Using Insider Threat Profiles To Create

More Effective Early Warning Systems

“When someone shows you who they are, believe them the first time”.- Maya Angelou

“You don’t need a weatherman to know which way the wind blows”.- Bob Dylan

The job is not getting easier

Snowden

Nicholson

Manning

Ames

HanssenMontes

Mallory

Lonetree

Pollard

Walker

Madoff

Martin

Regan

Hasan

McVeigh

Alexis

Khazee

Justice

Claiborne

Underwood

Beliveau

Mo

LiewAwwad Robert

Just to name a few…

Cho

Ivins Ramos

El-Batouty

Lubitz

Security Failure

Action

PredispositionCritical Event

GrievanceIdeation

Planning & Preparation

The Insider Threat Kill Chain

The Power of Human Assessment

Self - DestructionSelf - Healing

Predisposition

Personality

Precipitating events = emotional change

Focused, Tailored, and Profile-Based Early Warning System

Focused

Tailored

Profile-based

The Framework13 Steps to a Better Early Warning System

Using a Whole Person, Whole Threat Approach

EnvironmentWithin Your Control

PersonalitySomewhat Outside Your Control

Precipitating EventsOutside Your Control

Tripwires

Early Warning…”and the wisdom to know the difference”

Determine your early warning program goals

Advertise your program

:

Create an empowered stakeholder team

Identify your critical materials, products,data and processes:

Identify everyone who has access to your critical items:Identify everyone who has accessto your critical items

Determine the early warning capability of your partners

Determine your leading vulnerabilities

Determine theInsider Profiles Most Relevant to Your Situation

Understand your insider profiles

Identify your ‘sensors’

Increase the awareness, appreciation and use of profiles and tripwires

Determine how you will respond:

Seek continuous program improvement

InsiderAttackProfiles

SabotageIP/Data Theft

FraudUnintentional

Workplace Violence

Sabotage

Angry, vengeful, vindictive, disengaged, destructive.

Confrontation with management Poor performance reviewFailed promotion effortWorkplace embarrassment Demotion or termination

Testing of security proceduresMisconfiguring products to cause failure

“Accidentally” breaking a critical machineDefacing company website pages

Contaminating a clean roomAltering enterprise software

Comparative Analysis – Applying the WPV Offender Model to Intentional Adulteration

Class Description Potential Motivations

1Criminal Intent, Outsider

Behavioral Health Patient Social Media Fame Seeker Copycat Extortion Economic motivation

2Customer/Client/Truck Driver

My load isn’t ready, you are costing me money

3Current/Former Employee or Contractor

I am upset with a coworker and adulterate to create problems for that person *I am upset with the company and adulterate as retribution and to harm the brand *Youthful stupidityI am not paid enough *

4 Domestic I am upset with a coworker and adulterate to create problems for that person

5 Ideological Radicalized Insider

* - Supported by actual incident in this briefing

The Food Industry as a Case Example

Recent Intentional Adulteration Incidents Which May Have Been Prevented with Trip Wires

IP/Data Theft

Entitled, narcissistic, anti-social, controlling.

Negative financial event Failed promotion effort

Poor performance reviewUnmet career aspirations

Resignation Termination

“Borrowing” office items for home useBringing in unauthorized equipmentAttempting privilege escalationConducing questionable downloadsViolating cyber security policyWorking out of profile hoursUnusual data transfers Stealing inventory

IP/Data Theft Case Study

Living beyond one's meansFacing debt collectionViolating enterprise policyUsing an enterprise server inappropriately Influencing use of a personally known supplierReporting minor fraudulent expensesUsing controlled, non-public information for insider tradingMaintaining unusually close association with a vendorDemonstrating excessive control over financial dutiesExhibiting shrewd or unscrupulous behavior

Insider Fraud Significant additional expenses Negative personal financial event

Unmet career aspirations

Egotistic, entitled, privileged, self-important

Insider Fraud Case Study

Flighty, unfocused, disorganized, scatter-brained, stressed, strained

Unintentional Insider Threat

New personal or professional

distraction

Personal cell phone/computer overuseUnwittingly providing sensitive infoInappropriately discussing sensitive mattersLeaving out sensitive documents or devicesPosting confidential details to social mediaConsistent failure to meet deadlines

Unintentional InsiderCase Study

Aggressive, detached, confrontational, controlling, unremorseful, and strained

Workplace violenceNegative family or relationship event

Emotional outburstsRefusing to work with othersFailure to communicateFailure to work in groupsDifficulty taking criticism Violating boundariesThreatening violencePhysical altercationsReflections of extremist beliefs

Workplace Violence Case StudyPhoto Courtesy of Long Beach Police Department

Val LeTellierASIS Defense & Intelligence Councilval@nlgroup.us

David NiccoliniTorchStone Global

david@torchstoneglobal.com

Frank PisciottaBusiness Protection Specialists

fp@securingpeople.comASIS Food Defense &

Agriculture Security Council

James SummersASIS Food Defense & Agriculture Security Counciljames.summers@kellogg.com

Jeff SiebenASIS IT Counciljeff.sieben@resolver.com