
A Risk-based Layered Defence for Managing the Trusted Insider Threat




Journal of Information System Security
Volume 13, Number 3 (2017)
Pages 151–173
ISSN 1551-0123
Leung Chim — Defence Science and Technology Group, Edinburgh, Australia
Daniel Bilusich — Defence Science and Technology Group, Edinburgh, Australia
Steven Lord — Defence Science and Technology Group, Edinburgh, Australia
Rick Nunes-Vaz — Defence Science and Technology Group, Edinburgh, Australia
Information Institute Publishing, Washington DC, USA




While it is known that the management of insider threats to information security requires the use of multiple layers of countermeasures, a holistic framework for designing and integrating the layers is missing. As a result it is often difficult to evaluate the overall effectiveness of a layered defence. In this paper we adapt a successful framework from physical security to support the design of insider threat security layers in a way that supports the evaluation of residual risks: a natural metric for gauging the overall effectiveness of a security program. When the insider threat is represented as a sequential pathway of insider activities and their consequences, security layers may be introduced to stop the attack or to nullify its impact in multiple ways. We find that the seven layer types from physical security all have analogous counterparts in insider security, and we provide examples using known countermeasures. The calculation of residual risk can then be performed using expert elicitation and stochastic mapping. We illustrate the method using a subset of the insider threat spectrum and assess the effectiveness of alternative (artificial) treatment packages. Note that the illustrative analysis is not intended to imply recommendations for particular solutions or approaches to the insider threat.
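As an added illustration of the residual-risk idea in the abstract (this is not the paper's own method or code; the seven layer types, the elicitation procedure and the stochastic mapping are not described on this page), the following Python script models an insider attack as a sequential pathway, gives each security layer an uncertain, expert-elicited effectiveness, and estimates the residual risk of two constructed treatment packages by Monte Carlo sampling. The layer names, the (low, mode, high) effectiveness ranges, the consequence value and the split into "stop" and "nullify" layers are all assumptions made for the example.

```python
"""Residual risk of a layered insider-threat defence (added example).

Assumed model, not the paper's: an insider attack is a sequence of
stages. A "stop" layer halts the pathway with probability e; a
"nullify" layer removes a fraction e of the consequence if the attack
completes. Each e is an uncertain expert estimate, expressed as a
(low, mode, high) triangular distribution, and residual risk is
estimated by sampling, a simple stand-in for stochastic mapping.
"""
import random
from dataclasses import dataclass
from math import prod
from statistics import mean, quantiles


@dataclass(frozen=True)
class Layer:
    name: str
    kind: str    # "stop": blocks the pathway; "nullify": reduces the impact
    low: float   # elicited lower bound on effectiveness, 0..1
    mode: float  # elicited most likely effectiveness
    high: float  # elicited upper bound on effectiveness

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


def residual_risk(layers, consequence, effectiveness):
    """Point estimate for one set of effectiveness values.

    residual = consequence x P(no stop layer halts the attack)
                           x fraction of impact no nullify layer removes
    """
    p_not_stopped = prod(1.0 - effectiveness[l.name] for l in layers if l.kind == "stop")
    impact_left = prod(1.0 - effectiveness[l.name] for l in layers if l.kind == "nullify")
    return consequence * p_not_stopped * impact_left


def simulate(layers, consequence, runs=20000, seed=1):
    """Monte Carlo over the elicited uncertainty; returns mean and 5/95 percentiles."""
    rng = random.Random(seed)
    samples = []
    for _ in range(runs):
        eff = {l.name: l.sample(rng) for l in layers}
        samples.append(residual_risk(layers, consequence, eff))
    cuts = quantiles(samples, n=20)          # 19 cut points at 5% steps
    return {"mean": mean(samples), "p5": cuts[0], "p95": cuts[-1]}


# Constructed treatment packages for one pathway: unauthorised bulk copy of records.
# Consequence is in arbitrary loss units; every number here is invented.
CONSEQUENCE = 100.0

PACKAGE_A = [
    Layer("least-privilege access", "stop", 0.3, 0.5, 0.7),
    Layer("egress monitoring", "stop", 0.4, 0.6, 0.8),
    Layer("records encrypted at rest", "nullify", 0.1, 0.25, 0.4),
]

# Package B adds one more stop layer to package A.
PACKAGE_B = PACKAGE_A + [
    Layer("peer review of bulk exports", "stop", 0.2, 0.4, 0.6),
]


def compare(packages, consequence=CONSEQUENCE, runs=20000, seed=1):
    """Residual-risk summary per package, plus the untreated baseline."""
    out = {"baseline": simulate([], consequence, runs, seed)}
    for name, layers in packages.items():
        out[name] = simulate(layers, consequence, runs, seed)
    return out


if __name__ == "__main__":
    for name, r in compare({"A": PACKAGE_A, "B": PACKAGE_B}).items():
        print(f"{name:9s} mean={r['mean']:6.2f}  p5={r['p5']:6.2f}  p95={r['p95']:6.2f}")
```

Because the layers are treated as independent, the mean residual risk is just the consequence times the product of the mean pass-through fractions (here 100 x 0.5 x 0.4 x 0.75 = 15 for package A); the value of sampling is the spread between the 5th and 95th percentiles, which shows how much of the apparent difference between two packages is within the experts' own uncertainty.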




Keywords: Holistic Framework, Information Security, Insider Threat, Integrated Security, Layered Defence, Risk Management




Anderson, R.H. (1999). ‘Research and development initiatives focused on preventing, detecting, and responding to insider misuse of critical defense information systems’. RAND Corporation. Santa Monica, CA.

Brackney, R.C. and Anderson, R.H. (2004). ‘Understanding the insider threat’. In Proceedings of a March 2004 Workshop. RAND Corporation. Santa Monica, CA.

Cappelli, D.M., Moore, A.P. and Trzeciak, R.F. (2012). The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud), Addison-Wesley, Upper Saddle River, NJ.

Catrantzos, N. (2010). ‘Tackling the insider threat. CRISP Report’. ASIS Foundation Research Council. Alexandria, VA.

Claycomb, W.R., Huth, C.L., Flynn, L., McIntire, D.M. and Lewellen, T.B. (2012). “Chronological Examination of Insider Threat Sabotage: Preliminary Observations,” Journal of Wireless Mobile Networks, Ubiquitous Computing and Dependable Applications, 3 (4): 4–20.

Cohen, F. (1998). “A Note on the Role of Deception in Information Protection,” Computers & Security, 17 (6): 483-506.

Cole, E. and Ring, S. (2006). Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft, Syngress Publishing, Inc., Rockland, MA.

Cooke, R.M. (1991). Experts in Uncertainty: Opinion and Subjective Probability in Science, Oxford University Press, New York, NY.

Cornelissen, W. (2009). ‘Investigating Insider Threats: Problems and Solutions’. School of Management and Governance, University of Twente. Enschede, Netherlands, MS Thesis.

CPNI. (2013). ‘Personnel Security Risk Assessment: A Guide (4th Edition)’. Centre for the Protection of National Infrastructure.

D'Arcy, J. and Herath, T. (2011). “A Review and Analysis of Deterrence Theory in the IS Security Literature: Making Sense of the Disparate Findings,” European Journal of Information Systems, 20: 643-658.

D’Arcy, J. and Hovav, A. (2007). “Towards a Best Fit Between Organizational Security Countermeasures and Information Systems Misuse Behaviors,” Journal of Information System Security, 3 (2): 3-31.

Dhillon, G. (1999). “Managing and Controlling Computer Misuse,” Information Management & Computer Security, 7 (4): 171-175.

DoD. (2000). ‘DoD Insider Threat Mitigation. Final Report of the Insider Threat Integrated Process Team’. US Department of Defense, Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence).

Durán, F.A., Conrad, S.H., Conrad, G.N., Duggan, D.P. and Held, E.B. (2009). “Building a System for Insider Security,” Security & Privacy, IEEE, 7 (6): 30-38.

Flegel, U., Vayssière, J. and Bitz, G. (2010). ‘A State of the Art Survey of Fraud Detection Technology’, in Insider Threats in Cyber Security, Series: advances in information security, eds. C.W. Probst, J. Hunker, M. Bishop, and D. Gollmann, Springer, New York, NY.

Fleming, K.N. and Silady, F.A. (2002). “A Risk-Informed Defense-in-Depth Framework for Existing and Advanced Reactors,” Reliability Engineering & System Safety, 78 (3): 205–225.

Guido, M.D. and Brooks, M.W. (2013). ‘Insider threat program best practices’. In Proceedings of the 46th Annual Hawaii International Conference on System Sciences, IEEE Computer Society, 1831-1839. Washington, DC.

Hunker, J. and Probst, C.W. (2011). “Insiders and Insider threats: An Overview of Definitions and Mitigation Techniques,” Journal of Wireless Mobile Networks, Ubiquitous Computing and Dependable Applications, 2 (1): 4-27.

IAEA (2008). ‘Preventive and protective measures against insider threats. IAEA nuclear security series no. 8’. International Atomic Energy Agency, Vienna, Austria.

International Standards Organisation. (2009). ‘ISO/IEC 31000:2009 Risk Management – Principles and guidelines’. IEC, Geneva, Switzerland.

Johnston, R.G. (2010). “Lessons for Layering,” Security Management, 54 (1): 64-69.

Lee, J. and Lee, Y. (2002). “A Holistic Model of Computer Abuse within Organizations,” Information Management & Computer Security, 10 (2): 57-63.

Lord, S. and Nunes-Vaz, R. (2013). “Designing and Evaluating Layered Security,” International Journal of Risk Assessment and Management, 17 (1): 19-45.

McCormick, M. (2008). ‘Data Theft: A Prototypical Insider Threat’, in Insider Attack and Cyber Security: Beyond the Hacker, Series: Advances in Information Security, eds. S.J. Stolfo, S.M. Bellovin, A.D. Keromytis, S. Hershkop, S. Smith and W. Sinclair, Springer, New York, NY.

Martinez-Moyano, I.J., Rich, E., Conrad, S., Andersen, D.F. and Stewart, T.R. (2008). “A Behavioral Theory of Insider-Threat Risks: A System Dynamics Approach,” ACM Transactions on Modeling and Computer Simulation (TOMACS), 18 (2).

Mills, R.F., Grimaila, M.R., Peterson, G.L. and Butts, J.W. (2011). “A Scenario-Based Approach to Mitigating the Insider Threat,” ISSA Journal, 9 (5): 12-19.

Murray, D.W. and Biringer, B.E. (2009). ‘Defending against Malevolent Insiders using Access Control’, in Wiley Handbook of Science and Technology for Homeland Security, eds J.G. Voeller, John Wiley & Sons, Inc., Hoboken, NJ.

Noonan, T. and Archuleta, E. (2008). ‘The Insider Threat to Critical Infrastructures. The National Infrastructure Advisory Council's Final Report and Recommendations. DHS.’

Nunes-Vaz, R. and Lord, S. (2014). “Designing Physical Security for Complex Infrastructures,” International Journal of Critical Infrastructure Protection, 7 (3): 178-192.

Nunes-Vaz, R., Lord, S. and Bilusich, D. (2014). “From Strategic Security Risks to National Capability Priorities,” Security Challenges, 10 (3): 23-49.

Nunes-Vaz, R. A., Lord, S., Bilusich, D. and Chim, L. (2013). ‘Using Models to Compare the Effectiveness of Alternative Complex Security Arrangements.’ Presented at the 20th International Congress on Modelling and Simulation (MODSIM), Dec 1-6. Adelaide, Australia.

Nunes-Vaz, R., Lord, S. and Ciuk, J. (2011). “A More Rigorous Framework for Security-in-Depth,” Journal of Applied Security Research, 6 (3): 372-393.

Nurse, J.R.C., Buckley, O., Legg, P.A., Goldsmith, M., Creese, S., Wright, G.R.T. and Whitty, M. (2014). ‘Understanding Insider Threat: a Framework for Characterising Attacks’. IEEE Security and Privacy Workshops, 214-228.

Okoli, C. and Pawlowski, S.D. (2004). “The Delphi Method as a Research Tool: an Example, Design Considerations and Applications,” Information and Management, 42 (1): 15-29.

Oltsik, A. (2013). ‘The 2013 Vormetric Insider Threat Report. White Paper’, The Enterprise Strategy Group.

Ouedraogo, M., Mouratidis, H., Hecker, A., Bonhomme, C., Khadraoui, D., Dubois, E. and Preston, D. (2011). ‘A New Approach to Evaluating Security Assurance’, in Proceedings of the 2011 7th International Conference on Information Assurance and Security (IAS), eds. A. Abraham, D. Zeng, D. Agrawal, M.F. Abdollah, E. Corchado, V. Casola and Y.H. Choo, IEEE, Piscataway, NJ.

Park, S., Ruighaver, A.B., Maynard, S.B. and Ahmad, A. (2012). ‘Towards Understanding Deterrence: Information Security Manager's Perspective’, in Proceedings of the International Conference on IT Convergence and Security 2011, Series: Lecture Notes in Electrical Engineering, eds. K.J. Kim and S.J. Ahn, Springer Science+Business Media B.V.

Parker, D.B. (1998). Fighting Computer Crime, John Wiley & Sons, New York, NY.

Reidy, P. and Randal, K. (2013). ‘Combating the Insider Threat at the FBI: Real World Lessons Learned’, Presented at the RSA Conference, Feb. 25 – Mar. 1, 2013. San Francisco, CA.

Ruighaver, A.B., Maynard, S.B. and Warren, M. (2010). “Ethical Decision Making: Improving the Quality of Acceptable Use Policies,” Computers & Security, 29 (7): 731-736.

Ryan, J.J.C.H., Mazzuchi, T.A., Ryan, D.J., López de la Cruz, J. and Cooke, R. (2012). “Quantifying Information Security Risks using Expert Judgment Elicitation,” Computers & Operations Research, 39(4): 774-784.

Salem, M.B., Hershkop, S. and Stolfo, S.J. (2008). ‘A Survey of Insider Attack Detection Research’, in Insider Attack and Cyber Security: Beyond the Hacker, Series: Advances in Information Security, eds. S.J. Stolfo, S.M. Bellovin, S. Hershkop, A.D. Keromytis, S. Sinclair and S. Smith, Springer, New York, NY.

Sarkar, K.R. (2010). “Assessing Insider Threats to Information Security using Technical, Behavioural and Organisational Measures,” Information Security Technical Report, 15: 112-133.

Securelist. (2011). ‘Recognizing Different Types of Insiders’.

Shaw, E.D., Fischer, L.F. and Rose, A.E. (2009). ‘Insider Risk Evaluation and Audit, PERSEREC Technical Report 09-02’, DoD.

Shaw, E.D. and Stock, H.V. (2011). ‘Behavioral risk indicators of malicious insider theft of intellectual property: misreading the writing on the wall. White Paper’. Symantec Corporation. Mountain View, CA.

Steele, S. and Wargo, C. (2007). “An Introduction to Insider Threat Management,” Information Systems Security, 16 (1): 23-33.

Stolfo, S., Bellovin, S.M. and Evans, D. (2011). “Measuring Security,” Security & Privacy, IEEE, 9 (3): 60-65.

Stoneburner, G., Goguen, S. and Feringa, A. (2002). ‘Risk Management Guide for Information Technology Systems. Recommendations of the National Institute of Standards and Technology’, US Department of Commerce, National Institute of Standards and Technology.

Straub, D.W. and Welke, R.J. (1998). “Coping with Systems Risk: Security Planning Models for Management Decision Making,” Management Information Systems Quarterly, 22 (4): 441-469.

Tashi, I. and Ghernaouti-Helie, S. (2009). ‘A security management assurance model to holistically assess the information security posture’. In 2009 International Conference on Availability, Reliability and Security (ARES 2009), IEEE Computer Society. Los Alamitos, CA.

Wood, B. (2000). ‘An insider threat model for adversary simulation,’ in Research on Mitigating the Insider Threat to Information Systems - #2: proceedings of a workshop held August, 2000, RAND Corporation, eds. R.H. Anderson, T. Bozek, T. Longstaff, W. Meitzler, M. Skroch and K. Van Wyk, Santa Monica, CA.

Zeadally, S., Yu, B., Jeong, D.H. and Liang, L. (2012). “Detecting Insider Threats: Solutions and Trends,” Information Security Journal: A Global Perspective, 21 (4): 183-192.