Fig 9 - uploaded by Ivan Homoliak
Malicious insider threat from different perspectives

Source publication
Article
Insider threats are one of today’s most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. In this work, we propose a structural taxonomy and novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them...

Context in source publication

Context 1
... we consider the CIA-based definition of malicious insider threat by Cappelli et al. [2012], the CIA-based definition of intrusion attempts by Anderson [1980], the CIA-based categorization of threats to information systems from Loch et al. [1992], as well as the definition of CWB by Sackett [2002], we can see that there is an intersection of these definitions that is shared by all of them and refers to the internal malicious insider threat for information systems. The situation is depicted abstractly in Figure 9. Note that unintentional insider threat can be an aspect of CWB (e.g., not respecting policies), external intrusion attempts (e.g., thwarting by social engineering), and threats to IS security (i.e., inherently covered by the dimensions). ...

Citations

... The problem is beyond the access control frontier since it includes unpredictable human behaviours. To deal with these threats, existing industrial, academic and government studies [6,7,10] elaborate human profiles and advocate for the use of surveillance systems. Without being exhaustive, some of these profiles are: -Curious persons who, without a malicious intention but without self-control too, get access to sensitive data or do some actions that are in contradiction with the company rules. ...
... Canham et al. [24] similarly concluded that cybersecurity professionals require a taxonomy of employees' unintentional errors to understand root causes and mitigate risks. Homoliak et al. [26] provided initial work on a taxonomy for unintentional insider threats, creating a structure that consisted of slips and mistakes. There was no further decomposition of slips or mistakes. ...
Article
The unintentional activities of system users can jeopardize the confidentiality, integrity, and assurance of data on information systems. These activities, known as unintentional insider threat activities, account for a significant percentage of data breaches. A method to mitigate or prevent this threat is using smart systems or artificial intelligence (AI). The construction of an AI requires the development of a taxonomy of activities. The literature review focused on data breach threats, mitigation tools, taxonomy usage in cybersecurity, and taxonomy development using Endnote and Google Scholar. This study aims to develop a taxonomy of unintentional insider threat activities based on narrative descriptions of the breach events in public data breach databases. The public databases were from the California Department of Justice, US Health and Human Services, and Verizon, resulting in 1850 examples of human errors. A taxonomy was constructed to specify the dimensions and characteristics of objects. Text mining and hierarchical cluster analysis were used to create the taxonomy, indicating a quantitative approach. Ward’s agglomeration coefficient was used to ensure the cluster was valid. The resulting top-level taxonomy categories are application errors, communication errors, inappropriate data permissions, lost media, and misconfigurations.
... In [2], it was discovered that 27% of cybercrime incidents were suspected to be carried out by individuals within the organization, and 30% of those surveyed believed that insiders caused greater harm compared to external attackers. In [3], internal fraudsters were identified as the main culprits in 29% of economic crime cases. ...
... Furthermore, related research studies frequently use artificially generated datasets that are not suitable for insider threat scenarios. For example, some datasets lack malicious data or are out of date [3,29]. ...
Article
Insider threats pose a significant risk to organizations, necessitating robust detection mechanisms to safeguard against potential damage. Traditional methods struggle to detect insider threats operating within authorized access. Therefore, the use of Artificial Intelligence (AI) techniques is essential. This study aimed to provide valuable insights for insider threat research by synthesizing advanced AI methodologies that offer promising avenues to enhance organizational cybersecurity defenses. For this purpose, this paper explores the intersection of AI and insider threat detection by acknowledging organizations' challenges in identifying and preventing malicious activities by insiders. In this context, the limitations of traditional methods are recognized, and AI techniques, including user behavior analytics, Natural Language Processing (NLP), Large Language Models (LLMs), and Graph-based approaches, are investigated as potential solutions to provide more effective detection mechanisms. For this purpose, this paper addresses challenges such as the scarcity of insider threat datasets, privacy concerns, and the evolving nature of employee behavior. This study contributes to the field by investigating the feasibility of AI techniques to detect insider threats and presents feasible approaches to strengthening organizational cybersecurity defenses against them. In addition, the paper outlines future research directions in the field by focusing on the importance of multimodal data analysis, human-centric approaches, privacy-preserving techniques, and explainable AI.
... Deep learning algorithms are also beneficial, work end-to-end, and can extract feature representations on their own from unprocessed data [7]. The essential characteristics are selected using the feature selection (FS) approach, which is then used to create accurate and trustworthy Insider Detection system models [8]. Reduced data dimensionality, computational cost, and enhanced detection performance are benefits of FS. ...
Article
Insider threats remain a serious anxiety for organizations, government agencies, and businesses. Normally, the most hazardous cyber attacks are formed by trusted insiders and not by malicious outsiders. The malicious behaviors resulting from unplanned or planned mishandling of resources, data, networks, and systems of an organization constitute an insider threat. The unsupervised behavioral anomaly detection methods are mostly developed by the traditional machine learning methods for identifying unusual or anomalous variations in user behavior. The insider threat mainly originates from an individual inside the organization who is a current or former employee who has access to sensitive information about the organization. For achieving an improvement over traditional methods, the Stacked Convolutional Neural Network-Attentional Bi-directional Gated Recurrent Unit model is proposed in this paper to detect insider threats. The CNN-Attentional BiGRU model utilizes the user activity logs and user information for time-series classification. Using the log files, the temporal data representations, and weekly and daily numerical features from various sub-models of CNN are learned by the stacked generalization. Based on the chosen feature vectors, a model is trained on the CERT insider threat dataset. The stacked CNN is combined with the Attentional BiGRU model to incorporate more complex features of the user activity logs and user data during each convolution operation without raising network parameters. Thus, the classification performance is improved with less complexity. The non-linear time control, chaos-based strategy, update rules, and opposite-based learning strategies are evaluated for generating the Modified-Equilibrium Optimization. The simulation outputs obtained by the model are 92.52% accuracy, 98% Precision, 95% Recall, and 96% F1-score. Thus, the proposed model has reached higher detection performance.
... [3] offers a review of existing insider threat approaches that use NSL-KDD to detect DOS attacks. [27] provides context-specific definitions of ML model hyperparameters as well as their impact on tuning model hyperparameters for decision-making performance and various approaches to obtain optimal values. In [28], the sensitivity of hyperparameter adjustment to eliminate bias in performance prediction is explored. ...
... [30] details the NSL-KDD data set features as well as both the concerns observed in kdd99 and the attack type classifications. The researchers in [27] conduct a survey assessment of insider threat concerns. They state that the extent of the insider threat is a complicated challenge since it is usually difficult to distinguish between insiders and outsiders of a community while operating within a LAN. ...
Article
Insider threats have recently become one of the most urgent cybersecurity challenges facing numerous businesses, such as public infrastructure companies, major federal agencies, and state and local governments. Our purpose is to find the most accurate machine learning (ML) model to detect insider attacks. In the realm of machine learning, the most convenient classifier is usually selected after further evaluation trials of candidate models which can cause unseen data (test data set) to leak into models and create bias. Accordingly, overfitting occurs because of frequent training of models and tuning hyperparameters; the models perform well on the training set while failing to generalize effectively to unseen data. The validation data set and hyperparameter tuning are utilized in this study to prevent the issues mentioned above and to choose the best model from our candidate models. Furthermore, our approach guarantees that the selected model does not memorize data of the threats occurring in the local area network (LAN) through the usage of the NSL-KDD data set. The following results are gathered and analyzed: support vector machine (SVM), decision tree (DT), logistic regression (LR), adaptive boost (AdaBoost), gradient boosting (GB), random forests (RFs), and extremely randomized trees (ERTs). After analyzing the findings, we conclude that the AdaBoost model is the most accurate, with a DoS of 99%, a probe of 99%, access of 96%, and privilege of 97%, as well as an AUC of 0.992 for DoS, 0.986 for probe, 0.952 for access, and 0.954 for privilege.
... Students often reuse passwords across applications, store passwords insecurely, connect to unsecured networks, or fail to install software updates [12]. Unintentional insider threats stem from negligence, errors, or lack of training [13]. Most ransomware attacks initially access networks by exploiting known software vulnerabilities or stolen credentials [14]. ...
... Student cyber hygiene and developing a "human firewall" are essential but underserved currently. Research such as [12], [13] also highlights the need for cybersecurity knowledge in learning environments, which is consistent with your findings on students' lack of awareness. Our conclusions regarding the necessity of all-encompassing cybersecurity plans are consistent with those found in [15] and [16], which address the significance of a robust security culture and layered defenses. ...
... The scope was limited to cybersecurity awareness and did not delve into specific technological solutions or policies in educational settings. Homoliak et al. [13] analyzed insider threats in cybersecurity. ...
Article
With the rapid growth of distance learning, especially since the COVID-19 pandemic, cybersecurity has become increasingly essential to protect students, instructors, and institutions from cyber threats. This paper examines the role of cybersecurity in enhancing students’ security awareness during distance learning. A literature review covers critical cyber threats in distance learning and strategies to mitigate risks through cybersecurity tools, policies, training, and promoting a culture of cybersecurity. Primary research was conducted by surveying 531 university students engaged in distance learning to assess their cybersecurity awareness, attitudes, and behaviors. Results indicate relatively low awareness and adoption of secure practices. Recommendations include implementing multi-layered cybersecurity defenses, student security awareness training, and nurturing a “human firewall” through a cyber-aware campus culture. Cyber risks can be reduced through proactive partnerships between students, faculty, information technology (IT) staff, and administrators to secure distance learning environments.
... Insider threat refers to the insider's behaviors that violate the security policy of the organization (Homoliak et al. 2019), and it is currently widely affecting various enterprises and organizations. User behaviors can be described as sequential decision-making processes (Pan et al. 2020). ...
... Insider threat is a special and important information system threat, and there are many targeted detection methods against insider threat. As shown in Fig. 2, insider threat detection techniques can be classified into 5 categories: anomaly-based, misuse-based, hybrid, classification-based, and unsupervised detection (Homoliak et al. 2019). Besides, access control and trust management are also important for defending against insider threats. ...
Article
Researchers usually detect insider threats by analyzing user behavior. The time information of user behavior is an important concern in internal threat detection. Existing works on insider threat detection fail to make full use of the time information, which leads to their poor detection performance. In this paper, we propose a novel behavioral feature extraction scheme: we implicitly encode absolute time information in the behavioral feature sequences and use a feature sequence construction method taking covariance into account to make our scheme adaptive to users. We select Stacked Bidirectional LSTM and Feedforward Neural Network to build a deep learning-based insider threat detection model: Behavior Rhythm Insider Threat Detection (BRITD). BRITD is universally applicable to various insider threat scenarios, and it has good insider threat detection performance: it achieves an AUC of 0.9730 and a precision of 0.8072 with the CMU CERT dataset, which exceeds all baselines.
... It highlights the factors that reflect the methodology and performance of the reviewed approaches from various empirical perspectives. Another recent survey [7] addresses the taxonomy and categorization of insider threats. ...
Article
In today’s interconnected world, cybersecurity has emerged as a critical domain for ensuring the integrity, confidentiality, and availability of digital assets. Within this sphere, insider threats represent a unique and particularly insidious class of security risks, originating not from external hackers but from within the organization itself. These threats are perpetrated by individuals with inside information concerning the organization’s security practices, data, and computer systems. Traditional security measures like firewalls, intrusion detection systems, and antivirus software are often inadequate for tackling insider threats effectively, owing to their focus on external threats. This inadequacy underscores the urgent need for the development and implementation of more sophisticated, targeted detection techniques for insider threats. In response to this challenge, our research introduces a groundbreaking approach that employs the Density-Based Local Outlier Factor (DBLOF) algorithm, fine-tuned to specifically tackle the challenges posed by the imbalanced nature of the CERT r4.2 insider threat dataset. This dataset is characterized by a highly skewed distribution, with a significant majority of benign instances and only a minimal proportion of malicious activities. Conventional detection algorithms often fail to effectively identify these rare but dangerous instances, leading to a high rate of false negatives. Our methodology capitalizes on the algorithm’s ability to focus on the local density deviation of data points, thereby enabling the precise identification of outliers that are indicative of potential insider threats. Through rigorous testing and validation processes, we have achieved outstanding results, with an F-score of 98%.
These remarkable outcomes not only affirm the effectiveness of the DBLOF algorithm as a powerful tool for combating insider threats but also contribute valuable insights to the broader academic and professional discourse on cybersecurity. Importantly, our findings have practical implications, offering organizations actionable recommendations for boosting their internal security mechanisms against the complex and evolving landscape of insider threats.
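The abstract above relies on the local-density idea behind the Local Outlier Factor, and the earlier citing snippet lists "unsupervised" and "anomaly-based" as two of the five detection categories in Homoliak et al. (2019). The block below is an added example that shows what that looks like in practice; it is not code from the DBLOF paper, from Homoliak et al., or from any other work cited on this page. It implements the plain LOF definition (Breunig et al., 2000) in pure Python and runs it over a constructed table of per-user weekly activity counts (logons, after-hours logons, USB connections, HTTP upload volume); the user names, feature choice and every value are invented for the example and are not CERT records. One user is constructed to behave like the rare malicious instance the abstract describes, and the class imbalance is deliberate: ten ordinary weeks, one anomalous one.

```python
"""Local Outlier Factor (LOF, Breunig et al. 2000) over constructed per-user
weekly activity counts. Added example; not code from the DBLOF paper,
from Homoliak et al., or from any other work cited on this page."""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed sample, one row per user-week. Feature order:
# (logons, after_hours_logons, usb_connects, http_upload_mb).
# Names and values are made up for the example; they are not CERT records.
SAMPLE_WEEK: Dict[str, Tuple[float, float, float, float]] = {
    "u01": (40, 2, 1, 5),
    "u02": (42, 1, 0, 6),
    "u03": (38, 3, 2, 4),
    "u04": (45, 0, 1, 7),
    "u05": (41, 2, 0, 5),
    "u06": (39, 1, 1, 6),
    "u07": (43, 2, 2, 5),
    "u08": (37, 1, 0, 4),
    "u09": (44, 3, 1, 6),
    "u10": (40, 0, 1, 5),
    # constructed anomaly: many after-hours logons, USB events and a bulk upload
    "u11": (35, 25, 14, 180),
}


def euclid(a: Sequence[float], b: Sequence[float]) -> float:
    """Euclidean distance between two feature vectors (no scaling applied)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def lof_scores(points: Dict[str, Sequence[float]], k: int = 3) -> Dict[str, float]:
    """Return the LOF of every point. Scores near 1 mean the point is about as
    dense as its neighbours; scores well above 1 mean it is a local outlier.
    Ties at the k-th distance are kept in the neighbourhood, as in the
    original definition, so a neighbourhood may hold more than k points."""
    names = list(points)
    if k < 1 or k >= len(names):
        raise ValueError("k must satisfy 1 <= k < number of points")
    dist = {a: {b: euclid(points[a], points[b]) for b in names if b != a} for a in names}

    k_dist: Dict[str, float] = {}
    nbrs: Dict[str, List[str]] = {}
    for p in names:
        ranked = sorted((dist[p][o], o) for o in names if o != p)
        k_dist[p] = ranked[k - 1][0]                      # distance to k-th nearest
        nbrs[p] = [o for d, o in ranked if d <= k_dist[p]]

    def reach(p: str, o: str) -> float:
        # reachability distance: never closer than o's own k-distance, which
        # smooths statistical fluctuation for points inside dense regions
        return max(k_dist[o], dist[p][o])

    lrd: Dict[str, float] = {}                             # local reachability density
    for p in names:
        total = sum(reach(p, o) for o in nbrs[p])
        # total == 0 only when p sits on >= k exact duplicates: maximally dense
        lrd[p] = len(nbrs[p]) / total if total > 0 else math.inf

    lof: Dict[str, float] = {}
    for p in names:
        if math.isinf(lrd[p]):
            lof[p] = 0.0                                   # inside a block of duplicates
        else:
            # ratio of the neighbours' average density to p's own density
            lof[p] = sum(lrd[o] for o in nbrs[p]) / (len(nbrs[p]) * lrd[p])
    return lof


def flag_outliers(points: Dict[str, Sequence[float]], k: int = 3,
                  threshold: float = 1.5) -> List[str]:
    """Names whose LOF exceeds `threshold`, highest score first."""
    scores = lof_scores(points, k)
    return sorted((n for n, s in scores.items() if s > threshold),
                  key=lambda n: scores[n], reverse=True)


if __name__ == "__main__":
    for name, score in sorted(lof_scores(SAMPLE_WEEK).items(), key=lambda kv: -kv[1]):
        print(f"{name}: LOF={score:.2f}")
    print("flagged:", flag_outliers(SAMPLE_WEEK))
```

On this constructed week the ten ordinary users score between roughly 0.9 and 1.3 and the constructed anomaly scores in the tens, so the threshold of 1.5 used here is not delicate. Two caveats matter when moving to real data of the kind the abstract uses: the features are not standardised, so `http_upload_mb` dominates the distance by construction, and on a heavily imbalanced population the threshold is what trades false negatives against analyst workload, so it should be chosen against a held-out sample rather than fixed at 1.5.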
... Employees can also participate in system misuse. Information system misuse may include using company computers for non-work-related activities or unauthorized access to confidential information (Homoliak, Toffalini, Guarnizo, Elovici, & Ochoa, 2019). Intentional behavior also includes information theft, sabotage, or espionage (Hills & Anjali, 2017). ...
... Employees may also perform more direct, malicious, and intentional violations of cybersecurity policies that may harm information systems. For example, employees may transfer sensitive data to their mobile devices, modify security configurations, or share confidential information with third parties outside the organization (Das & Khan, 2016; Homoliak et al., 2019). Malicious activity by insiders is associated with scams, fraud, and social engineering incidents (Niblett, 2016). ...
... For example, employees may leave an unattended computer in a logged-in status out of negligence (Omoyiola, 2023). Also, insiders who are mischievous or insiders who have an attitude of resistance toward cybersecurity policies may cause security incidents (Homoliak et al., 2019). Non-malicious employees' risky actions may be due to a lack of knowledge or awareness of such actions' consequences. ...
Article
Some cybersecurity executives have not mitigated the human insider weakness in their organizations. The lack of employee security awareness and training is a significant threat to organizations because it leads to security risks, attacks, and breaches in companies. Cybersecurity executives utilize security education training and awareness programs to mitigate the human insider factor weakness in their organizations. Hence, firms in various sectors of the economy should conduct security education training and awareness programs every quarter and communicate security risks and updates every week for improved and desired cybersecurity behavior. In this paper, we examine the strategies for addressing and mitigating the human insider factor in cybersecurity.
... Some taxonomies and typologies distinguish by insider position (Cole & Ring, 2005;Magklaras & Furnell, 2001;Bundesamt für Sicherheit in der Informationstechnik, 2018) or attack vector (Phyo & Furnell, 2004). Homoliak et al. (2019) provide a comprehensive taxonomy with multiple aspects. ...
... To develop types that are as complete as possible, our aim was to look at as many aspects of malicious insider threats as possible. Therefore, we prepared an analysis scheme based on various existing taxonomies (see table 3), which partly follows the comprehensive taxonomy by Homoliak et al. (2019), who examined and combined various existing taxonomies. We grouped the different type aspects in six groups of characteristics: intention(s) or outcome, motivation, insider position, attack vector, timing, and psychosocial characteristics. ...
Conference Paper
Malicious insider threats represent a particular challenge not only for defense, but also for research, as it is estimated there is a high number of unreported cases. Current taxonomies and typologies usually focus on specific aspects, such as goal or motivation, and tend to have tight boundaries. A number of malicious insider threat attack scenarios were identified in our research through qualitative interviews, enhanced with a game-based creative approach. The resulting data was used to develop a malicious insider threat typology in an empirical bottom-up approach. We developed an analysis scheme from existing taxonomies and typologies and used it in an empirical analysis of malicious insider roles and attack scenarios. We were able to identify eleven archetypes of malicious insider threats considering multiple facets. This paper describes the analysis and the identified types.