Organizational learning for insider threat detection
Presentation Transcript
Organizational Sensing for Insider Threat Detection
Jeffrey M. Stanton, Syracuse University School of Information Studies
IT Organization as Sensor
Amazon Rank: #784,784 in Books
Makes the argument that extensive IT monitoring of employee technology use works best with high levels of employee awareness and buy-in
[Figure: behaviors plotted on two axes, Expertise (Expert to Novice) and Intentions (Malicious to Benevolent). Labels in the figure: Unintentional Insecurity, Aware Assurance, Intentional Destruction, Dangerous Tinkering, Detrimental Misuse, Basic Hygiene, Naïve Mistakes.]
*110 information security professionals generated lists of behaviors and rated them.
Social Network as Sensor
Shuyuan Ho (2008) promotes the metaphor of social networks as behavioral sensors; colleagues with ample opportunity to observe a target’s behavior over time have the capability to detect unexpected changes (“anomalies”) in a target’s behavior.
(Ho, S.M. (2008). Attribution-based Anomaly Detection: Trustworthiness in an Online Community. In Huan Liu, John J. Salerno and Michael J. Young, Social Computing, Behavioral Modeling, and Prediction (pp. 129-140). New York: Springer US.)
Other Organizational Sensor Types
HR: Changes to benefit configurations, demographic data changes, vacation drought, travel authorizations, grievances and appeals
Finance: Changes to temporal & geographical expenditure patterns; exceptions to standard operating procedures; audit results
Procurement & Facilities: Atypical requests for equipment, software; room reservations, door swipes, ID card replacement
Sensors work well when tuned to detect meaningful events and ignore meaningless ones; fusing data across multiple sensors tends to improve reliability; coordinated analysis, triggering, response, and feedback tends to improve system performance
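The fusion point above, worked through as an added example that is not part of the original presentation: naive-Bayes fusion of alerts from the sensor types listed on the earlier slides. The per-sensor alert rates, the base rate, the triage threshold and the function names are constructed assumptions, and the model assumes the sensors are conditionally independent.

```python
import math

# Constructed rates per sensor: (P(alert | insider), P(alert | benign)).
SENSORS = {
    "it_monitoring":  (0.60, 0.05),
    "social_network": (0.50, 0.10),
    "hr":             (0.40, 0.08),
    "finance":        (0.35, 0.04),
    "facilities":     (0.45, 0.10),
}
PRIOR = 0.001  # constructed base rate of a true insider case


def posterior(observations, prior=PRIOR, sensors=SENSORS):
    """Fuse sensor readings into P(insider | readings).

    observations maps sensor name -> True (alert) or False (quiet).
    Sensors that did not report are left out and contribute nothing.
    Assumes sensors are conditionally independent (naive Bayes).
    """
    log_odds = math.log(prior / (1 - prior))
    for name, fired in observations.items():
        tpr, fpr = sensors[name]
        if fired:
            log_odds += math.log(tpr / fpr)              # alert raises the odds
        else:
            log_odds += math.log((1 - tpr) / (1 - fpr))  # silence lowers them
    return 1 / (1 + math.exp(-log_odds))


def triage(observations, threshold=0.25):
    """Return 'review' when the fused posterior reaches the threshold."""
    return "review" if posterior(observations) >= threshold else "ignore"


if __name__ == "__main__":
    quiet = {name: False for name in SENSORS}
    cases = {
        "IT alert only": {"it_monitoring": True},
        "IT alert, other sensors quiet": {**quiet, "it_monitoring": True},
        "IT + HR + Finance alerts": {"it_monitoring": True, "hr": True,
                                     "finance": True},
        "all five alert": {name: True for name in SENSORS},
    }
    for label, obs in cases.items():
        print(f"{label:32s} p={posterior(obs):.4f} -> {triage(obs)}")
```

A lone IT alert stays near 1% because of the low base rate, and explicit silence from the other sensors pushes it lower still; only corroboration across sensors moves a case into review.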
John Seely Brown and Paul Duguid (1991): Organizational Learning and Communities-of-Practice
Learning in organizations occurs primarily within communities of practice (COPs): interacting groups sharing a common base of professional “stories”
Effective diagnosis of difficult problems and innovative solutions result from antiphonal recitation (Orr, 1990): sharing the story from different perspectives within the COP
Departmentalization encloses COPs within a range of related professional specializations (e.g., corporate analysis; mergers and acquisitions; equity and debt; underwriting)
Antiphonal recitation then reflects a narrowed set of perspectives; organizational learning only occurs in isolated pockets