Angad Pal Singh,Ankit Sharma

DOI: https://doi.org/10.48550/arXiv.2212.05347

2022-12-11

Abstract:Insider threats is the most concerned cybersecurity problem which is poorly addressed by widely used security solutions. Despite the fact that there have been several scientific publications in this area, but from our innovative study classification and structural taxonomy proposals, we argue to provide the more information about insider threats and defense measures used to counter them. While adopting the current grounded theory method for a thorough literature evaluation, our categorization's goal is to organize knowledge in insider threat research. Along with an analysis of major recent studies on detecting insider threats, the major goal of the study is to develop a classification of current types of insiders, levels of access, motivations behind it, insider profiling, security properties, and methods they use to attack. This includes use of machine learning algorithm, behavior analysis, methods of detection and evaluation. Moreover, actual incidents related to insider attacks have also been analyzed.

Cryptography and Security

Rakan A Alsowail,Taher Al-Shehari

DOI: https://doi.org/10.7717/peerj-cs.938

2022-04-01

Abstract:With the wide use of technologies nowadays, various security issues have emerged. Public and private sectors are both spending a large portion of their budget to protect the confidentiality, integrity, and availability of their data from possible attacks. Among these attacks are insider attacks which are more serious than external attacks, as insiders are authorized users who have legitimate access to sensitive assets of an organization. As a result, several studies exist in the literature aimed to develop techniques and tools to detect and prevent various types of insider threats. This article reviews different techniques and countermeasures that are proposed to prevent insider attacks. A unified classification model is proposed to classify the insider threat prevention approaches into two categories (biometric-based and asset-based metric). The biometric-based category is also classified into (physiological, behavioral and physical), while the asset metric-based category is also classified into (host, network and combined). This classification systematizes the reviewed approaches that are validated with empirical results utilizing the grounded theory method for rigorous literature review. Additionally, the article compares and discusses significant theoretical and empirical factors that play a key role in the effectiveness of insider threat prevention approaches (e.g., datasets, feature domains, classification algorithms, evaluation metrics, real-world simulation, stability and scalability, etc.). Major challenges are also highlighted which need to be considered when deploying real-world insider threat prevention systems. Some research gaps and recommendations are also presented for future research directions.

Ismaila Idris,Adeleke Nafisa Damilola

DOI: https://doi.org/10.47760/ijcsmc.2023.v12i04.007

2023-04-30

International Journal of Computer Science and Mobile Computing

Abstract:Insider threat refers to the risk caused to an organization's security, assets, or data by individuals who have authorized access to these resources, such as employees, contractors, or partners. The aim of an insider threat is usually to exploit their access to sensitive information or systems to carry out malicious activities, such as stealing intellectual property, financial data, or sensitive information, sabotaging systems, or processes, or committing fraud. This systematic literature analysed the anatomy of insider threat, including its trends and mode of attacks to find the possible solutions by querying various academic literature. Sources of insider threat dataset are revealed in this review paper to ease the challenges of researchers in getting access to insider datasets. In addition, a taxonomy of insider threat current trends is presented in the paper. This review can serve as a benchmark for researchers in proposing a novel insider threat detection methodology and starting point for novice researchers.

Krutarth Chauhan

2024-07-24

Abstract:Conventional security solutions are insufficient to address the urgent cybersecurity challenge posed by insider attacks. While a great deal of research has been done in this area, our systematic literature analysis attempts to give readers a thorough grasp of penetration testing's role in reducing insider risks. We aim to arrange and integrate the body of knowledge on insider threat prevention by using a grounded theory approach for a thorough literature review. This analysis classifies and evaluates the approaches used in penetration testing today, including how well they uncover and mitigate insider threats and how well they work in tandem with other security procedures. Additionally, we look at how penetration testing is used in different industries, present case studies with real-world implementations, and discuss the obstacles and constraints that businesses must overcome. This study aims to improve the knowledge of penetration testing as a critical part of insider threat defense, helping to create more comprehensive and successful security policies.

Cryptography and Security

Ivan Homoliak,Flavio Toffalini,Juan Guarnizo,Yuval Elovici,Martín Ochoa

DOI: https://doi.org/10.48550/arXiv.1805.01612

2018-05-04

Cryptography and Security

Abstract:Insider threats are one of today's most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. Despite several scientific works published in this domain, we argue that the field can benefit from the proposed structural taxonomy and novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research, while leveraging existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories that include: 1) Incidents and datasets, 2) Analysis of attackers, 3) Simulations, and 4) Defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents, which is based on existing taxonomies and the 5W1H questions of the information gathering problem. Our survey will enhance researchers' efforts in the domain of insider threat, because it provides: a) a novel structural taxonomy that contributes to orthogonal classification of incidents and defining the scope of defense solutions employed against them, b) an updated overview on publicly available datasets that can be used to test new detection solutions against other works, c) references of existing case studies and frameworks modeling insiders' behaviors for the purpose of reviewing defense solutions or extending their coverage, and d) a discussion of existing trends and further research directions that can be used for reasoning in the insider threat domain.

Findlay Whitelaw,Jackie Riley,Nebrase Elmrabit

DOI: https://doi.org/10.1109/access.2024.3373265

IF: 3.9

2024-03-12

IEEE Access

Abstract:The insider threat within organisational cybersecurity continues to be of great concern globally. The current insider threat detection strategies are acknowledged as ineffective, evidenced by the increased reported events in high-profile insider threats and cyber data loss cases borne from insider and privilege misuse. The impact of insider incidents on Financial Service (FS) organisations is vast, operationally disruptive, and costly from a regulatory, financial, and reputational perspective. Many United Kingdom (UK) FS organisations have invested in insider risk programmes, but there is no sign of the insider threat diminishing. This paper will address the following research questions: 1) What factors influence employees to become malicious insider threats and apply this to employees working within the UK? 2) What preventative measures could be effectively operationalised within UK FS organisations to prevent malicious insider attacks? A literature review was conducted, reviewing 54 articles in peer-reviewed journals. Additional and relevant articles were incorporated to enrich the review, further substantiating the academic currency and context of the study. The review reveals five primary emerging insider threat themes, subsequently discussed and including behavioural indicators, information security behaviours, technical controls, insider threat strategies, and regulation. Throughout the literature review, one primary challenge highlighted the lack of articles published concerning the FS industry; however, the studies reviewed were relevant, appropriate, and applied across this review. Furthermore, the review also considers outcomes from a practitioner's perspective, offering insights into the limitations of insider threat approaches and strategies and offering potential recommendations.

computer science, information systems,telecommunications,engineering, electrical & electronic

I. Homoliak,J. Guarnizo,Martín Ochoa,Flavio Toffalini,Y. Elovici

Abstract:Insider threats are one of today’s most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. Despite several scientific works published in this domain, we argue that the field can benefit from the proposed structural taxonomy and novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research, while leveraging existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories that include: 1) Incidents and datasets, 2) Analysis of attackers, 3) Simulations, and 4) Defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents, which is based on existing taxonomies and the 5W1H questions of the information gathering problem. Our survey will enhance researchers’ efforts in the domain of insider threat, because it provides: a) a novel structural taxonomy that contributes to orthogonal classification of incidents and defining the scope of defense solutions employed against them, b) an updated overview on publicly available datasets that can be used to test new detection solutions against other works, c) references of existing case studies and frameworks modeling insiders’ behaviors for the purpose of reviewing defense solutions or extending their coverage, and d) a discussion of existing trends and further research directions that can be used for reasoning in the insider threat domain.

Computer Science,Law

nitin v kanaskar,jiang bian,remzi seker,mais nijim,nuri yilmazer

DOI: https://doi.org/10.1109/SYSCON.2011.5929116

2011-01-01

Abstract:Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.

Fatima Rashed Alzaabi,Abid Mehmood

DOI: https://doi.org/10.1109/access.2024.3369906

IF: 3.9

2024-03-06

IEEE Access

Abstract:Insider threat detection has become a paramount concern in modern times where organizations strive to safeguard their sensitive information and critical assets from malicious actions by individuals with privileged access. This survey paper provides a comprehensive overview of insider threat detection, highlighting its significance in the current landscape of cybersecurity. The review encompasses a broad spectrum of methodologies and techniques, with a particular focus on classical machine-learning approaches and their limitations in effectively addressing the intricacies of insider threats. Furthermore, the survey explores the utilization of modern deep learning and natural language processing (NLP) based methods as promising alternatives, shedding light on their advantages over traditional methods. The comprehensive analysis of results from experiments utilizing NLP and large language models to detect malicious insider threats on the CMU CERT dataset reveals promising insights. Studies surveyed in this paper indicate that these advanced techniques demonstrate notable efficacy in identifying suspicious activities and anomalous behaviors associated with insider threats within organizational systems. Additionally, the survey underscores the potential of NLP and large language model-based approaches, which can enhance threat detection by deciphering textual and contextual information. In the conclusion section, the paper offers valuable insights into the future directions of insider threat detection. It advocates for the integration of more sophisticated time-series-based techniques, recognizing the importance of temporal patterns in insider threat behaviors. These recommendations reflect the evolving nature of insider threats and emphasize the need for proactive, data-driven strategies to safeguard organizations against internal security breaches. In conclusion, this survey not only underscores the urgency of addressing insider threats but also provides a roadmap for the adoption of advanced methodologies to enhance detection and mitigation capabilities in contemporary cybersecurity paradigms.

computer science, information systems,telecommunications,engineering, electrical & electronic

Anton Zaytsev,Anatoly Malyuk,Natalia Miloslavskaya

DOI: https://doi.org/10.1007/978-3-319-56538-5_73

2017-01-01

Abstract:The survey of related works on insider information security (IS) threats is presented. Special attention is paid to works that consider the insiders’ behavioral models as it is very up-to-date for behavioral intrusion detection. Three key research directions are defined: (1) the problem analysis in general, including the development of taxonomy for insiders, attacks and countermeasures; (2) study of a specific IS threat with forecasting model development; (3) early detection of a potential insider. Among the second group the works on two IS threats are examined, namely intellectual property’s theft and insider cyber fraud. A few directions of future research are defined in conclusion.

Azzah A. AlGhamdi,Mahmood Niazi,Mohammad Alshayeb,Sajjad Mahmood

DOI: https://doi.org/10.1002/spe.3327

2024-03-15

Software Practice and Experience

Abstract:Context Organizations constantly strive to protect their assets from outsider attacks by implementing various security controls, such as data encryption algorithms, intrusion detection software, firewalls, and antivirus programs. Unfortunately, attackers strike not only from outside the organization but also from within. Such internal attacks are called insider attacks or threats, and the people responsible for them are insider attackers or insider threat agents. Insider attacks pose more significant risks and can result in greater organizational losses than outsider attacks. Thus, every organization should be vigilant regarding such attackers to protect its valuable resources from harm. Finding solutions to protect organizations from such attacks is critical. Despite the importance of this topic, little research has been conducted on providing solutions to mitigate insider attacks. Objective This study aims to develop an organizational readiness model to assess an organization's readiness for insider attacks. Method We conducted a multivocal literature review to identify practices that can be used to assess organizations' readiness against insider attacks. These practices were grouped into different knowledge areas of insider attacks for organizations. The insider attack readiness model was developed using identified best practices and knowledge areas: compliance, top management, human resources, and technical. Results This model was evaluated at two levels—academic and real‐world environments. The evaluation results show that the proposed model can identify organizations' readiness against insider attacks. Conclusion The proposed model can guide organizations through a secure environment against insider attacks.

computer science, software engineering

Nur Ilzam Che Mat,Norziana Jamil,Yunus Yusoff,Laiha Mat Kiah,Nur Ilzam Che Mat,Miss Laiha Mat Kiah

DOI: https://doi.org/10.1093/cybsec/tyad023

2024-01-01

Journal of Cyber Security

Abstract:Abstract Advanced persistent threats (APTs) pose significant security-related challenges to organizations owing to their sophisticated and persistent nature, and are inimical to the confidentiality, integrity, and availability of organizational information and services. This study systematically reviews the literature on methods of detecting APTs by comprehensively surveying research in the area, identifying gaps in the relevant studies, and proposing directions for future work. The authors provide a detailed analysis of current methods of APT detection that are based on multi-stage attack-related behaviors. We adhered to the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines and conducted an extensive search of a variety of databases. A total of 45 studies, encompassing sources from both academia and the industry, were considered in the final analysis. The findings reveal that APTs have the capability to laterally propagate and achieve their objectives by identifying and exploiting existing systemic vulnerabilities. By identifying shortcomings in prevalent methods of APT detection, we propose integrating the multi-stage attack-related behaviors of APTs with the assessment of the presence of vulnerabilities in the network and their susceptibility to being exploited in order to improve the accuracy of their identification. Such an improved approach uses vulnerability scores and probability metrics to determine the probable sequence of targeted nodes, and visualizes the path of APT attacks. This technique of advanced detection enables the early identification of the most likely targets, which, in turn, allows for the implementation of proactive measures to prevent the network from being further compromised. The research here contributes to the literature by highlighting the importance of integrating multi-stage attack-related behaviors, vulnerability assessment, and techniques of visualization for APT detection to enhance the overall security of organizations.

Everleen Nekesa Wanyonyi,Silvance Abeka,Newton Masinde

DOI: https://doi.org/10.5121/ijnsa.2023.15603

2023-11-29

International Journal of Network Security & Its Applications

Abstract:Computers are crucial instruments providing a competitive edge to organizations that have adopted them. Their pervasive presence has presented a novel challenge to information security, specifically threats emanating from privileged employees. Various solutions have been tried to address the vice, but no exhaustive solution has been found. Due to their elusive nature, proactive strategies have been proposed of which detection using Machine Learning models has been favoured. The choice of algorithm, datasets and metrics are cornerstones of model performance and hence, need to be addressed. Although multiple studies on ML for insider threat detection have been done, none has provided a comprehensive analysis of algorithms, datasets and metrics for development of Insider Threat Detection models. This study conducts a comprehensive systematic literature review using reputable databases to answer the research questions posed. Search strings, inclusion and exclusion criteria were set for eligibility of articles published in the last decade.

Jukka Ruohonen,Mubashrah Saddiqa

2024-07-08

Abstract:Insider threats refer to threats originating from people inside organizations. Although such threats are a classical research topic, the systematization of existing knowledge is still limited particularly with respect to non-technical research approaches. To this end, this paper presents a systematic literature review on the psychology of insider threats. According to the review results, the literature has operated with multiple distinct theories but there is still a lack of robust theorization with respect to psychology. The literature has also considered characteristics of a person, his or her personal situation, and other more or less objective facts about the person. These are seen to correlate with psychological concepts such as personality traits and psychological states of a person. In addition, the review discusses gaps and limitations in the existing research, thus opening the door for further psychology research.

Cryptography and Security,Computers and Society

Guerrino Mazzarolo,Anca Delia Jurcut

DOI: https://doi.org/10.48550/arXiv.1911.09575

2019-11-22

Abstract:Insider threats have become reality for civilian firms such as Tesla, which experienced sabotage and intellectual property theft, and Capital One, which suffered from fraud. Even greater social impact was caused by the data breach at the US Department of Defense, perpetrated by well-known attackers Chelsea Manning and Edward Snowden, whose espionage and hacktivist activities are widely known. The dramatic increase of such incidents in recent years and the incalculable damage committed by insiders must serve as a warning for all members of the cyber security community. It is no longer acceptable to continue to underestimate the problem of insider threats. Firms, organizations, institutions and governments need to lead and embrace a cultural change in their security posture. Through the adoption of an Insider Threat Program that engages all the strategic branches (including HR, Legal, Information Assurance, Cyber Security and Intelligence), coordinated by the chief information security officer and supported by c-level executive, it is possible to implement a framework that can prevent, detect, and respond to disloyal and/or unintentional insider threats. Hence, defending your enterprise from insider threats is a vital part of information security best practices. It is essential that your company highly valuable classified data and assets are protected from its greatest threat: the enemy within the gates.

Cryptography and Security,Computers and Society

Ayshwarya Jaiswal,Pragya Dwivedi,Rupesh Kumar Dewang

DOI: https://doi.org/10.1007/s11042-024-20273-0

IF: 2.577

2024-10-05

Multimedia Tools and Applications

Abstract:Insider threats are profoundly damaging and pose serious security challenges. These threats, perpetrated by insiders, may arise from delinquency, retaliation, or motives such as ambition for success, recognition, financial gain, or knowledge acquisition. They manifest in various forms; for example, an insider might disrupt systems by inserting a malicious script or engage in intellectual property theft. Due to their diverse nature, detection is highly complex and challenging, as standard security devices such as intrusion detection systems, firewalls, or antivirus software cannot detect it; hence, it entails careful and diligent work. This survey reviews existing research between 2010 and 2024 on detecting insider threats. It not only expounds on the novel taxonomy based on previous works and diverse motivations for insider threats but also identifies challenges and gaps in detecting malicious insiders. It highlights the state-of-the-art tools, techniques, and methodologies and also discusses the limitations of the same. Finally, the paper provides an overview of identifying optimal solutions and discusses future research directions that could lead to new methods for detecting insider threats.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Kashif Ishaq,Sidra Fareed

2023-08-26

Abstract:In the wake of the arrival of digital media, the Internet, the web, and online social media, a flood of new cyber security research questions have emerged. There is a lot of money being lost around the world because of cyber-attacks. As a result, cyber security has emerged as one of the world's most complex and pressing issues. Cyber security experts from both industry and academia institutions are now analyzing current cyber-attacks occurring around the world and developing various strategies to defend systems from possible cyber-threats and attacks. This paper examines recent cyber security attacks as well as the financial losses incurred as a result of the growing number of cyber-attacks. Our findings indicate that the majority of the research chosen for this study focused solely on a small number of widespread security flaws, such as malware, phishing, and denial-of-service attacks. A total of over 50 major studies that have been published in reputable academic journals and conferences have been chosen for additional examination. A taxonomy of cyber-attacks elements that is based on the context of use in various environments has also been suggested, in addition to a review of the most recent studies on countermeasures for cyber-attacks being the state of the art. Lastly, the research gaps in terms of open issues have been described in order to offer potential future directions for the researchers working in the field of cyber security.

Cryptography and Security

Ruba Ruba,,,Hanan AlShaher

DOI: https://doi.org/10.54216/jcim.130213

2024-01-01

Journal of Cybersecurity and Information Management

Abstract:With the exponential increase in technology use, insider threats are also growing in scale and importance, becoming one of the biggest challenges for government and corporate information security. Recent research shows that insider threats are more costly than external threats, making it critical for organizations to protect their information security. Effective insider threat detection requires the use of the latest models and technologies. Although a large number of insider threats have been discovered, the field is still limited by many issues, such as data imbalance, false positives, and a lack of accurate data, which require further research. This survey investigates the existing approaches and technologies for insider threat detection. It finds and summarizes relevant studies from different databases, followed by a detailed comparison. It also examines the types of data used and the machine learning models employed to detect these threats. It discusses the challenges researchers face in detecting insider threats and future trends in the field.

Abdulganiyu, Oluwadamilare Harazeem

DOI: https://doi.org/10.1007/s10207-023-00682-2

2023-03-28

International Journal of Information Security

Abstract:With the recent increase in internet usage, the number of important, sensitive, confidential individual and corporate data passing through internet has increasingly grown. With gaps in the security systems, attackers have attempted to intrude the network, thereby gaining access to essential and confidential information, which may cause harm to the operation of the systems, and also affect the confidentiality of the data. To counter these possible attacks, intrusion detection systems (IDSs), which is an essential branch of cybersecurity, were employed to monitor and analyze network traffic thereby detects and reports malicious activities. A large number of review papers have covered different approaches for intrusion detection in networks, most of which follow a non-systematic approach, merely made a comparison of the existing techniques without reflecting an in-depth analytical synthesis of the methodologies and performances of the approaches to give a complete understanding of the state of IDS. Nonetheless, many of these reviews investigated more about the anomaly-based IDS with more emphasis on deep-learning models, while signature, hybrid-based (signature + anomaly-based) have received minimal focus. Hence, by adhering to the principles of Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA), this work reviewed existing contributions on anomaly-, signature-, and hybrid-based approaches to provide a comprehensive overview of network IDS's state of the art. The articles were retrieved from seven databases (ScienceDirect, SpringerNature, IEEE, MDPI, Hindawi, PeerJ, and Taylor & Francis) which cut across various reputable journals and conference Proceedings. Among the 776 pieces of the literature identified, 71 were selected for analysis and synthesis to answer the research questions. Based on the research findings, we identified unexplored study areas and unresolved research challenges. In order to create a better IDS model, we conclude by presenting promising, high-impact future research areas.

computer science, information systems, theory & methods, software engineering

Sugata Sanyal,Ajit Shelat,Amit Gupta

DOI: https://doi.org/10.48550/arXiv.1010.1938

2010-10-13

Abstract:Nearly 70% of information security threats originate from inside an organization. Opportunities for insider threats have been increasing at an alarming rate with the latest trends of mobility (portable devices like Laptop, smart phones etc.), ubiquitous connectivity (wireless or through 3G connectivity) and this trend increases as more and more web-based applications are made available over the Internet. Insider threats are generally caused by current or ex-employees, contractors or partners, who have authorized access to the organization's network and servers. Theft of confidential information is often for either material gain or for willful damage. Easy availability of hacking tools on the Internet, USB devices and wireless connectivity provide for easy break-ins. The net result is losses worth millions of dollars in terms of IP theft, leakage of customer / individual information, etc. This paper presents an understanding of Insider threats, attackers and their motives and suggests mitigation techniques at the organization level

Cryptography and Security