An Insider Threat Prediction Model

Miltiadis Kandias, Alexios Mylonas, Nikos Virvilis, Marianthi Theoharidou, and Dimitris Gritzalis

Information Security & Critical Infrastructure Protection Research Group
Dept. of Informatics, Athens University of Economics and Business,
76 Patission Ave., GR-10434, Athens, Greece
{kandiasm,amylonas,nvir,mtheohar,dgrit}@aueb.gr
http://www.cis.aueb.gr

Abstract. Information systems face several security threats, some of which originate from insiders. This paper presents a novel, interdisciplinary insider threat prediction model. It combines approaches, techniques, and tools from computer science and psychology. It utilizes real time monitoring, capturing the user’s technological trait in an information system and analyzing it for misbehavior. In parallel, the model uses data from psychometric tests, so as to assess for each user the predisposition to malicious acts and the stress level, which is an enabler for the user to overcome his moral inhibitions, under the condition that the collection of such data complies with the legal framework. The model combines the above mentioned information, categorizes users, and identifies those that require additional monitoring, as they can potentially be dangerous for the information system and the organization.

Keywords: Insider Threat, Information Security, Taxonomy, Prediction.

1 Introduction

Information systems face several security threats, a number of which may originate from the “trusted” inside of an organization. This is a problem with a technical and a behavioral nature. The paper proposes a prediction model, which combines a number of different approaches and techniques. The ultimate goal of the paper is to identify some of the factors influencing a user’s decision to act, as well as a number of indicators and precursors of malicious acts, especially those that leave a technological, detectable trail on a system.

Currently, the information security literature does not adopt a common definition of the “insider”. The identified attributes of an insider usually are: logical or physical location, authorization, expected behavior, motivation, and trust. For the purposes of this paper, an insider is “a human entity that has/had access to the information system of an organization and does not comply with the security policy of the organization”. This definition does not define the type of access (logical or physical, existing or revoked). Also, it does not define the level of skill required by the insider to meet his objectives.

S. Katsikas, J. Lopez, and M. Soriano (Eds.): TrustBus 2010, LNCS 6264, pp. 26–37, 2010.
© Springer-Verlag Berlin Heidelberg 2010