
Organizational learning for insider threat detection



  1. Organizational Sensing for Insider Threat Detection
     Jeffrey M. Stanton
     Syracuse University
     School of Information Studies
  2. IT Organization as Sensor
     Amazon Rank: #784,784 in Books
     Makes the argument that extensive IT monitoring of employee technology use works best with high levels of employee awareness and buy-in
  3. [Figure: two-axis chart of behaviors. Axes: Expertise (Expert to Novice) and Intentions (Malicious to Benevolent). Chart labels: Unintentional Insecurity, Aware Assurance, Intentional Destruction, Dangerous Tinkering, Detrimental Misuse, Basic Hygiene, Naïve Mistakes.]
     *110 Information Security professionals generated lists of behaviors and rated them.
  4. Social Network as Sensor
     Shuyuan Ho (2008) promotes the metaphor of social networks as behavioral sensors: colleagues with ample opportunity to observe a target’s behavior over time have the capability to detect unexpected changes, or “anomalies,” in that behavior.
     (Ho, S.M. (2008). Attribution-based Anomaly Detection: Trustworthiness in an Online Community. In Huan Liu, John J. Salerno and Michael J. Young, Social Computing, Behavioral Modeling, and Prediction (pp. 129-140). New York: Springer US.)
  5. Other Organizational Sensor Types
     HR: Changes to benefit configurations, demographic data changes, vacation drought, travel authorizations, grievances and appeals
     Finance: Changes to temporal and geographical expenditure patterns; exceptions to standard operating procedures; audit results
     Procurement & Facilities: Atypical requests for equipment and software; room reservations, door swipes, ID card replacement
  6. Sensors work well when tuned to detect meaningful events and ignore meaningless ones; fusing data across multiple sensors tends to improve reliability; coordinated analysis, triggering, response, and feedback tends to improve system performance
  7. John Seely Brown and Paul Duguid (1991): Organizational Learning and Communities-of-Practice
     Learning in organizations occurs primarily within communities of practice (COPs): interacting groups sharing a common base of professional “stories”
     Effective diagnosis of difficult problems and innovative solutions result from antiphonal recitation (Orr, 1990): sharing the story from different perspectives within the COP
     Departmentalization encloses COPs within a range of related professional specializations (e.g., corporate analysis; mergers and acquisitions; equity and debt; underwriting)
     Antiphonal recitation then reflects a narrowed set of perspectives; organizational learning only occurs in isolated pockets
  8. Enhancing Organizational Learning for Improved Sensing
     Legitimize peripheral participation
     Bake in cross-training, cross-functional teams, shadowing, externships
     Enable, reward, and celebrate “maverick” communities