The role of behavioral research and profiling in malicious cyber insider investigations☆
Introduction
Government and corporate security firms dedicate significant resources to investigating the insider computer attacks that continue to plague organizations worldwide (Gordon et al., 2005). But, until recently, relatively little behavioral data had been gathered on these subjects and their activities. Nor had much been written on how behavioral investigation techniques, or “profiling,” can contribute to insider investigations and case management. For the purposes of this article, two forms of “profiling” are considered. Inductive profiling involves the study of a group of subjects who share a common characteristic or activity to discern trends or patterns in their motives, characteristics or behavior. The FBI's famous studies of perpetrators of serial sexual homicide (Ressler et al., 1980) would be an example of the use of a series of case studies for this purpose, as would be the studies of insiders referenced below. Deductive profiling refers to the assessment of a subject's personal characteristics from his or her crimes, activities, statements or other reports and is associated with case investigations. The methods described in the second half of this article concern this form of profiling, often associated with identifying an unknown subject from his insider activities and communications and using this information to support an investigation or manage subject behavior and risk.
This article reviews recent empirical evidence garnered from inductive studies of insiders examining “who, what, where, when, why and how” of insider computer attacks. These results are then compared to insider “theories” and folklore. Then the use of a specific deductive profiling approach to insider investigation and case management is described along with illustrative case studies.
Recent empirical research
Many private computer security firms, corporate security departments and law enforcement agencies have extensive experience in insider investigations involving computer systems. However, there have been few studies that have collated technical and behavioral data from multiple sources and performed basic analyses on behavioral trends across cases. Two recent groups of investigators have begun to shed light on some fundamental elements of insider behavior by collecting technical and behavioral
Deductive profiling methods with insider cases
Sometimes studies such as those described above are referred to as inductive approaches to knowledge acquisition because the researcher moves from specific data points to general conclusions (e.g. disgruntled insiders often attack after termination). In this regard, the approach followed is equivalent to a form of the scientific method applied in a post hoc case study format (Kaarbo and Beasley, 1999). Through this method researchers can devise typologies to help characterize different types of
References (35)
- et al. Criminal profiling and insider cyber crime. Computer Law and Security Report (2005)
- Traits and characteristics of violent offenders (1998)
- Economist.com. Dusting for digital fingerprints. Technology quarterly, U.S. edition; March 12,...
- et al. Threat assessment in schools: a guide to managing threatening situations and to creating safe school climates (May 2002)
- Fischer LF. Characterizing information systems insider offenders. In: Proceedings of the 45th annual conference of the...
- et al. Tenth annual CSI/FBI computer crime and security survey (2005)
- The missing link in information security: three-dimensional profiling. CyberPsychology and Behavior (1998)
- Explaining foreign policy behavior using the personal characteristics of political leaders. International Studies Quarterly (1980)
- et al. A practical guide to the comparative case study method in political psychology. Political Psychology (1999)
- et al. Insider threat study: computer system sabotage in critical infrastructure sectors (May 2005)
- Empirical support for the “gender as culture” hypothesis: an intercultural analysis of male/female language differences. Human Communication Research
- The rise of the digital thugs. The New York Times
- The school shooter: a threat assessment perspective
- Linguistic styles language use as an individual difference. Journal of Personality and Social Psychology
- The power of words in social, clinical and personality psychology. Korean Journal of Thinking and Problem Solving
- Insider threat study: illicit cyber activity in the banking and finance sector
☆ The author would like to thank Dr. Steve Band and Dawn Capelli for their review and contributions to this article.