The role of behavioral research and profiling in malicious cyber insider investigations

https://doi.org/10.1016/j.diin.2006.01.006

Abstract

This article reviews recent empirical evidence garnered from inductive studies of insiders examining "who, what, where, when, why and how" of insider computer attacks. These results are then compared to insider "theories" and folklore. Then the use of a specific deductive profiling approach to insider investigation and case management is described along with illustrative case studies. The overall role of the behavioral consultant in insider cases is examined with emphasis on specific forms of support for the investigative team and aid to managers and security personnel with case management of insiders within corporate environments.

Introduction

Government and corporate security firms dedicate significant resources to investigating the insider computer attacks that continue to plague organizations worldwide (Gordon et al., 2005). But, until recently, relatively little behavioral data had been gathered on these subjects and their activities. Nor had much been written on how behavioral investigation techniques, or “profiling,” can contribute to insider investigations and case management. For the purposes of this article, two forms of “profiling” are considered. Inductive profiling involves the study of a group of subjects who share a common characteristic or activity to discern trends or patterns in their motives, characteristics or behavior. The FBI's famous studies of perpetrators of serial sexual homicide (Ressler et al., 1980) would be an example of the use of a series of case studies for this purpose, as would be the studies of insiders referenced below. Deductive profiling refers to the assessment of a subject's personal characteristics from his or her crimes, activities, statements or other reports and is associated with case investigations. The methods described in the second half of this article concern this form of profiling, often associated with identifying an unknown subject from his insider activities and communications and using this information to support an investigation or manage subject behavior and risk.

This article reviews recent empirical evidence garnered from inductive studies of insiders examining “who, what, where, when, why and how” of insider computer attacks. These results are then compared to insider “theories” and folklore. Then the use of a specific deductive profiling approach to insider investigation and case management is described along with illustrative case studies.

Recent empirical research

Many private computer security firms, corporate security departments and law enforcement agencies have extensive experience in insider investigations involving computer systems. However, there have been few studies that have collated technical and behavioral data from multiple sources and performed basic analyses on behavioral trends across cases. Two recent groups of investigators have begun to shed light on some fundamental elements of insider behavior by collecting technical and behavioral

Deductive profiling methods with insider cases

Sometimes studies such as those described above are referred to as inductive approaches to knowledge acquisition because the researcher moves from specific data points to general conclusions (e.g. disgruntled insiders often attack after termination). In this regard, the approach followed is equivalent to a form of the scientific method applied in a post hoc case study format (Kaarbo and Beasley, 1999). Through this method researchers can devise typologies to help characterize different types of

References (35)

  • N. Nykodym et al. Criminal profiling and insider cyber crime. Computer Law and Security Report (2005)
  • A. Brantley. Traits and characteristics of violent offenders (1998)
  • Economist.com. Dusting for digital fingerprints. Technology quarterly, U.S. edition; March 12,...
  • R. Fein et al. Threat assessment in schools: a guide to managing threatening situations and to creating safe school climates (May 2002)
  • Fischer LF. Characterizing information systems insider offenders. In: Proceedings of the 45th annual conference of the...
  • L. Gordon et al. Tenth annual CSI/FBI computer crime and security survey (2005)
  • T. Gudaitis. The missing link in information security: three-dimensional profiling. CyberPsychology and Behavior (1998)
  • M. Hermann. Explaining foreign policy behavior using the personal characteristics of political leaders. International Studies Quarterly (1980)
  • J. Kaarbo et al. A practical guide to the comparative case study method in political psychology. Political Psychology (1999)
  • J. Keeney et al. Insider threat study: computer system sabotage in critical infrastructure sectors (May 2005)
  • A. Mulac et al. Empirical support for the "gender as culture" hypothesis: an intercultural analysis of male/female language differences. Human Communication Research (2001)
  • T. O'Brien. The rise of the digital thugs. The New York Times (August 7, 2005)
  • M. O'Toole. The school shooter: a threat assessment perspective (2000)
  • J.W. Pennebaker et al. Linguistic styles: language use as an individual difference. Journal of Personality and Social Psychology (1999)
  • J. Pennebaker et al. The power of words in social, clinical and personality psychology. Korean Journal of Thinking and Problem Solving (2002)
  • M. Randazzo et al. Insider threat study: illicit cyber activity in the banking and finance sector (August 2004)
The author would like to thank Dr. Steve Band and Dawn Capelli for their review and contributions to this article.