An assessment of opportunity-reducing techniques in information security: An insider threat perspective

Keshnee Padayachee

PII: S0167-9236(16)30161-0
DOI: 10.1016/j.dss.2016.09.012
Reference: DECSUP 12769

To appear in: Decision Support Systems

Received date: 13 September 2015
Revised date: 1 August 2016
Accepted date: 13 September 2016

Please cite this article as: Keshnee Padayachee, An Assessment of Opportunity-Reducing Techniques in Information Security: An Insider Threat Perspective, Decision Support Systems (2016), doi:10.1016/j.dss.2016.09.012


ACCEPTED MANUSCRIPT

Keshnee Padayachee (Email: [email protected])
Institute for Science and Technology Education, UNISA, 0003, Pretoria, South Africa

ABSTRACT

This paper presents an evaluation of extant opportunity-reducing techniques employed to mitigate insider threats. Although both motive and opportunity are required to commit maleficence, this paper focuses on the concept of opportunity. Opportunity is more tangible than motive; hence it is more pragmatic to reflect on opportunity-reducing measures. To this end, opportunity theories from the field of criminology are considered. The exploratory evaluation proffers several areas of research and may assist organizations in implementing opportunity-reducing information security controls to mitigate insider threats. The evaluation is not definitive, but serves to inform future understanding.

KEYWORDS: Insider Threat; Situational Crime Prevention Theory; Cybercrime; Delphi Technique

1. INTRODUCTION

According to the CyberSecurity Watch Survey (2011), 46% of the respondents considered the maleficence caused by insider attacks to be more damaging than that caused by outsider attacks. The Boardroom Cyber Watch 2013 Survey (2013) in fact cautioned that this figure may be higher than 50%. An ‘insider’ is any individual who has legitimate access to an organization’s information technology (IT) infrastructure (Magklaras & Furnell, 2005), while an ‘insider threat’ uses the authority granted to him/her for illegitimate gain (Schultz, 2002). Although both motive and opportunity are required to commit maleficence, this paper focuses on the concept of opportunity. Opportunity is more tangible than motive; hence it is more pragmatic to reflect on opportunity-reducing measures. According to Willison (2006), it is valuable for researchers to reflect on cybercrimes in terms of criminology theories as they are, after all, crimes. In criminology, four theories of crime embody the opportunity theory perspective: Rational Choice theory, Routine Activities theory, Crime Pattern theory and, more recently, Situational Crime Prevention (SCP) theory (Padayachee, 2015). As SCP theory is the one that has evolved most directly from the aforementioned theories, it was used as the theoretical framework in the study reported on here. The aim of the study was to evaluate the perceived effectiveness of existing information security (IS) techniques as framed by SCP theory. The limitation of extant studies is that they propose a direct transposition to cyberspace of the techniques that apply to SCP theory in the physical world. These extant studies consider opportunity-reducing measures from a physical landscape perspective rather than from the virtual context of information security. The premise of the research described in this paper is that opportunity-reducing measures need to be mapped to the virtual space, rather than crime prevention techniques intended for the physical landscape being superficially superimposed onto it. Consequently, the instrument used for the research was open-ended, and the respondents were under no obligation to transmute the crime prevention techniques suggested for the physical landscape into the virtual context.

According to Theoharidou, Kokolakis, Karyda, and Kiountouzis (2005), the insider threat issue may benefit from a ‘pluralistic approach’ that would be enriched by ideas from well-established criminology theories. Many theories of crime consider the motivations for crime in an attempt to understand why criminals commit crime. Opportunity theories of crime focus on minimizing the opportunities that have to be present in order for crime to occur. Motivations are difficult to analyze, as they are based on human emotions. In contrast, it is easier to conceptualize opportunities and consequently to develop pragmatic strategies to minimize crime. Felson and Clarke (1998) indicate that, unlike other factors that may be associated with crime, opportunity is the ‘root cause’ of all crime. It is evident that while one may have the motivation or capability, there has to be an opportunity to commit the crime. SCP theory asserts that the opportunities for crime should be minimized (Cornish & Clarke, 2003) by applying specific interventions. This theory has been applied to the insider threat problem (see Coles-Kemp & Theoharidou, 2010; Padayachee, 2013, 2015; Willison, 2006; Willison & Siponen, 2009) and to general IS concerns (see Beebe & Roa, 2005; Hinduja & Kooi, 2013). An essential difference between outsiders and insiders is that outsiders have limited opportunity to carry out their attack. Outsiders have to exploit vulnerabilities in the system, while insiders have privileged access and hence greater opportunity; however, an insider, unlike an outsider, is subject to policies, procedures and agreements (Walton, 2006). Padayachee (2013) concludes that crime opportunities from an insider threat perspective arise from the following three sets of circumstances: First, insiders are able to identify opportunities for crime within their daily activities. Second, data assets that are valuable, visible, accessible and transferrable offer tempting cybercrime opportunities. Third, new innovations and changes continually produce new insider threat opportunities.

SC

An effort was made in the study reported on in this paper to evaluate the extant set of IS opportunity-reducing techniques from an SCP theory perspective. Hence the main research question was: To what extent are the opportunity-reducing measures of Situational Crime Prevention theory addressed in the current state of information security measures to mitigate the insider threat problem? Given the exploratory nature of the study, the Delphi technique was applied, since the extant literature in this area is limited. According to Hsu and Sandford (2007, p. 5), the Delphi technique is useful in ‘discovering what is actually known or not known about a specific topic,’ and it is a ‘flexible and adaptable tool to gather and analyze the needed data’; this made it appropriate for this research, which was exploratory.

When Theoharidou et al. (2005) examined ISO17799 and its relationship to managing the insider threat problem, they found that crime theories such as SCP theory had not been contemplated in this ISO standard, as the standard did not consider the opportunity side of crime. This omission in the previous and current standard is an indication that the notion of opportunity requires further exploration. Willison and Backhouse (2006) support this view and argue that a formal definition of opportunity within the cybercrime domain is lacking.

The rest of the paper is structured as follows: Section 2 elucidates the theoretical framework; Section 3 presents the research methodology; Section 4 presents the findings; and Section 5 reflects on the implications of the findings. The paper concludes with Section 6.

2. THE THEORETICAL FRAMEWORK FOR THE EVALUATION

In the current systematic analysis (i.e. a review that involves mapping, critically appraising and collating information coherently in a systematic and accountable manner (Gough, Oliver, & Thomas, 2012)), various information security techniques are mapped to SCP theory to compile a catalogue of techniques. The author has also included a few controls that were deemed appropriate – these are denoted by α (alpha). SCP theory considers five categories of opportunity-reducing measures, namely ‘increase effort’, ‘increase risks’, ‘reduce rewards’, ‘reduce provocation’ and ‘remove excuse’. Each measure is further divided into 5 specific techniques (i.e. 25 subcategories in total) (Cornish & Clarke, 2003), which are intended for the physical landscape. These techniques were given ‘digital analogies’ by Beebe and Roa (2005), Willison (2006), Coles-Kemp and Theoharidou (2010) and Hinduja and Kooi (2013). The author’s earlier work (Padayachee, 2015) on the matter at hand was also considered.

NU

2.1 Increase the effort

The ‘increase the effort’ category involves confirming the perception that a specific crime would be difficult to execute (Smith & Scott 2011). The subcategories that are discussed in more detail below are: target hardening; control of access to facilities; screen exits; deflecting offenders and controlling tools (i.e. tools that may be used to cause harm (Coles-Kemp & Theoharidou, 2010)).

ED

The information security controls proposed for ‘target hardening’ (i.e. increasing the difficulty of carrying out the crime (Smith & Scott 2011)) include anti-virus software (Willison, 2006); vulnerability patching (Beebe & Roa, 2005); sensitive system isolation (Coles-Kemp & Theoharidou, 2010); proper password policies; custom installation; extraneous ports closed (Hinduja & Kooi, 2013) and whitelistingα. Anti-viruses are susceptible to misuse, while whitelisting is easier to carry out, as it is based on maintaining a list of allowable software (Mansfield-Devine, 2009). The practice of vulnerability patching may be exploited if organizations do not apply the patches immediately (Arbaugh, Fithen, & McHugh, 2000). According to Jones and Colwill (2008), the isolation of a sensitive system may be a less effective information security practice, as storing all sensitive and confidential data in one location makes it an easy target. In order to reduce vulnerabilities, Hinduja and Kooi (2013) suggest that extraneous ports be closed and custom installations be preferred to default installations. Instituting proper password policies (Hinduja & Kooi, 2013) can also be useful, as it has been shown that insiders prefer to use a peer’s account rather than their own to commit maleficence (Cappelli, Moore, Shimeall, & Trzeciak, 2006).

Traditional access controls have been proposed to manage the ‘control of access to facilities’ subcategory. However, they are susceptible to insider threats, as the system grants access provided the access is authorized (Baracaldo & Joshi, 2013). Usage controlα may be more effective, since it includes the components missing from traditional access control – i.e. obligations and conditions (Sandhu & Park, 2003). Finer-grained authentication and access controlα may therefore be an effective means of controlling access to facilities.

Firewalls, which have been proposed as a digital analogy to screen exits (Willison, 2006), are ineffective against insider threats, as insiders operate within the perimeter that firewalls guard (Guido & Brooks, 2013). Data Loss Preventionα (DLP) controls outbound data (Joch, 2011) and may be more appropriate for screening perimeters than firewalls. Hinduja and Kooi (2013) also suggest ingress/egress filtering and internet protocol (IP)-based restrictions, which essentially assist in controlling the traffic that enters and exits the network.

The information security controls proposed to deflect offenders include honeypots (Beebe & Roa, 2005); key splitting (Coles-Kemp & Theoharidou, 2010); segregation of duties (Willison, 2006); background checks on employees (i.e. pre-screening) (Willison, 2006) and offsite storage of data (Hinduja & Kooi, 2013). Although honeypots are effective at containing insider threats, agreements may be required to cover liability issues. The segregation of duties prevents misuse, because duties and responsibilities are separated (ISO/IEC 27002:2005, 2005). Both key splitting and the segregation of duties are therefore controls to prevent collusion. Although pre-screening techniques such as profiling are not accurate predictors of a future threat (Pfleeger, Predd, Hunker, & Bulford, 2010), the ISO/IEC 27002 guidelines for Human Resources Security (ISO/IEC 27002:2005, 2005) offer numerous controls that involve background checks prior to employment. These controls contribute to ensuring that an employee will adhere to the organization’s security policy during employment and that access rights are removed when employment is terminated (ISO/IEC 27002:2005, 2005). According to Hinduja and Kooi (2013), the offsite storage of data makes it difficult to identify where data is actually stored, and this uncertainty may well deflect offenders.

Web access controls (Coles-Kemp & Theoharidou, 2010); filtering of downloads of illicit tools (i.e. controlling downloads (Willison, 2006)); termination procedures (Willison, 2006); least privilege (Coles-Kemp & Theoharidou, 2010); file access permission (Hinduja & Kooi, 2013) and periodic audits (Hinduja & Kooi, 2013) have been proposed as information security measures with regard to controlling tools. The filtering of downloads is an essential control, as insiders may download illicit tools such as keystroke loggers (Roy Sarkar, 2010) to aid them in committing maleficence. The principle of least privilege is another fundamental control; however, its practical enforcement may be limited due to fluctuations in work responsibilities. Similar to least privilege, file access permission is a means of controlling access to privileged users as a moderating control (Hinduja & Kooi, 2013). Periodic audits also help to detect suspicious users before they become problematic (Cappelli et al., 2006).

NU

2.2 Increase the risks

The ‘increase the risks’ category involves increasing the perception that ‘the risk of detection, resistance and apprehension’ associated with maleficence (Smith & Scott 2011) would be high. Its subcategories include the following: extending guardianship; assisting natural surveillance; reducing anonymity; utilizing place managers and strengthening formal surveillance.

The information security control that is suggested to extend guardianship involves the management of mobile facilities (Willison, 2006). The control objective ‘Mobile Computing and Teleworking’ from ISO/IEC 27002 is more encompassing, as it enforces policies on remote access via mobile devices and employees who are working remotely (i.e. teleworking) (ISO/IEC 27002:2005, 2005).

The information security controls that are recommended to assist natural surveillance include incident reporting (Coles-Kemp & Theoharidou, 2010) and visualization tools (Beebe & Roa, 2005). Cappelli et al. (2006) argue that incident reporting per se is not sufficient and insist that there should be a specific insider incident response plan. According to Raytheon (2009), visualization tools may be useful in replaying/reconstructing incidents. The information security controls that are recommended to reduce anonymity include audit trails and event logging (Willison, 2006). More specifically, audit trails and event logging that are completely tamperproof are proposed, as insiders may well tamper with audit trails to conceal their maleficent behavior (Insider Threat Integrated Process Team (DoD-IPT), 2000).

The technique of using place managers involves the placement of employees who naturally monitor the environment as a deterrent (Smith & Scott 2011). The information security techniques proposed for the use of place managers include a two-person sign-off (Willison, 2006), resource usage monitoring (Beebe & Roa, 2005) and specific assignment of information security (IS) duties (Hinduja & Kooi, 2013). A two-person sign-off will help reduce the risk of extortion (Silowash et al., 2012), while resource usage monitoring is a technique commonly used due to its ‘ease of collection, modest performance impact, and compatibility with user privacy concerns’ (McKinney & Reeves, 2009, p. 2). The specific assignment of duties is another useful strategy, as the process can be more informed if specific individuals are held accountable for their behavior.

NU

The following controls are recommended in order to strengthen formal surveillance: intrusion detection (Willison, 2006); change controlsα; configuration management toolsα; and a hotline for employees (Hinduja & Kooi, 2013). There is the possibility that intrusion detection systems may not be sensitized to the commands issued by a malicious insider, and such commands may appear to be part of his/her normal duties (Myers, Grimaila, & Mills, 2009); hence, no alarm would be raised. The introduction of a hotline to report suspicious behaviors (Hinduja & Kooi, 2013) can assist in early detection. Furthermore, formal surveillance can be strengthened by introducing change controlsα and configuration managementα – the former would ensure the proper management of all changes made to the network and the latter would detect changes to source code and application files (Cappelli et al., 2006).
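The ‘reduce anonymity’ discussion in this section holds that audit trails must be tamperproof because a privileged insider may alter them. The following is an added example, not code from the paper, showing one way to make a trail tamper-evident: each record is chained to its predecessor under an HMAC key that the logging host is assumed not to hold (the key name, event fields and the external anchor store are assumptions for illustration).

```python
"""Tamper-evident audit trail: an HMAC hash chain over log records.

Each record binds its sequence number, the previous record's tag and the
event body under a key assumed to live only with a separate verifier or
write-once log store, so an insider with write access to the log file
cannot recompute a consistent chain after editing it.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

GENESIS = "0" * 64  # link value used by the first record

# Constructed demo key; in practice it is held only by the verifier.
VERIFIER_KEY = b"constructed-demo-key-not-for-real-use"


def _canonical(obj) -> bytes:
    """Stable serialisation so identical events always give identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, seq: int, prev: str, event: dict) -> str:
    """HMAC-SHA256 over sequence number, previous tag and event body."""
    msg = _canonical({"seq": seq, "prev": prev, "event": event})
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_event(log: list, event: dict, key: bytes) -> dict:
    """Append an event record linked to the previous record's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    record = {"seq": seq, "prev": prev, "event": event,
              "tag": _tag(key, seq, prev, event)}
    log.append(record)
    return record


def verify_chain(log: list, key: bytes,
                 anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_index).

    Detects edited, inserted or deleted records anywhere in the chain.
    `anchor` is the latest tag as published to a trusted external store;
    without it, silent truncation of the tail is NOT detectable.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        expected = _tag(key, i, prev, rec.get("event"))
        if not hmac.compare_digest(expected, str(rec.get("tag", ""))):
            return False, i
        prev = rec["tag"]
    if anchor is not None and prev != anchor:
        return False, len(log)
    return True, None


def build_sample_log() -> list:
    """Constructed events: a privileged user reading and exporting a data set."""
    log = []
    for ev in [
        {"user": "jsmith", "action": "login", "host": "db01"},
        {"user": "jsmith", "action": "read", "object": "customer_pii", "rows": 1200},
        {"user": "jsmith", "action": "export", "object": "customer_pii", "dest": "usb0"},
        {"user": "jsmith", "action": "logout", "host": "db01"},
    ]:
        append_event(log, ev, VERIFIER_KEY)
    return log


def scenario_edit():
    """The export record is rewritten in place; the chain breaks at index 2."""
    log = build_sample_log()
    log[2]["event"]["dest"] = "backup-share"
    return verify_chain(log, VERIFIER_KEY)  # (False, 2)


def scenario_delete_middle():
    """The read record is removed; sequence numbers no longer line up at index 1."""
    log = build_sample_log()
    del log[1]
    return verify_chain(log, VERIFIER_KEY)  # (False, 1)


def scenario_truncate(use_anchor: bool):
    """Dropping the tail passes without an anchor and fails with one."""
    log = build_sample_log()
    anchor = log[-1]["tag"] if use_anchor else None
    return verify_chain(log[:3], VERIFIER_KEY, anchor)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_log(), VERIFIER_KEY))
    print("edited:", scenario_edit())
    print("deleted:", scenario_delete_middle())
    print("truncated, no anchor:", scenario_truncate(False))
    print("truncated, anchored:", scenario_truncate(True))
```

The truncation case is the one that deserves attention in practice: a hash chain alone cannot tell a legitimately short log from one whose tail was deleted, so the latest tag must be published to a store the insider cannot write.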

2.3 Reduce the rewards

The ‘reduce the rewards’ category involves reducing the perception that the benefits of the crime (Smith & Scott 2011) would be worthwhile. Examples of such techniques include the following: concealing targets; removing targets; identifying property; denying benefits; and disrupting markets. The information security analogy for the strategy of concealing targets involves restricting public domain information. This is an essential control, as insiders may use the organization’s intranet to identify opportunities. A more encompassing term was proposed, namely ‘security by obscurity’α. Security by obscurity is a useful technique, as it places obstacles in the way of would-be attackers – it must, however, be supplemented by other controls (Stuttard, 2005).


The removal of targets is a related technique that involves the obscuring of targets by deploying Clear Desk and Clear Screenα controls as recommended by the ISO/IEC 27002 standard (2005). The introduction of sensitive system isolation can be a further means of protecting highly sensitive information from insider threats, as it decreases the accessibility of the system (Hinduja & Kooi, 2013) (also recommended for ‘target hardening’ by Coles-Kemp and Theoharidou (2010)).

Watermarking (Beebe & Roa, 2005), digital signatures (Willison, 2006) and information classification (Beebe & Roa, 2005) have been recommended as information security strategies that are equivalent to the technique of identifying property. However, watermarking is rendered ineffective if the insider has access to the original object (Sheppard, Reihaneh, & Ogunbona, 2001). Although digital signatures may prove useful for non-repudiation, they require additional validation such as time stamps (Zhou & Deng, 2000). Instead of mere information classification, asset managementα (ISO/IEC 27002) was proposed as a tool for identifying property, as it is more encompassing and includes accountability for assets (ISO/IEC 27002:2005, 2005).

Encryption (Willison, 2006), automatic data destruction mechanisms (Beebe & Roa, 2005), continuity management (Coles-Kemp & Theoharidou, 2010) and incident management (Coles-Kemp & Theoharidou, 2010) are suggested as information security techniques that yield results which are similar to the ‘denying benefits’ technique. Encryption may be cracked by insiders because insiders have privileged access (Walton, 2006). The automatic destruction of data by mechanisms that wipe out sensitive data instantly reduces the suitability of a target (Hartel, Junger, & Wieringa, 2010). ‘Business Continuity Management’ and ‘Information Security Incident Management’ are clauses from ISO/IEC 27002 (2005), and comparable controls in COBIT5IS are ‘Manage Service Requests and Incidents’ and ‘Manage Continuity’. The ‘Manage Service Requests and Incidents’ controls involve minimizing disruptions through the quick resolution of incidents, while ‘Manage Continuity’ involves responding to incidents in order to continue with the critical business (ISACA, 2012). With regard to the technique of disrupting markets, open source products or freeware are recommended as information security controls. If this is not financially viable, an alternative could be code obfuscationα, which converts a program into an equivalent one that is more difficult to understand and reverse engineer (Collberg, Thomborson, & Low, 1997).

2.4 Reduce provocations

The ‘reduce provocation’ category involves removing ‘noxious stimuli from the environment’ (Smith & Scott 2011, p. 83) that may precipitate a crime. This category considers situations that act as triggers or precipitators to an individual who is already motivated (Cornish & Clarke, 2003). The subcategories include: reducing frustrations and stress; avoiding disputes; reducing emotional arousal; neutralizing peer pressure and discouraging imitation.

SC

The creation of a supportive working environment (Coles-Kemp & Theoharidou, 2010) has been proposed as a generic technique for reducing frustrations and stress. This paper posits that COBIT5IS may provide a more specific technique to address this category, based on the identification of ‘pain points and trigger events’α. Examples of pain points are data loss, denial of service and coping with new technologies, while examples of triggers are new regulations and technology changes. Change managementα (ISO/IEC 27002) was proposed as a supplementary technique, since both techniques manage change, which may be a stressor (ISACA, 2012). Willison (2006) recommends that support to whistle-blowers be included in the ‘assist natural surveillance’ subcategory; however, since it was theorized that this technique affects the emotional responses to a provocation, it was reassigned to the ‘reduce provocations’ category. Disputes may be avoided or resolved by simply introducing a Dispute Resolution Planα to manage a dispute effectively. The technique of discouraging imitation involves the prompt repair of damage inflicted on an organization’s information technology (IT) infrastructure, for example the speedy repair of a defaced website (Willison, 2006). Continuity Management from COBIT5IS also implies that a Disaster Recovery Plan is in place (ISACA, 2012); Coles-Kemp and Theoharidou (2010) had earlier proposed this technique for the ‘deny benefits’ category. The author nevertheless decided to include the technique of continuity management in this category as well, as it is synonymous with ‘rapid repair’ and therefore appropriate to this subcategory. Coles-Kemp and Theoharidou (2010) recommend security usability and user participation in the risk analysis process as possible information security controls to reduce emotional arousal. User participation in general would be beneficial, as insider threats may be precipitated when security policies or controls are misunderstood, poorly communicated or inconsistently applied (Silowash et al., 2012). Insider threats may also arise as the result of a lack of procedural fairness (Bulgurcu, Cavusoglu, & Benbasat, 2009). It may therefore be useful to involve users throughout the information security life cycle, from development to implementation. Security usability could be a step towards reducing the insider’s negative response to information security controls. Nonspecific ‘disciplinary processes’ (Coles-Kemp & Theoharidou, 2010) have been recommended as a means of neutralizing peer pressure and reducing intimidation.

SC

2.5 Remove excuses

NU

The ‘remove excuses’ category involves neutralizing the rationalizations of a criminal (Smith & Scott 2011). Criminals tend to justify their crime. For instance, insiders may rationalize their actions by perceiving cybercrime to be a victimless crime (Barlow, Warkentin, Ormond, & Dennis, 2013). The subcategories include setting rules; posting instructions; assisting compliance; alerting conscience and controlling drugs and alcohol.

ED

In terms of the ‘setting rules’ subcategory, rules are set with regard to the typical policies, agreements and procedures that have been proposed (e.g. procedures such as an acceptable use policy (Hinduja & Kooi, 2013)). Hinduja and Kooi (2013) also propose that an assistance programme be introduced to help employees to be cognizant of these rules and procedures. In terms of posting instructions, e-mail disclaimers (Beebe & Roa, 2005) are recommended as a comparable information security control, aside from the typical controls like an information security policy. It is recommended that e-mail disclaimers be differentiated according to the insiders’ roles and responsibilities (Red Earth Software, 2013).

Single sign-on (Willison, 2006); ethically sound business practices (Hinduja & Kooi, 2013); a single point of reference for security (Coles-Kemp & Theoharidou, 2010) and the promotion of a healthy work environment (Hinduja & Kooi, 2013) have been proposed as information security controls to realize the technique aimed at assisting compliance. Single sign-on entails an insider being given one password across all systems; this assists with usability and may be centrally controlled (Pashalidis & Mitchell, 2003). Single sign-on is considered to be an aspect of ‘Centralized User Management’α (Heilbronner & Wies, 1997), which was also included in the evaluation. This notion extends to the ‘single point of reference for security’ technique, which involves the centralized management of information security policies. Hinduja and Kooi (2013) suggest that promoting a healthy environment as well as ethically sound business practices constitutes a strategy for facilitating compliance with organizational policies and procedures. Such a strategy not only reduces the opportunity for individuals to indulge in criminal behavior, but also induces normative behavior.

The information security controls that are recommended for the purpose of appealing to users’ consciences include copyright protection (Coles-Kemp & Theoharidou, 2010); a code of ethics (Coles-Kemp & Theoharidou, 2010); warning messages when logging in (Hinduja & Kooi, 2013) and context-aware interfacesα. In COBIT5IS, a distinction is made between organizational ethics and individual ethics (ISACA, 2012). This implies that organizations need to reflect on personal ethics when considering the organization’s code of ethics. According to Hinduja and Kooi (2013), it is useful to receive warning messages when logging in, as such messages prick the user’s conscience. Targeted pop-ups are equally useful, as they remove the anonymity in criminal behavior, which in turn reduces the perceived benefits of a criminal act. A more encompassing control would be ‘context-aware interfaces’α (which are based on systems that ‘can examine the computing environment and react to changes to the environment’ (Schilit, Norman, & Roy, 1994, p. 1)).

Although ‘controlling drugs and alcohol’ may appear to be incongruent with the domain of information security, it is generally agreed that the abuse of drugs and alcohol impairs an insider’s judgement (Shropshire, 2009). The study currently reported on consequently proposes an employee rehabilitationα programme. Hinduja and Kooi (2013) propose that procedures be instituted for handling complaints and that adequate benefits be granted to employees since – in their opinion – such controls serve to affirm users and prevent feelings of discrimination. The main objective of the current research is to evaluate the information security measures discussed in this section from an opportunity-reducing perspective.


3. RESEARCH METHODOLOGY

The Delphi technique is appropriate when a ‘problem does not lend itself to precise analytical techniques but can benefit from subjective judgments on a collective basis’ (Linstone & Turoff, 1975, p. 4). In the study reported on here, it is postulated that the current set of information security techniques does not adequately reduce the insider’s perception of crime opportunities in cyberspace. The Delphi technique is an iterative process in which experts anonymously provide judgement in a group context and have the opportunity to revise their reviews by receiving controlled feedback until the group reaches consensus (Linstone & Turoff, 1975).

3.1 Research design

MA

The research design for the study was based on the Delphi technique as adapted from Schmidt et al. (2001). The research involved a three-round Delphi process with 23 experts from the industry. To increase the response rate, a nested random sample of 11 experts was involved in rounds 2 and 3, based on their availability. The experts were divided into two panels: the main group (n = 23) and the core group (n = 11). The first round was conducted via a website (https://sites.google.com/site/insiderthreatmitigation/home) using Google Forms, while the second and third rounds were conducted via e-mail. The three rounds were as follows: Round 1 (Brainstorming), Round 2 (Consolidation) and Round 3 (Refinement). In all rounds, the experts provided feedback independently and anonymously. The alternative would have been to ‘correct’ responses or to elucidate items; however, it was deemed more important not to limit experts to specific responses or preconceptions. This allows for novel techniques to emerge. In Round 1, the main group responded to five open-ended questions (see Appendix A), providing as many opportunity-reducing techniques as possible. The researcher then collated the responses with the techniques identified from the systematic analysis (Section 2). In Round 2, the core group provided their value judgement on the techniques proposed (i.e. the fit for purpose (agree or disagree)). The findings were subsequently consolidated and, to ease the process, lower-ranked techniques (< 55%) were eliminated – the threshold of 55% was selected as it was the lowest boundary of the values above 50%. Lower-ranked techniques represent those items with the lowest levels of agreement. Finally, in Round 3, the core group reviewed the consolidated list (composed of highly ranked (70–100%) and moderately ranked (55–69%) techniques) until the threshold level (70%) of consensus was reached. The consensus that was reached in the final round implied that the consolidated list represented a list of techniques considered to be both highly and moderately effective in mitigating insider threats.

3.2 Limitations

A purposive sampling strategy (i.e. a form of non-probability sampling which conforms to specified criteria (Herbst & Coldwell, 2004)) was used in this study. The experts were guaranteed anonymity, and this should have offset possible biases due to the sampling procedure. Sample sizes in Delphi studies range from 4 to 171 experts (Skulmoski, Hartman, & Krahn, 2007). Dalkey (2004) argues that as the sample size increases there are diminishing returns. Clayton (1997) in turn suggests that 15 to 30 experts should be included in homogeneous groups and 5 to 10 in heterogeneous groups (i.e. individuals who are experts in a field but come from various stratifications).

3.3 Sampling

The sampling criteria involved purposively selecting a panel of information security experts, but not specifically experts in the ‘insider threat problem’ domain. Hence the group was heterogeneous and drawn from various stratifications. The term ‘expert’ does not necessarily imply an expert in the specific field (Linstone & Turoff, 1975; Powell, 2003): experts can include individuals ‘who have expertise by virtue of having experienced the impact of a condition or intervention’ (Powell, 2003, p. 379). Experts in information security are themselves ‘insiders’; however, by virtue of their experience in information security they have tacit knowledge of insider threat mitigation. A sample of 250 experts was selected from a professional network (LinkedIn). However, the response rate was only 9% (n = 23). The sample was composed as follows: Management: Information Security (n = 9); Information Security Consultant (n = 5); Information Security Specialist (n = 3); Information Security Analyst (n = 2); Architect: Information Security (n = 2); Engineer: Information Security (n = 2). The majority of the experts were South African (91%) and were involved in information security management. Many of the experts were from the banking sector (35%). Most of the experts who responded to the invitation were male (96%). Their qualifications were as follows: first degree, 17%; postgraduate degree, 22%; diploma, 13%; certificate, 30%; and unknown, 17%. On average, 63% of the core group had formal qualifications (i.e. first degrees, postgraduate degrees and diplomas).


3.4 Context

Although this was not intentional, most of the experts were from South Africa (SA). It is therefore important to understand the results of the study within the South African context. In 2014, Mobius Consulting (2014) conducted a survey of information security personnel at eight major SA corporates from the retail and financial services sectors. It was found that, locally, the management of security falls to IT staff, but that as organizations evolved they were coming to appreciate the value of having separate divisions for security services. The study found that South African corporates rely on COBIT 5 and ISO standards for guidance, while 88% of the respondents had information security goals in place. A majority of corporations (>= 63%) in the study applied tools or programmes aimed at: anti-virus; network security; incident management; vulnerability management; training and awareness; policies, procedures and guidelines; data leakage/loss prevention; mobile device management; identity and access management; information security governance; information security risk management; compliance management; log management; patch management; mail security; database security; operating system security and disaster recovery plans. Mobius Consulting (2014) found that within the financial services domain, insider threats are considered to be one of the top five risks, while the survey (n = 1000) conducted by CISCO (2014) found that 66% of employees believed the insider threat problem to be one of the top two crimes in SA. According to the 2012/3 South African Cyber Threat Barometer (2012) report, the abuse of system privileges was the second most common mode of cyberattack in SA. Clearly, within the South African context, the insider threat problem is a known issue and one of major concern.

3.5 Validity

The current study involved a three-round process, during which the experts had the opportunity to review the interpretations of the other experts in a feedback loop; hence the core group validated the findings twice. Linstone and Turoff (1975, p. 4) advised that the ‘heterogeneity of the participants must be preserved to assure validity of the results’. Therefore the experts from industry were taken from a cross-section of the information security domain that ranged from the banking sector, to information security consultancies, to IT service management. The quality of the findings also depended on the capability of the panel. The main panel had on average 8.09 years of IT experience, while the core group had 7.5 years of experience. A preponderance of the main panel had tertiary qualifications (83%).

4. DATA ANALYSIS

In this section the findings of the study are presented per round.

4.1 Round 1

The responses from the experts were collated vis-à-vis the theoretical framework presented in Section 2. In total, 125 techniques were catalogued. Some techniques were found to recur. The highest number of techniques was in the ‘increase effort’ category, while the lowest number was found in the ‘reduce the rewards’ category. The percentages of techniques per category are as follows: ‘increase the effort’, 28%; ‘increase the risk’, 20%; ‘reduce the provocations’, 19%; ‘remove excuses’, 18% and ‘reduce the rewards’, 15%.

4.2 Round 2

In this round, the core group was tasked with determining the ‘fit for purpose’ of the techniques listed per category. Tables 1 to 4 show the percentage of consensus among experts regarding the effectiveness of a specified technique in reducing the insider’s perception of a crime opportunity. The techniques identified by the experts are denoted by an asterisk (*).

4.2.1 ‘Increase the effort’ category

In this category, 63% of the techniques were given a poor ranking, while only 23% of the techniques were considered to be highly effective. ‘Principle of least privilege’ was ranked the highest (91%), suggesting that the experts assume that controls which constrain access to information are effective mechanisms for mitigating insider threats. This assumption is reflected in their selection of additional techniques such as finer-grained access control, privileged identity management, role-based access control, segregation of duties and sensitive system isolation. Table 1 provides a summary of the key findings.


Table 1: ‘Increase the effort’ rankings (high (70–100%) to moderately (55–69%) ranked techniques)

Category                         Technique                          %
Control of access to facilities  Finer-grained access control       73%
                                 Privileged identity management*    73%
                                 Role-based access*                 64%
                                 Finer-grained authentication       55%
Controlling tools                Principle of least privilege       91%
                                 Periodic audits                    64%
                                 Irrefutable audit logs*            64%
Deflecting offenders             Segregation of duties              73%
                                 Background checks of employees     73%
                                 Human resources security           73%
Target hardening                 Proper password policies           73%
                                 Sensitive system isolation         73%
                                 Whitelisting                       64%
Note: No techniques identified for screen exits.
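The highest-ranked techniques in Table 1 (principle of least privilege, role-based access, segregation of duties and irrefutable audit logs) are easiest to reason about when they are implemented together in one policy engine. The following is an added example written for this page; it is not code from the paper or from any product it cites. The role names, permission strings, the clerk/approver conflict pair and the user names are assumptions made for the illustration.

```python
"""Added example (not from the paper): least privilege, role-based access
control (RBAC) and a static segregation-of-duties (SoD) check, with every
decision written to a hash-chained log so that in-place edits are detectable.
Role names, permission strings and the conflicting role pair are assumptions
made for this illustration."""
import hashlib
import json
from dataclasses import dataclass, field


# Least privilege: every role carries only the permissions its job needs.
ROLE_PERMISSIONS = {
    "payments_clerk": {"payment:create", "payment:read"},
    "payments_approver": {"payment:approve", "payment:read"},
    "auditor": {"payment:read", "auditlog:read"},
}

# Static SoD: one user may never hold both roles of a conflicting pair
# (here: whoever can create a payment must not be able to approve one).
SOD_CONFLICTS = {frozenset({"payments_clerk", "payments_approver"})}

GENESIS = "0" * 64


class SoDViolation(Exception):
    """Raised when a role assignment would breach segregation of duties."""


@dataclass
class AccessControl:
    assignments: dict = field(default_factory=dict)  # user -> set of roles
    log: list = field(default_factory=list)          # hash-chained entries

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        roles = self.assignments.get(user, set()) | {role}
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                self._record({"event": "assign_denied", "user": user, "role": role})
                raise SoDViolation(f"{user} may not hold both of {sorted(pair)}")
        self.assignments[user] = roles
        self._record({"event": "assign", "user": user, "role": role})

    def permissions(self, user: str) -> set:
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.assignments.get(user, ())))

    def check(self, user: str, permission: str) -> bool:
        """Default deny: only permissions granted through a role are allowed."""
        allowed = permission in self.permissions(user)
        self._record({"event": "check", "user": user, "perm": permission, "allowed": allowed})
        return allowed

    def _record(self, entry: dict) -> None:
        # Each entry commits to the previous digest, so altering or deleting an
        # earlier entry breaks every digest after it.
        prev = self.log[-1]["digest"] if self.log else GENESIS
        body = json.dumps(entry, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.log.append({"prev": prev, "body": body, "digest": digest})

    def verify_log(self) -> bool:
        prev = GENESIS
        for entry in self.log:
            expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
            if entry["prev"] != prev or entry["digest"] != expected:
                return False
            prev = entry["digest"]
        return True


def demo() -> dict:
    """Exercise the policy and return the observable outcomes."""
    ac = AccessControl()
    ac.assign_role("alice", "payments_clerk")
    ac.assign_role("bob", "payments_approver")
    try:
        ac.assign_role("alice", "payments_approver")  # clerk + approver: blocked
        sod_blocked = False
    except SoDViolation:
        sod_blocked = True
    results = {
        "alice_can_create": ac.check("alice", "payment:create"),
        "alice_can_approve": ac.check("alice", "payment:approve"),
        "bob_can_approve": ac.check("bob", "payment:approve"),
        "sod_blocked": sod_blocked,
        "log_ok": ac.verify_log(),
    }
    # Simulate an insider rewriting an earlier log entry in place.
    ac.log[1]["body"] = ac.log[1]["body"].replace("bob", "mallory")
    results["log_ok_after_tamper"] = ac.verify_log()
    return results


if __name__ == "__main__":
    print(demo())
```

The hash chain only makes tampering detectable; it does not by itself make the log irrefutable against an administrator who can rewrite the whole chain. For that, the latest digest has to be anchored outside the writer's control (signed, or shipped to a write-once store), and the verification should be run by a party other than the system that writes the log.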


The following controls were ranked as below average at 45%: cryptography; custom installation; data loss prevention; escalation of privileges; extraneous ports closed; file access permission; filtering the download of illicit tools; termination procedures, and workflow management systems. The following techniques were ranked poorly: key splitting (36%); usage control (36%); data classification (27%); firewalls (27%); information flow control (27%); vulnerability patching (27%); web access controls (27%); IP-based restrictions (27%); anti-virus software (18%); honeypots (18%); ingress/egress filtering (18%); master data management (9%), and offsite storage of data (9%). Most of the techniques deemed satisfactory (>= 55%) were specific to the insider threat problem.

4.2.2 ‘Increase the risk’ category

In this category, 96% of the techniques proposed were considered ineffective. Only one technique was moderately ranked, namely ‘dialog boxes, warning banners regarding the monitoring process’, which was recommended by the experts. This finding suggests that this category is in dire need of more effective tools aimed at increasing the risk for insiders. The technique was linked to the ‘utilizing place managers’ subcategory. Three controls were ranked as below average at 45%, namely dedicated insider threat departments; security information and event management (SIEM), and video recording. A large number of techniques were ranked poorly: configuration management tools (36%); identity and access management (36%); incident reporting (36%); management of mobile computing and teleworking (36%); monitoring (36%); punitive measures (36%); radio frequency identification (36%); resource usage monitoring (36%); change controls (27%); hotline for employees (27%); insider incident response plan (27%); intrusion detection systems (27%); multi-layered authentication (27%); segregation of duties (27%); two-person sign-off (27%); data loss prevention (18%); general observation of employee behavior (18%); specific assignment of IS duties (18%); strong authentication (18%); visualization tools (18%); and tamperproof audit trails and event logging (9%).

4.2.3 ‘Reduce the rewards’ category

In this category, 63% of known techniques were found to be ineffective at reducing the perceived benefits to be gained from committing maleficence. Table 2 provides a summary of the key findings in this regard. Data obfuscation and data masking were recommended by the experts, and since these are related to hiding information, they were linked to the ‘concealing targets’ subcategory. The experts appeared to consider techniques that ‘hide’ information to be effective in mitigating an insider threat, as techniques such as data obfuscation, data masking and encryption were ranked highly. Three techniques were ranked as below average at 45%, namely asset management; clear desk and clear screen controls; and security by obscurity. However, quite a number of techniques were ranked poorly: continuity management (36%); data loss prevention (36%); information classification (36%); layered access control (36%); monitoring and auditing of activities (36%); watermarking (36%); incident management (27%); radio frequency identification (18%), and open source products or freeware (9%). Most of the techniques identified as satisfactory (>= 55%) were appropriate to the insider threat problem, except for encryption and sensitive system isolation, which, as indicated in Section 2, do not effectively manage the insider threat problem.

Table 2: ‘Reduce the rewards’ rankings (high (70–100%) to moderately (55–69%) ranked techniques)

Category              Technique                      %
Concealing targets    Data obfuscation techniques*   82%
                      Data masking*                  73%
Denying benefits      Encryption                     73%
                      Automatic data destruction     64%
Disrupting markets    Code obfuscation               55%
Identifying property  Digital signatures             64%
Removing targets      Sensitive system isolation     64%

4.2.4 ‘Reduce provocations’ category

In this category, 54% of the known techniques were evaluated as being satisfactory. Table 3 provides a summary of the key findings. The experts subsequently proposed a number of techniques to be introduced so as to reduce the provocation of employees: (a) cultivating an information security culture; (b) employee recognition; (c) automation of tasks; (d) employees to sign off on information security policies; (e) segregation of duty policies and procedures; (f) crime prevention through environmental design (CPTED); (g) information security awareness; (h) interview sessions/surveys/psychometric testing; (i) penalties and (j) monitoring. The first four techniques (a–d) were linked to the subcategory ‘reducing frustration and stress’, as they are related to creating a supportive working environment. In this subcategory ‘cultivating an information security culture’ and ‘employee recognition’ were ranked the highest; it is possible that the experts assume that an environment which encourages compliance is effective in mitigating insider threats. The technique ‘segregation of duty policies and procedures’ may be linked to ‘neutralizing peer pressure’ owing to the separation of duties notion. However, CPTED (an approach aimed at deterring criminal behavior through environmental design (Jeffery, 1971)) and information security awareness are expansive strategies and could be associated with all categories. The ‘reduce provocations’ category should consist of techniques that are intended to decrease the emotional triggers that may precipitate a motivated criminal to commit an offence. However, the last three techniques (h–j) appear to be inconsistent with the principles of this category, since they are deterrents to noncompliance. The measure of building a ‘supportive working environment’ was ranked as below average at 45%. The following techniques were ranked poorly: change management (36%); continuity management (36%); information security communication (36%); hotlines (27%); identification of pain points and trigger events (27%); prompt repair (27%); security usability (27%); user participation in the information security lifecycle (27%); web application firewall and e-mail content scanning (27%); user participation in the risk analysis process (18%).

Table 3: ‘Reduce provocations’ rankings (high (70–100%) to moderately (55–69%) ranked techniques)

Category                          Technique                                                       %
Avoiding disputes                 Dispute resolution                                              64%
Neutralizing peer pressure        Disciplinary processes                                          64%
                                  Segregation of duty policies and procedures*                    64%
Reducing frustrations and stress  Cultivating an information security culture*                    82%
                                  Employee recognition*                                           82%
                                  Automation of tasks*                                            73%
                                  Support whistle-blowers                                         73%
                                  Employees to sign off on information security policies*         55%
Overarching                       Crime prevention through environmental design*                  73%
                                  Information security awareness*                                 64%
Deterrents to non-compliance      Interview sessions/surveys/psychometric testing for employees*  64%
                                  Penalties*                                                      64%
                                  Monitoring*                                                     55%

Note: No techniques identified for discouraging imitation and reducing emotional arousal.

4.2.5 ‘Remove excuses’ category

In this category, 54% of the techniques were poorly ranked. Table 4 provides a summary of the key findings in this regard. Two of the techniques, namely ‘induction processes’ to acclimatize the user to the community and ‘access and authorization review campaigns’ (recommended by the experts), were combined in the ‘assisting compliance’ subcategory. ‘Information security awareness’ was recommended in this list too; as discussed previously, this technique is overarching. An ‘employee moral programme’ was proposed by the experts; this technique was linked to the ‘alerting conscience’ subcategory, as it is related to the concept of ethics. No techniques were considered effective for the ‘posting instructions’ and ‘controlling drugs and alcohol’ subcategories. In this category the experts ranked ‘acceptable use policy’ the highest, with ‘information security policies, agreements and procedures’ and ‘information security awareness’ second highest. It is clear that the experts assume that setting rules, and awareness of such rules, are crucial to overcoming the insider threat problem.


Table 4: ‘Remove excuses’ rankings (high (70–100%) to moderately (55–69%) ranked techniques)

Category              Technique                                                  %
Alerting conscience   Code of ethics                                             64%
                      Context-aware interfaces                                   64%
                      Warning messages when logging in                           64%
                      Employee moral programme*                                  55%
Assisting compliance  Ethically sound business practices                         55%
                      Induction processes*                                       64%
                      Access and authorization review campaigns*                 55%
Setting rules         Acceptable use policy                                      82%
                      Information security policies, agreements and procedures   73%
Overarching           Information security awareness*                            73%
Note: No techniques were identified for posting instructions and controlling drugs and alcohol.


The following techniques were ranked as below average at 45%: complaint handling procedure; copyright protection; posting instructions (e.g. posting instructions on a wall), and promotion of a healthy work environment. The following techniques were ranked poorly: e-mail disclaimers (36%); employee rehabilitation programme (36%); centralized user management (27%); employee assistance programme (27%); naming and shaming of transgressors (27%); single point of reference for security (27%); adequate employee benefits (18%), and single sign-on (9%).

4.3 Round 3

As part of this round, the list of top-ranked (70–100%) and moderately ranked (55–69%) techniques was e-mailed to the experts for consensus. 73% of the experts eventually agreed that the list was satisfactory. In summary, it is clear that the ‘increase the risk’ category requires more effective techniques, while on average 67% of the information security techniques recommended for SCP are inadequate. In some subcategories, no techniques that were considered to be effective were identified. The number of techniques per category is not evenly distributed among the five categories. However, as each technique is unique and each addresses the insider threat to a varying degree, it is difficult to draw any deductions from the ratio of techniques per category. Some controls, such as CPTED and information security awareness, were found to be overarching. The most applicable techniques are summarized in Table 5.


Table 5: Applicable techniques to overcome the insider threat problem

Increase effort
  Control access to facilities: Finer-grained access control; Privileged identity management; Role-based access; Finer-grained authentication
  Controlling tools: Principle of least privilege; Periodic audits; Irrefutable audit logs
  Deflecting offenders: Segregation of duties; Background checks of employees; Human resources security
  Target hardening: Proper password policies; Sensitive system isolation; Whitelisting

Reduce provocations
  Avoiding disputes: Dispute resolution
  Neutralising peer pressure: Disciplinary processes; Segregation of duty policies and procedures
  Reducing frustrations and stress: Cultivating an information security culture; Employee recognition; Automation of tasks; Support whistle-blowers; Employees to sign off on information security policies

Remove excuses
  Alerting conscience: Code of ethics; Context-aware interfaces; Warning messages when logging in; Employee moral programme
  Assisting compliance: Ethically sound business practices; Induction processes; Access and authorization review campaigns
  Setting rules: Acceptable use policy; Information security policies, agreements and procedures

Reduce rewards
  Concealing targets: Data obfuscation; Data masking
  Denying benefits: Encryption; Automatic data destruction
  Disrupting markets: Code obfuscation
  Identifying property: Digital signatures
  Removing targets: Sensitive system isolation

Increase risk
  Strengthening formal surveillance: Dialog boxes, warning banners regarding the monitoring process

Overarching controls
  Crime prevention through environmental design; Information security awareness

5. DISCUSSION OF THE FINDINGS

In the qualitative review conducted by Beebe and Roa (2005), the number of techniques best suited to each category was tallied, whereas the current study considered the effectiveness of extant techniques per category. Their findings were not tested empirically, whereas the current study confirms their deduction that the highest number of techniques is found in the ‘increase the effort’ category. Note that the aforementioned study was based on an older version of SCP theory, which contained four categories, so a direct comparison is difficult.

Since the list encompassed suggestions from the experts as well as from the systematic review, there is interdependency between the subcategories. Techniques such as ‘sensitive system isolation’ appeared twice, once in the ‘reduce rewards’ category and once in the ‘increase the effort’ category, i.e. in two distinct categories, as recommended by Coles-Kemp and Theoharidou (2010) and Hinduja and Kooi (2013). The experts listed ‘segregation of duty policies and procedures’ in the ‘reduce provocations’ category; however, the similar technique ‘segregation of duty’ was included in the ‘increase the effort’ category. ‘Information security awareness’ was also proposed twice, once in the ‘reduce provocations’ category and once in the ‘remove excuses’ category. These intersections confirm the significance of these techniques. The experts ranked both ‘background checks on employees’ and ‘human resources security’ (from the ‘increase the effort’ category) highly; however, ‘human resources security’ encompasses ‘background checks on employees’. This finding conveys the experts’ assumed effectiveness of profiling, which is also confirmed by their moderate ranking of ‘interview sessions/surveys/psychometric testing for employees’. The experts ranked both data masking and data obfuscation from the ‘reduce the rewards’ category highly; however, these terms are interrelated. Data masking is a form of data obfuscation: the former substitutes data with special characters, while the latter is a broader concept which implies hiding data (Raghunathan, 2013). If these interdependencies are taken into account, the number of applicable techniques is reduced further. The ‘deflecting offenders’ subcategory had the most highly ranked techniques within the ‘increase the effort’ category, namely segregation of duties, background checks of employees and human resources security. The experts ranked these controls highly as all these controls are well

known from the ISO standard. The ‘concealing targets’ subcategory had the most highly ranked techniques within the ‘reduce the rewards’ category, namely data obfuscation and data masking. A possible reason for this high ranking is that data masking and data obfuscation anonymize data while keeping it operable (Rawat & Sharma, 2012), which, for this purpose, is superior to encryption. The ‘reducing frustrations and stress’ subcategory had the most top-ranked techniques within the ‘reduce provocations’ category: cultivating an information security culture; employee recognition; automation of tasks; support whistle-blowers. ‘Setting rules’ had the most top-ranked techniques within the ‘remove excuses’ category: acceptable use policy; information security policies, agreements and procedures. The experts may have ranked these techniques highly as organizational culture is a very strong determinant in motivating employees to comply, and there must be engagement and support (Sikolia & Biros, 2016) to ensure compliance.

The ‘reduce provocations’ category produced an ambiguous result. This may reflect a lack of acceptance of techniques that encourage compliance rather than deterring noncompliance, seeing that deterrent techniques such as interview sessions/surveys/psychometric testing for employees, penalties and monitoring were recommended by the experts. Wortley (1998) indicates that precipitator controls in the ‘reduce provocations’ category constitute more of a ‘soft’ approach, compared with the ‘hard’ approach in the other four categories. Highly constrictive controls can lead to stress and frustration among employees, and hence precipitate crime. Therefore it is important for organizations to balance precipitator controls with cost-benefit controls. This preference for punitive measures was also found in the ‘remove excuses’ category, where the experts showed a less favorable attitude towards affirming measures such as adequate employee benefits and an employee assistance programme. The CPTED technique was recommended by the experts for the ‘reduce provocations’ category. It is germane to this research to note that CPTED shares an element of duality with SCP. For example, consider the broader components of CPTED: territoriality (inculcating a sense of ownership); surveillance (observation); access control (reducing opportunities for crime by denying access); activity support (encouraging intended patterns of usage of public space); image management (promoting a positive image), and target hardening (increasing the level of effort required by criminals) (Cozens, Saville, & Hillier, 2005). The insider threat problem may be addressed, and organizations will benefit, by developing and implementing information security controls from a CPTED perspective. The latter is an unexplored area of research in information security.
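The distinction drawn above between data masking (substituting characters) and the broader notion of data obfuscation, and the claim that both keep data operable in a way encryption does not, is concrete enough to show in code. The following is an added example written for this page, not code from the paper or from the works it cites. The record layout, the field names, the user-facing masking rule and the pseudonymization key are assumptions made for the illustration; the sample records are constructed.

```python
"""Added example (not from the paper): data masking versus keyed data
obfuscation (pseudonymization) over constructed sample records, showing the
'still operable' property the discussion attributes to these techniques.
The record layout, field names and key are assumptions made for the
illustration; the key value is a placeholder, not a production secret."""
import hashlib
import hmac

# Constructed sample data: the same customer appears in two systems.
BILLING = [
    {"account": "4111111111111111", "name": "A. Customer", "amount": 120.50},
    {"account": "5500000000000004", "name": "B. Customer", "amount": 75.00},
]
SUPPORT_TICKETS = [
    {"account": "4111111111111111", "ticket": "T-1001"},
    {"account": "4111111111111111", "ticket": "T-1002"},
]

# Assumed pseudonymization key. In a real deployment it would come from a
# vault or HSM and never sit in source code.
PSEUDONYM_KEY = b"demo-key-not-for-production"


def mask(value: str, keep_last: int = 4, fill: str = "*") -> str:
    """Data masking: substitute characters with a fixed symbol while keeping
    length, separators and (optionally) the trailing characters, so the field
    still fits its format and can be shown to staff who only need the tail."""
    positions = [i for i, ch in enumerate(value) if ch.isalnum()]
    hidden = set(positions[:-keep_last] if keep_last else positions)
    return "".join(fill if i in hidden else ch for i, ch in enumerate(value))


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Data obfuscation by keyed hashing: the identifier is hidden, but equal
    inputs map to equal tokens, so records from different systems can still
    be joined. The key defeats dictionary attacks on low-entropy identifiers
    such as card or account numbers, which an unkeyed hash would not."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def tickets_per_account(billing: list, tickets: list) -> dict:
    """Join the two sources on the pseudonym, never on the raw identifier."""
    counts = {}
    for t in tickets:
        token = pseudonymize(t["account"])
        counts[token] = counts.get(token, 0) + 1
    return {pseudonymize(b["account"]): counts.get(pseudonymize(b["account"]), 0)
            for b in billing}


def release_for_analytics(billing: list, tickets: list) -> list:
    """Build the dataset that leaves the billing system: account numbers are
    pseudonymized (joinable, not recoverable without the key), names are
    fully masked, and the ticket count is joined in via the pseudonym."""
    counts = tickets_per_account(billing, tickets)
    released = []
    for r in billing:
        token = pseudonymize(r["account"])
        released.append({
            "account_token": token,
            "account_display": mask(r["account"]),  # e.g. ************1111
            "name": mask(r["name"], keep_last=0),
            "amount": r["amount"],
            "open_tickets": counts[token],
        })
    return released


def leaks_raw_identifier(records: list, raw_values: list) -> bool:
    """Release check: none of the raw identifiers may appear in the output."""
    blob = repr(records)
    return any(v in blob for v in raw_values)


if __name__ == "__main__":
    out = release_for_analytics(BILLING, SUPPORT_TICKETS)
    for row in out:
        print(row)
    print("raw identifiers leaked:",
          leaks_raw_identifier(out, [r["account"] for r in BILLING]))
```

The masked value is irreversible but still usable for display and for the common ‘last four digits’ verification; the keyed pseudonym is irreversible to anyone without the key yet still supports joins and counts. An encrypted field supports neither use without first decrypting it, which is the operability point the discussion makes. Note that pseudonymized data are still linkable across releases that share the key, so the key itself has to be treated as the sensitive asset.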

Some of the results of the current study are divisive in the sense that popular tools such as anti-virus, incident management and data loss prevention were ranked poorly by the experts. For instance, it was stated earlier that the tools that proved to be popular within the study context included incident management, anti-virus, data leakage prevention and log management. Even so, the ability of these techniques to overcome the insider threat problem was rated poorly. The possible reasoning could be that while these techniques are useful, they do not address the insider threat problem directly. As discussed in Section 3.4, despite the fact that anti-virus is applied within the South African context at a very high level (88%), it was ranked poorly (at 18%) as a mechanism for mitigating insider threat, perhaps because anti-virus is generally only as good as its last update. While incident management occurs at a high level (88%), it was considered to be only 27% effective by the experts in the study reported on here. Since incident management involves the recovery of systems after the incident, it probably does not play a role in detecting or preventing the insider threat. Also, it is possible that the insiders involved in the threat are part of the incident response team (Cummings, Lewellen, McIntire, Moore, & Trzeciak, 2012). Data loss prevention (DLP) was also ranked as below average, possibly because the alternative term ‘data leakage prevention’ was not used in the study, which may have misled the experts. However, data loss prevention appeared in more than one category, and since it was ranked poorly on all three occasions, that finding is conclusive. A possible reason for this discrepancy could be the applicability of the tool: the biggest challenge of DLP is protecting data that exist in unstructured forms, such as source code (Shabtai, Elovici, & Rokach, 2012). Log management is also comparable with tamperproof audit trails and event logging which, as a technique, was ranked very poorly at 9%. The experts were evidently of the view that log management as a tool is not effective against insider threats. A possible reason for this assumption could be the copious information and the volume of analysis required (Kandias, Mylonas, Virvilis, Theoharidou, & Gritzalis, 2010), both of which render the technique ineffective in practice.

According to Beebe and Roa (2005), lowering the perceived net benefit gained by cybercriminals may deter them from committing the crime. The cost-benefit type categories, such as ‘increase the effort’, ‘increase the risk’ and ‘reduce the reward’, challenge the rational insider to calculate the net value of the crime. In this study it was found that only 23% of known techniques (i.e. highly ranked) can effectively increase the cost of crime (risk + effort), while 16% of known techniques (i.e. highly ranked) are able to reduce the benefits (rewards). The ‘remove excuses’ and ‘reduce provocations’ categories, on the other hand, are indirect controls that force an insider to consider a crime opportunity from a rational perspective without being driven by provocations or justifications. In this case, only 21% of known tools (i.e. highly ranked) can minimize the provocations, while only 14% of known tools (highly ranked) can reduce the justifications for crime. It is possible that having fewer controls within a specific category may increase the vulnerability of an organization. The current set of information security techniques is clearly inadequate for dealing with insider threats, as opportunity-reducing considerations have not been taken into account during their development. Further research needs to be done, not only to develop more effective tools for each category, but also to determine the ratio of tools that is required per category to effectively minimize insider threats.

6. CONCLUSION

This paper makes two significant contributions to the understanding and mitigation of insider threat. First, the evaluation derived here may be used as a proactive mitigation strategy: it seeks to conceptualize the element of opportunity in terms of the insider threat problem. This evaluation may be used to implement information security controls that should empower information security administrators to prevent and possibly counteract insider threats. Second, several potential research areas were revealed. The gaps identified call for more in-depth studies of how the subcategories of screen exits; reducing emotional arousal; discouraging imitation; posting instructions; controlling disinhibitors such as drugs and alcohol; and, in general, the ‘increase the risk’ category could be applied in the insider threat context. The elimination of incongruous subcategories and the inclusion of domain-specific subcategories constitute an area of possible research. A key limitation resulted from the fact that a small sample size was used, as this probably reduced the generalizability of the results. As the Delphi technique was not conducted face-to-face but online, there was disinvestment; hence future research should involve a quantitative study based on a larger sample. The Delphi technique is more appropriate for exploratory research than for confirmatory research.

REFERENCES

Arbaugh, W. A., Fithen, W. L., & McHugh, J. (2000). Windows of vulnerability: A case study analysis. IEEE Computer, 33(12), 52-59.

Baracaldo, N., & Joshi, J. (2013). An adaptive risk management and access control framework to mitigate insider threats. Computers & Security, 39, 237-254.

Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. R. (2013). Don't make excuses! Discouraging neutralization to reduce IT policy violation. Computers & Security, 39(Part B), 145-159.

Beebe, N. L., & Roa, V. S. (2005, December). Using Situational Crime Prevention theory to explain the effectiveness of Information Systems Security. Paper presented at the Proceedings of the 2005 SoftWars Conference, Las Vegas, Nevada. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.509.1358&rep=rep1&type=pdf

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2009, August). Roles of information security awareness and perceived fairness in information security policy compliance. Paper presented at the 15th American Conference on Information Systems (AMCIS), San Francisco, California. Retrieved from http://aisel.aisnet.org/cgi/viewcontent.cgi?article=1409&context=amcis2009

Cappelli, M., Moore, A. P., Shimeall, T. J., & Trzeciak, R. (2006). Common Sense Guide to Prevention/Detection of Insider Threats. https://www.cylab.cmu.edu/files/pdfs/CERT/CommonSenseInsiderThreatsV2.1-1-070118-1.pdf Accessed 10.05.2014.

CISCO. (2014). Cisco Security Research in South Africa Uncovers Heightened IT Security Risks Caused By a Culture of Employee Complacency. http://www.cisco.com/web/ZA/press/2014/110414.html Accessed 29.08.2015.

Clayton, M. J. (1997). Delphi: a technique to harness expert opinion for critical decision-making tasks in education. Educational Psychology, 17(4), 373-386.

Coles-Kemp, L., & Theoharidou, M. (2010). Insider Threat and Information Security Management. In C. W. Probst, J. Hunker, D. Gollmann, & M. Bishop (Eds.), Insider Threats in Cyber Security (pp. 45-71). US: Springer.

Collberg, C., Thomborson, C., & Low, D. (1997). A taxonomy of obfuscating transformation (Technical Report 148). Department of Computer Science, University of Auckland, New Zealand. Retrieved from https://researchspace.auckland.ac.nz/bitstream/handle/2292/3491/TR148.pdf

Cornish, D. B., & Clarke, R. V. (2003). Opportunities, precipitators and criminal decisions: A reply to Wortley's critique of situational crime prevention. Crime Prevention Studies, 16, 41-96.

Cozens, P. M., Saville, G., & Hillier, D. (2005). Crime prevention through environmental design (CPTED): a review and modern bibliography. Property Management, 23(5), 328-356.

CSO Magazine, USSS, CERT, & Deloitte. (2011). 2011 Cybersecurity Watch Survey: Organizations need more skilled cyber professionals to stay secure. www.cert.org/archive/pdf/CyberSecuritySurvey2011.pdf Accessed 12.03.2013.

Cummings, A., Lewellen, T., McIntire, D., Moore, A. P., & Trzeciak, R. (2012). Insider Threat Study: Illicit Cyber Activity Involving Fraud in the US Financial Services Sector (CMU/SEI-2012-SR-004). Pittsburgh: Carnegie Mellon University, Software Engineering Institute. Retrieved from http://www.sei.cmu.edu/reports/12sr004.pdf

Dalkey, N. C.

The

Delphi

methodology.

(2004).

http://www.optimizationgroup.com/wp-

content/uploads/2013/02/Idea-Generation-Turning-Questions-Into-Answers.pdf Accessed 07.08.2015. Felson, M., & Clarke, R. V. (1998). Opportunity makes the thief: Practical theory for crime prevention. (98). London: Policing and Reducing Crime Unit, Research, Development and Statistics Directorate. Retrieved from http://www.popcenter.org/library/reading/pdfs/thief.pdf. Gough, D., Oliver, S., & Thomas, J. (2012). An introduction to systematic reviews. Croydon, London: Sage.

27

ACCEPTED MANUSCRIPT Guido, M. D., & Brooks, M. W. (2013, January). Insider Threat Program Best Practices. 46th Hawaii International Conference on System Sciences (HICSS), Wailea, HI, USA. 1831-1839. doi: http://dx.doi.org/10.1109/HICSS.2013.279

RI P

T

Hartel, P. H., Junger, M., & Wieringa, R. J. (2010). Cyber-crime Science = Crime Science + Information Security. (TR-CTIT-10-34). Enschede: Centre for Telematics and Information University

of

Twente.

http://eprints.eemcs.utwente.nl/18500/03/0_19_CCS.pdf.

Retrieved

from

SC

Technology

NU

Heilbronner, S., & Wies, R. (1997). Managing PC networks. IEEE Communications Magazine, 35(10), 112-117.

MA

Herbst, F., & Coldwell, D. (2004). Business research. Cape Town: Juta and Company Ltd. Hinduja, S., & Kooi, B. (2013). Curtailing cyber and information security vulnerabilities through

ED

situational crime prevention. Security Journal, 26(4), 383-402. Hsu, C.-C., & Sandford, B. A. (2007). The Delphi technique: making sense of consensus. Practical

PT

assessment, research & evaluation, 12(10), 1-8. Insider Threat Integrated Process Team (DoD-IPT). (2000). Insider Threat Mitigation. U.S.

AC CE

Department of Defense. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA391380. ISACA. (2012). COBIT five: for information security. USA: Information Systems Audit, & Control Association.

ISO/IEC 27002:2005. Information Technology—Security Techniques—Information Security Management Systems—Code of Practice for Information Security Management. (2005). http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297

Accessed

01.09.2014. IT Governance. Boardroom Cyber Watch 2013: Report. (2013). www.itgovernance.co.uk/what-iscybersecurity/boardroom-cyber-watch.aspx Accessed 01.09.2014. Jeffery, C. R. (1971). Crime Prevention Through Environmental Design. Beverly Hills, CA: Sage. Joch, A. Why you can't stop insider threats: You can only hope to contain them. (2011). http://fcw.com/articles/2011/02/28/feat-cybersecurity-insider-threats.aspx Accessed 01.09.2014.

28

ACCEPTED MANUSCRIPT Jones, A., & Colwill, C. (2008, December ). Dealing with the malicious insider. Paper presented at the 6th

Australian

Information

Security

Management

Conference,

Perth.

Retrieved

from

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.258.5182&rep=rep1&type=pdf

RI P

T

Kandias, M., Mylonas, A., Virvilis, N., Theoharidou, M., & Gritzalis, D. (2010). An Insider Threat Prediction Model. In S. Katsikas, J. Lopez, & M. Soriano (Eds.), Trust, Privacy and Security in Digital Business (Vol. 6264, pp. 26-37). Berlin Heidelberg: Springer.

SC

Linstone, H. A., & Turoff, M. (1975). The Delphi Method. Reading: MA: Addison-Wesley.

NU

Magklaras, G. B., & Furnell, S. M. (2005). A preliminary model of end user sophistication for insider threat prediction in IT systems. Computers & Security, 24(5), 371-380.

MA

Mansfield-Devine, S. T. (2009). The promise of whitelisting. Network Security, 7, 4-6. McKinney, S., & Reeves, D. S. (2009, April). User identification via process profiling. 5th Annual

Intelligence

Challenges

and

ED

Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Strategies,

Knoxville,

Tennessee,

USA.

51:51-51:54.

doi:

PT

http://dx.doi.org/10.1145/1558607.1558666

Mobius Consulting. Corporate Information Security in South Africa – A Market Research Study. http://www.mobiusconsulting.co.za/wp-content/uploads/2014/09/Mobius-Consulting-

AC CE

(2014).

Corporate-Information-Security-Research-2014.pdf Accessed 02.08.2015. Myers, J., Grimaila, M. R., & Mills, R. F. (2009, April). Towards insider threat detection using web server logs. Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, Oak Ridge, Tennessee, USA. 1-4. doi: http://dx.doi.org/10.1145/1558607.1558670 Padayachee, K. (2013, August). A conceptual opportunity-based framework to mitigate the insider threat.

Information

Security

for

South

Africa,

Johanesburg,

South

Africa.

1-8.

doi:

http://dx.doi.org/10.1109/ISSA.2013.6641060 Padayachee, K. (2015, August). A Framework of Opportunity-Reducing Techniques to Mitigate the Insider Threat: Towards Best Practice. Information Security for South Africa (ISSA), Johannesburg, South Africa. 1-8. doi: http://dx.doi.org/10.1109/ISSA.2015.7335064

29

ACCEPTED MANUSCRIPT Pashalidis, A., & Mitchell, C. J. (2003). A taxonomy of single sign-on systems. In R. Safavi-Naini & J. Seberry (Eds.), Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP) (Vol. 2727, pp. 249–264). Wollongong, Australia: Springer-Verlag.

RI P

T

Pfleeger, S. L., Predd, J. B., Hunker, J., & Bulford, C. (2010). Insiders behaving badly: addressing bad actors and their actions. IEEE Transactions on Information Forensics and Security, 5(1), 169179.

SC

Powell, C. (2003). The Delphi technique: myths and realities. Journal of advanced nursing, 41(4),

NU

376-382.

Raghunathan, B. (2013). The Complete Book of Data Anonymization: From Planning to

MA

Implementation. Boca Raton, Florida: CRC Press.

Rawat, S. S., & Sharma, N. (2012). A Survey of Various Techniques to Secure Cloud Storage.

Rayethon.

Best

practices

ED

International Journal of Computer Science and Network Security (IJCSNS), 12(3), 116 -121. for

mitigating

and

investigating

insider

threats.

(2009).

PT

www.raytheon.com/capabilities/rtnwcm/groups/iis/documents/content/rtn_iis_whitepaperinvestigati.pdf Accessed 01.09.2014.

01.09.2014.

AC CE

Red Earth Software. Email disclaimers. (2013). http://www.emaildisclaimers.com Accessed

Roy Sarkar, K. (2010). Assessing insider threats to information security using technical, behavioural and organisational measures. Information Security Technical Report, 15(3), 112-133. Sandhu, R., & Park, J. (2003). Usage control: A vision for next generation access control. In V. Gorodetsky, L. J. Popyack, & V. A. Skormin (Eds.), Computer Network Security (Vol. 2776, pp. 1731). Berlin/Heidelberg: Springer Schilit, B., Norman, A., & Roy, W. (1994, December). Context-aware computing applications. First Workshop on Mobile Computing Systems and Applications (WMCSA 1994), Santa Cruz, CA, USA. 1 - 7. doi: http://dx.doi.org/10.1109/WMCSA.1994.16 Schmidt, R. C., Lyytinen, K., Keil, M., & Cule, P. (2001). Identifying software project risks: An international Delphi study. Journal of Management Information Systems, 17(4), 5-36.

30

ACCEPTED MANUSCRIPT Schultz, E. E. (2002). A Framework for Understanding and Predicting Insider Attacks. Computers & Security, 21(6), 526–531. Shabtai, A., Elovici, Y., & Rokach, L. (2012). A survey of data leakage detection and prevention

RI P

T

solutions. New York: Springer Science & Business Media.

Sheppard, N. P., Reihaneh, S.-N., & Ogunbona, P. (2001, September-October). On multiple watermarking. ACM Multimedia Conference workshop on Multimedia and security: new challenges

SC

Ottawa, Ontario. 3-6. doi: http://dx.doi.org/10.1145/1232454.1232458

NU

Shropshire, J. (2009). A canonical analysis of intentional information security breaches by insiders. Information Management & Computer Security, 17(4), 296-310.

MA

Sikolia, D., & Biros, D. (2016, May). Motivating Employees to Comply with Information Security Policies. Paper presented at the Midwest United States Association for Information Systems (MWAIS) Milwaukee,

Wisconsin.

Retrieved

from

ED

Conference,

http://aisel.aisnet.org/cgi/viewcontent.cgi?article=1012&context=mwais2016

PT

Silowash, G., Cappelli, D., Moore, A., Trzeciak, R., Shimeall, T., & Flynn, L. Common sense guide to mitigating Insider threats. (2012). http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm

AC CE

Accessed 01.09.2014.

Skulmoski, G., Hartman, F., & Krahn, J. (2007). The Delphi method for graduate research. Journal of Information Technology Education: Research, 6(1), 1-21. Smith, T. R., & Scott , J. (2011). Policing and Crime prevention. In D. A. Mackey & K. Levan (Eds.), Crime prevention (1st ed., pp. 61-88). Burlington, Massachusetts: Jones & Bartlett. Stuttard, D. (2005). Security & obscurity. Network Security, 2005(7), 10-12. Theoharidou, M., Kokolakis, S., Karyda, M., & Kiountouzis, E. (2005). The insider threat to information systems and the effectiveness of ISO17799. Computers & Security, 24(6), 472-484. Walton, R. (2006). Balancing the Insider and Outsider Threat. Computer Fraud & Security, 11, 8-11. Willison, R. (2006). Understanding the perpetration of employee computer crime in the organisational context. Information and Organization, 16(4), 304–324. Willison, R., & Backhouse, J. (2006). Opportunities for computer crime: Considering system risk from a criminological perspective. European Journal of Information Systems, 15(4), 403-414. 31

ACCEPTED MANUSCRIPT Willison, R., & Siponen, M. (2009). Overcoming the insider: Reducing employee computer crime through situational crime prevention. Communications of the ACM, 52(9), 133-137. Wolfpack.

2012/3

The

South

African

Cyber

Threat

Barometer.

(2012).

RI P

T

https://www.wolfpackrisk.com/SA%202012%20Cyber%20Threat%20Barometer_Medium_res.pdf Accessed 02.08.2015.

Wortley, R. (1998). A two-stage model of situational crime prevention. Studies on Crime and Crime

SC

Prevention, 7, 173-188.

NU

Zhou, J., & Deng, R. (2000). On the validity of digital signatures. ACM SIGCOMM Computer

AC CE

PT

ED

MA

Communication Review, 30(2), 29-34.

32

APPENDIX A: QUESTIONNAIRE

Question 1: The ‘increase the effort’ category is accomplished by increasing the perceived difficulty associated with committing a specific crime. Examples of preventive efforts in the physical landscape include the following: (a) Target hardening, such as immobilizers in cars; (b) Control of access to facilities; (c) Screen exits, such as electronic tags for floor stock; (d) Deflecting offenders; (e) Controlling tools/weapons. List at least ONE information security technique that would increase the effort of an insider threat in a cybercrime scenario. If there is no existing technique, then describe possible tool(s) that may need to be developed to fulfil this need.

Question 2: The ‘increase the risks’ category involves increasing the perceived negative consequences associated with committing crime. Examples of preventive efforts in the physical landscape include the following: (a) Extending guardianship, such as by neighborhood watch; (b) Assisting natural surveillance, such as by improved street lighting; (c) Reducing anonymity, such as by introducing taxi driver IDs; (d) Utilizing place managers, such as whistle blowers; (e) Strengthening formal surveillance, such as by using speed cameras. List at least ONE information security technique that would strengthen the perception of increased risk and thus reduce insider threat in a cybercrime scenario. If there is no existing technique, then describe possible tool(s) that may need to be developed to fulfil this need.

Question 3: The ‘reduce the rewards’ category is accomplished by decreasing the perceived benefits associated with committing a particular crime. Examples of preventive efforts in the physical landscape include the following: (a) Concealing: do not keep valuables in plain sight; (b) Removing targets: install removable car radios; (c) Identifying property: mark property; (d) Disrupting markets: conduct checks on pawn brokers; (e) Denying benefits: attach ink merchandise tags. List at least ONE information security technique that would strengthen the perception of reduced rewards of an insider threat in a cybercrime scenario. If there is no existing technique, then describe possible tool(s) that may need to be developed to fulfil this need.

Question 4: The ‘reduce provocations’ category is accomplished by decreasing the emotional triggers that may precipitate a motivated criminal to offend. Examples in the physical landscape include the following techniques: (a) Reducing frustrations and stress caused, for example, by failures of equipment; (b) Avoiding disputes, for example by reducing overcrowding; (c) Reducing emotional arousal by restricting the content of offensive material; (d) Neutralizing peer pressure, for example by conducting campaigns depicting what friends think of risk-taking behavior; (e) Discouraging imitation, for example by the rapid repair of damage. List at least ONE information security technique that would reduce the provocations that may trigger an insider in a cybercrime scenario to commit maleficence. If there is no existing technique, then describe possible tool(s) that may need to be developed to fulfil this need.

Question 5: The ‘remove excuses’ category is accomplished by decreasing the rationalizations that criminals use to justify their behavior. Examples of actions that neutralize excuses are the following: (a) Setting rules, such as agreements; (b) Posting instructions, such as ‘NO PARKING’ signs; (c) Alerting the conscience, such as by displaying roadside speed signs; (d) Assisting compliance; (e) Controlling drugs and alcohol, such as by organizing alcohol-free events. List at least ONE information security technique that would remove the excuses used by insiders prior to committing maleficence. If there is no existing technique, then describe possible tool(s) that may need to be developed to fulfil this need.

BIO

Keshnee Padayachee obtained a BSc degree from the University of Durban-Westville (now known as the University of KwaZulu-Natal) in 1995 and a BSc (Hons) in Computer Science in 1996. This was followed in 2002 by an MSc in Computer Science from the same institution. She was employed by the ML Sultan Technikon in 1997, where she lectured in the Department of Computer Studies for 3 years. In the period 2000-2014, she was employed by the University of South Africa as an academic in the School of Computing. During this time she presented numerous conference papers covering aspect-oriented programming and its relation to information security. She obtained her PhD (Computer Science) from the University of Pretoria in South Africa in 2010. As of 2014, she has been employed by the Institute for Science and Technology Education (University of South Africa). e-mail: [email protected] or [email protected]

Highlights

Evaluation of opportunity-reducing measures in information security
Suggests that extant techniques are insufficient
Evaluation derived may be used as a proactive mitigation strategy
