SEI Research Review 2015

Social Network Dynamics of Insider Threats:How do Job Engagement & Insider Espionage Relate?

Empirical analysis of insider espionage incidents (non-moles) show spy disengagement at work and home. A system dynamics (SD) model explains social network changes & helps analyze bene�ts of greater job engagement.

Approach:

• Disincentive espionage by attracting cooperation through positive incentives, complementing coercive approaches

• Indicators of disengagement alert �rst-line managers to sustain productivity/retention (lessens impact of false positives)

• Serious or continuing disengagement reviewed by investigators for action

• Social network analysis of spy incidents with SD model providing link to theory

Key Challenge: Distinguish employee engaged in job from spy gathering intel

Preliminary Finding: Spying decreases with greater employee job engagement, but other sociotechnical measures likely needed.

Future Work: Re�ne & Validate Model

• Measure level of spy disengagement

• Interview orgs to determine relationship among engagement, practices, & theft

• Develop a disengagement analysis and response tool based on SD model/ORA

Contact: Andrew P. Moore apm@cert.org Kathleen M. Carley kathleen.carley@cs.cmu.edu

Distribution Statement A:Approved for Public Release;Distribution is Unlimited

An Emerging Physics of Job Engagement and Insider Espionage

Social Network Dynamics of Spy Disengagement with Work and Family Two-Dimensional Spy Motivation Space

Social Network within Organization Social Network with Adversary

Social Network with Family

perceived success of insider’s organizational

activities (breeding trust) insider’s cooperative activities engaged in

organization

Reinforcing Social Capital in Organization

Limits to Social Capital Growth in Organization

Reinforcing Social Capital with Adversary

Limits to Social Capital Growth with Adversary

Declining Social Capital within FamilyDisgruntlement Due to

Policies/Rules

rigidity of policies/rules of operation mandated by

context

rigidity of local policies/rules of operation

average social connections per person

within organization

insider’s espionage activities engaged with

adversaryperceived success of

insider’s spying activities (breeding trust)

perceived value of connections with

adversary

insider’s disaffection with

family

strength of insider’s connections with family

insider’s �nancial desperation

insider’s social connections within

organization

perceived value of connections within

organization

employee engagement

people in organization

espionage threshold

organization allegiance

insider’s motivation

to spy

coercion of insider

insider’s ideological motivation

insider’s social connection with

adversary

insider’s disaffection with organization

professional stressors

employee resilience

R1a

B1a

B2

B1b

R1b

R2

–

–

–

–

–

–

–

–

–

––

+

+

++

++

+

+

++

+

+

+

+

+

+ ++

+

+

+

+

+

+

Engagement levelsfairly constant over years. (OPM 2014)Gallup 2013)

hiring engaged employees

hiring employees

disengaged employees

A stock (grouping)

A �ow between stocks.

engaging employees

departing engaged employees

departing disengaged employees

departing employees

changingdisengagement

hiring disengaged employees

starting to spy

fraction engagement improvement at month 3

percent actively disengaged starting to spy per year

~65% of USG workforce

~20% of USG workforce

~15% of USG workforce

Simulation shows espionage not very sensitive to extent of engagement at hiring

percent actively disengaged starting

to spy per year

fraction engagement improvement at month 3

EngagedEmployees

MildlyDisengagedEmployees

FormerEmployees

InsiderSpies

Actively Disengaged Employees

–

+ +

Gener

ally O

rient

ed to

Self

Gener

ally O

rient

ed to

Oth

er

Disaffection

Coercion

All variables range 0 to 1:Let X = Max(Money, Ideology)Let Y = Max(Disaffection, Coercion)

Motivation = X+(1–X)*YMotivation to Spy = Motivation * (1 – Org Allegiance) * (1 – Family Connection)

IdeologyMoney

Neal W. Altman, Matthew L. Collins

0 1

-1 .5 1

5

Characteristics Proxy Source Aggressive Repeated Interrogatives ??? Behavior Aggressive Repeated Exclamations !!! Behavior Aggressive Sentiment Behavior Aggressive Email Length (Short) Behavior Smart Characters Per Word Behavior Smart Characters Per Sentence Behavior Smart Sentence Length Behavior Smart AVG Reading Ease Behavior Chameleon Variability of Behavior Network Chameleon High Shared Symbols across

groups Network

Compartmentalization Local Betweenness Network Compartmentalization High Variability in

Reciprocity Network

Compartmentalization High Number of External Connections

Network

Dynamic network metrics can be used to identify those people who are potential insider threats. The key: they grow structural holes and have unusual betweenness.

Approach• Dynamic meta-networks—linking people,

personality traits, organizational role traits

• Case Studies: 9 espionage cases

• Extract dynamic networks

• Compare networks using graph techniques

• Email Studies: Enron corpus

• Use machine learning to characterize insiders based on network metrics

• Use machine learning to characterize insiders using other features derived from case studies

• Identify commonalities across two sub-studies Key FindingsCharacteristics of Insider threatsDisengagement with work and family, increasing ties outside• Network features • Build structural holes • NOT: degree centrality • Member of multiple local clusters • Increasing betweenness at “group” level • Decreasing ties to family or break with signi�cant other• Social or Organizational features • Access • Had or was in military service • Minimal supervision• Psychological features • Intelligent • Wanted to “use-the-system” for own gain • Wanted change (money/psych change)• Network features similar to other covert actors• Complimentary patterns in case studies and email• Not testable• To be tested

Espionage Case StudiesExtracted people, traits, and task featuresPeople classi�ed as in organization, external, or family

ENRON EmailORA for Network metrics, JRIP for ML

Future Work: Add “psychological” features to “network

Contact: Andrew Moore apm@cert.org, Kathleen M. Carley kathleen.carley@cs.cmu.eduGeoffrey Morgan, Neal Altman, Matt Collins

SEI Research Review 2015Distribution Statement A:Approved for Public Release;Distribution is Unlimited

Dynamic Networks of Insider Threats – Growing Holes

Individual Level Network Metrics

Group Level Network Metrics

Dynamic Networks

Behavioral Characteristics

TRUE50%

FALSE60%

TRUE50%

FALSE60%

TRUE50%

FALSE60%

(InverseClosenessCentrality_TO HI

OR CliqueCount_TO LO

& (CorrelationResemblace_TO LO

OR May2001_InDegree_TO_Internal) HI

& (CognitiveSimilarity_TO HI

OR ClusteringCoef�cient_TO LO

OR AuthorityCentrality_TO) LO

& (Constraint_TO Not VERY HI

ColumnGiniMeansDifference_TO POS

OR InverseClosenessCentrality_TO LO

&

(InverseClosenessCentrality_BCC HI

OR InverseClosenessCentrality_TO LO

& (Oct01_InDegree_TO_Internal POS

OR WeakComponentMembers_BCC) VERY HI

&

(ColumnGiniMeansDifference_TO POS

OR WeakComponentMembers_BCC HI

& May2001_InDegree_TO_All Not VERY LO

TRUE86%

FALSE18%

TRUE76%

FALSE11%

TRUE29%

FALSE4%

Frequency of “CC” Messages to Employees LOW

& Median “TO” Connections to Employees HI

Variance in “CC” Connections to Outsiders LOW

Variance in “TO” Connections to Employees V HI

& Variance in “CC” Messages to Employees LOW

Average “CC” Messages to Employees HI

& Total “CC” Messages to Employees LOW

Variance in “TO” Connections to Employees HI

& Total “CC” Connections to Employees LOW

Variance in “CC” Connections to Employees LOW

Median “TO” Connections to Employees LOW

& Frequency of “TO” Messages to Outsiders HI

Total “TO” Connections to Employees HI

Variance in “TO” Connections to Employees HI

00

0.1

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

ROC Curve, Enron October ’01

False Positive Rate

True

Pos

itiv

e R

ate

00

0.1

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

Connections and Messages - Enron ROC Curve

False Positive Rate

True

Pos

itiv

e R

ate

Cleaning

NetworkAnalysis

DataFusion

Prediction

ORA

Network Dynamics Poster

Copyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

* These restrictions do not apply to U.S. government entities.

Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.

DM-0002735

Social Network Dynamiss Poster

Copyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie

Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON

AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS

TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,

EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY

WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the

copyright and “No Warranty” statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without

requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to

the Software Engineering Institute at permission@sei.cmu.edu.

* These restrictions do not apply to U.S. government entities.

Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.

DM-0002734