please write an abstract based on the following instructions:
- the research problem (research phenomenon)
- the purpose of this dissertation;
- the gap in the extant literature
- research questions;
- research methodology (quantitative likert-scale question survey, population and sample size, response rate etc.)
- summary of data analysis (descriptive and regression analysis was conducted using XXX software, e.g.)
- summary of major findings: did you find any things different from the extant literature? If yes, list here. Better yet, link back to each research question if possible.
- contributions or implications of your dissertation
- also please change the tense of the paper from future (Will) to past (did).
- running heads are required for every page
A SURVEY STUDY: IDENTIFICATION OF BEHAVIORAL INDICATORS IN MALICIOUS INSIDERS’ THREATS IN CYBERSECURITY.
By
Haifa Alanazi
MICHELLE LIU, PhD, Committee Chair
ALEX MBAZIIRA, PhD, Committee Member
ALI BICAK, PhD, External Reader
Jonathan Aberman, LLM, Dean
College of Business, Innovation, Leadership, and Technology
A Dissertation Presented in Partial Fulfillment
Of the Requirements for the Degree
Doctor of Science
Marymount University
October 2023
Abstract
The oil and gas industry’s digital transformation involves a variety of technological changes, and with
these changes come a variety of cyber threats, which are becoming a great concern for an industry in
which a serious incident can influence oil prices severely. Insider threat incidents continue, while efforts
to understand what goes on in an insider’s mind take a back seat to developing technical controls. The study
focuses on malicious insider threats and aims to establish possible behavioral indicators of a malicious
insider threat to cybersecurity in oil and gas firms, and seeks to provide an explanation based on a link
between personality traits (characteristics, motivation, capability, and opportunity) and malicious insiders’
threats in cybersecurity. Further, this study aims to use a survey study design to determine the current
technical capabilities to mitigate insider threats within computer security systems. A questionnaire
will be administered to human resources personnel and IT specialists who will be purposively chosen
as participants in the study. The questionnaire responses will be tabulated and analyzed to answer the
research questions. The expected results will provide researchers and practitioners with new information.
Keywords: Malicious insider threats, oil and gas firms, cybersecurity, survey study
© 2023 Haifa Alanazi
All Rights Reserved
Abstract …………………………………………………………………………………………………………………………. 1
Chapter One: Introduction ……………………………………………………………………………………………….. 6
Introduction ……………………………………………………………………………………………………………………. 6
Background of the Study …………………………………………………………………………………………………. 7
Problem Statement ………………………………………………………………………………………………………… 11
Statement of Purpose …………………………………………………………………………………………………….. 13
Research Question(s) …………………………………………………………………………………………………….. 14
The null and alternative hypotheses ……………………………………………………………………………… 15
Significance of the Study ……………………………………………………………………………………………….. 18
Advancing Theory ……………………………………………………………………………………………………… 18
Advances in Practice ………………………………………………………………………………………………….. 19
Filling A Gap in The Literature …………………………………………………………………………………… 19
Assumptions…………………………………………………………………………………………………………………. 20
Limitations of the study related to design and / or methodological weaknesses …………………….. 21
Measures to Address Limitations …………………………………………………………………………………. 22
Definition of Terms ………………………………………………………………………………………………………. 23
Organization of the Remaining Chapters………………………………………………………………………….. 24
Literature Review ………………………………………………………………………………………………………. 24
Methodology …………………………………………………………………………………………………………….. 24
Chapter 2: Literature Review ………………………………………………………………………………………….. 25
Introduction ………………………………………………………………………………………………………………….. 25
Literature Search Strategy ……………………………………………………………………………………………… 25
Literature Search engines ……………………………………………………………………………………………. 26
Insider Cybercrime: the perspective of Routine Activities Theory ………………………………………. 27
Insider Cybercrime: the Perspective of Diamond Theory …………………………………………………… 29
Insider Cybercrime: the Cognitivist Perspective ……………………………………………………………….. 30
Theory of Attribution …………………………………………………………………………………………………….. 31
Theoretical Perspectives in insiders’ threats in cybersecurity ………………………………………………. 33
Insider Threat Frameworks …………………………………………………………………………………………….. 34
Appreciation and prediction of insider attacks framework by Schultz (2002) ……………………. 36
Insider Threat Security Reference Architecture (ITSRA) Montelibano et al. (2012) …………… 39
Synthesis of Literature Findings in detection frameworks in malicious insider threats …………… 40
Theoretical Framework ………………………………………………………………………………………………. 41
Figure 1 Theoretical framework of describing malicious insider threats in cybersecurity ………. 41
Review of the Literature ………………………………………………………………………………………………… 41
Operationalization of Variables ………………………………………………………………………………………. 49
Conceptual framework …………………………………………………………………………………………………… 50
Figure 2 . Conceptual framework of malicious insiders’ threat in cybersecurity ……………………. 50
Study limitations …………………………………………………………………………………………………………… 50
Summary ……………………………………………………………………………………………………………………… 51
Chapter 3: Research Methods …………………………………………………………………………………………. 52
Introduction ………………………………………………………………………………………………………………….. 52
The rationale for the Research Approach …………………………………………………………………………. 52
Methodology ………………………………………………………………………………………………………………… 54
Figure 3. The survey study approach layout for this research. …………………………………………….. 55
Table 1: Observable behaviors and their possibility …………………………………………………………… 55
The variables that will be assessed in the study. …………………………………………………………….. 58
Population…………………………………………………………………………………………………………………. 60
Sampling and Sampling Procedures ……………………………………………………………………………… 60
Procedures for Recruitment, Participation, and Data Collection (Primary Data) ……………………. 61
Artifacts ……………………………………………………………………………………………………………………. 63
Pilot Study ………………………………………………………………………………………………………………… 63
Instrumentation………………………………………………………………………………………………………….. 63
Data Analysis ……………………………………………………………………………………………………………. 63
Validity …………………………………………………………………………………………………………………….. 66
External Validity ……………………………………………………………………………………………………….. 67
Internal Validity threats ………………………………………………………………………………………………. 67
Construct Validity ……………………………………………………………………………………………………… 68
Construct validity threats ……………………………………………………………………………………………. 69
Ethical Considerations …………………………………………………………………………………………………… 69
Summary ……………………………………………………………………………………………………………………… 69
Chapter 4: Data Analysis ……………………………………………………………………………………………….. 71
4.1 Introduction …………………………………………………………………………………………………………. 71
4.2 Pilot Study …………………………………………………………………………………………………………….. 74
4.3 Data Results …………………………………………………………………………………………………………… 75
4.4 Data Analysis …………………………………………………………………………………………………………. 78
4.5 Hypothesis Testing …………………………………………………………………………………………….. 98
The alternative hypotheses: …………………………………………………………………………………….. 100
4.6. Correlations ………………………………………………………………………………………………………… 108
4.7. Frequencies and percentages …………………………………………………………………………………. 127
4.8. Multivariate Regression Analysis Prerequisite – Outliers and Assessment of the Data … 134
Table 4.12 …………………………………………………………………………………………………………… 135
Table 4.12………………………………………………………………………………………………………………….. 137
Figure 4.10 ………………………………………………………………………………………………………………… 138
4.9. Summary of the Data analysis and Results ……………………………………………………………… 145
Chapter 5: Discussion, Conclusions, and Recommendations ……………………………………………. 153
5.0. Introduction ………………………………………………………………………………………………………. 153
5.1. Summary of the Results ………………………………………………………………………………………… 154
5.2.0 Hypothesis Testing …………………………………………………………………………………………….. 157
5.3. Correlations ………………………………………………………………………………………………………… 159
5.4. Frequencies and Percentages …………………………………………………………………………………. 159
5.5. Multivariate Regression Analysis Prerequisite – Outliers and Assessment of the Data. … 161
5.6. Summary of the Data analysis and results ……………………………………………………………….. 163
5.7. Interpretation of Findings ……………………………………………………………………………………… 165
5.8. Limitations of the Study ……………………………………………………………………………………….. 169
6.0 Recommendations ………………………………………………………………………………………………. 171
7:0 Conclusion…………………………………………………………………………………………………………. 173
Appendices…………………………………………………………………………………………………………………. 175
Appendix 1 Questionnaire to Participants Dealing with the IT ………………………………………. 175
Appendix 3: An introductory letter: …………………………………………………………………………… 186
Appendix 4: The information sheet:……………………………………………………………………………. 188
Appendix 5: Consent Form ……………………………………………………………………………………….. 191
References ………………………………………………………………………………………………………………….. 193
Figures
Figure 1 Theoretical framework of describing malicious insider threats in cybersecurity ………. 35
Figure 2 . Conceptual framework of malicious insiders’ threat in cybersecurity ……………………. 50
Figure 3. The survey study approach layout for this research. …………………………………………….. 55
Tables
Table 1: Observable behaviors and their possibility …………………………………………………………… 55
Chapter One: Introduction
Introduction
This chapter highlights the key areas discussed in the introduction. These include introducing the
study topic, a brief review of the study’s background, the problem statement, and the statement of
purpose. Further, this section includes the research questions, the study hypotheses, and the study’s
significance in advancing related theory, advancing practice, and filling the gap in the literature.
Additionally, the assumptions, the limitations of the study related to design and methodological
weaknesses, the measures taken to address those limitations, and the definition of terms are also
discussed in this section.
Cybersecurity is critical for an organization to reach its goals in today’s digitally controlled
economy. Accordingly, a transformation is essential to complement existing approaches and to notice
early any irregularities in the information system. The external risk group contains hackers,
cybercriminals, and state-sponsored actors. Outsiders carry out most of the data losses reported by
various organizations. Typically, outsiders’ attacks arise from outside the organization and have generally
been addressed with traditional safety measures such as a “defense in depth” approach (Mazzarolo and
Jurcut, 2019). Studies (Ophoff et al., 2014; Partners, 2015; Parush, 2017) have shown that deterrent
measures have most often focused on the outsider threat and underestimated the dangers of the internal
threat. Insider threats present a significant cybersecurity risk to an organization (Chapman, 2020); they
appear to have increased over the last few years and are estimated to be among the most expensive and
problematic to recover from. Threats that begin from inside are usually more difficult to avoid and detect
because insiders are conversant with the organization’s system topology, arrangements, information, and
guidelines, and can access confidential data with relatively few restrictions (Chapman, 2020; Maasberg
et al., 2020).
Research continues to show that a significant share of the cybersecurity threat exposure in
firms comes from the inside rather than the outside (Omar et al., 2017; Parush et al., 2017). Firms have
attempted to address insider risk exposure and the prediction techniques used to diagnose insider
threats early (Khan et al., 2019). Established research findings indicate that most cyber incidents are
human-sanctioned, which calls for more research on less-studied areas touching on cybersecurity, such
as different aspects of a person’s behavior.
Evidence from the few available published research articles indicates that a person’s social
and behavioral aspects may have an impact on cybersecurity threats arising from insiders
(Parush et al., 2017). There is a need to investigate the cybersecurity threats posed by insiders in order to
protect petroleum resources against insider cybersecurity threats and to improve the currently available
data on insider threats in cybersecurity. All businesses are moving into the digital world. The oil and
gas sector is very dominant; any damage caused by cyber threats will have severe consequences, especially
a fall in oil and gas prices in the global market.
Background of the Study
This literature review section highlights cybersecurity and insider threats and focuses on a
multidisciplinary method that collectively addresses cybersecurity behavior and human-based factors.
Cybersecurity is wide-reaching: it involves information technology and focuses on various features in a
firm that address information availability, confidentiality, and integrity threats, as well as threats
arising from human aspects. Researchers have recognized insider threats as a significant cause of
cybersecurity problems in a given firm (Mazzarolo and Jurcut, 2019; Myers et al., 2009). Other
reported cybersecurity threats include hacking and operational risks. Because of this, protective measures
for cybersecurity necessitate a multidisciplinary method, a comprehensive strategy, and a
commitment by all staff to exercise safety measures in all facets of the firm. This calls for all the various
supervision levels to be cohesive and to sustain operational cybersecurity applications.
Research findings demonstrate that discontented insiders in a firm may easily be at risk of
compromising the firm’s data. Such compromised insiders are a potential threat who may breach the
firm’s data or its clients’ data. Azaria et al. (2014) found that malicious insiders were more likely to
compromise the firm’s or clients’ data by releasing a significant amount of data from their firm using
portable devices such as CDs and USB sticks. Azaria et al. (2014) emphasized the plausible ways a
malevolent insider can convey data out of a firm but did not determine the emotional characteristics of an
insider that may encourage malevolent acts. In another study, Hong et al. (2010) proposed that forming a
strong insider security system is significant in a firm, and that creating a reciprocal trust relationship
between the insider and the firm to diminish the possibility of insider hazards is equally critical.
Hong et al. (2010) suggested that deterring the insider menace necessitates safeguarding
internal appliances and early detection of insiders’ behavior or intents that may be related to
information interference. Further, the researchers reasoned that, beyond the security system
identifying and tracking the inside attacker, the firm needs to have interconnections among each
work domain to deter a single person from holding many sanction powers.
These researchers did not study the likely impact of psychology or behavior patterns on insider
hazards, which this study addresses.
Ophoff et al. (2014) grouped insider threats and stated that workers within the information
system take advantage of their legitimate access rights to carry out malicious acts. These researchers
recognized that the most researched areas in insider cybersecurity threats were ‘Theoretical
Perspectives’ and ‘Insider Threat Mitigation’, with ‘Insider Threat Management’ being mainly
under-investigated. Insider threat management is a significant area of information systems which can play
a critical role in safeguarding against information availability, confidentiality, and integrity threats,
and which this study will review. Maalem et al. (2020) concluded that human beings’ impulsive and
distinctive behavior and activities make the human characteristic a significant aspect of, and enabler in,
cybersecurity threats. The researchers emphasized the importance of various human characteristics
such as social factors, biases, intent, decision-making, and many others for understanding cybercrimes.
However, there is still a scarcity of studies focusing on what defines competence in leaking
information from a firm over a given period. Cobb (2016) assessed the different types of dispositions in
varied cyber characters and job gratification in cybersecurity. Still, the study did not explore
cybersecurity skill and the likelihood this may have in the face of critical advances in security facts
and crime deterrence. Mookerjee et al.’s (2011) study on how to realize data security under
unpredictable attacks and information circulation established that cyber insecurities came from
individuals who could penetrate the firm’s systems, compromising its data. The researchers concluded
that detection of data loss can be heightened by the system’s increased capability to isolate cyberattacks
from normal usage through constant maintenance, assessment, and advancement of the detection system
in line with the changing environment.
The literature focuses on insider threats in two aspects, namely intentional (malicious) and
unintentional human threats (human error) (Carreras et al., 2020). Parush et al. (2017) studied human
error as a behavioral characteristic that could be an unintentional cybersecurity risk. They concluded that
many reasons may cause unintended cybersecurity issues, including psychological and physical ones
(Eftimie et al., 2020; Corradini, 2020). A survey by Ponemon (2014) showed that over 50% of respondents
reported a deficiency of data on security results and were uncertain whether the accessible solutions might
be the basis of attacks. These studies exposed that insiders’ malicious activities may cause loss of
information integrity, confidentiality, and availability, which is a significant cybersecurity threat arising
from insiders (Prakasa, 2019).
Several researchers have established a relationship between cybersecurity insider threats and
information loss. A hacker from inside the firm has access rights and can manipulate the security
measures installed in the devices, such as firewalls. This makes insider threats in cybersecurity
matters a subject of utmost importance for cybersecurity management. Partners (2015)
indicated that firms focused more on the unintentional insider risk of data loss than on malicious data loss.
Further, Partners (2015) noted that unreasonable behavior could be hazardous and inconsistent since
it is shaped by intensifying wrath and driven by the absence of work fulfillment. The
consequence of this is that an insider who is not gratified in a firm can effortlessly turn into a malicious
weapon for interfering with the data, since they have access (Noonan, 2018).
Further, Myers et al. (2009) proposed that computerized insiders can be inspired to engage in
unlawful use of their rights. Azaria et al. (2014) studied various psychological and social models and the
role of motivation factors in insider threats. Researchers have observed insiders’ characteristics, such
as personal tendencies, dissatisfaction, high pressure, and the existence of potential behaviors (drug
abuse, violence, etc.), forming unrecognizable attack channels or insufficient access rights after
completing tasks (Yang, 2018). According to current research results, it can be concluded that there is
a lack of data against internal threats in network security, and that deliberate malicious errors can lead to
the loss of confidential information, thereby damaging the integrity and privacy of company data
(Azaria et al., 2014).
Several cases of insider threats have been reported, such as Equifax (Kenny, 2018), The Home
Depot (Syed, 2019), Snapchat (Chavira, 2017), Sony (Romanosky and Boudreaux, 2020), and Korea
Credit Bureau (Hu et al., 2019).
With investments in 24 countries globally, Equifax senior managers left the business after an
enormous data breach. Equifax exposed confidential financial information: names, birth dates,
addresses, and social security numbers of over 140 million American citizens and 694,000 UK
customers, which was triggered by an Equifax technology employee who ignored “security
cautions.” The company experienced massive losses as share prices plunged 18.4% after
the breach.
Home Depot is among the world’s foremost home improvement vendors, with a network of over 2,200
stores. Using a third party’s access rights, hackers elevated their privileges and installed malware on
around 7,000 self-checkout systems in Canada and the USA, obtaining the debit and credit card details of
customers and their email addresses, costing Home Depot an astounding $179 million.
In 2016, Snap Inc. was attacked by a person pretending to be one of the founders, Evan Spiegel,
who was emailed the payroll data of over 700 employees of the corporation, compromising their
identities. Between 2012 and 2014, a computer contractor who worked at Korea Credit Bureau copied
confidential customer information (names, phone numbers, and social security numbers) onto a USB
stick and sold it to marketing firms, affecting over 20 million South Koreans. These real-world instances
undoubtedly demonstrate that malicious insiders present a significant threat to a firm.
The cited literature has explored various aspects of insider threats. These studies focus
on human behavior, such as deliberate mistakes and the motivational factors that drive insiders to steal
information from the company. Still, few of them focus on intentional insider threats, rather than human
error, using a multidisciplinary approach that combines human factors and cybersecurity behaviors to
identify threats and thereby suppress cybersecurity threats, which this study addresses.
Problem Statement
Cybersecurity is one of the grave problems in an organization. Several studies have been
carried out and measures have been suggested, but few if any of the measures against insider threats
in cybersecurity matters (Mazzarolo & Jurcut, 2019) are successful. The field of cybersecurity focuses
more on risks from outsiders than on insider threat risks. There are frequent reports that insider threats
are among the fundamental reasons for successful data leaks (Kont et al., 2015). Despite the great
benefits of technology, insiders’ security attacks and deliberate misbehavior result in significant
losses to the firm. The rising cost of cybersecurity due to insider threats is enormous. The estimated
cost of malicious insider threats comprises three components, namely direct costs (funds required
to detect, alleviate, investigate, and remediate violations), indirect costs (the value of resources and staff
time spent handling incidents), and opportunity cost of loss (potential loss of profit due to the attack).
According to studies by the Ponemon Institute (2018 and 2020) on the cost of malicious
insider threats, the average cost of an incident rose by 31% between 2017 ($8.76 million) and 2019 ($11.45
million). These costs continue to grow over time. As all industries move towards digital
transformation, including the oil and gas sector, any probable damage caused by malicious insiders’
cybersecurity threats would result in a fall in oil prices in the global market. Human factors in network
security are the most difficult to manage, since users with less understanding of security are still an
essential part of network security. Insiders can easily bypass existing physical and technical safety
controls since they may have legitimate rights.
Further, the insiders, who are the employees of the firm, interact with or access the data daily.
Detecting malicious activity is challenging and time-consuming (Mazzarolo and Jurcut, 2019). Also,
employees with sufficient technical knowledge may escape early detection because they hold security
controls and rights (Mazzarolo and Jurcut, 2019). The studies reviewed focused mainly on insider
threats due to unintentional activities such as human error. This study focuses on malicious
insider threats to cybersecurity in the oil and gas industry, which has rarely been studied. This research
aims to categorize the possible psychological personality reasons, motivation, and capabilities that
may influence the insider threat problem, determine the challenges of mitigating insider threats, and
suggest the best possible insider threat mitigation tools or strategies.
Statement of Purpose
A survey study design will be used as the data collection and analysis technique, as it is an effective
methodology for dealing with complex circumstances in populations. This study’s population includes
human resource personnel who have proper knowledge of insider threats, their features, attitudes,
motivators, and methods of preventing insider threats in the cybersecurity department, together with IT
specialists. This population is sufficient for this analysis given the time constraints. Quantitative analysis
will be employed to obtain and analyze data in support of theories that can identify insider threats through
specific characteristics, such as behaviors and motivation factors, which can be prevented through
technology and overall preventive measures or methods. The participants included in this study will be
drawn from employees who work in the oil and gas company. A set of questions will also be used to
obtain information on the selected variables. When determining the proposed theory’s consistency, three
variables will be considered: the malicious insider’s characteristics, the insider’s observable behavior,
and the motivation that drives the insider to a malicious attack on cybersecurity.
The first variable of the analysis will identify the opportunities available to the insider in
the firm which may pose threats to cybersecurity by malicious insiders. This variable will be obtained and
analyzed using questionnaires administered to the IT specialists and experts in the firm. The information
collected for this variable will be measured through logical argument and comparison.
The second variable analyzed will be the observable personality behavior of insiders. Based on
the reviewed articles on insider threats, insiders usually show certain observable behaviors, personality
traits, and characteristics which can be associated with an insider’s threat to cybersecurity. The
information will be obtained using a questionnaire given to staff who work in the firm and are involved
in IT. The findings will be used to determine which employee behaviors indicate a likelihood of
attacking the company’s assets, and which assets may be attacked. The results will also be compared
and contrasted with the available findings in published articles on insider threats. The information
obtained for this variable will be used for logical argument and comparison.
In this study, the third variable addressed will be the motivators that drive employees to turn
into insiders. Such motives can range from personal gain to retribution. As with the other variables, the
information for this variable will be derived from academic papers and previous research studies on
insider threat attacks.
Another way of collecting this knowledge will be to have the employees in the identified
sections fill in the questionnaire to establish the motivators that may prompt an insider to act. As
with the other variables, the data obtained for this variable will be evaluated by logical reasoning and
comparison.
Research Question(s)
1. Does the level of motivation among malicious insiders affect their impact on business security,
information infrastructure, and data security layers?
2. Do specific personality traits influence the engagement of malicious insiders in unauthorized
activities within business security, information infrastructure, and data security layers?
3. Does the level of opportunity available to insiders impact their likelihood of exploiting
vulnerabilities and gaining unauthorized access to business security, information
infrastructure, and data security layers?
4. Do the capabilities and skills of malicious insiders influence their ability to exploit
vulnerabilities in business security, information infrastructure, and data security layers?
The null and alternative hypotheses
1.
Ho: Insider threats with higher motives are more likely to have a negative impact on the
business security layer.
H1: Insider threats with higher motives are more likely to have a negative impact on the
business security layer.
2.
Ho: There is no significant relationship between insider personality traits and their
engagement in unauthorized activities within the business security layer.
H1: Insider threats with specific personality traits are more likely to engage in unauthorized
activities within the business security layer.
3.
Ho: There is no significant relationship between the level of opportunity an insider
possesses and their likelihood of gaining unauthorized access to the business security layer.
H1: Insider threats with more opportunities are more likely to take advantage of flaws and
gain unauthorized access to the business security layer.
4.
Ho: There is no significant relationship between the cybersecurity capabilities of insiders
and their ability to exploit vulnerabilities in the business security layer.
H1: Insider threats with greater skills are more likely to take advantage of flaws in the
business security layer.
5.
Ho: Insider threats with higher motives are more likely to have a negative impact on the
Information Infrastructure security layer.
H1: Insider threats with higher motives are more likely to have a negative impact on the
Information Infrastructure security layer.
6.
Ho: There is no significant relationship between insider personality traits and their
engagement in unauthorized activities within the Information Infrastructure security layer.
H1: Insider threats with specific personality traits are more likely to engage in unauthorized
activities within the Information Infrastructure security layer.
7.
Ho: There is no significant relationship between the level of opportunity an insider
possesses and their likelihood of gaining unauthorized access to the Information
Infrastructure security layer.
H1: Insider threats with more opportunities are more likely to take advantage of flaws and
gain unauthorized access to the Information Infrastructure security layer.
8.
Ho: There is no significant relationship between the cybersecurity capabilities of insiders
and their ability to exploit vulnerabilities in the Information Infrastructure security layer.
H1: Insider threats with greater skills are more likely to take advantage of flaws in the
Information Infrastructure security layer.
9.
Ho: Insider threats with higher motives are more likely to have a negative impact on the
Data security layer.
H1: Insider threats with higher motives are more likely to have a negative impact on the
Data security layer.
10. Ho: There is no significant relationship between insider personality traits and their
engagement in unauthorized activities within the Data security layer.
H1: Insider threats with specific personality traits are more likely to engage in unauthorized
activities within the Data security layer.
11. Ho: There is no significant relationship between the level of opportunity an insider
possesses and their likelihood of gaining unauthorized access to the Data security layer.
H1: Insider threats with more opportunities are more likely to take advantage of flaws and
gain unauthorized access to the Data security layer.
12. Ho: There is no significant relationship between the cybersecurity capabilities of insiders
and their ability to exploit vulnerabilities in the Data security layer.
H1: Insider threats with greater skills are more likely to take advantage of flaws in the Data
security layer.
The personality factors that may influence insiders’ threats to cybersecurity will form the
definite characteristics, which will be measured nominally to determine whether a person is or may be
an insider threat by reviewing past incidents of insider attacks. The probable challenges of mitigating
insider threats will be measured nominally and ranked to determine which challenges most threaten the
firm’s cybersecurity. The mitigation tools’ ability to protect against insiders’ threats will be
measured using a Likert scale to determine the best tool for protecting cybersecurity. A significance
level of 0.05 will be used for all hypothesis tests in this study.
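The hypothesis-testing procedure described above, worked as an added example that is not part of the dissertation: a two-sided permutation test of the null hypothesis in H7 (opportunity, measured on a 1-5 Likert scale, versus unauthorized access to the Information Infrastructure layer, measured nominally) decided at the stated 0.05 level. The survey responses, the function names and the choice of a mean-difference permutation test are assumptions; the dissertation does not name its test statistic.

```python
"""Permutation test for one of the study's null hypotheses (added example).

Hypothesis 7: Ho says there is no relationship between the level of opportunity
an insider has (a 1-5 Likert score) and unauthorized access to the Information
Infrastructure security layer (nominal: 1 = reported, 0 = not reported).
The survey responses below are constructed; the dissertation does not name its
test statistic, so the mean-difference permutation test is an assumption.
"""
import random
from typing import Dict, List, Sequence, Tuple

ALPHA = 0.05  # significance level stated in the text


def likert_distribution(scores: Sequence[int]) -> Dict[int, int]:
    """Descriptive statistic: how many respondents chose each Likert point."""
    return {point: list(scores).count(point) for point in range(1, 6)}


def mean_difference(scores: Sequence[int], outcome: Sequence[int]) -> float:
    """Mean Likert score of respondents with outcome 1 minus those with outcome 0."""
    with_access = [s for s, y in zip(scores, outcome) if y == 1]
    without_access = [s for s, y in zip(scores, outcome) if y == 0]
    if not with_access or not without_access:
        raise ValueError("both outcome groups must contain respondents")
    return sum(with_access) / len(with_access) - sum(without_access) / len(without_access)


def permutation_test(scores: Sequence[int], outcome: Sequence[int],
                     n_perm: int = 999, seed: int = 7) -> Tuple[float, float]:
    """Two-sided permutation test of Ho: no relationship between score and outcome.

    Under Ho the outcome labels are exchangeable, so shuffling them many times
    gives the distribution of the statistic when Ho is true. The returned p-value
    is the share of shuffles whose |difference| is at least as large as observed.
    """
    observed = mean_difference(scores, outcome)
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    labels = list(outcome)
    at_least_as_extreme = 0
    for _ in range(n_perm):
        rng.shuffle(labels)
        if abs(mean_difference(scores, labels)) >= abs(observed) - 1e-12:
            at_least_as_extreme += 1
    # +1 counts the observed labelling itself, so p is never exactly 0
    p_value = (at_least_as_extreme + 1) / (n_perm + 1)
    return observed, p_value


def evaluate_hypothesis(name: str, scores: Sequence[int], outcome: Sequence[int],
                        alpha: float = ALPHA) -> Dict[str, object]:
    """Decide Ho for one hypothesis at the study's 0.05 level."""
    observed, p_value = permutation_test(scores, outcome)
    return {
        "hypothesis": name,
        "mean_difference": round(observed, 3),
        "p_value": p_value,
        "reject_null": p_value < alpha,
    }


# Constructed sample A: respondents reporting unauthorized access (last ten)
# scored their opportunity far higher than those who did not (first ten).
OPPORTUNITY_A: List[int] = [1, 1, 2, 1, 2, 1, 2, 2, 1, 1, 4, 5, 5, 4, 5, 4, 5, 5, 4, 5]
ACCESS_A: List[int] = [0] * 10 + [1] * 10

# Constructed sample B: both groups average exactly 3.0, so the observed
# difference is zero and every shuffle is at least as extreme (p = 1.0).
OPPORTUNITY_B: List[int] = [1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 2, 3, 4, 3, 3, 2, 4, 3, 3, 3]
ACCESS_B: List[int] = [0] * 10 + [1] * 10

if __name__ == "__main__":
    for label, scores, outcome in (("A", OPPORTUNITY_A, ACCESS_A),
                                   ("B", OPPORTUNITY_B, ACCESS_B)):
        print(f"sample {label} Likert distribution:", likert_distribution(scores))
        print(evaluate_hypothesis("H7 (opportunity -> Information Infrastructure)",
                                  scores, outcome))
```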
According to the Dynamic Trigger hypothesis by Andersen et al. (2004), a firm that focuses on
external attacks may contribute to complacency, with established vulnerabilities in organizational
defenses going unaddressed and allowing an insider to gain confidence. Using technology and controls
to protect against both external and internal threats, together with detecting the common behavioral
features of possible attackers within a firm, can provide effective security against insider attacks.
The study is a quantitative survey study design based on attribution theory. This theory attempts
to explain some of the causes of human behavior: it tries to understand the reasons for the actions a
person undertakes as well as the reasons behind the actions other people take. The theory attributes
causes to observed behaviors. This research focuses on an insider’s conduct that can be classified as
a cybersecurity threat. Attribution theory is a branch of cognitive psychology concerned with how
individuals assign causes to such actions (Harvey, 2014). Attribution theory postulates that
individuals can, based on observation, assign actions to either external or internal influences.
Behavior attributed to an internal cause is taken to be under the person’s own control; otherwise the
conduct is attributed to an external cause. The principle of attribution is widely used in marketing
and in various other disciplines, and recently in the study of insider attacks (Posey et al., 2011).
This study applies the principle of attribution to analysts who look for insider risks.
Individuals tend to have an inborn drive to give causal explanations. Theories of attribution
explore how people acquire, integrate and interpret data to make causal decisions. The consensus
aspect considers why the actions of a person in a given situation deviate from the behaviors of
others in the same situation. When consensus is high, individuals usually assign the conduct to
external causes. Consistency refers to how constant an action is over a given period of time in
particular situations; when consistency is poor, individuals equate irregular performance with
internal causes. Distinctiveness asks whether the conduct differs across other related
circumstances. People often prefer to assign a behavior to an internal cause when distinctiveness
is high. The co-variation of these variables predicts whether individuals attribute inconsistent
conduct to external or internal causes. Anomalous actions ascribed to an outside cause may absolve
a possible suspect, whereas ascription to an inside source may point to insider risk. This study
applies the principle of attribution to predict insider threats.
Significance of the Study
Advancing Theory
Cybersecurity threats are not only observed from outside the firm, but are also seen arising
from inside the firm. Malicious insiders are reported to be responsible for a significant proportion of
organizations’ cyber security breaches or other forms of losses and have attracted both academics and
practitioners’ attention. While methods and mechanisms for tracking possible insiders through
monitoring data electronically have been established, insufficient studies have focused on foreseeing
possible malicious insiders. However, the source of many losses in vital information is insider attacks
resulting in greater impact compared to the outsider attacks. Some experts suggest that internal threats
are easier to accomplish than outside attacks because insiders are more conversant with the safety
system in firms where they work. An organization’s insiders either have valid access to organizational
resources or knowledge of the organization’s activities. They can circumvent security protocols with
their expertise and legitimate access and abuse the trust the organization has placed in them. Although
most workers strive to act in a professional and ethical manner, given the insider threat cases that
have been reported globally in the past, it would be negligent for any company to neglect the insider
threat, whether it takes the form of intentionally abusing a position of trust in the industry or of
causing harm to the company.
Identifying possible indicators such as disgruntlement, difficulty accepting feedback and anger
management problems, which have been associated with insiders who turn out to be a threat to the
firm’s cybersecurity, would go a long way toward safeguarding the firm’s data. These three factors are
reasonably good predictors for measuring the insider threat. These indicators, however, are all
variables, and the presumption is that they can be detected in insiders at the workplace. The theory
of attribution will be the basis of this study.
Advances in Practice
In the formulation of mitigation techniques, including non-technical means, understanding the
reality of insider risks and the associated risk environment can assist in creating suitable technical
and non-technical mitigation measures that would detect possible incidents early to curb losses of
information. In this study, a survey will be carried out to identify insiders’ threat indicators,
highlight challenges associated with implementing mitigation measures, and propose the best options
for controlling insiders’ threats in the oil and gas industry.
Filling A Gap in The Literature
The challenges of managing insider threats offer a major explanation for the lack of research
in this area. Insufficient evidence for study and a deficiency of effective methods for exploring the
subject are among the factors that have led to this research void. As such, companies and
organizations continue to use technical controls such as firewalls to avoid potential insider
breaches by limiting user access. Regrettably, with the unacceptable false positive warnings
observed occasionally, technological safeguards do nothing to isolate suspicious and malicious
insider behaviors.
Access control founded on verification and approval, for example, rests on the major presumption
that insiders will always use their legitimate rights to conduct malicious actions and can therefore
be detected; if that presumption is breached, access control loses its power. Another prevalent
insider threat strategy, surveillance, is based on the premise that irregular use of a device suggests
a suspicious insider. However, surveillance is more of a post-hoc tool that validates interest in
already suspicious insiders, which calls into question whether it can act as a deterrent or as a
preventive technique.
Two major shortcomings affecting technological approaches to countering insider threats arise from
the facts that malicious insider motives may be unobservable and that insider behavioral trends differ
significantly from person to person. All insider attacks, however, share the characteristic that they
are carried out by insiders who have the motive and the capability and for whom an opportunity arises.
This research focuses on identifying possible indicators in insiders that may signal a potential threat
to the cybersecurity of the firm.
Assumptions
The study will have several assumptions, which include the following:
a) an insider attacker must be motivated to attack, that is, the insider has a “motive”;
b) an “opportunity” target must be identified by the insider; and
c) the insider must have the “capability” to initiate an assault.
The study will assume that an insider threat is a person with rights who misuses them or whose
access allows them to be abused.
In addition, the study will presume that the insider has rights of access based on verification
and approval. This is a significant presumption: insiders will always use genuine rights to carry out
malicious actions and can thus be detected, but access control will lose its power if this assumption
is broken. Further, the study will assume that the behavior of an insider puts at risk the firm’s
reputation or its money. Additionally, the study will assume that a monitoring technique is employed
to deal with insider threats and would therefore pick out any abnormal system procedure pointing to
suspicious insider threats.
Another assumption the study makes concerns the indicators of an insider’s behavior and
characteristics. The research assumes that all reasons which might be detected at work and assumed
to lie behind a potential or ongoing malicious insider will be revealed in the oil and gas firm.
Limitations of the Study Related to Design and/or Methodological Weaknesses
This study will be limited to the employees of an oil and gas firm who work in the human resource
section and IT specialists, and will use a survey design approach based on one company only. However,
a survey study design has its own concerns that act as limiting factors, such as the interconnected
issues of procedural rigor, partiality of the researcher, and external acceptability. A number of
researchers have indicated that “the use of the survey study frees the researcher of any procedural
deliberations of any kind.” A survey study is reported as having no systematic procedures, which is of
greatest concern due to a relative absence of methodological guidelines. A second problem involves
issues such as reliability, replicability and construct validity in valid types of survey study
analysis.
Generally, criticisms have been raised concerning the methods of qualitative analysis as a
whole, focusing on the interpretative basis of interpretations, explanations, and appreciation of the
results: “quantitative measures appear objective, but only if questions like ‘where’ and ‘how’ the
data was generated are not asked.”
The study design has been criticized as a researcher-subjective method compared to others
that are researcher-independent. However, other authors indicate that the survey study design
contains no more bias toward validation than other approaches to investigation.
Measures to Address Limitations
Key limitation factors in the survey study design approach are summarized below, and possible
ways of reducing their effect on the study are discussed afterwards.
1) There are concerns of external validity or generalizability in a survey study review: a
deficiency of scientific rigor provides the larger public with no basis for generalization of findings.
2) The individual feelings of investigators may influence the results in a survey study design
(researcher bias).
3) Difficult to replicate.
4) Requires a lot of time and is expensive.
To reduce biases and researcher subjectivity, the study will ensure that the data is coded. Since the
study is a quantitative survey, the data obtained will be presented as descriptive statistics and
correlations and will not require any personal reflection in the data analysis.
The participants will be drawn from the population of all employees of an oil company who work as
IT and HR staff and are based in the selected oil and gas firm in Saudi Arabia.
Definition of Terms
System Access: An insider is identified as a genuine user (Chinchani et al., 2005) who is allowed to
access an information system or has previously been authorized to do so. Other definitions expand the
sense of access to comprise physical access, so that an insider is described as having reasonable
access to the data system.
Action-based definition: The definition based on “access to the system” determines who insiders are,
whereas the definition founded on behavior describes what insiders do. Bishop and Gates (2008)
describe an insider as a “violator of safety policies.”
Availability: Term used to confirm that the structures accountable for providing, storing and
processing the data are accessible when required and by those who need them.
Cyber ecosystem: The set of computers, networks, channels of communication, applications, data and
users, comprising either a local isolated network or the worldwide cyberspace. It is the digital
setting in which software functions and information is operated on and shared (Rackevičienė and
Mockienė, 2020).
Cyberespionage: The immoral act of compromising an organization’s privacy and protection in order
to leak data or expose confidential data. Cyber espionage may be carried out by individuals,
organizations or governments in order to explicitly damage the violated entity for the profit of
individuals, firms or administrations (Prakasa, 2019).
Cybersecurity: The efforts to plan, execute, and maintain security for an establishment’s
internet-connected network. It is a collection of countermeasures, protections, and security controls
that are logical/technical, physical, and personnel-focused (Althonayan and Andronache, 2018).
Insider threat: An insider threat is described as “a person with privileges who abuses them or whose
access allows them to be abused” (Hunker and Probst, 2011).
Threat assessment: The method for assessing behaviors, incidents, and attitudes that could have an
effect on cybersecurity or cyberspace. Threat assessment is one part of risk assessment and
management (Ramirez and Choucri, 2016).
Vulnerability: Any flaw in an asset or a safety defense that allows a threat to cause harm. It
may be a coding error, a configuration error, a reach or power limit, an architecture, design, or logic
error, or a devious use of legitimate systems and functions (Humayun et al., 2020).
Organization of the Remaining Chapters
Literature Review
This section will highlight a variety of research findings related to the study’s subject. The aim
of a literature review is to provide a summary of previous research and to identify areas that need to
be addressed. Cyber-crime is on the rise, due to advanced technology that helps offenders to avoid
detection. It is important to be able to identify cybercrime before any damage is done. The
understanding of the surrounding problems of various cyber-attacks and the implementation of defense
strategies that protect the confidentiality, integrity, and usability of all digital and information
technology are the theories behind cyber security performance. This study will focus on the malicious
insiders’ threats to cybersecurity since it is an area that has not been greatly researched compared to
the other sections such as the hardware.
Methodology
This section describes how the research will be conducted and how the data will be collected
and analyzed. In order to evaluate the employees and recognize the potential driving factors
contributing to cybersecurity risks from insiders, a questionnaire will be administered. The
information obtained will describe the factors affecting the cybersecurity from the malicious insider.
The study participants will be from the oil and gas industry.
Chapter 2: Literature Review
Introduction
Cybersecurity is critical for the industry to realize its goals in the contemporary digital world.
Accordingly, a transformation is crucial for industries to compete favorably in the economic world
with minimal loss of information, which tends to be very expensive (Huhn, 2020). Therefore, there is
a need to improve existing methods and apply ways to detect early any irregularities in the data
system. Available studies continue to show that most cybersecurity threats a firm may be exposed to
arise from the insider threat (Harkiolakis, 2018). Moreover, insider threats could cause more
extensive damage than outsiders, damage that can ruin business operations.
Firms have capitalized on ways to expose and predict risks associated with insider threats in
cybersecurity. Research findings have indicated that a high percentage of cyber occurrences are
humanly motivated, necessitating research to explore areas of human behavior and how they relate to
insiders’ threats to cybersecurity (Harkiolakis, 2018). A few published studies depict the relations
between a person’s social and behavioral characteristics and cybersecurity threats (McAlaney and
Benson, 2020). This literature review section highlights the literature search strategy used to obtain
published peer-reviewed articles on insider threats to cybersecurity. The conceptual framework showing
the study’s main variables will be included in this section. An exploration of the literature related
to insider threats and cybersecurity will be presented. Finally, this section will give a synthesis of
literature conclusions and a summary of insider threats to cybersecurity, concentrating on a
multidisciplinary method that incorporates human behavior into cybersecurity.
Literature Search Strategy
The literature search strategy involved using online databases to retrieve information.
Databases are data structures that store data in an organized manner. The most common databases
are EBSCO and ProQuest (Hernandez-Castro et al., 2011), which were used in this study.
The EBSCO database provided pertinent information that was purposeful and relevant to this
study. EBSCO is a free database that holds records for more than 1.4 million electronic dissertations
and theses from more than three hundred and twenty higher education institutions worldwide (Stephen,
2016). It provided free information on library and information science studies. The database
provided abstracting and indexing for research reports, books, and journals (Stephen, 2016). It also
offered abstracts and indexing for most of the peer-reviewed journals instrumental in this study.
ProQuest is a database committed to empowering librarians and researchers worldwide (Stephen,
2016). Its innovative technologies and information content increase productivity among researchers.
Literature Search Engines
The study used the following search engines: Google Scholar and Yahoo. The search for
articles on cyber security and insiders’ threats included the following words:
“Literature”, “search”, “approach” and “selection conditions”.
The literature was searched through Web of Science (WoS) by topic from 1950 to 2021 with
the key terms of “insider risk”, “insider threat recognition”, and “insider menace prediction”. Google
Scholar (GS) database was combed using terms such as “insider risk detection and prediction”. The
first 100 papers were put through a screening process. The reference lists of all potentially important
papers and book chapters were also included in the quest.
The following questions were used to evaluate the validity of the specified articles’ abstracts; if the
answers to all of these questions were yes, the article was shortlisted for further consideration.
I. Is the article focused on insider cyber threats?
II. Is the paper’s main emphasis on threat identification and/or prediction?
III. Is the article specifically concerned with deliberate insider acts rather than accidental or
reckless insider actions?
IV. Is it a journal post, a conference article, or a chapter in a book?
V. Is the article written in English?
Shortlisted articles were read in full during the abstract screening process to ensure that the article’s
key emphasis was on the data-driven approach and that previous versions of the same article were
omitted.
Search words included:
i. Cyber security threats
ii. Cyber security and oil and gas industry
iii. Insiders’ threats and oil and gas industry
iv. Insiders in cyber security threats
v. Insiders’ threats to cyber security
vi. Human behavior and cyber security
vii. Mental motives in cyber security threats
viii. Monetary rewards in cyber security
ix. Challenges in cyber security management
x. Malicious insider threats and oil and gas firms
After typing the search words into the search bar, a year was selected, for example 2017. If the
published articles were not relevant, the year was changed to another, such as 2020.
Insider Cybercrime: The Perspective of Routine Activities Theory
There is scant criminological literature about insider victimization. Young (2016) reports that
literature obtained under the heading of “white-collar crime” focuses on corporate elite malefactions,
either in compromised or “revolving door” relationships with supervisors or involving rebellious unit
employees (acting for themselves or for their employers). Lynn’s (2012) analysis looked at insider
victimization with a strong focus on cyber fraud. Lynn (2012) illustrated that some victimization
occurred due to the great levels of confidence and discretion provided to suspected criminals, making
it possible for acts to be noticed. Unethical business/industry values have been associated with
victimization. Thus, it is fair to believe the variables for insider cyber victimization may also be
present.
Routine Activities Theory (RAT) gives potentially valuable criminological insight into insider
cybercrime, which resonates with Lynn’s results. For instance, a trusted position is equivalent to
routine process and opportunity, while a lack of visibility is equivalent to the absence of a capable
guardian. Therefore, where data from victim surveys is available, it can be beneficial to utilize RAT
to comprehend the probability of insider cyber victimization. It is emphasized, however, that
opportunities are necessary but not sufficient conditions for insiders to commit crimes. RAT implies
that when an enticing target which lacks a capable guardian intersects with a motivated offender in
time and space, the risk of victimization increases (Phellas et al., 2011).
RAT has been valuable in cybercrime research because it does not rely on nuanced understandings
of criminals’ intentions. Cybercrime analysts are less likely to concentrate on criminals’ motivation
due to low law enforcement apprehension levels (Phellas et al., 2011). The following factors were
critical in predicting victimization using RAT as applied to cybercrime: target visibility (increased
by the consistency and variation of routine online activities) and target accessibility (increased by
the absence of a capable guardian) (Corradini and Nardelli, 2018). These studies focused on the
domestic population, whereas the proposed research will focus on human resource and IT specialists in
the oil and gas industry.
There is presently no empirical analysis applying RAT to corporate law-breaking. However, several
studies indicate that there is a close relationship between cybersecurity threats and intense online
routine activity, which can be used to predict cyber misconduct (Maasberg et al., 2020). Luo et al.
(2020) state that the research most relevant to corporate executives and victimization is online fraud
research among insider victims, which has produced some inspiring results: routine activities on
online platforms, including net banking, emailing, shopping and downloading, were systematically
established to statistically predict insider virtual fraud misconduct within nations such as the USA,
Holland, and the UK (P Reisig 2010; Wilsem 2011; Williams 2016).
Nonetheless, these associations were tempered by introducing RAT measures, which indicated the
connection of target visibility in predicting the rate of victimization (Reyns 2013). Williams (2016)
directed the most significant study of RAT and online fraud so far, using victimization data from
the Special Eurobarometer survey on cybersecurity. The study showed that over seven percent of the
population reported being victims of online theft. Routine activities including the use of eCommerce
sites selling merchandise, emailing, and the use of computers in public settings (e.g., libraries)
predicted victimization. The guardianship measures of installing antivirus software, using dynamic
passwords, and frequently adjusting public security settings, which avoid online victimization of
services and PCs, were all statistically related to victimization. Structural analysis of the survey
showed that the prospect of being an online fraud victim was not merely reduced to an individual’s
routine activity and guardianship; the country of residence also explained six percent of the chance
of victimization. Corradini and Nardelli (2018) supported the statistically significant results
reported in domestic population studies; capable guardianship measures and routine activities are
tested within the hypotheses to see whether the same patterns extend to the business population.
Insider Cybercrime: The Perspective of Diamond Theory
A diamond theory has been used to mitigate insider threats on personal computers and laptops
through four approaches for improving the security of individual devices. The guidelines include
information retrieval, software design, detection methods and policy design (Boral et al., 2007). Based
on past studies and occurrences, the authors maintain that the diamond theory is an operative
explanation which can mitigate threats to a firm. Nevertheless, the study did not clarify ways to
recognize malicious insiders’ risks but presents the diamond theory’s four design features.
Further, Majeed et al. (2016) deliberated a varied observation of safety and confidentiality
issues in the internet of everything (IoE) by investigating insiders that carry individual smart devices
for use inside the firm. Employee responsiveness concerning compliance legally and ethically is
critical. It ought to be an obligation to accept the ethical context within any firm, including
provisioning of training on matters of integrity at the workplace to safeguard data.
Furthermore, any firm or company’s security experts require operational visual interfaces and
collaborative systems that could perceive security attacks and competently deliver the risk information
with the corresponding user or expert. Based on this theory, user conduct tools can monitor user
behavior.
IBM’s security analytics group developed a user behavior analytics (UBA) tool (Haim et al., 2017)
that can provide data analysis and can be used for constant scrutiny of people’s use of the
organizational networks and devices. It is a significant method for successfully visualizing the
linked insider threats, information security occurrences, and related data obtained from numerous
sources such as HR systems, via a risk-focused control panel with cumulative risk points connected
with specific user groupings and the organizational structure. In general, it is imperative to retain a
trail of a person’s usage and the data accessed, together with data stored on personal devices (Haim
et al., 2017). The proposed study seeks to identify the most effective mitigation measure against
insider threats in cybersecurity.
Insider Cybercrime: The Cognitivist Perspective
This theory relates an analyst’s discernment of insider threats to the psychology tools the analyst
engages. Patterns which inform insider threat analysts’ methods include behaviorist, constructivist,
and cognitivist ones. Learning theories based on behavior are founded on stimulus-response links,
which exclude the retention of information (Ertmer & Newby, 2013). This theory is suitable for cyber
system protection, such as responses to recognized malicious signatures. Still, it is not effective
with insider threats that do not have signatures.
On the other hand, constructivist learning theories are complicated since they assume new data
builds on existing information. Thus, they are quite challenging considering that many evident
behaviors rarely carry the same meaning when verdicts are based on personal knowledge. Other authors
have suggested that cognitivist learning theories are suitable for insider threat investigative study
since they deal with the ways individuals solve problems (Corradini and Nardelli, 2018). Insider
threat analysis (ITA) needs analysts to detect behaviors and infer reasons. This theory supports the
idea that for an insider to steal information from the firm, there must be a reason for it, which
varies from person to person. This has been well explained by the theory of attribution, which is an
appropriate cognitive learning model since it is concerned with the cognition of cause and
consequence. This research will be based on attribution theory to identify factors that lead a firm’s
insiders to exfiltrate data.
Theory of Attribution
Attribution theory is a cognitive psychology construct setting the contextual explanation for
specific events (Martinko, 2018). The theory assumes that an individual attributes behavior to internal
or external factors on the basis of observable features. An internal cause of behavior presupposes that
personal control determines behavior. The seminal work on attribution theory by Fritz Heider (2020)
proposes that persons behave as naïve psychologists as they look for an explanation of why events
happen. Attribution theory is used in educational settings and marketing and, more recently, insider
risks (Erbschloe, 2017).
According to Simmons (2012), humans possess an innate tendency to provide causal explanations. In
other words, attribution forms a portion of the knowledge of one’s setting, implying that if one knows
one’s environment, one will always find attributions. Attribution theories examine how people receive
and combine information and make causal decisions. An established and popular attribution theory
focuses on the ways actors’ actions characterize thinkers: Harold Kelley’s (1973) covariation model.
Kelley’s covariation model describes the ways social perceptions are utilized to attribute
observed behaviors. This model is best suited to ITA as it is insensitive to purpose. According to
Kelley’s model, consensus, consistency, and distinctiveness influence whether attribution is to
internal or external causes (Mynard and Carson, 2014). The consensus factor examines why a person’s
behavior differs from others’ behavior in the same scenario. When consensus is high, individuals
attribute the conduct to an external cause.
Consistency refers to how constant behavior is in a given situation over time; once consistency
increases, individuals associate abnormal behavior with internal motivation. Distinctiveness asks
whether the behavior is different in similar cases. When distinctiveness is high, people attribute the
behavior to an inner cause. How the factors co-vary predicts whether people attribute abnormal
behavior to internal or external causes.
Kelley’s model corresponds roughly to the pioneering work of Barakaldo and Joshi (2013) on internal
threats. Abnormal behavior due to external causes may exempt the suspect, while strange behavior due
to internal causes may imply an internal threat. According to Kelley and Michela, individuals use
historical subjective judgments to determine whether there are “some good causes” or “some essential
reasons” (Fiske, 2012). The distinction is similar to the Boolean operations “AND” and “OR.” When
there are sufficient causes (and manipulations), some authors emphasize the importance of a schema of
causal attribution (O’Keefe, 2017).
Kelley and Michela (1980) defined a causal schema as “an explanation of the general public’s idea
of the ways two or more causes come together to yield a particular effect.” Because schemas interrelate
with numerous behaviors, people must use various schemas at the same time to assign attributions to a
set of actions. This means that additional cognitive resources are required to meet attribution needs.
Oliveira (2007) suggested that once patterns are formed, there will be resistance to change. The
rationale behind this resistance is that schema change increases the cognitive load, because
individuals’ schemas must be validated or else reassigned in light of new information.
Theoretical Perspectives on Insider Threats in Cybersecurity
This section reviews research that proposes, extends, or applies theories, mechanisms, and innovations
for understanding insider risks, actions, and motives. Several researchers have applied existing theory;
this work falls into threat-detection research, threat-prevention research, and applications of theory.
Papers in this subcategory draw on or reference current technologies and ideas. Prevention papers range
from risk metrics to controls on the transfer of information and applications by insiders. Papers on
host-based monitoring and predictive decoys also fall here, as do those that integrate static analysis
methods with existing mitigation frameworks and prevent data leakage through disruption and compliance
(O'Leary, 2014). The most prominent topic in this subcategory is the use of access control and signal
detection theory to classify the antecedents of threats and threat incidents and to identify perpetrators.
Efforts have also been made to relate insider incidents to the capabilities of insiders. Other topics
include attack vectors, identity analysis patterns, directory virtualization, node-based authentication
for unattended network modules, graph-based anomaly detection, and detection of anomalies in production
processes.
Papers advancing technical research have explored and simulated Bayesian networks to model insider
attack profiles, with the aim of building and simulating detection structures for Collaborative
Information Systems (CIS) and of exploiting object dependencies in data exfiltration. This work also
covers the prevention of data exfiltration and the detection of insider threats by studying exfiltration
patterns. Threat prediction is approached by relating insider activity to threat rankings and by stressing
the need for effective testing of firewalls and the perimeter. Further research is needed to recognize
long-term trends that predict an insider's actions, and to develop frameworks that account for the
organization, its processes, its climate, and its people and that establish a shared vocabulary for
applications that predict and identify threats.
Insider Threat Frameworks
Hadlington (2021) defines an insider threat framework as a logical structure or model that guides an
enterprise in organizing data and activities to mitigate insider attacks. An equally important definition
comes from the Intelligence and National Security Alliance (INSA) (2013), which describes an insider threat
framework as a living program that integrates and interprets technical and non-technical indicators to
create a comprehensive view of an enterprise's insider threat risk from staff identified as potential
threats.
Similarly, Balakrishnan (2015) characterizes a malicious insider threat framework as a mitigation
approach with a defined structure and strong executive support, directed by policies, procedures, and
controls, whose main aim is to reduce the risk of insider threats to an acceptable level. The most
important aspects of these definitions are that an insider threat framework is structured, that it
integrates and analyzes technical and non-technical elements, and that the program needs senior
management support and the participation of every employee to produce a unified view of an organization's
insider threat risk.
Schultz (2002) observed that programs for understanding and predicting insider threats are essential
to countering insider attacks. He argued that one approach to prediction is to identify attack-related
indicators and gather them for later use in recognizing insider attacks. By comparison, Kramer et al.
(2005) noted that insider attacks are difficult to predict because research on prediction was still in
its infancy. Nevertheless, Shaw et al. (2005) pointed out that a typical insider attack could be prevented
in most cases, with the damage averted by timely, effective plans put in place before the attack begins.
Likewise, Dark (2011) noted that it is feasible to combine an employee's workstation and web activity with
other enterprise and social measurements to infer a potential insider threat and anticipate the actions
that person would take, enabling early identification of high-risk staff. According to Montelibano et al.
(2012), between the moment an insider decides to exfiltrate data from an enterprise and the moment the
damage is done, there are opportunities for prevention, detection, and response.
The authors further state that an enterprise should have sufficient capability to anticipate insider
attacks; failing that, it should have competent countermeasures to detect insider activity; and finally,
it should have reliable incident response procedures to contain the losses arising from the perpetrator's
actions. Further, according to Hancock (2016), Britain was one of the most prominent cyber-attack targets
in the world. One goal of the UK Cabinet Office's Cyber Security Strategy 2011-2016 was to make the UK one
of the most secure places in the world to do business in cyberspace, to make the UK more resilient to
cyber attacks, and to build the capability needed to secure the UK's cyberspace.
Through the CPNI's work program with the University of Oxford, Britain examined past insider misconduct,
identified patterns among the culprits and the organizations involved, and proposed countermeasures. The
CPNI focused on the management of insider risk to information technology and stated that the key themes of
an insider threat program should include naming the program, understanding users' workplace behavior,
creating holistic processes, logging data, having a response plan, setting expectations for behavior,
using analytical capabilities, deterring attacks, conducting risk assessments that include insider risk,
managing insider risk, and developing effective data management with a preventive design.
By contrast, the Computer Emergency Response Team (CERT) Insider Threat Program sets out the essential
elements that strengthen insider threat mitigation. These are organization-wide participation; a formal
and distinct program; integration with enterprise risk management; insider threat practices extended to
trusted business partners; a prevention, detection, and response infrastructure; insider threat training
and awareness; data collection and analysis tools; indicators and metrics; protection of employee civil
liberties and privacy rights; communication of insider threat events; an insider threat incident response
plan; confidential reporting procedures and mechanisms; and oversight of program effectiveness and
compliance.
Framework for Understanding and Predicting Insider Attacks (Schultz, 2002)
Schultz's (2002) framework holds that several potential indicators of a malicious insider attack exist
and that no single indicator is an adequate warning of an impending attack. Schultz (2002) describes the
indicators as deliberate markers, meaningful errors, preparatory behaviors, correlated usage patterns,
verbal behavior, and personality traits. In the framework's view, any potential indicator can be expressed
as a mathematical function of several variables, each carrying its own weight or emphasis.
The framework combines several indicators with a numerical representation of each indicator's nature to
support the detection and prevention of insider attacks. Because no single piece of data is adequate to
predict and expose an insider attack, the indicators are evaluated together; and because the weighting of
each indicator can be tuned, the framework can be tailored to any organization's risk appetite.
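The weighted-indicator idea above can be made concrete. The following Python is an added example, not code from Schultz (2002) or from this dissertation: it borrows Schultz's six indicator categories as names, but the weights, the 0 to 3 rating scale, the alert threshold and the sample observations are assumptions chosen for illustration. It shows the two properties the text describes: with these weights no single indicator at its maximum rating crosses the threshold, and lowering the threshold (a more risk-averse appetite) changes that.

```python
"""Weighted aggregation of insider-threat indicators.

Added example; not code from Schultz (2002) or from this dissertation.
Indicator names follow Schultz's six categories; the weights, the 0..3
rating scale, the threshold and the sample observations are constructed
here for illustration and would be tuned per organisation.
"""
from dataclasses import dataclass, field

# Illustrative weights (assumption): they encode the organisation's risk
# appetite and are the knob Schultz's framework leaves to the implementer.
DEFAULT_WEIGHTS = {
    "deliberate_markers": 3.0,
    "meaningful_errors": 1.5,
    "preparatory_behavior": 2.5,
    "correlated_usage_patterns": 2.0,
    "verbal_behavior": 1.0,
    "personality_traits": 0.5,
}
MAX_LEVEL = 3  # each indicator is rated 0 (not observed) .. 3 (strong evidence)


@dataclass
class IndicatorModel:
    weights: dict = field(default_factory=lambda: dict(DEFAULT_WEIGHTS))
    threshold: float = 0.5  # fraction of the maximum attainable score

    def max_score(self) -> float:
        return MAX_LEVEL * sum(self.weights.values())

    def score(self, observations: dict) -> float:
        """Return the normalised risk score in [0, 1].

        Unknown indicator names are rejected so that a typo cannot silently
        drop evidence; indicators absent from the input count as 0.
        """
        unknown = set(observations) - set(self.weights)
        if unknown:
            raise KeyError(f"unknown indicators: {sorted(unknown)}")
        total = 0.0
        for name, weight in self.weights.items():
            level = observations.get(name, 0)
            if not 0 <= level <= MAX_LEVEL:
                raise ValueError(f"{name}: level {level} outside 0..{MAX_LEVEL}")
            total += weight * level
        return total / self.max_score()

    def alert(self, observations: dict) -> bool:
        return self.score(observations) >= self.threshold

    def single_indicator_alerts(self) -> dict:
        """Would each indicator, alone and at its maximum rating, cross the threshold?"""
        return {name: self.alert({name: MAX_LEVEL}) for name in self.weights}


if __name__ == "__main__":
    model = IndicatorModel()
    # Constructed observation set: strong preparatory behaviour plus
    # moderate usage and verbal signals, a weak deliberate marker.
    case = {"preparatory_behavior": 3, "correlated_usage_patterns": 2,
            "verbal_behavior": 2, "deliberate_markers": 1}
    print("no single indicator alerts:", not any(model.single_indicator_alerts().values()))
    print("combined score:", round(model.score(case), 3), "alert:", model.alert(case))
    print("risk-averse threshold 0.25, markers alone:",
          IndicatorModel(threshold=0.25).single_indicator_alerts()["deliberate_markers"])
```

The model deliberately normalises by the maximum attainable score, so changing a weight changes both that indicator's contribution and the denominator; this keeps the threshold meaningful as "fraction of worst case" when an organisation retunes weights to its risk appetite.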
The framework is open to criticism, however, because its designers did not validate it through testing.
It has no multi-level, organization-wide link to enterprise risk management: information security
engineering stands on its own, and the framework does not address risk from an organizational
perspective. The systems development life cycle received no consideration, and at the network
infrastructure layer the framework lacks a definitive set of countermeasures and controls to be selected
and implemented. It tends to suit small companies, because for large organizations with more than 100
employees the indicators and numerical conditions would be repetitive, complex, and time-consuming, and
difficult to implement and update regularly for each member of staff. A mistake in calculating some of the
indicators and their weightings, such as verbal behavior and personality traits, could lead to an
incorrect decision and resentment from an affected employee.
Predictive Model for Insider Threat Mitigation (Greitzer et al., 2009)
In this model's methodology, predictive thresholds are applied to insider threat cases by integrating an
insider's psychosocial data with standard information security audit data. This hybrid strategy builds a
baseline of normal employee activity and flags deviations from that "normal" behavior as anomalous.
In the progression from raw facts to inferences to indicators to behavioral dispositions, a large volume
of irrelevant data has to be analyzed. The data are noisy, in that most of the observed activities are hard
to distinguish from routine tasks.
The Reasoner component concentrates on deviations from the baseline and presents them; the frequency of
events and the intervals between them are also critical. The model then combines established indicators
with newly discovered indicators and dispositions to estimate the probability of behaviors likely to reveal
an insider threat. That probability derives from the agents' ability to predict threat events, and the
architecture was evaluated by comparing the Reasoner's performance against observers' judgments of insider
threat events.
The key difference of Greitzer et al.'s (2009) Predictive Modeling for Insider Threat Mitigation is that
it is proactive in nature, focusing on detecting malicious activity before it occurs. Compared with A
Framework for Representing Attacks (Attendant et al., 2014), its monitoring and analysis campaign is timely
and effective. The model can detect small changes in behavior over time, revealing patterns that rise
above the observable background activity, which is useful for identifying the most cautious insiders who
hide their intentions within "background noise" to avoid being caught.
The drawback of this framework is that the multi-level, organization-wide risk management tier is
missing; as a result, threat from a hierarchical perspective is not incorporated into the scheme. A
complete enterprise architecture that incorporates enterprise risk management plans is required to guide
security countermeasures at the lower levels, such as the information system, data, and application
levels. Another significant drawback of the predictive model is that it rests on trust, on transparency,
and on legal rights: although an organization retains the option of monitoring workstations to inform
security decisions, doing so risks lowering employee trust, so all employees should be made aware of the
technique and have it explained to them.
The model's complexity grows with the number of members of an organization, potentially producing a
large volume of data for a given prediction period. Furthermore, if patterns are confounded, a false
accusation (false positive) against an employee is highly likely, and there is potential for conflict
between the recognized attitudes toward legitimate versus illegitimate workstation conduct, causing the
design to register a problem where none exists. Finally, in many legal jurisdictions around the world, data
sensitivity is an increasing constraint on detecting and predicting insider attacks.
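As an added example that is not from Greitzer et al. (2009) or from this dissertation, the following Python shows the baseline-and-deviation step of the section above in miniature: it aggregates constructed audit log lines into per-user daily feature counts, builds a per-user baseline from the earlier days, reports the features whose deviation from that baseline exceeds a threshold, and combines the behavioral anomaly with a separately supplied psychosocial flag. The log format, the feature names (including bytes written to removable media), the 3-sigma threshold, the AND combination rule and every log line are constructed assumptions; event timing, which the text also says is critical, is not modeled here.

```python
"""Baseline-deviation detection over per-user activity logs.

Added example, not code from Greitzer et al. (2009) or from this
dissertation. It illustrates building a per-user 'normal' profile from
audit data, scoring deviations from it, and combining the result with a
separately supplied psychosocial indicator. The log format, feature
names, thresholds and all sample log lines are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records, one event per line: "YYYY-MM-DD user event bytes".
# Days 1-4 are routine; on day 5 the same user writes ~700 MB to removable media.
SAMPLE_LOG = """\
2023-03-01 alice login 0
2023-03-01 alice file_read 0
2023-03-01 alice usb_write 2048
2023-03-02 alice login 0
2023-03-02 alice usb_write 4096
2023-03-03 alice login 0
2023-03-03 alice file_read 0
2023-03-03 alice usb_write 1024
2023-03-04 alice login 0
2023-03-04 alice usb_write 3072
2023-03-05 alice login 0
2023-03-05 alice file_read 0
2023-03-05 alice file_read 0
2023-03-05 alice file_read 0
2023-03-05 alice usb_write 734003200
"""

FEATURES = ("logins", "file_reads", "usb_bytes")


def parse_log(text):
    """Aggregate events into per-user, per-day feature rows: daily[user][day][feature]."""
    daily = defaultdict(lambda: defaultdict(lambda: dict.fromkeys(FEATURES, 0)))
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, event, nbytes = line.split()
        row = daily[user][day]
        if event == "login":
            row["logins"] += 1
        elif event == "file_read":
            row["file_reads"] += 1
        elif event == "usb_write":
            row["usb_bytes"] += int(nbytes)
        # Other event types are ignored by this illustration.
    return daily


def deviation_scores(history, current):
    """Per-feature z-scores of 'current' against a list of historical rows.

    The spread is floored at 1.0 so that a feature that was constant in the
    baseline does not turn a single new event into an infinite deviation.
    """
    scores = {}
    for f in FEATURES:
        past = [row[f] for row in history]
        mu, sigma = mean(past), pstdev(past)
        scores[f] = (current[f] - mu) / max(sigma, 1.0)
    return scores


def assess(daily, user, z_threshold=3.0, psychosocial_flag=False):
    """Score a user's most recent day against all earlier days.

    Returns (anomalous_features, elevated). 'elevated' models the hybrid
    idea of combining a behavioural anomaly with a psychosocial indicator;
    the AND rule and the 3-sigma threshold are assumptions of this example.
    """
    days = sorted(daily[user])
    if len(days) < 2:
        raise ValueError("need at least two days of history for a baseline")
    history = [daily[user][d] for d in days[:-1]]
    current = daily[user][days[-1]]
    z = deviation_scores(history, current)
    anomalous = sorted(f for f, v in z.items() if v > z_threshold)
    return anomalous, bool(anomalous) and psychosocial_flag


if __name__ == "__main__":
    data = parse_log(SAMPLE_LOG)
    print(assess(data, "alice"))                          # (['usb_bytes'], False)
    print(assess(data, "alice", psychosocial_flag=True))  # (['usb_bytes'], True)
```

Note that the three extra file reads on the last day do not cross the threshold on their own (the floored spread keeps that z-score at 2.5), which is the kind of near-routine activity the text describes as hard to separate from normal tasks; only the removable-media volume stands out, and the flag is raised only when a psychosocial indicator is also present.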
Insider Threat Security Reference Architecture (ITSRA) (Montelibano et al., 2012)
The framework takes a multi-layered approach with four security layers, Business (Enterprise),
Information, Data, and Application, to provide a holistic response to insider threat. Layer 1, the
business layer, covers corporate business requirements such as the enterprise's strategy; it also calls
for the creation of policies, guidelines, and procedures that assess risk appetite and, ultimately, for
countermeasures to be communicated at the other levels. The next layer, the information layer, describes
the enterprise's infrastructure, including its components and devices; it connects the operating systems
with the software that governs the organization's infrastructure. The following layer, the data layer,
holds the organization's data assets. Finally, the application layer governs the software development life
cycle at the lowest layer, covering both the acquisition and the creation of software that supports the
organization's strategy by ensuring that corporate-level methods are adopted.
Adequate controls under three security principles, authorized access, acceptable use, and continuous
monitoring, are required at each layer, and to counter insider attacks implementing organizations must
enforce countermeasures at every level. Because the relationships among indicators and the use of controls
cut across all four layers and form the primary objective of this approach as an insider threat security
reference architecture, none of the four layers functions in isolation.
This framework, on the other hand, lacks a mechanism for understanding users' social behavior. The
omission of psychological state monitoring means that the system is constrained in its ability to predict
employees' potential risk in any given situation.
Synthesis of Literature Findings on Detection Frameworks for Malicious Insider Threats
Without question, all three programs, Schultz (2002), Greitzer et al. (2009), and Montelibano et al.
(2012), have a framework core that describes practices, references, and outcomes for a distinct insider
threat reduction program. Montelibano et al. (2012), however, also has a profile component that determines
an organization's current security practices and the path the organization should follow to reach its
target profile, and it specifies implementation levels for the information system, business, application,
and data layers.
Sufficient controls for authorized access, acceptable use, and continuous monitoring are required at
every implementation level, and to address insider attacks implementing organizations must introduce
countermeasures at every level. Schultz (2002) and Greitzer et al. (2009), by contrast, have no framework
profile, so an implementing organization has no means of establishing its current profile or the desired
target profile for addressing malicious insider threats. Nor do those two frameworks define implementation
levels corresponding to the organization's layers (Business, Data, Information, and Application). In the
Montelibano et al. (2012) architecture, controls are linked and managed across the organization's levels:
the business, data, information, and application layers each have controls, and those controls do not
operate without reference to one another.
The Montelibano et al. (2012) architecture treats the malicious insider threat program as an iterative,
continuous cycle, whereas the application of Schultz (2002) and Greitzer et al. (2009) is a one-time
undertaking. The iterative cycle accounts for new and emerging insider threats as well as prevailing ones,
making it an all-inclusive system for addressing malicious insider threats. A further advantage of the
Montelibano et al. (2012) architecture over Schultz (2002) and Greitzer et al. (2009) is that its profile
component generally adjusts the treatment of malicious insider threats to business needs.
Malicious insider threats are a serious issue for many industries. Conventional security instruments
such as intrusion detection systems and firewalls do not offer ideal solutions for detecting and preventing
insider threats, because malicious insider attacks are, for the most part, carried out by trusted
individuals who already have access to information about significant organizational resources.
This study enhances available knowledge on the detection of insider threats, identifies challenges in
mitigating insider threats, and highlights possible best techniques for detection. Figure 1 depicts the
theoretical framework for the study.
Theoretical Framework
[Figure 1: flow diagram. Insider characteristics lead to a trigger (psychological status: disgruntled,
angered, demoted; observable physical behaviors: assaulting co-workers; previously observed cybersecurity
issues: disabling security software). The trigger feeds the capability of the malicious insider
(personality traits / insider traits: motivation to attack for revenge; a history of breaching
cybersecurity in the firm; confirmed cases of breaching cybersecurity rules; skill to operate at various
levels, e.g. RAM and CPU). Combined with available opportunity (access rights, premises left open, a
server vulnerable due to ineffective protection), this produces the attack trends: hacking the firm's
server and accessing restricted data.]
Figure 1 Theoretical framework describing malicious insider threats in cybersecurity
Review of the Literature
The inadequacy of research and the growing focus on the need for insider threat detection and mitigation
systems have led to an upsurge of proposals from various fields promising solutions to the complex problem
of insider threats. These solutions are costly, lack scientifically obtained research supporting their
procedures, and are out of reach for most medium-sized enterprises. Questions also arise about the ethics
of the promised solutions and whether they consider privacy. Even though no standardized instrument
currently exists, several methods are used to identify insider threats, including psychological theories,
behavior analysis, and honeypots.
Mazzarolo and Jurcut (2019) studied insider threats and their effects on cybersecurity. Insider threats
from staff working in an industry represent a very serious problem, the equivalent of a "wolf in sheep's
clothing" in an institution or company. The study concluded that a malicious insider could cause losses
running to millions of dollars through theft of intellectual property, sabotage of facilities, or disclosure
of information, with severe and irreparable damage to the company, and that an insider might also cause
irreversible damage unintentionally. The study concluded that it may not be possible to eliminate all
risk, but the overall hazard can be minimized and the remaining risk controlled. The authors advised
defending the company with an insider threat assessment and an all-inclusive insider threat program to
protect its people, services, systems, and intellectual property.
Various researchers have confirmed that disgruntled insiders in an industry may be willing to compromise
their employer and are therefore a likely risk of releasing company or client data to the company's
detriment. Azaria et al. (2014) took a survey-based approach to insider threat aimed at criminologists,
psychologists, computer scientists, and security practitioners. The study presented the Behavioral
Analysis of Insider Threat (BAIT) framework and used an experimental approach with 795 participants
recruited through Amazon Mechanical Turk (AMT) to establish the behavioral patterns that staff in a real
firm might follow when attempting to release information from inside an organization to the outside world.
Azaria et al. (2014) indicated that malicious insiders who intentionally disclose information for personal
gain are likely to compromise company or client data by moving large amounts of data on removable media
such as USB sticks or CDs. The study further pointed out the likely means by which a malicious insider
conveys data out of a company, but it did not examine the psychological features that may encourage an
insider's malicious actions.
Additionally, Azaria et al. (2014) concluded that malicious insiders tend to be more active than benign
insiders and established a distinction between the two. The study also showed that malicious insiders
consistently release more "sensitive" data than benign insiders, that they send a larger volume of data
than benign insiders, and that they obtain less "unclassified" data than unintentional insiders. Reveraert
and Sauer (2020) suggested that malicious insiders deliberately misuse their access rights to, or knowledge
of, the organization's structural properties to cause damage to the firm.
Hong et al. (2010) surveyed and analyzed earlier research and proposed an operational method for future
investigation of insider cybersecurity threats. Based on their findings, nearly 90% of recent data leakage
incidents were carried out by internal employees. Hong et al. (2010) recommended that, while establishing a
substantial insider security arrangement is important for a firm, establishing a reciprocal trust
relationship between the insider and the firm to reduce the probability of insider hazard is equally
critical. They projected that deterring insider threats requires not only guarding internal functions but
also early detection of the behavior or intentions of an insider that may be linked with information
tampering.
Further, the researchers maintained that in addition to a security system able to recognize and track the
inside attacker, the firm needs interdependence among work areas so that no single person holds too much
authorization. This study did not address the probable psychological or behavioral patterns associated with
insider threats. Gheyas and Abdallah (2016) studied how to detect and predict insider risks in cybersecurity
through a systematic literature review and meta-analysis. The study addressed the current research trends
used to detect and predict insider threats and the challenges they face.
Additionally, the study examined the current methods that can be used for detection and prediction
algorithms. The authors reviewed 37 articles published in edited books, peer-reviewed journals, and
conference proceedings between 1950 and 2015 to establish the research trends used and the challenges
observed in detecting and predicting insider threats in cybersecurity. The majority of the papers used a
single-point estimate of threat probability, and graph algorithms were the most extensively used tools for
detecting and forecasting insider threats.
Gheyas and Abdallah (2016) identified significant challenges facing insider threat detection and
prediction systems: uncertainty, undetected insider attacks, individuality, uncontrolled patterns, the
class imbalance problem, collusion attacks, data nonstationarity, irregular time delays between
activities, high false alarm rates, and an enormous number of free variables in the model. In the
meta-analysis, which excluded all theoretical papers in order to identify the most effective detection
and prediction algorithms, only 13 reports were analyzed. The researchers concluded that the number of
published articles on insider threats is increasing each year, with the GTA method being the most
important source of data on insider threats.
Homoliak et al. (2019) surveyed the taxonomies, analyses, models, and mitigation measures for insider
threats in IT. The authors sought to deliver a systematic and logical organization of insider threat
research while taking advantage of grounded theory as a method for rigorous literature review. They
recognized four main groups of studies and elaborated on the efforts within them: the incidents and
datasets category, referenced in case studies of insider threats; the establishment of generalized insider
threat characteristics and actions, including contributions addressing the insider attack life cycle,
indicators, critical paths, and psychological and social facts; and simulations, describing research that
exploits modeling and simulation methods for experiments with automated detection approaches or for data
generation. Additionally, the researchers proposed a taxonomy that contributes an orthogonal
classification of incidents and defines the defense solutions that can be used against them.
Ophoff et al. (2014) used grounded theory, which builds theories from observations, behaviors, and data
patterns. The authors analyzed their data with a grounded theory approach and a coding scheme that followed
open, axial, and selective coding. Their research methodology consisted of an iterative, five-stage,
systematic and rigorous review of the searched literature. Ophoff et al. (2014) focused on Information
Systems (IS) and covered cybersecurity journals in the IS field. Key search terms such as 'insider threat'
were selected because they are central to the investigation. A total of 622 articles were retrieved, of
which 90 were used in the study after duplicates were filtered out.
The researchers categorized insider threats and described the insider menace as employees inside the
information system who take advantage of their legitimate access rights to perform malicious actions. They
found that the most explored areas were 'Theoretical Perspectives' and 'Insider Threat Mitigation', with
'Insider Threat Management' predominantly underexplored. Managing insider threats is an imperative area in
information systems and critical to safeguarding against threats to the availability, confidentiality, and
integrity of information. The study did not investigate the possible human behavior indicators that may
reflect a cybersecurity threat from insiders.
Maalem et al. (2020) conducted a literature review of past and recent findings on cybercrime; this
information is important because historic contributions and investigations remain useful in understanding
cybercrime. The investigators searched cybercrime literature from 2014 onward to understand cybercrime
trends and extent. The study used search terms from earlier periods such as "cyber programs", "hacking",
"insider threat", and "information security". The search queries in Maalem et al. (2020) included
(cybersecurity AND crime theories), (cybersecurity AND behavioral aspects), (human factors AND
cybersecurity), (modelling and simulation AND cybersecurity), and (cybersecurity AND interdisciplinary
method). The authors searched databases such as Google Scholar, IEEE Xplore, Science Direct, EBSCO, and
JSTOR. Maalem et al. (2020) noted that many search results concerned cybersecurity awareness, mostly
interdisciplinary work with undergraduate students. Addae et al. (2019) used a behavioral science approach
and identified behaviors that influence cybersecurity conduct and choices.
Addae et al. (2019) conducted an exploratory inquiry into the feasibility of predicting employee behavior
through information analytics as a possible aid in developing adaptive, operational employee models in
cybersecurity. Addae et al. (2019) applied partial least squares structural equation modeling to data on
users' attitudes toward digital security and analyzed how those attitudes influenced the users' adoption
and use of technical security controls.
Using Bayesian network modeling, the behavioral variables were integrated with simulated sensor
information, web browser session logs, and other experimental data to support personalized, adaptive
decision making in cybersecurity. Addae et al. (2019) proposed that security perceptions and observations,
including external factors, affect specific cybersecurity behaviors, and that those aspects are moderated
by workers' traits (age, gender) and their workplace.
Maimon and Louderback (2019) carried out a review recapping numerous crime theories in the context of
cyber-dependent crime. Maimon and Louderback (2019) indicated that traditional crime theories may not fully
account for cybercrime. Payne and Hadzhidimova (2018) established that the most prominent criminological
explanations of cybercrime include self-control theory, routine activities theory, learning theory, and
neutralization theory. This study focused on cyber criminology and advocated its integration into law, but
did not study the factors that may lead to insider threats in cybersecurity.
Pfleeger and Caputo (2012) addressed the significance of including human conduct while
making c…