Organizational learning for insider threat detection

  • 1. Organizational Sensing for Insider Threat Detection
    Jeffrey M. Stanton
    Syracuse University
    School of Information Studies
  • 2. IT Organization as Sensor
    Amazon Rank: #784,784 in Books
    Makes the argument that extensive IT monitoring of employee technology use works best with high levels of employee awareness and buy-in
  • 3. [Figure: behaviors plotted on two axes, Expertise (Expert to Novice) and Intentions (Malicious to Benevolent). Surviving category labels: Aware Assurance, Intentional Destruction, Detrimental Misuse.]
    *110 Information Security professionals generated lists of behaviors and rated them.
  • 4. Social Network as Sensor
    Shuyuan Ho (2008) promotes the metaphor of social networks as behavioral sensors; colleagues with ample opportunity to observe a target’s behavior over time have the capability to detect unexpected changes (“anomalies”) in a target’s behavior
    (Ho, S.M. (2008) Attribution-based Anomaly Detection: Trustworthiness in an Online Community. In Huan Liu, John J. Salerno and Michael J. Young, Social Computing, Behavioral Modeling, and Prediction (pp. 129-140). New York: Springer US.)
  • 5. Other Organizational Sensor Types
    HR: Changes to benefit configurations, demographic data changes, vacation drought, travel authorizations, grievances and appeals
    Finance: Changes to temporal & geographical expenditure patterns; exceptions to standard operating procedures; audit results
    Procurement & Facilities: Atypical requests for equipment, software; room reservations, door swipes, ID card replacement
  • 6. Sensors work well when tuned to detect meaningful events and ignore meaningless ones; fusing data across multiple sensors tends to improve reliability; coordinated analysis, triggering, response, and feedback tends to improve system performance
  • 7. John Seely Brown and Paul Duguid (1991): Organizational Learning and Communities-of-Practice
    Learning in organizations occurs primarily within communities of practice (COPs) – interacting groups sharing a common base of professional “stories”
    Effective diagnosis of difficult problems and innovative solutions result from antiphonal recitation (Orr, 1990): sharing the story from different perspectives within the COP
    Departmentalization encloses COPs within a range of related professional specializations (e.g., corporate analysis; mergers and acquisitions; equity and debt; underwriting)
    Antiphonal recitation then reflects a narrowed set of perspectives; organizational learning only occurs in isolated pockets
  • 8. Enhancing Organizational Learning for Improved Sensing
    Legitimize Peripheral Participation
    Bake-in cross-training, cross-functional teams, shadowing, externships
    Enable, reward, and celebrate “maverick” communities