the holistic insider threat model is developed; in the second phase, best practices are developed to manage the threat.
11

Black, Alan. "Managing the aviation insider threat." Thesis, Monterey, California. Naval Postgraduate School, 2010. http://hdl.handle.net/10945/5039.

Abstract:
CHDS State/Local
Approved for public release; distribution is unlimited
Despite enhancements to aviation security since September 11, 2001, there remain vulnerabilities from employees at airports. This threat results from airline/airport employees that have access to sensitive and restricted areas during the normal course of their required duties. This thesis evaluates the threat and the measures in place to prevent attacks from aviation insiders. In addition, it evaluates a measure commonly referred to as 100 percent employee screening. Finally, the thesis derives recommendations to enhance the current methods to reduce the vulnerability, as well as proposes additional measures to further reduce the threat from aviation insiders.
12

Schluderberg, Larry E. "Addressing the cybersecurity Malicious Insider threat." Thesis, Utica College, 2015. http://pqdtopen.proquest.com/#viewpdf?dispub=1571095.

Abstract:
Malicious Insider threats consist of employees, contractors, or business partners who either have current authorized access, or have had authorized access, to an organization's critical information and have intentionally misused that access in a manner that compromised the organization. Although incidents initiated by malicious insiders are fewer in number than those initiated by external threats, insider incidents are more costly on average because the threat is already trusted by the organization and often has privileged access to the organization's most sensitive information. In spite of the damage they cause, there are indications that the seriousness of insider incidents is underappreciated by management. The purpose of this research was to investigate who constitutes MI threats, why and how they initiate attacks, the extent to which MI activity can be modeled or predicted, and to suggest some risk mitigation strategies. The results reveal that addressing the Malicious Insider threat is much more than just a technical issue. Dealing effectively with the threat involves managing the dynamic interaction between employees, their work environment and work associates, the systems with which they interact, and organizational policies and procedures. Techniques for detecting and mitigating the threat are available and can be effectively applied. Some of the procedural and technical methods include definition of, follow through, and consistent application of corporate, and dealing with adverse events indigenous to the business environment. Other methods include conduct of a comprehensive Malicious Insider risk assessment, selective monitoring of employees in response to behavioral precursors, minimizing unknown access paths, control of the organization's production software baseline, and effective use of peer reporting.
Keywords: Cybersecurity, Professor Paul Pantani, CERT, insider, threat, IDS, SIEMS, FIM, RBAC, ABAC, behavioral, peer, precursors, access, authentication, predictive, analytics, system, dynamics, demographics.
13

Tell, Markus. "Insiderhot : En systematisk litteraturöversikt av insiderhot som utvärderar administrativa säkerhetsåtgärder." Thesis, Högskolan i Skövde, Institutionen för informationsteknologi, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-19764.

Abstract:
Within an organisation there are insiders with direct access to confidential and sensitive information. Insider threats can be either intentional or unintentional, and both types can have devastating consequences. The real question is how organisations should ensure information security when employees have daily access to information. What organisations need to implement are specific security measures. Preventive security measures can be divided into technical and administrative ones. This thesis has carried out a systematic literature review with a thematic analysis to examine which administrative security measures previous research recommends for tackling the problem. The study concludes that intentional and unintentional insider threats require different types of security measures, while some measures can prevent both problems. To prevent intentional insider threats, punitive measures such as sanctions are needed, along with an information security culture that takes different theories into account. To prevent unintentional insider threats, the focus needs to be on education, training and awareness, together with the application of an information security culture that reduces stress. Finally, an information security policy and a combination of positive and negative incentives are needed, which can prevent both intentional and unintentional insider threats.
14

McKinney, Steven. "Insider Threat: User Identification Via Process Profiling." NCSU, 2008. http://www.lib.ncsu.edu/theses/available/etd-05092008-154325/.

Abstract:
The issue of insider threat is one that organizations have dealt with for many years. Insider threat research began in the early 80's, but has yet to provide satisfactory results despite the fact that insiders pose a greater threat to organizations than external attackers. One of the key issues relating to this problem is that the amount of collectable data is enormous and it is currently impossible to analyze all of it, for each insider, in a timely manner. The purpose of this research is to analyze a portion of this collectable data, process usage, and determine if this data is useful in identifying insiders. Identification of the person controlling the workstation is useful in environments where workstations are left unattended, even for a short amount of time. To do this, we developed an insider threat detection system based on the Naive Bayes method which examines process usage data and creates individual profiles for users. By comparing collected data to these profiles we are able to determine who is controlling the workstation with high accuracy. We are able to achieve true positive rates of 96% while maintaining fewer than 0.5% false positives.
15

Magklaras, Georgios Vasilios. "An insider misuse threat detection and prediction language." Thesis, University of Plymouth, 2012. http://hdl.handle.net/10026.1/1024.

Abstract:
Numerous studies indicate that amongst the various types of security threats, the problem of insider misuse of IT systems can have serious consequences for the health of computing infrastructures. Although incidents of external origin are also dangerous, the insider IT misuse problem is difficult to address for a number of reasons. A fundamental reason that makes the problem mitigation difficult relates to the level of trust legitimate users possess inside the organization. The trust factor makes it difficult to detect threats originating from the actions and credentials of individual users. An equally important difficulty in the process of mitigating insider IT threats is based on the variability of the problem. The nature of insider IT misuse varies amongst organizations. Hence, the problem of expressing what constitutes a threat, as well as the process of detecting and predicting it, are non-trivial tasks that add up to the multi-factorial nature of insider IT misuse. This thesis is concerned with the process of systematizing the specification of insider threats, focusing on their system-level detection and prediction. The design of suitable user audit mechanisms and semantics form a Domain Specific Language to detect and predict insider misuse incidents. As a result, the thesis proposes in detail ways to construct standardized descriptions (signatures) of insider threat incidents, as a means of aiding researchers and IT system experts to mitigate the problem of insider IT misuse. The produced audit engine (LUARM – Logging User Actions in Relational Mode) and the Insider Threat Prediction and Specification Language (ITPSL) are two utilities that can be added to the IT insider misuse mitigation arsenal. LUARM is a novel audit engine designed specifically to address the needs of monitoring insider actions. These needs cannot be met by traditional open source audit utilities.
ITPSL is an XML-based markup that can standardize the description of incidents and threats and thus make use of the LUARM audit data. Its novelty lies in the fact that it can be used to detect as well as predict instances of threats, a task that has not been achieved to this date by a domain specific language to address threats. The research project evaluated the produced language using a cyber-misuse experiment approach derived from real world misuse incident data. The results of the experiment showed that the ITPSL and its associated audit engine LUARM provide a good foundation for insider threat specification and prediction. Some language deficiencies relate to the fact that the insider threat specification process requires a good knowledge of the software applications used in a computer system. As the language is easily expandable, future developments to improve the language in this direction are suggested.
16

Rocha, Francisco. "Insider threat : memory confidentiality and integrity in the cloud." Thesis, University of Newcastle upon Tyne, 2015. http://hdl.handle.net/10443/2960.

Abstract:
The advantages of always available services, such as remote device backup or data storage, have helped the widespread adoption of cloud computing. However, cloud computing services challenge the traditional boundary between trusted inside and untrusted outside. A consumer's data and applications are no longer on premises, fundamentally changing the scope of an insider threat. This thesis looks at the security risks associated with an insider threat. Specifically, we look into the critical challenge of assuring data confidentiality and integrity for the execution of arbitrary software in a consumer's virtual machine. The problem arises from having multiple virtual machines sharing hardware resources in the same physical host, while an administrator is granted elevated privileges over such a host. We used an empirical approach to collect evidence of the existence of this security problem and implemented a prototype of a novel prevention mechanism for such a problem. Finally, we propose a trustworthy cloud architecture which uses the security properties our prevention mechanism guarantees as a building block. To collect the evidence required to demonstrate how an insider threat can become a security problem to a cloud computing infrastructure, we performed a set of attacks targeting the three most commonly used virtualization software solutions. These attacks attempt to compromise data confidentiality and integrity of cloud consumers' data. The prototype to evaluate our novel prevention mechanism was implemented in the Xen hypervisor and tested against known attacks. The prototype we implemented focuses on applying restrictions to the permissive memory access model currently in use in the most relevant virtualization software solutions. We envision the use of a mandatory memory access control model in the virtualization software.
This model enforces the principle of least privilege for memory access, which means cloud administrators are assigned only enough privileges to successfully perform their administrative tasks. Although the changes we suggest to the virtualization layer make it more restrictive, our solution is versatile enough to port all the functionality available in current virtualization solutions. Therefore, our trustworthy cloud architecture guarantees data confidentiality and integrity and achieves a more transparent trustworthy cloud ecosystem while preserving functionality. Our results show that a malicious insider can compromise security sensitive data in the three most important commercial virtualization software solutions. These virtualization solutions are publicly available and the number of cloud servers using these solutions accounts for the majority of the virtualization market. The prevention mechanism prototype we designed and implemented guarantees data confidentiality and integrity against such attacks and reduces the trusted computing base of the virtualization layer. These results indicate how current virtualization solutions need to reconsider their view on insider threats.
17

Krause, Elischa [Verfasser], Alfons O. [Akademischer Betreuer] Hamm, Alfons O. [Gutachter] Hamm, and Paul [Gutachter] Pauli. "Threat from the inside: Characterization of defensive responses to interoceptive threats / Elischa Krause ; Gutachter: Alfons O. Hamm, Paul Pauli ; Betreuer: Alfons O. Hamm." Greifswald : Universität Greifswald, 2021. http://d-nb.info/1233428349/34.

18

Callahan, Christopher J. "Security information and event management tools and insider threat detection." Thesis, Monterey, California: Naval Postgraduate School, 2013. http://hdl.handle.net/10945/37596.

Abstract:
Approved for public release; distribution is unlimited.
Malicious insider activities on military networks can pose a threat to military operations. Early identification of malicious insiders assists in preventing significant damage and reduces the overall insider threat to military networks. Security Information and Event Management (SIEM) tools can be used to identify potential malicious insider activities. SIEM tools provide the ability to normalize and correlate log data from multiple sources on networks. Personnel background investigations and administrative action information can provide data sources for SIEM tools in order to assist in early identification of the insider threat by correlating this information with the individual's online activities. This thesis provides background information on the components and functionality of SIEM tools, summarizes historic insider threat cases to determine common motivations, provides an overview of military security investigations and administrative actions in order to determine candidate sources for SIEM correlation, and provides an overview of common methods of data exfiltration by malicious insiders. This information is then used to develop an example SIEM architecture that highlights how the military can use a SIEM to identify and prevent potential internal insider threats by correlating an individual's network activities with background investigation and administrative action information.
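A toy version of the correlation the abstract describes, as an added example (not Callahan's architecture or code): raw events from three differently formatted sources are normalised into one record shape, then scored per user with weighted indicators, one of which is an HR record of an open administrative action. The log lines, the HR feed, the indicator weights, the after-hours window and the alert threshold are all constructed assumptions.

```python
"""SIEM-style normalisation and correlation of user activity with HR data (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed raw events from three sources with different formats:
# key=value syslog from the VPN and file server, CSV from a USB agent.
RAW_LOGS = [
    "2024-03-04T22:14:05Z vpn01 auth: user=jdoe src=203.0.113.7 result=success",
    "2024-03-04T22:20:11Z fs01 share: user=jdoe action=read path=/projects/alpha/design.pdf bytes=48213332",
    "2024-03-04T22:21:40Z fs01 share: user=jdoe action=read path=/projects/alpha/bom.xlsx bytes=9120330",
    "usb01,2024-03-04T22:25:02Z,jdoe,mount,ABC123",
    "2024-03-05T09:03:19Z vpn01 auth: user=asmith src=198.51.100.4 result=success",
    "2024-03-05T09:10:00Z fs01 share: user=asmith action=read path=/hr/handbook.pdf bytes=230000",
]

# Constructed HR / security-office feed: administrative actions that are still open.
HR_RECORDS = {
    "jdoe": {"admin_action": "resignation_notice", "opened": "2024-03-01"},
}

# Assumed indicator weights and alert threshold.
WEIGHTS = {"after_hours_login": 1, "bulk_read": 2, "usb_mount": 2, "open_admin_action": 3}
ALERT_THRESHOLD = 5
BULK_READ_BYTES = 20_000_000

KV_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<category>\w+): (?P<fields>.*)$")


def normalise(line):
    """Map one raw line to {ts, host, category, user, fields}, or None if unparsable."""
    m = KV_LINE.match(line)
    if m:
        fields = dict(kv.split("=", 1) for kv in m["fields"].split())
        return {
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "host": m["host"],
            "category": m["category"],
            "user": fields.pop("user", None),
            "fields": fields,
        }
    parts = line.split(",")
    if len(parts) == 5 and parts[0].startswith("usb"):
        host, ts, user, event, serial = parts
        return {
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host,
            "category": "device",
            "user": user,
            "fields": {"event": event, "serial": serial},
        }
    return None


def score_users(lines, hr_records):
    """Return {user: (score, [indicators])} over all parsable events."""
    events = [e for e in map(normalise, lines) if e is not None]
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    results = {}
    for user, evs in by_user.items():
        indicators = []
        # 1. successful remote login outside an assumed 07:00-19:00 UTC working window
        if any(e["category"] == "auth" and e["fields"].get("result") == "success"
               and not 7 <= e["ts"].astimezone(timezone.utc).hour < 19 for e in evs):
            indicators.append("after_hours_login")
        # 2. volume read from file shares over the whole window (a real SIEM would use a sliding window)
        total_bytes = sum(int(e["fields"].get("bytes", 0)) for e in evs
                          if e["category"] == "share" and e["fields"].get("action") == "read")
        if total_bytes > BULK_READ_BYTES:
            indicators.append("bulk_read")
        # 3. removable media attached
        if any(e["category"] == "device" and e["fields"].get("event") == "mount" for e in evs):
            indicators.append("usb_mount")
        # 4. non-technical context: an open administrative action in the HR feed
        if user in hr_records:
            indicators.append("open_admin_action")
        results[user] = (sum(WEIGHTS[i] for i in indicators), indicators)
    return results


def alerts(lines, hr_records, threshold=ALERT_THRESHOLD):
    """Users whose weighted indicator score reaches the threshold."""
    return sorted(u for u, (score, _) in score_users(lines, hr_records).items() if score >= threshold)


if __name__ == "__main__":
    for user, (score, inds) in score_users(RAW_LOGS, HR_RECORDS).items():
        print(user, score, inds)
    print("alerts:", alerts(RAW_LOGS, HR_RECORDS))
```

On the constructed input jdoe accumulates all four indicators (score 8) and is the only alert; asmith's daytime login and small read score 0. The point the thesis makes is visible in the weights: the technical indicators alone (5) only just reach the threshold, and it is the HR record that separates a late-working employee from one worth an analyst's attention. Feeding HR data into a SIEM has obvious privacy and access-control implications, so that source should be restricted to the insider-threat team rather than exposed to general SOC users.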
19

Hashem, Yassir. "Multi-Modal Insider Threat Detection and Prevention based on Users' Behaviors." Thesis, University of North Texas, 2008. https://digital.library.unt.edu/ark:/67531/metadc1248460/.

Abstract:
Insider threat is one of the greatest concerns for information security that could cause more significant financial losses and damages than any other attack. However, implementing an efficient detection system is a very challenging task. It has long been recognized that solutions to insider threats are mainly user-centric and several psychological and psychosocial models have been proposed. A user's psychophysiological behavior measures can provide an excellent source of information for detecting a user's malicious behaviors and mitigating insider threats. In this dissertation, we propose a multi-modal framework based on the user's psychophysiological measures and computer-based behaviors to distinguish between a user's behaviors during regular activities versus malicious activities. We utilize several psychophysiological measures such as electroencephalogram (EEG), electrocardiogram (ECG), and eye movement and pupil behaviors along with computer-based behaviors such as mouse movement dynamics and keystroke dynamics to build our framework for detecting malicious insiders. We conduct human subject experiments to capture the psychophysiological measures and the computer-based behaviors for a group of participants while performing several computer-based activities in different scenarios. We analyze the behavioral measures, extract useful features, and evaluate their capability in detecting insider threats. We investigate each measure separately, then we use data fusion techniques to build two modules and a comprehensive multi-modal framework. The first module combines the synchronized EEG and ECG psychophysiological measures, and the second module combines the eye movement and pupil behaviors with the computer-based behaviors to detect the malicious insiders. The multi-modal framework utilizes all the measures and behaviors in one model to achieve better detection accuracy.
Our findings demonstrate that psychophysiological measures can reveal valuable knowledge about a user's malicious intent and can be used as an effective indicator in designing insider threat monitoring and detection frameworks. Our work lays out the necessary foundation to establish a new generation of insider threat detection and mitigation mechanisms that are based on a user's involuntary behaviors, such as psychophysiological measures, and learn from the real-time data to determine whether a user is malicious.
20

Formby, David. "A physical overlay framework for insider threat mitigation of power system devices." Thesis, Georgia Institute of Technology, 2014. http://hdl.handle.net/1853/53107.

Abstract:
Nearly every aspect of modern life today, from businesses, transportation, and healthcare, depends on the power grid operating safely and reliably. While the recent push for a "Smart Grid" has shown promise for increased efficiency, security has often been an afterthought, leaving this critical infrastructure vulnerable to a variety of cyber attacks. For instance, devices crucial to the safe operation of the power grid are left in remote substations with their configuration interfaces completely open, providing a vector for outsiders as well as insiders to launch an attack. This paper develops the framework for an overlay network of gateway devices that provide authenticated access control and security monitoring for these vulnerable interfaces. We develop a working prototype of such a device and simulate the performance of deployment throughout a substation. Our results suggest that such a system can be deployed with negligible impact on normal operations, while providing important security mechanisms. By doing so, we demonstrate that our proposal is a practical and efficient solution for retrofitting security onto crucial power system devices.
21

Hashem, Yassir. "A Multi-Modal Insider Threat Detection and Prevention based on Users' Behaviors." Thesis, University of North Texas, 2018. https://digital.library.unt.edu/ark:/67531/metadc1248460/.

Abstract:
Insider threat is one of the greatest concerns for information security that could cause more significant financial losses and damages than any other attack. However, implementing an efficient detection system is a very challenging task. It has long been recognized that solutions to insider threats are mainly user-centric and several psychological and psychosocial models have been proposed. A user's psychophysiological behavior measures can provide an excellent source of information for detecting a user's malicious behaviors and mitigating insider threats. In this dissertation, we propose a multi-modal framework based on the user's psychophysiological measures and computer-based behaviors to distinguish between a user's behaviors during regular activities versus malicious activities. We utilize several psychophysiological measures such as electroencephalogram (EEG), electrocardiogram (ECG), and eye movement and pupil behaviors along with computer-based behaviors such as mouse movement dynamics and keystroke dynamics to build our framework for detecting malicious insiders. We conduct human subject experiments to capture the psychophysiological measures and the computer-based behaviors for a group of participants while performing several computer-based activities in different scenarios. We analyze the behavioral measures, extract useful features, and evaluate their capability in detecting insider threats. We investigate each measure separately, then we use data fusion techniques to build two modules and a comprehensive multi-modal framework. The first module combines the synchronized EEG and ECG psychophysiological measures, and the second module combines the eye movement and pupil behaviors with the computer-based behaviors to detect the malicious insiders. The multi-modal framework utilizes all the measures and behaviors in one model to achieve better detection accuracy.
Our findings demonstrate that psychophysiological measures can reveal valuable knowledge about a user's malicious intent and can be used as an effective indicator in designing insider threat monitoring and detection frameworks. Our work lays out the necessary foundation to establish a new generation of insider threat detection and mitigation mechanisms that are based on a user's involuntary behaviors, such as psychophysiological measures, and learn from the real-time data to determine whether a user is malicious.
22

Fagade, Tesleem. "A multi-domain approach for security compliance, insider threat modelling and risk management." Thesis, University of Bristol, 2018. http://hdl.handle.net/1983/c7461605-6493-4413-8835-65847df90a57.

Abstract:
Information security is fundamentally concerned with the confidentiality, integrity and availability of information assets at all times. However, given the ubiquitous nature of information systems and organisations' growing reliance on large-scale interconnected networks, the prevalence and impact of cyber-attacks will continue to rise. The problem of cybersecurity risk management in corporate organisations is non-trivial; hence, tools that truly satisfy the holistic management of information security are difficult to construct and not readily available. The work described in this thesis presents a multi-domain approach to support comprehensive security management in organisations. This global objective is achieved through the evaluation of a compliant security model and of how employees rationalise security behaviour, using some ISO/IEC 27001 certified banking organisations as a regional case study. The study investigates the internal and contextual factors that drive individual security behaviour intentions. Based on the characteristics that have been proven to influence human behaviour, like personality traits, emotional states, psychosocial and cognitive capabilities, this work used values from these attributes in combination with security data breach reports to develop a conceptual model that represents the possible predictors of malicious insider activities. Also, in order to encapsulate the problems under consideration, this study explores how organisations can optimise resource allocation for security investment, a feat that is often affected by intrinsically uncertain variables and disparities in resource allocation decisions. The work presented in this thesis is based on the review of existing theories that are focused on human behaviour within the context of information security and criminology.
The findings from this study also identified several factors that could strongly project the intention to violate security protocols, and the results significantly increase our understanding of the elements required in support of holistic security management. This study has implications for security professionals and organisational security management.
23

Cannon, Jennifer Elizabeth. "Strategies for Improving Data Protection to Reduce Data Loss from Cyberattacks." ScholarWorks, 2019. https://scholarworks.waldenu.edu/dissertations/7277.

Abstract:
Accidental and targeted data breaches threaten sustainable business practices and personal privacy, exposing all types of businesses to increased data loss and financial impacts. This single case study was conducted in a medium-sized enterprise located in Brevard County, Florida, to explore the successful data protection strategies employed by the information system and information technology business leaders. Actor-network theory was the conceptual framework for the study, with a graphical syntax to model data protection strategies. Data were collected from semi-structured interviews of 3 business leaders, archival documents, and field notes. Data were analyzed using thematic, analytic, and software analysis, and methodological triangulation. Three themes materialized from the data analyses: people (inferring security personnel, network engineers, system engineers, and qualified personnel who know how to monitor data); processes (inferring the activities required to protect data from data loss); and technology (inferring scientific knowledge used by people to protect data from data loss). The findings are indicative of successful application of data protection strategies and may be modeled to assess vulnerabilities from technical and nontechnical threats impacting risk and loss of sensitive data. The implications of this study for positive social change include the potential to alter attitudes toward data protection, creating a better environment for people to live and work; reduce recovery costs resulting from Internet crimes, improving social well-being; and enhance methods for the protection of sensitive, proprietary, and personally identifiable information, which advances the privacy rights for society.
24

Hueca, Angel L. "Development and Validation of a Proof-of-Concept Prototype for Analytics-based Malicious Cybersecurity Insider Threat in a Real-Time Identification System." Diss., NSUWorks, 2018. https://nsuworks.nova.edu/gscis_etd/1063.

Abstract:
Insider threat has continued to be one of the most difficult cybersecurity threat vectors detectable by contemporary technologies. Most organizations apply standard technology-based practices to detect unusual network activity. While there have been significant advances in intrusion detection systems (IDS) as well as security incident and event management solutions (SIEM), these technologies fail to take into consideration the human aspects of personality and emotion in computer use and network activity, since insider threats are human-initiated. External influencers impact how an end-user interacts with both colleagues and organizational resources. Taking into consideration external influencers, such as personality, changes in organizational policies and structure, along with unusual technical activity analysis, would be an improvement over contemporary detection tools used for identifying at-risk employees. This would allow upper management or other organizational units to intervene before a malicious cybersecurity insider threat event occurs, or mitigate it quickly once initiated. The main goal of this research study was to design, develop, and validate a proof-of-concept prototype for a malicious cybersecurity insider threat alerting system that will assist in the rapid detection and prediction of human-centric precursors to malicious cybersecurity insider threat activity. Disgruntled employees or end-users wishing to cause harm to the organization may do so by abusing the trust given to them in their access to available network and organizational resources. Reports on malicious insider threat actions indicated that insider threat attacks make up roughly 23% of all cybercrime incidents, resulting in $2.9 trillion in employee fraud losses globally. The damage and negative impact that insider threats cause was reported to be higher than that of outsider or other types of cybercrime incidents.
Consequently, this study utilized weighted indicators to measure and correlate simulated user activity to possible precursors to malicious cybersecurity insider threat attacks. This study consisted of a mixed method approach utilizing an expert panel, developmental research, and quantitative data analysis using the developed tool on a simulated data set. To assure validity and reliability of the indicators, a panel of subject matter experts (SMEs) reviewed the indicators and indicator categorizations that were collected from prior literature following the Delphi technique. The SMEs' responses were incorporated into the development of a proof-of-concept prototype. Once the proof-of-concept prototype was completed and fully tested, an empirical simulation research study was conducted utilizing simulated user activity within a 16-month time frame. The results of the empirical simulation study were analyzed and presented. Recommendations resulting from the study are also provided.
25

Duncan, Gary. "The Inside Threat: European Integration and the European Court of Justice." Thesis, Linköping University, Department of Management and Economics, 2006. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-7122.

Abstract:
The European Court of Justice (ECJ) has long been recognized as a major engine behind the European integration project for its role in passing judgments expanding the powers and scope of the European Community, while member states have consistently reacted negatively to judgments limiting their sovereignty or granting the Community new powers. It is this interplay between the Court and member state interests that causes the ECJ to pose a threat to the future of integration. Using a combined framework of neofunctionalism and rational choice new institutionalism, six landmark cases and the events surrounding them are studied, revealing the motivations behind the Court's and member states' actions. From the analysis of these cases is created a set of criteria which can be used to predict when the ECJ will make an activist decision broadening the powers of the Community at the expense of the member states, as well as when, and how, member states will respond negatively.
26

Ofori-Duodu, Michael Samuel. "Exploring Data Security Management Strategies for Preventing Data Breaches." ScholarWorks, 2019. https://scholarworks.waldenu.edu/dissertations/7947.

Abstract:
Insider threat continues to pose a risk to organizations, and in some cases, the country at large. Data breach events continue to show the insider threat risk has not subsided. This qualitative case study sought to explore the data security management strategies used by database and system administrators to prevent data breaches by malicious insiders. The study population consisted of database administrators and system administrators from a government contracting agency in the northeastern region of the United States. The general systems theory, developed by Von Bertalanffy, was used as the conceptual framework for the research study. The data collection process involved interviewing database and system administrators (n = 8), organizational documents and processes (n = 6), and direct observation of a training meeting (n = 3). By using methodological triangulation and by member checking with interviews and direct observation, efforts were taken to enhance the validity of the findings of this study. Through thematic analysis, 4 major themes emerged from the study: enforcement of organizational security policy through training, use of multifaceted identity and access management techniques, use of security frameworks, and use of strong technical control operations mechanisms. The findings of this study may benefit database and system administrators by enhancing their data security management strategies to prevent data breaches by malicious insiders. Enhanced data security management strategies may contribute to social change by protecting organizational and customer data from malicious insiders that could potentially lead to espionage, identity theft, trade secrets exposure, and cyber extortion.
27

Lenkart, John J. "The vulnerability of social networking media and the insider threat : new eyes for bad guys." Thesis, Monterey, California. Naval Postgraduate School, 2011. http://hdl.handle.net/10945/5562.

Abstract:
CHDS State/Local. Approved for public release; distribution is unlimited.
Social networking media introduces a new set of vulnerabilities to protecting an organization's sensitive information. Competitors and foreign adversaries are actively targeting U.S. industry to acquire trade secrets to undercut U.S. business in the marketplace. Of primary concern in this endeavor is an insider's betrayal of an organization, witting or unwitting, by providing sensitive information to a hostile outsider that negatively impacts the organization. A common existing technique to enable this breach of sensitive information is social engineering: the attempt to elicit sensitive information by obscuring the true motivation and/or identity behind the request. Social engineering, when coupled with the new and widespread use of social networking media, becomes more effective by exploiting the wealth of information found on social networking sites. This information allows for more selective targeting of individuals with access to critical information. This thesis identifies the vulnerabilities created by social networking media and proposes a mitigation and prevention strategy that couples training and awareness with active surveys and monitoring of critical persons within an organization.
28

Dreibelbis, Rachel Christine. "It’s More Than Just Changing Your Password: Exploring the Nature and Antecedents of Cyber-Security Behaviors." Scholar Commons, 2016. http://scholarcommons.usf.edu/etd/6083.

Abstract:
Organizations have become increasingly concerned with developing and protecting their information security systems. Despite attempts to secure the information infrastructure, employees inside of organizations remain the largest source of threat to information cyber-security. While previous research has focused on behavioral and situational factors that influence cyber-security behaviors, the measurement of cyber behaviors and their relationship to other performance variables is poorly understood. The purpose of the present study is to 1) determine the underlying factor structure of a cyber-security behavior scale, 2) assess if individual personality traits predict four types of cyber-security behaviors: security assurance, security compliance, security risk, and security damaging behaviors, and 3) explore the relationship between citizenship and counterproductive work behaviors and cyber-security behaviors. Results indicate that cyber-security behavior can be separated into four distinct dimensions and that personality traits such as conscientiousness, agreeableness, and openness to experience are predictive of these behaviors. Additionally, positive cyber behaviors are related to organizational citizenship behaviors, and potentially harmful cyber behaviors are related to counterproductive work behaviors. This research has implications for using personality to predict cyber-security behaviors and reduce insider threat in the workplace.
29

Doss, Gary. "An Approach to Effectively Identify Insider Attacks within an Organization." NSUWorks, 2012. http://nsuworks.nova.edu/gscis_etd/138.

Abstract:
The purpose of this research is to identify the factors that influence organizational insiders to violate information security policies. There are numerous accounts of successful malicious activities conducted by employees and internal users of organizations. Researchers and organizations have begun looking at methods to reduce or mitigate the insider threat problem. Few proposed methods and models to identify, deter, and prevent the insider threat are based on empirical data. Additionally, few studies have focused on the targets or goals of the insider with organizational control as a foundation. From a target perspective, an organization might be able to control the outcome of a malicious insider threat attack. This research applied a criminology lens as an organization policy violation is, or resembles, a criminal activity. This research uses the Routine Activities Theory (RAT) as a guide to develop a theoretical model. The adoption of RAT was for its focus on the target and the protective controls, while still taking into account the motivated offender. The study identified the components of the model concerning insider threats, espionage, and illicit behavior related to information systems through literature. This led to the development of 10 hypotheses regarding the relationships of key factors that influence malicious insider activity. Data was collected using a scenario-based survey, which allowed for impartial responses from a third-person perspective. This technique has become popular in the field of criminology, as the effects of social desirability, acceptance, or repudiation will not be a concern. A pilot test verified the survey's ability to collect the appropriate data. The research employed Structural Equation Modeling (SEM) and Confirmatory Factor Analysis (CFA) techniques to analyze and evaluate the data. SEM and CFA techniques identified the fit of the model and the factors that influence information security policy violations. 
The result of the analysis provided criteria to accept the hypotheses and to identify key factors that influence insider Information System policy violations. This research identified the relationships and the level of influence between each factor.
30

Mat, Roni Mohd Saiyidi. "An analysis of insider dysfunctional behaviours in an accounting information system environment." Thesis, Edith Cowan University, Research Online, Perth, Western Australia, 2015. https://ro.ecu.edu.au/theses/1640.

Full text
Abstract:
Insider deviant behaviour in Accounting Information Systems (AIS) has long been recognised as a threat to organisational AIS assets. The literature abounds with perspectives that attempt to better understand the phenomenon; however, practitioners and researchers have traditionally focussed on technical approaches, which, although they form part of the solution, are insufficient to address the problem holistically. Managing insider threats requires an understanding of the interconnectedness between the human and contextual factors in which individuals operate, since technical methodologies in isolation have the potential to increase rather than reduce insider threats. This dilemma led many scholars to examine the behaviour of individuals, to further their understanding of the issues and, in turn, to control insider threats. Despite promising findings, some of these behavioural studies have inherent methodological limitations, and no attempt has been made to differentiate between apparently similar, yet fundamentally different, negative behaviours. Using the theory of planned behaviour (TPB) and actor network theory (ANT) as a foundation, the current study addresses the first concern by integrating AIS complexity and organisational culture, and identifies the contextual factors influencing behaviours that lead to insider threats. Secondly, the study addresses concerns regarding methodological approaches by categorising various deviant insider behaviours using the concept of dysfunctional behaviour, based on a two-dimensional behaviour taxonomy. Partial least squares structural equation modelling (PLS-SEM) revealed that TPB's predictor variables, attitude (ATT), subjective norm (SN) and perceived behavioural control (PBC), together with the moderator variables of organisational culture (CULTURE) and AIS complexity (COMPLEX), accounted for substantial variation in intention (INTENT) to engage in dysfunctional behaviour.
The findings also indicated that PBC is a dual-factor construct. Changes in predictors at the behavioural subset level were highlighted, and the findings of previous studies, that ATT is a salient predictor of intention, were confirmed. This was significant across all four dysfunctional behaviour categories. These findings add to the body of knowledge by contributing a theory that explains insider threats in AIS by deciphering dysfunctional behaviour using a predictive model. The study also provides a methodological foundation for future research to account for behavioural factors. Moreover, the findings have implications for managers who want to reduce insider threats to an acceptable level by strengthening organisational culture, moderating AIS complexity, and focussing on management programs with sufficient momentum to effect attitudinal change.
31

Carvallo, Pamela. "Sécurité dans le cloud : framework de détection de menaces internes basé sur l'analyse d'anomalies." Thesis, Université Paris-Saclay (ComUE), 2018. http://www.theses.fr/2018SACLL008/document.

Full text
Abstract:
Cloud Computing (CC) opens new possibilities for more flexible and efficient services for Cloud Service Clients (CSCs). However, one of the main issues in migrating to the cloud is that what was once a private domain for CSCs is now handled by a third party, and hence subject to its security policies. Therefore, CSCs' confidentiality, integrity, and availability (CIA) must be ensured. Despite the existence of protection mechanisms such as encryption, monitoring of the CIA properties becomes necessary. Additionally, new threats emerge every day, requiring more efficient detection techniques. The work presented in this document goes beyond the state of the art by treating the malicious insider threat, one of the least studied threats in CC. This is mainly due to the organizational and legal barriers in the industry, and therefore the lack of appropriate datasets for detecting it. We tackle this matter by addressing two challenges.

First, the derivation of an extensible methodology for modeling the behavior of a user in a company. This abstraction of an employee includes intra-psychological factors and contextual information, and is based on a role-based approach. The behaviors follow a probabilistic procedure, where malevolent motivations are considered to occur with a given probability over time.

The main contribution is the design and implementation of an anomaly-based detection framework for the aforementioned threat. This implementation enriches itself by comparing two different observation points: a profile-based view from the local network of the company, and a cloud-end view that analyses data from the services with which the clients interact. This allows the anomaly learning process to benefit from two perspectives: (1) the study of both real and simulated traffic with respect to the cloud service interaction, in order to characterize anomalies; and (2) the analysis of the cloud service in order to aggregate data statistics that support the overall behavior characterization.

The design of this framework empirically detects a broader set of anomalies in the company's interaction with the cloud. This is possible due to the replicable and extensible nature of the insider model. The proposed detection model also takes advantage of the autonomic nature of a clustering machine learning technique, following an unsupervised, adaptive algorithm capable of characterizing the evolving behaviors of users towards cloud assets. The solution efficiently tackles the detection of anomalies by showing high levels of clustering performance while keeping a low False Positive Rate (FPR), ensuring detection performance for threat scenarios where the threat comes from inside the enterprise.
32

LaViscount, David F. "Inside the Black Box of Mentoring: African-American Adolescents, Youth Mentoring, and Stereotype Threat Conditions." ScholarWorks@UNO, 2019. https://scholarworks.uno.edu/td/2622.

Full text
Abstract:
Despite a narrowing trend over the past forty years, the racial academic performance gap between non-Asian-American minority students and European-American students remains an overarching issue in K-12 schooling according to the Stanford Center for Education Policy Analysis (2017). Du Bois's (1903) theory of double consciousness is implicated in the performance gap phenomenon. Though not explicitly connected, Steele and Aronson's 1995 study revealed stereotype threat (STT) to be an empirical explanation of the negative impact of double consciousness. Steele et al.'s study revealed a psycho-social contributor to the racial academic performance gap, STT. STT is characterized by performance suppression caused by the fear of fulfilling a negative stereotype or the fear of being judged based on a negative stereotype attributed to one's social identity group. The activation of this phenomenon is related to identity-threatening cues, a systemic issue laden in the academic environment (Purdie-Vaughns, Steele, Davies, Ditlmann, & Crosby, 2008). To date, over 300 studies have been conducted on STT according to a meta-analysis conducted by Pennington, Heim, Levy, and Larkin (2016). Though certain experimental studies featuring mentoring as a vehicle for shifting stereotype narratives have yielded useful practices for STT reduction (Good et al., 2003), qualitative design, which is seldom employed in the STT field, may produce an understanding of the phenomenon that is not possible through a deductive approach (Ezzy, 2002; van Kaam, 1966). The purpose of this phenomenological study was to explore African-American adolescent student perceptions of the impact that mentoring has on their schooling experiences while under STT conditions. The findings of this study demonstrated that African-American adolescents perceived mentoring to positively impact their schooling experiences and to help them cope with STT-activating cues in the environment.
The participants discussed structural aspects of the relationships, personality attributes of the mentor, and specific mentor guidance. Participants also discussed a documented STT intervention that fell outside of the parameters of their mentoring relationships that positively impacted their schooling experiences and abilities to cope with STT cues – affirmations (Cohen, Garcia, Apfel, & Master, 2006; Walton et al., 2012). Recommendations for practice and future research are presented.
33

Carvallo, Pamela. "Sécurité dans le cloud : framework de détection de menaces internes basé sur l'analyse d'anomalies." Electronic Thesis or Diss., Université Paris-Saclay (ComUE), 2018. http://www.theses.fr/2018SACLL008.

Full text
Abstract:
Cloud Computing (CC) opens new possibilities for more flexible and efficient services for Cloud Service Clients (CSCs). However, one of the main issues in migrating to the cloud is that what was once a private domain for CSCs is now handled by a third party, and hence subject to its security policies. Therefore, CSCs' confidentiality, integrity, and availability (CIA) must be ensured. Despite the existence of protection mechanisms such as encryption, monitoring of the CIA properties becomes necessary. Additionally, new threats emerge every day, requiring more efficient detection techniques. The work presented in this document goes beyond the state of the art by treating the malicious insider threat, one of the least studied threats in CC. This is mainly due to the organizational and legal barriers in the industry, and therefore the lack of appropriate datasets for detecting it. We tackle this matter by addressing two challenges.

First, the derivation of an extensible methodology for modeling the behavior of a user in a company. This abstraction of an employee includes intra-psychological factors and contextual information, and is based on a role-based approach. The behaviors follow a probabilistic procedure, where malevolent motivations are considered to occur with a given probability over time.

The main contribution is the design and implementation of an anomaly-based detection framework for the aforementioned threat. This implementation enriches itself by comparing two different observation points: a profile-based view from the local network of the company, and a cloud-end view that analyses data from the services with which the clients interact. This allows the anomaly learning process to benefit from two perspectives: (1) the study of both real and simulated traffic with respect to the cloud service interaction, in order to characterize anomalies; and (2) the analysis of the cloud service in order to aggregate data statistics that support the overall behavior characterization.

The design of this framework empirically detects a broader set of anomalies in the company's interaction with the cloud. This is possible due to the replicable and extensible nature of the insider model. The proposed detection model also takes advantage of the autonomic nature of a clustering machine learning technique, following an unsupervised, adaptive algorithm capable of characterizing the evolving behaviors of users towards cloud assets. The solution efficiently tackles the detection of anomalies by showing high levels of clustering performance while keeping a low False Positive Rate (FPR), ensuring detection performance for threat scenarios where the threat comes from inside the enterprise.
34

Marani, Stefano <1998>. "The veto inside the EU policy-making process: is unanimity a threat to the respect of the Copenhagen criteria?" Master's Degree Thesis, Università Ca' Foscari Venezia, 2022. http://hdl.handle.net/10579/21961.

Full text
Abstract:
Article 2 of the Treaty on European Union establishes that the EU is founded on respect for democracy and the rule of law. Every EU Member State is therefore required to respect these principles, which form part of the criteria that every candidate country must satisfy in order to join the Union. However, over the last decade, countries such as Poland and Hungary have passed laws in strong contrast with EU norms. In an attempt to counter these violations, in 2020 the Commission triggered the conditionality mechanism, tying the disbursement of European recovery funds to respect for the rule of law. However, in the Council of the EU, financial matters are approved by unanimity, allowing Poland and Hungary to veto the conditionality mechanism and to receive European funds while remaining substantially unpunished. This event motivated me to investigate the historical, legal and political reasons behind the need for the right of veto, up to its persistence in the Union's modern decision-making process. Attention was then placed on how the EU has countered the violations by Poland and Hungary over the last decade, in order to understand whether the veto, which creates strong discomfort within the Union, constitutes the only threat to respect for the rule of law. Finally, the last part of this thesis is the most experimental, as it seeks to offer concrete alternatives to unanimity in order to understand, beyond the rhetoric, whether such prospects are realistic.
35

Landress, Angela D. "The Impact of Mindfulness on Non-malicious Spillage within Images on Social Networking Sites." Thesis, Nova Southeastern University, 2018. http://pqdtopen.proquest.com/#viewpdf?dispub=10842441.

Full text
Abstract:
Insider threat by employees in organizations is a problematic issue in today's fast-paced, internet-driven society. Gone are the days when securing the perimeter of one's network protected their business. Security threats are now mobile, and employees have the ability to share sensitive business data with hundreds of people instantaneously from mobile devices. While prior research has addressed social networking topics such as trust in relation to information systems, the use of social networking sites, social networking security, and social networking sharing, there is a lack of research on the mindfulness of users who spill sensitive data contained within images posted on social networking sites (SNS). The author seeks to provide an understanding of how non-malicious spillage through images relates to the mindfulness of employees, who are also deemed insiders. Specifically, it explores the relationships between the following variables: mindfulness, proprietary information spillage, and spillage of personally identifiable information (PII). A quasi-experimental study was designed, which was correlational in nature. Individuals were the unit of analysis. A sample population of business managers with SNS accounts was studied. A series of video vignettes was used to measure mindfulness. Surveys were used as a tool to collect and analyze data. There was a positive correlation between non-malicious spillage of sensitive business data, both personally identifiable information and proprietary data, and a lack of mindfulness.
36

Benke, Christoph [Verfasser], Alfons [Akademischer Betreuer] Hamm, Alfons [Gutachter] Hamm, Paul [Gutachter] Pauli, and Andreas von [Gutachter] Leupoldt. "Threat from the inside: Determinants of defensive responses to body sensations and clinical implications / Christoph Benke ; Gutachter: Alfons Hamm, Paul Pauli, Andreas von Leupoldt ; Betreuer: Alfons Hamm." Greifswald : Ernst-Moritz-Arndt-Universität, 2018. http://d-nb.info/1153713012/34.

Full text
37

Salim, Farzad. "Approaches to access control under uncertainty." Thesis, Queensland University of Technology, 2012. https://eprints.qut.edu.au/58408/1/Farzad_Salim_Thesis.pdf.

Full text
Abstract:
The ultimate goal of an access control system is to allocate each user the precise level of access they need to complete their job - no more and no less. This proves to be challenging in an organisational setting. On one hand, employees need enough access to the organisation's resources in order to perform their jobs; on the other hand, more access brings an increasing risk of misuse - either intentional, where an employee uses the access for personal benefit, or unintentional, through carelessness or being socially engineered into giving access to an adversary. This thesis investigates the issues existing approaches to access control have in allocating an optimal level of access to users, and proposes solutions in the form of new access control models. These issues are most evident when the uncertainty surrounding users' access needs, incentive to misuse and accountability is considered, hence the title of the thesis. We first analyse access control in environments where the administrator is unable to identify the users who may need access to resources. To resolve this uncertainty, an administrative model with delegation support is proposed. Further, a detailed technical enforcement mechanism is introduced to ensure delegated resources cannot be misused. Then we explicitly consider that users are self-interested and capable of misusing resources if they choose to. We propose a novel game-theoretic access control model to reason about and influence the factors that may affect users' incentive to misuse. Next we study access control in environments where neither can users' access needs be predicted nor can they be held accountable for misuse. It is shown that by allocating a budget to users, a virtual currency through which they can pay for the resources they deem necessary, the need for a precise pre-allocation of permissions can be relaxed. The budget also imposes an upper bound on users' ability to misuse.
A generalised budget allocation function is proposed, and it is shown that, given the context information, the optimal level of budget for users can always be numerically determined. Finally, the Role Based Access Control (RBAC) model is analysed under the explicit assumption of administrators' uncertainty about self-interested users' access needs and their incentives to misuse. A novel Budget-oriented Role Based Access Control (B-RBAC) model is proposed. The new model introduces the notion of users' behaviour into RBAC and provides means to influence users' incentives. It is shown how RBAC policy can be used to individualise the cost of access to resources and also to determine users' budgets. The implementation overheads of B-RBAC are examined and several low-cost sub-models are proposed.
38

Procházková, Ivana. "Rozvoj obchodních aktivit podniku cestovní kancelář Cílka, s.r.o." Master's thesis, Vysoké učení technické v Brně. Fakulta podnikatelská, 2009. http://www.nusl.cz/ntk/nusl-222152.

Full text
Abstract:
The Master's thesis characterizes, analyzes and assesses the current situation of the travel agency Cílka, Ltd. The thesis analyses the company's current position, dealing with the internal and external environment that influences its business activities. From the analysis of the internal and external environment, Opportunities and Threats, and then Strengths and Weaknesses, are formulated. On the basis of these findings, the work includes a comprehensive solution strategy for developing and improving the company's position, which should help establish the firm and secure its position on the market.
39

Gray, John Max. "Virtue Ethics: Examining Influences on the Ethical Commitment of Information System Workers in Trusted Positions." NSUWorks, 2015. http://nsuworks.nova.edu/gscis_etd/364.

Full text
Abstract:
Despite an abundance of research on the problem of insider threats, only limited success has been achieved in preventing trusted insiders from committing security violations. Virtue ethics may be an approach that can be utilized to address this issue. Human factors such as moral considerations impact Information System (IS) design, use, and security; consequently they affect the security posture and culture of an organization. Virtue ethics based concepts have the potential to influence and align the moral values and behavior of information systems workers with those of an organization in order to provide increased protection of IS assets. An individual’s character strengths have been linked to positive personal development, but there has been very little research into how the positive characteristics of virtue ethics, exhibited through the character development of information systems workers, can contribute to improving system security. This research aimed to address this gap by examining factors that affect and shape the ethical perspectives of individuals entrusted with privileged access to information. This study builds upon prior research and theoretical frameworks on institutionalizing ethics into organizations and Information Ethics to propose a new theoretical model which demonstrates the influences on Information Systems Security (ISS) trusted worker ethical behavior within an organization. Components of the research model include ISS virtue ethics based constructs, organizational based internal influences, societal based external influences, and trusted worker ethical behavior. This study used data collected from 395 professionals in an ISS organization to empirically assess the model. Partial Least Squares Structural Equation Modeling was employed to analyze the indicators, constructs, and path relationships. Various statistical tests determined validity and reliability, with mixed but adequate results. 
All of the relationships between constructs were positive, although some were stronger and more significant. The expectation of the researcher in this study was to better understand the character of individuals who pose an insider threat by validating the proposed model, thereby providing a conceptual analysis of the character traits which influence the ethical behavior of trusted workers and ultimately information system security.
40

Chou, Wen-Hsiang, and 周文祥. "A Study on Insider Threat Dynamics and Mitigating Insider Threats Using Correlation of Security Alerts." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/60837672469670352976.

Full text
Abstract:
Master's thesis, Master's Program in Information Science, Chung Cheng Institute of Technology, National Defense University, academic year 97.

Insider threats result from legitimate users abusing their privileges and causing tremendous damage or losses. Insiders are not always allies; they can be the main threat to an organization. Many security technologies have been researched to prevent threats only from external attacks and have limited capability to counter insiders' abnormal behaviors; they therefore ignore the threat caused by insiders. This paper presents a dynamic model to build and simulate insider behaviors, in order to better understand and explore the threat to an organization's information technology from incidents caused by malicious insiders. We also conduct simulation-based experiments to extract quantifiable variables for developing our insider threat detection and assessment model. We also propose the Integrated Insider Information DIDS, and develop an integrated method for detecting and assessing the risk level of insider threats, incorporating asset vulnerability assessments, identity authentication, and alert-based sensors. In order to process the generated warning messages, an attack risk level is designed to filter warning messages and extract key information, so that information security management staff know who is in a high-risk state or harbours animosity within the organization. Thus, with the proposed scheme, information security issues caused by insiders can be raised and monitored. A critical challenge in our work was to effectively reduce the time between an insider's defection and preparation to attack, even to the point where the detection of observations and associated indicators could help predict potential exploits before they are completed.
41

Chia-Cheng Tu and 涂嘉成. "Design and Implementation of Insider Threats Detection System Based on NetFlow." Thesis, 2016. http://ndltd.ncl.edu.tw/handle/55583410806878010535.

Full text
Abstract:
Master's thesis, Institute of Computer and Communication Engineering, National Cheng Kung University, academic year 104.

Internet technology is growing fast, with ever higher bandwidth. More and more services, including entertainment and education rather than research alone, run on the Academic Network. Managing such a huge network has become a big issue for administrators. To prevent malicious use of network resources, it is important to design a system that finds the hosts in the network that show abnormality. Though Intrusion Detection Systems and firewalls are both well-known defensive means of protecting the network, there is still a great chance for an attacker to compromise hosts. For example, an APT usually uses social engineering, targeting human nature, to gain entry, and its traffic looks like normal traffic. It is hard to defend against, because if it is blocked, normal services such as web and mail services are blocked too. This situation also occurs in virtual environments, and we should face it and resolve it. We may not be aware of the intrusion, but we can discover the abnormal traffic generated by the compromised hosts. By observing the traffic, there is no need to install an agent on each host; we only have to configure the router or switch to export flow data and then analyze it. It is also convenient to use open-source tools to export the traffic in NetFlow format. The advantage of NetFlow is that it discards the packet payload and keeps only the header information. As a result, we can observe the traffic by flow rather than by packet, reducing system load and improving efficiency. The system extracts abnormal behavior patterns from the traffic and then aggregates them to generate a list of IP addresses of suspicious hosts. This is not only provided for users to check their own hosts but is also convenient for administrators managing the network.
42

(6387488), Asmaa Mohamed Sallam. "Anomaly Detection Techniques for the Protection of Database Systems against Insider Threats." Thesis, 2019.

Find full text
Abstract:
The mitigation of insider threats against databases is a challenging problem since insiders often have legitimate privileges to access sensitive data. Conventional security mechanisms, such as authentication and access control, are thus insufficient for the protection of databases against insider threats; such mechanisms need to be complemented with real-time anomaly detection techniques. Since the malicious activities aiming at stealing data may consist of multiple steps executed across temporal intervals, database anomaly detection is required to track users' actions across time in order to detect correlated actions that collectively indicate the occurrence of anomalies. The existing real-time anomaly detection techniques for databases can detect anomalies in the patterns of referencing the database entities, i.e., tables and columns, but are unable to detect the increase in the sizes of data retrieved by queries; neither can they detect changes in the users' data access frequencies. According to recent security reports, such changes are indicators of potential data misuse and may be the result of malicious intents for stealing or corrupting the data. In this thesis, we present techniques for monitoring database accesses and detecting anomalies that are considered early signs of data misuse by insiders. Our techniques are able to track the data retrieved by queries and sequences of queries, the frequencies of execution of periodic queries and the frequencies of referencing the database tuples and tables. We provide detailed algorithms and data structures that support the implementation of our techniques and the results of the evaluation of their implementation.
43

Chai, Xiao Hong Joanne. "Encouraging employee compliance with information security policies in cloud computing in Hong Kong." Thesis, 2017. http://hdl.handle.net/1959.13/1337592.

Full text
Abstract:
Professional Doctorate - Doctor of Business Administration (DBA). Cloud computing, with its ubiquitous, flexible and on-demand consumption model, has been growing at an exponential rate and represents a major investment for organizations whose business models require constant transformation. However, cloud computing introduces security challenges at all levels, from data to applications, hosts and networks, and organizations are increasingly vulnerable to cyber-attacks and data breaches from outside the organization as well as to insiders' intentional or unintentional misbehaviour that is not in compliance with an organization's security policies. Insider security threats are the most dangerous, as insiders are the trusted and privileged users of the organizations and their problems are the most difficult to detect. Investigation of the factors affecting employees' behaviour in protecting their organization's valuable asset, information, is thus very important in an organization's defence against harmful insiders' non-compliant behaviour. Existing literature, however, generally focuses on technical and operational protections and provides little account of human misbehaviour. This study aims to address this gap by investigating the influencing factors affecting employees' protection intention and behaviour in their organizations. This study adopts an integrated theoretical model from Siponen, Mahmood, & Pahnila (2014) that is grounded in Protection Motivation Theory (Rogers, 1983) and the Theory of Planned Behaviour (Ajzen & Fishbein, 1980; Ajzen, 1991) but expands to the full nomology of both theories to enhance the rigor of the research. The theoretical model is then empirically tested with 256 employees from various industries involved in cloud computing in Hong Kong. The research model is found to explain a significant proportion of the variance of Intention to Comply with Cloud/Information Security Policies (52 percent) and Actual Compliance Behaviour (61 percent).
The findings suggest that employees' compliance intention and perceived ease of compliance are the most significant influencers of compliance behaviour. When employees have the right compliance attitude, are positively motivated by their management and peers, have faith in their organizations' and their own ability to protect their organizations, and find the compliance costs tolerable, their intention to comply with their organizations' cloud/information security policies increases significantly. The results show that employees' perception of the security threats has a moderate effect on compliance intention, but their perception of vulnerability to security breaches and the rewards of non-compliance have no impact on their intention to comply with cloud/information security policies. This study reveals a general lack of awareness of cloud/information security threats and the consequences of non-compliance. The results call for continuous Security Education, Training and Awareness (SETA) on cloud/information security policies and awareness programs to be in place to augment employees' understanding of the cyber security threat, especially as a result of the open concept of cloud computing, and their organizations' ability to respond to these threats; to increase employees' skills and confidence level to defend their organizations (and themselves) from security threats; to promote the right attitude towards conforming to organizations; and to create peer pressure from senior management and co-workers towards compliance behaviour. This study enriches the understanding of the motivational factors underlying information security policy compliance behaviour and will be useful for academia and industry practitioners involved in encouraging cloud/information security policy compliance behaviour.
References: Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179-211. Ajzen, I., & Fishbein, M. (1980). Understanding Attitudes and Predicting Social Behavior. Englewood Cliffs, N.J.: Prentice Hall. Rogers, R. W. (1983). Cognitive and physiological processes in fear appeals and attitude change: A revised theory of protection motivation. New York: Guilford Press. Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees' adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224.
44

Udoeyop, Akaninyene Walter. "Cyber Profiling for Insider Threat Detection." 2010. http://trace.tennessee.edu/utk_gradthes/756.

Full text
Abstract:
Cyber attacks against companies and organizations can result in high impact losses that include damaged credibility, exposed vulnerability, and financial losses. Until the 21st century, insiders were often overlooked as suspects for these attacks. The 2010 CERT Cyber Security Watch Survey attributes 26 percent of cyber crimes to insiders. Numerous real insider attack scenarios suggest that during, or directly before the attack, the insider begins to behave abnormally. We introduce a method to detect abnormal behavior by profiling users. We utilize the k-means and kernel density estimation algorithms to learn a user’s normal behavior and establish normal user profiles based on behavioral data. We then compare user behavior against the normal profiles to identify abnormal patterns of behavior.
45

McKinney, Steven J. "Insider threat user identification via process profiling /." 2008. http://www.lib.ncsu.edu/theses/available/etd-05092008-154325/unrestricted/etd.pdf.

Full text
46

劉宜樺. "A Model-based Checklist for Insider Threat Preven." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/46225008335770193325.

Full text
Abstract:
Master's thesis, National Tsing Hua University, Department of Industrial Engineering and Engineering Management, 98. There are some psychological measures for organizations to evaluate the mental status of employees in Taiwan, but those measures cannot detect insiders. The purpose of this study is to develop a checklist that supervisors or unit heads can apply to ensure organizational safety. Based on the model for causes of specific precursors and organizational safety structured by this study, and on the analysis of insider threat events from the literature review, there are some precursors before insiders try to execute the major malicious activity, and those precursors are caused by different factors. If those precursors can be detected and handled before the insider takes further action, the hazard will not happen. At first, this study applies the Chinese Basic Personality Inventory (CBPI) to identify the similarities and differences in mental condition between the employees of a certain company and others, and conducts structured interviews to understand whether employees in a certain company are under stress and what strategies supervisors will take. Then, the model for causes of specific precursors and organizational safety is structured and the checklist is developed based on this model. The checklist is divided into two parts: one part is the strategies taken to prevent risk from happening, and the other part is the precursors that appear for insider threats. Then, structured interviews with experts are conducted to modify those strategies and precursors in the checklist and to establish expert validity. Finally, the questionnaire is administered to evaluate the reliability of the checklist. Experts are recruited to evaluate this checklist to establish content validity. According to the high Cronbach's alpha of the questionnaire (0.961), the reliability is acceptable.
This checklist can be applied to organizational departments to help supervisors understand the relationship between the precursors and organizational safety. It is helpful for supervisors to check whether there are potential insiders in their organization. Some strategies can be taken to ensure the safety of the organization. This study focuses on how to develop a checklist for insider threat prevention, and applying this checklist is necessary for further study.
47

Lo, Yu-Hsien, and 羅煜賢. "Insider Threat Detection Based on User's Capability and Opportunity with Reliable Evidence." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/y8c88r.

Full text
Abstract:
Master's thesis, National Taiwan University of Science and Technology, Department of Computer Science and Information Engineering, 106. Insider threats are carried out by employees who already have the privilege to access confidential documents. It is difficult for the defender to be aware of the differences between normal and abnormal behaviors. Most researchers focus on the theft of intellectual property (IP) by using machine learning algorithms to create a baseline before detecting abnormal behavior executed by users. However, an insider can cheat the learning model into a wrong baseline beforehand by doing extra activities. In this paper, we propose a framework, called HoneyDeception, which focuses on the theft of IP based on fraud diamond theory and the MOC-Model. Moreover, we adopt deception technology and the perverse incentive concept into our framework. The trap of the framework is to restrict the behavior of insiders but give a door (i.e., an opportunity) for insiders to pass through. It prevents all actions that get confidential documents from the authorized area to the non-protected area, except that it allows the "Print Screen" event command to users. We record the content of the clipboard for "Print Screen" events and record the files containing the image transmitted by users. In particular, because HoneyDeception requires two steps to transfer from the authorized area to the external area, it can avoid the insider giving unintentional excuses for violating the intellectual property.
48

Tekle, Solomon Mekonnen. "A Privacy-Preserving, Context-Aware, Insider Threat prevention and prediction model (PPCAITPP)." Thesis, 2018. http://hdl.handle.net/10500/25968.

Full text
Abstract:
The insider threat problem is extremely challenging to address, as it is committed by insiders who are trusted and authorized to access the information resources of the organization. The problem is further complicated by the multifaceted nature of insiders, as human beings have various motivations and fluctuating behaviours. Additionally, typical monitoring systems may violate the privacy of insiders. Consequently, there is a need to consider a comprehensive approach to mitigate insider threats. This research presents a novel insider threat prevention and prediction model, combining several approaches, techniques and tools from the fields of computer science and criminology. The model is a Privacy-Preserving, Context-Aware, Insider Threat Prevention and Prediction model (PPCAITPP). The model is predicated on the Fraud Diamond (a theory from Criminology), which assumes there must be four elements present in order for a criminal to commit maleficence. The basic elements are pressure (i.e. motive), opportunity, ability (i.e. capability) and rationalization. According to the Fraud Diamond, malicious employees need to have a motive, opportunity and the capability to commit fraud. Additionally, criminals tend to rationalize their malicious actions in order to ease their cognitive dissonance towards maleficence. In order to mitigate the insider threat comprehensively, there is a need to consider all the elements of the Fraud Diamond, because insider threat crime is also related to elements of the Fraud Diamond, similar to crimes committed within the physical landscape. The model intends to act within context, which implies that when the model offers predictions about threats, it also reacts instantaneously to prevent the threat from becoming a future threat. To collect information about insiders for the purposes of prediction, there is a need to collect current information, as the motives and behaviours of humans are transient.
Context-aware systems are used in the model to collect current information about insiders related to motive and ability as well as to determine whether insiders exploit any opportunity to commit a crime (i.e. entrapment). Furthermore, they are used to neutralize any rationalizations the insider may have via neutralization mitigation, thus preventing the insider from committing a future crime. However, the model collects private information and involves entrapment that will be deemed unethical. A model that does not preserve the privacy of insiders may cause them to feel they are not trusted, which in turn may affect their productivity in the workplace negatively. Hence, this thesis argues that an insider prediction model must be privacy-preserving in order to prevent further cybercrime. The model is not intended to be punitive but rather a strategy to prevent current insiders from being tempted to commit a crime in future. The model involves four major components: context awareness, opportunity facilitation, neutralization mitigation and privacy preservation. The model implements a context analyser to collect information related to an insider who may be motivated to commit a crime and his or her ability to implement an attack plan. The context analyser only collects meta-data such as search behaviour, file access, logins, use of keystrokes and linguistic features, excluding the content to preserve the privacy of insiders. The model also employs keystroke and linguistic features based on typing patterns to collect information about any change in an insider’s emotional and stress levels. This is indirectly related to the motivation to commit a cybercrime. Research demonstrates that most of the insiders who have committed a crime have experienced a negative emotion/pressure resulting from dissatisfaction with employment measures such as terminations, transfers without their consent or denial of a wage increase. 
However, there may also be personal problems such as a divorce. The typing pattern analyser and other resource usage behaviours aid in identifying an insider who may be motivated to commit a cybercrime based on his or her stress levels and emotions as well as the change in resource usage behaviour. The model does not identify the motive itself, but rather identifies those individuals who may be motivated to commit a crime by reviewing their computer-based actions. The model also assesses the capability of insiders to commit a planned attack based on their usage of computer applications, measuring their sophistication in terms of the range of knowledge, depth of knowledge and skill, as well as assessing the number of system errors and warnings generated while using the applications. The model will facilitate an opportunity to commit a crime by using honeypots to determine whether a motivated and capable insider will exploit any opportunity in the organization involving a criminal act. Based on the insider's reaction to the opportunity presented via a honeypot, the model will deploy an implementation strategy based on neutralization mitigation. Neutralization mitigation is the process of nullifying the rationalizations that the insider may have had for committing the crime. All information about insiders will be anonymized to remove any identifiers for the purpose of preserving the privacy of insiders. The model also intends to identify any new behaviour that may result during the course of implementation. This research contributes to existing scientific knowledge in the insider threat domain and can be used as a point of departure for future researchers in the area. Organizations could use the model as a framework to design and develop a comprehensive security solution for insider threat problems. The model concept can also be integrated into existing information security systems that address the insider threat problem.
Information Science. D. Phil. (Information Systems)
49

"A Model for Calculating Damage Potential in Computer Systems." Master's thesis, 2019. http://hdl.handle.net/2286/R.I.53889.

Full text
Abstract:
For systems having computers as a significant component, it becomes a critical task to identify the potential threats that the users of the system can present, while being both inside and outside the system. One of the most important factors that differentiates an insider from an outsider is the fact that the insider, being a part of the system, owns privileges that enable him/her access to the resources and processes of the system through valid capabilities. An insider with malicious intent can potentially be more damaging compared to outsiders. The above differences help to understand the notion and scope of an insider. The significant loss to organizations due to the failure to detect and mitigate the insider threat has resulted in an increased interest in insider threat detection. The well-studied effective techniques proposed for defending against attacks by outsiders have not been proven successful against insider attacks. Although a number of security policies and models to deal with the insider threat have been developed, the approach taken by most organizations is the use of audit logs after the attack has taken place. Such approaches are inspired by academic research proposals to address the problem by tracking activities of the insider in the system. Although tracking and logging are important, it is argued that they are not sufficient. Thus, the necessity to predict the potential damage of an insider is considered to help build a stronger evaluation and mitigation strategy for the insider attack. In this thesis, the question to be answered is the following: `Considering the relationships that exist between the insiders and their role, their access to the resources and the resource set, what is the potential damage that an insider can cause?' A general system model is introduced that can capture general insider attacks including those documented by the Computer Emergency Response Team (CERT) for the Software Engineering Institute (SEI).
Further, initial formulations of the damage potential for leakage and availability in the model are introduced. The model's usefulness is shown by expressing 14 actual attacks in the model and showing how, for each case, the attack could have been mitigated.
Dissertation/Thesis. Masters Thesis Computer Science 2019
50

(9034049), Miguel Villarreal-Vasquez. "Anomaly Detection and Security Deep Learning Methods Under Adversarial Situation." Thesis, 2020.

Find full text
Abstract:
Advances in Artificial Intelligence (AI), or more precisely in Neural Networks (NNs), and fast processing technologies (e.g. Graphic Processing Units or GPUs) in recent years have positioned NNs as one of the main machine learning algorithms used to solve a diversity of problems in both academia and industry. While they have been proven to be effective in solving many tasks, the lack of security guarantees and understanding of their internal processing disrupts their wide adoption in general and in cybersecurity-related applications. In this dissertation, we present the findings of a comprehensive study aimed at enabling the absorption of state-of-the-art NN algorithms in the development of enterprise solutions. Specifically, this dissertation focuses on (1) the development of defensive mechanisms to protect NNs against adversarial attacks and (2) the application of NN models for anomaly detection in enterprise networks.
In this state of affairs, this work makes the following contributions. First, we performed a thorough study of the different adversarial attacks against NNs. We concentrate on the attacks referred to as trojan attacks and introduce a novel model hardening method that removes any trojan (i.e. misbehavior) inserted into the NN models at training time. We carefully evaluate our method and establish the correct metrics to test the efficiency of defensive methods against these types of attacks: (1) accuracy with benign data, (2) attack success rate, and (3) accuracy with adversarial data. Prior work evaluates their solutions using the first two metrics only, which do not suffice to guarantee robustness against untargeted attacks. Our method is compared with the state-of-the-art. The obtained results show our method outperforms it. Second, we proposed a novel approach to detect anomalies using LSTM-based models.
Our method analyzes at runtime the event sequences generated by the Endpoint Detection and Response (EDR) system of a renowned security company and efficiently detects uncommon patterns. The new detection method is compared with the EDR system. The results show that our method achieves a higher detection rate. Finally, we present a Moving Target Defense technique that smartly reacts upon the detection of anomalies so as to also mitigate the detected attacks. The technique efficiently replaces the entire stack of virtual nodes, making ongoing attacks in the system ineffective.