Insider threat modeling: An adversarial risk analysis approach

TL;DR

This paper introduces two new insider threat models using adversarial risk analysis that incorporate organizational culture, detection, and defensive measures, providing more realistic insights into insider attack dynamics.

Contribution

The paper develops novel insider threat models with adversarial risk analysis that account for detection and organizational factors, improving upon previous game theoretic approaches.

Findings

Models are applicable to various insider threat scenarios

Incorporates detection and organizational culture factors

Uses ARA for realistic risk assessment

Abstract

Insider threats entail major security issues in geopolitics, cyber risk management and business organization. The game theoretic models proposed so far do not take into account some important factors such as the organisational culture and whether the attacker was detected or not. They also fail to model the defensive mechanisms already put in place by an organisation to mitigate an insider attack. We propose two new models which incorporate these settings and hence are more realistic. %Most earlier work in the field has focused on %standard game theoretic approaches to find the solutions. We use the adversarial risk analysis (ARA) approach to find the solution to our models. ARA does not assume common knowledge and solves the problem from the point of view of one of the players, taking into account their knowledge and uncertainties regarding the choices available to them, to their adversaries, the possible outcomes, their utilities and their opponents' utilities. Our models and the ARA solutions are general and can be applied to most insider threat scenarios. A data security example illustrates the discussion.