The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.06 - November/December (2009 vol.7)
pp: 30-38
Felicia Duran , SANDIA NATIONAL LABORATORIES, ALBUQUERQUE
Stephen H. Conrad , SANDIA NATIONAL LABORATORIES, ALBUQUERQUE
Gregory N. Conrad , SANDIA NATIONAL LABORATORIES, ALBUQUERQUE
David P. Duggan , SANDIA NATIONAL LABORATORIES, ALBUQUERQUE
Edward Bruce Held , SANDIA NATIONAL LABORATORIES, ALBUQUERQUE
ABSTRACT
Current protection strategies against insider adversaries are expensive, intrusive, not systematically implemented, and operate independently; too often, these strategies are defeated. The authors discuss the development of methods for a systems-based approach to insider security. To investigate insider evolution within an organization, they use system dynamics to develop a preliminary model of the employee life cycle that defines and analyzes the employee population's interactions with insider security protection strategies. The authors exercised the model for an example scenario that focused on human resources and personnel security activities—specifically, prehiring screening and security clearance processes. The model provides a framework for understanding important interactions, interdependencies, and gaps in insider protection strategies. This work provides the basis for developing an integrated systems-based process for building—that is, designing, evaluating, and operating—a system for effective insider security.
INDEX TERMS
insider threat; insider security; insider security systems; system dynamics modeling; modeling methodologies; model development; simulation, modeling, and visualization, applications; computing methodologies.
CITATION
Felicia Duran, Stephen H. Conrad, Gregory N. Conrad, David P. Duggan, Edward Bruce Held, "Building A System For Insider Security", IEEE Security & Privacy, vol.7, no. 6, pp. 30-38, November/December 2009, doi:10.1109/MSP.2009.111
REFERENCES
1. B. Hoffman et al., Insider Crime: The Threat to Nuclear Facilities and Programs, tech. report R-3782-DOE, RAND Corp., Feb. 1990.
2. R.H. Anderson et al., Conf. Proc.—Research on Mitigating the Insider Threat to Information Systems #2, CF-163-DARPA, RAND Nat'l Defense Research Inst., RAND Corp., Aug. 2000.
3. M. Keeney et al., Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, US Secret Service and CERT Coordination Center, Software Eng. Inst., Carnegie Mellon Univ., May 2005; www.secretservice.gov/ntacits_report_050516.pdf .
4. S.R. Band et al., Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis, tech. report CMU/SEI-2006-TR-026, ESC-TR-2006-091, Software Eng. Inst., Carnegie Mellon Univ., Dec. 2006.
5. D. Andersen et al., "Preliminary System Dynamics Maps of the Insider Cyber-Threat Problem, Proc. 22nd Int'l Conf. System Dynamics Soc., the System Dynamics Soc., 2004; www.systemdynamics.org/conferences/2004/ SDS_2004/PAPERS186GONZA.pdf.
6. S. Hodel, Black Dahlia Avenger: A Genius for Murder, HarperCollins, 2004, p. 36.
7. C. Crayton, Security+ Exam Guide, Charles River Media, 2003.
8. M. Gregg, "Network Security Threats and Answers, By Industry," Search Networking, 15 Jan. 2007; http://searchnetworking.techtarget.com/generic 0,295582,sid7_gci1238902,00.html.
9. K.L. Herbig and M.F. Wiskoff, Espionage Against the United States by American Citizens 1947-2001, PERSEREC tech. report 02–5, Defense Personnel Security Research Center, July 2002.
10. E. Rich et al., "Simulating Insider Cyber-Threat Risks: A Model-Based Case and a Case-Based Model," Proc. 23th Int'l Conf. System Dynamics Soc., the System Dynamics Soc., 2005; www.systemdynamics.org/conferences/2005/ proceed/papersRICH343.pdf.
11. I.J. Martinez-Moyano et al., "A Behavioral Theory of Insider-Threat Risks: A System Dynamics Approach," ACM Trans. Modeling and Computer Simulation, vol. 18, Apr. 2008, pp. 1–36.
12. J.T. Turner and M.G. Gelles, Threat Assessment: A Risk Management Approach, Haworth Press, 2003.
13. "Insider Analysis," The 19th Int'l Training Course, SAND2006-1987C, Sandia Nat'l Laboratories, 2006, module 23, pp. 214–287.
14. B. Schneier, Secrets &Lies: Digital Security in a Networked World, John Wiley &Sons, 2000.
25 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool