
Human behaviour and insider threat: Part Two

Oilfield Technology,

A more effective approach for the prevention of insider threat scenarios can be developed with a focus on suspicious behaviour, according to Alton Corporation.

Detecting suspicious behaviour

President and CEO Michael Berk explained in a recent report that, to develop such a program, an initial threat and risk assessment must first be conducted. Following this, a matrix of indicators, prioritized and scaled by risk tolerance for analysis purposes, coupled with a centralized database that receives technology- or human-generated alerts, would allow dedicated corporate security personnel to focus on suspicious behaviours in real time.

Additionally, an early detection capability would be greatly enhanced by deploying video analytic tools that focus on identifying, in real time and especially in high security areas, psychophysiological states of employees that differ from the normal behavioural/emotional pattern for that location.

Berk explains that almost all insiders involved in acts of sabotage display behavioural indicators prior to committing their crimes. Examples of such behavioural indicators include, but are not limited to:

  • Conflicts with co-workers and supervisors.
  • Improper use of organisation information assets.
  • Rule violations and/or security violations.
  • Observable signs of stress or changes in typical patterns of behaviour.

Once an indicator has been detected in real time, a company’s HR, legal and/or security departments would analyse the information in context and have a number of follow-up options, depending on the existing standard operating procedures (SOP):

  • A security officer could be dispatched to observe and/or interview a potential suspect (depending on the level of indicator severity).
  • The potential suspect’s performance could continue to be monitored online through their personal signature and/or in real time through CCTV cameras for additional indicators or until an established risk threshold is surpassed.
  • Relevant departments could be informed about the identified indicators for additional investigation or follow-up (e.g. a targeted urine test, polygraph examination, personal interview or another assessment).

Such an approach will also require the introduction of policies and procedures aimed at enhancing deterrence capabilities. Elements of positive social engineering (e.g. alerting people when they are about to access sensitive information or commit a transgression, which would give them a chance to make the right choice) and user training campaigns informing staff of existing detection capabilities might discourage employees from committing insider threat related crimes.

Adapted from a report by Emma McAleavey.
