IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 5, NO. 1, MARCH 2010, p. 169

Insiders Behaving Badly: Addressing Bad Actors and Their Actions

Shari Lawrence Pfleeger, Joel B. Predd, Jeffrey Hunker, and Carla Bulford

Abstract—We present a framework for describing insiders and their actions based on the organization, the environment, the system, and the individual. Using several real examples of unwelcome insider action (hard drive removal, stolen intellectual property, tax fraud, and proliferation of e-mail responses), we show how the taxonomy helps in understanding how each situation arose and could have been addressed. The differentiation among types of threats suggests how effective responses to insider threats might be shaped, what choices exist for each type of threat, and the implications of each. Future work will consider appropriate strategies to address each type of insider threat in terms of detection, prevention, mitigation, remediation, and punishment.

Index Terms—Cyber crime, cyber security, insider threat.

I. INTRODUCTION

As users, managers, researchers, or administrators, we worry about outsiders attacking our systems and networks, breaking through the perimeter defenses we have established to keep bad actors out. But we also worry about the “insider threat”: people with legitimate access who behave in ways that put our data, our systems, our organizations, and even our businesses’ viability at risk. The behavior may not be malicious; it may be well-intended but still have unwelcome consequences.

Insider misuse can threaten personal data, national security, and economic prosperity. In 2007, 59% of survey respondents perceived that they had experienced insider abuse of network resources. About one in four respondents perceived that over 40% of their total financial losses from cyber attack were due to insider activities [16].¹ The damage is difficult to quantify, because it can extend far beyond the actual cost of the items stolen or corrupted.

Beginning in 1999, RAND conducted workshops to elucidate the research agenda necessary to address this problem [7], [13]. In parallel, the U.S. Defense Department produced its own report [18] outlining both a set of policy changes and research directions for reducing the insider threat. And the Software Engineering Institute’s Computer Emergency Response Team (US-CERT) has been working with the U.S. Secret Service to understand the motivations of convicted insiders.² From these and related activities, a rich literature illuminating various aspects of the insider threat problem is emerging.

But it is still difficult to compare incidents, recognize emerging insider problems, or deal with them appropriately, because we have no commonly accepted framework to address the following questions:

1) What do we mean by an insider?
2) What kinds of insider actions put organizations or their resources at some risk?
3) What can we do to reduce the risk of threatening insider actions?

The answers allow us to distinguish among different types of insider threat, differentiate problems we can address from those we cannot, and determine the roles played by technology and policy in crafting responses. They also help us find ways to manage the risk of threatening insider actions, and provide a unifying context in which to categorize different research efforts. Without consistent definitions or an understanding of the kinds of insider actions that present risks, each researcher develops his or her own data set, biases, and assumptions.

A consistent framework is often useful in moving forward a research area or business practice. For example, Alfred P. Sloan revolutionized General Motors’ sales evaluation [46] by developing a standardized accounting sheet that enabled all stakeholders to perform financial analysis using the same types of numbers in the same columns. Sloan’s accounting sheets served as diagnostic tools to categorize business activities. Today, insider threat research suffers from similar problems, because there is no standard way to characterize a security incident. A unifying vision like Sloan’s is needed to drive more effective response strategies. Our framework for understanding the range of factors shaping insider threats can be used as the basis for uniquely classifying insider actions into distinct categories. In turn, this information provides insight for differentiating appropriate strategies for response.

II. WHAT DO WE MEAN BY “INSIDER”?

The notion of “insider” embodies assumptions about who is under consideration, the degree of trust between the insider

Manuscript received August 09, 2009; accepted November 16, 2009. First published December 31, 2009; current version published February 12, 2010. This material is based on work supported by the U.S. Department of Homeland Security under Grant Award 2006-CS-001-000001. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Nasir Memon.

S. L. Pfleeger and J. B. Predd are with the RAND Corporation, Arlington, VA 22202 USA (e-mail: pfleeger@rand.org; jpredd@rand.org).

J. Hunker and C. Bulford are with Jeffrey Hunker Associates, Pittsburgh, PA 15206 USA (e-mail: hunker@jeffreyhunker.com; Carla.bulford@gmail.com).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TIFS.2009.2039591

¹ The Computer Security Institute study is a convenience survey, so its results lack statistical validity.
² See, for example, [28].

1556-6013/$26.00 © 2010 IEEE