Insider threat programs look for early warning signs of potential insider threats by applying analytics to various data sources to identify indicators of concerning behavior. The analytics used in these programs vary in capability from simple to complex. A method to classify these various levels of analytic capabilities can help insider threat program decision makers select and prioritize analytic requirements for detecting and preventing insider threats.
Many attempts at classifying analytics are too broadly scoped because they try to determine what potential indicators are without first understanding how indicators transition as they move through various stages in the data model. In this paper, we explain how data transformation mappings are used to refine which analytics apply to which transform. Using this model, we can refine what an analytic means for insider threat indicators. We discuss the dimensions that make up the analytic space; from those dimensions, we develop a cost matrix that an insider threat program can use to prioritize analytic indicator development. We provide examples of how the data transforms, and the cost matrix helps clear up some confusion about current insider threat analytic development.
Publisher Statement
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation. References herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.
This report was prepared for the SEI Administrative Agent AFLCMC/AZS 5 Eglin Street Hanscom AFB, MA 01731-2100.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.Date
2021-02-15Copyright Statement
Copyright 2021 Carnegie Mellon University.