Management and Education of the Risk of Insider Threat
(MERIT): System Dynamics Modeling of Computer System
Sabotage
Dawn M. Cappelli, dmc@cert.org, 412-268-9136
Akash G. Desai, agd@cmu.edu, 810-394-1389!
Andrew P. Moore, apm@cert.org, 412-268-5465
Timothy J. Shimeall, tjs@ cert.org, 412-268-7611
Elise A. Weaver, eweaver@ wpi.edu, 508-831-54512
Bradford J. Willke, bwillke@ cert.org, 412-268-5050
CERT® Program, Software Engineering Institute and
CyLab at Carnegie Mellon University
4555 Fifth Avenue
Pittsburgh, PA 15213
Abstract
The Insider Threat Study, conducted by the U.S. Secret Service and Carnegie Mellon University’s
Software Engineering Institute CERT Program, analyzed insider cyber crimes across U.S.
critical infrastructure sectors. The study indicates that management decisions related to
organizational and employee performance sometimes yield unintended consequences magnifying
risk of insider attack. Lack of tools for understanding insider threat, analyzing risk mitigation
alternatives, and communicating results exacerbates the problem. The goal of Carnegie Mellon
University’s MERIT (Management and Education of the Risk of Insider Threat) project is to
develop such tools.’ MERIT uses system dynamics to model and analyze insider threats and
produce interactive learning environments. These tools can be used by policy makers, security
officers, information technology, human resources, and management to understand the problem
and assess risk from insiders based on simulations of policies, cultural, technical, and
procedural factors. This paper describes the MERIT insider threat model and simulation results.
1 Introduction
Insiders, by virtue of legitimate access to their organizations’ information, systems, and
networks, pose a significant risk to employers. Employees experiencing financial problems have
found it easy to use the systems they use at work everyday to commit fraud. Other employees,
motivated by financial problems, greed, or the wish to impress a new employer, have stolen
confidential data, proprietary information, or intellectual property from their employer. Lastly,
technical employees, possibly the most dangerous because of their intimate knowledge of an
| Also a student at the Information Networking Institute, Camegie Mellon University.
2 On the faculty at Worcester Polytechnic Institute, Worcester, MA, and a visiting scientist at CERT.
3 CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office by Camegie Mellon
University.
“This work is supported by the Army Research Office through grant number DAA D19-02-1-0389 ("Perpetually
Available and Secure Information Systems") to Camegie Mellon University's CyLab.
organization’s vulnerabilities, have used their technical ability to sabotage their employer's
system or network in revenge for some negative work-related event.
In January 2002 the Camegie Mellon University Software Engineering Institute’s CERT Program
(CERT) and the United States Secret Service (USSS) National Threat Assessment Center
(NTAC) started a joint project, the Insider Threat Study°. The study combined NTAC’s expertise
in behavioral psychology with CERT’s technical security expertise to provide in-depth analysis
of approximately 150 insider incidents that occurred in critical infrastructure sectors between
1996 and 2002. Analysis included perusal of case documentation and interview of personnel
involved in the incident.
Two reports have been published to date as part of the Insider Threat Study, one analyzing
malicious insider incidents in the banking and finance sector (Randazzo et al. 2004), and one
analyzing insider attacks across all critical infrastructure sectors where the insider's intent was to
harm the organization, an individual, or the organization’s data, information system, or network
(Keeney et al. 2005). Two additional reports will be published in 2006: one specific to the
information technology and telecommunications sector, and one for the government sector.
The reports include statistical findings and implications regarding technical details of the
incidents; detection and identification of the insiders; nature of harm; as well as insider planning,
communication, behavior, and characteristics. The reports have been well-received across several
stakeholder domains including the business community, technical experts, and security officers.
Our fear is that practitioners will mistakenly interpret the results as stand-alone statistics and
assign consideration of individual implications to various departments within the organization
instead of taking a holistic, enterprise-wide approach to mitigating insider threat risk.
The results of the Insider Threat Study show that to detect insider threats as early as possible or
to prevent them altogether, management, IT, human resources, security officers, and others in the
organization must understand the psychological, organizational, and technical aspects of the
problem, as well as how they coordinate their actions over time. CERT staff felt strongly that an
important next step in our insider threat research was development of innovative communication,
education, and training materials to address this issue. After researching potential methods and
tools that could be used for this purpose, system dynamics was chosen for its strengths in
modeling and simulation of complex problems.
This paper describes the MERIT project. MERIT stands for the Management and Education of
the Risk of Insider Threat. The project goal is to develop a system dynamics model that can be
used to better communicate the risks of the insider sabotage threat to an organization’s
information, systems, or networks. Section 2 motivates the use of modeling and simulation to
learn about complex systems, such as the problem of insider sabotage and its mitigation. Section
3 describes in greater detail the Insider Threat Study and related research being conducted by
CERT. Section 4 describes a fictional case used as a basis for the MERIT training materials and
model development; the case is described more fully in Appendix A. Section 5 describes the
primary assumptions and scope of the MERIT model. Sections 6 through 8 describe the
behavioral, attack and defense aspects of the model, respectively. Section 9 shows how the
model can be used to generate the problematic behavior of the fictional case. Appendix B
5 The Insider Threat Study was funded by the USSS, as well as the Department of Homeland Security, Office of
Science and Technology, which provided financial support for the study in fiscal years 2003 and 2004.
2
contains a comprehensive overview of the MERIT model. Section 10 describes conclusions that
can be drawn from the current model, and work that remains to be done. Section 11 contains
acknowledgements of researchers and organizations that have contributed to this work. Section
12 contains a list of references.
2 Simulation-Based Learning
Any organization using a computerized network represents a complex system involving both
people and technology. Each employee navigates the network with a unique level of access and
set of authorized capabilities that may change over time. Each organization exercises a policy to
optimize productivity while guaranteeing security, whether or not such a policy is well-
developed and implemented. While there are many such systems, and thus a wealth of common
experience based on which to leam the important components of a good security policy, it is not
a given that all organizations manage this learning well.
Sterman (2006) describes three challenges to implementing good policy based on lessons learned
from interactions in complex systems. First, one cannot draw lessons learned unless one has
good data. Second, one cannot learn from experience, even with good data, unless one can
derive good lessons from that data. Finally, one cannot implement good policy based on lessons
learned, unless stakeholders in the system are involved politically in policy development.
Sterman makes compelling arguments that all three of these efforts are hindered by the
characteristics of complex systems. Unlike the scientific laboratory, in which variables can be
isolated and controlled, the networked organization presents serious challenges to the gathering
of valid, reliable, and easily interpretable data from which one can draw clear conclusions.
Unambiguous data are difficult to gather because a complex system, such as a networked
organization, involves cause and effect interactions across many time scales, locations, and areas
of expertise. In addition, complex systems not only respond to the decisions taken by the learner
but to decisions taken by other agents in response. Finally, one cannot afford to make risky
extreme decisions even though these might yield good data for learning, because of the ethical
and logistical implications of experimenting with real organizations. As a result, the specific
results of any action taken are difficult to discern.
Even with good data, leaming isn’t guaranteed. To derive lessons leamed, one would first form
hypotheses about system behavior, gather data, and reflect on whether the results matched those
predicted. Finally, one would update one’s mental model after reflecting deeply on any
discrepancies, in a form of double-loop learning (Argyris & Schon, 1974).
Sterman reviews research from the psychological literature (e.g., Wason, 1966; Kahneman &
Tversky, 1982) indicating that people are not normally prone to gather data that might disconfirm
their hypotheses, especially not in public (Tedeschi, 1981) or working in groups (Janis & Mann,
1977). When making judgments, we tend to use simplifying rules-of-thumb that may be efficient
but are often biased (Kahneman & Tversky, 1982). Finally, not only do we avoid looking where
disconfirming evidence might be, we also respond in ways that force the system to exhibit types
of behavior that confirm our earlier biased beliefs (Rosenthal & Jacobson, 1968).
Sterman (2006) advocates the use of virtual worlds to overcome our inability to learn in complex
systems. These need not be computer simulations, as they can be role-play games or physical
model environments as well. In simulations, distinguished from games by their verisimilitude
3
enabling knowledge transfer beyond the environment (Lane, 1995), it is possible to set up a
closed environment with known assumptions. One can then test the impact of policies without
the distortion of statistical error and reflect on the outcomes resulting only from one’s own
actions.
Lane (1995) reviews the history of such simulations and describes the value of using these to
provide managers with an intellectually and emotionally rich and engaging educational
experience. Lane points that the low cost and unambiguous feedback afforded can be “more
helpful than reality,” as long as certain caveats are considered. The model should represent the
relevant environment with fidelity, the simulation instructions should be clear, the simulation
objective (such as maximizing productivity and minimizing risk and cost) measurable and known
to the user, and there must be an opportunity for debriefing or reflection. In addition, Lane notes
that simulations provide common metaphors for communication about insights or lessons
learned.
Groessler (2004) elaborates on fifteen issues that should be considered when designing such
simulations for training.
e The first five concer the characteristics of the model, and pertaining to how well it
balances the fidelity to the context with the necessity for simplification so that lessons
can be leamed. The model should be validated against real cases without so much
complexity as to overwhelm the user.
e The second five address the characteristics of the trainees, balancing the cognitive
complexity of the task with the users’ learning styles. The simulation should be part of a
larger interactive learning environment allowing individuals many ways to glean insights
from using it.
e The third five address whether the interactive leaning environment encourages good
engagement with the task and reflection on lessons leaned. Users of the simulation
should have the opportunity to monitor indicators of success and should be given
opportunities to reflect on their hypotheses and the results of their experiments.
3 Origins of CERT Research
The Security Dynamics Network is a collaborating network of institutions and associated
researchers using system dynamics modeling to explore risk dynamics, focusing on
cybersecurity. Its members include University at Albany; A gder University College; TECNUN,
University of Navarra; Worcester Polytechnic Institute; Sandia National Labs; Argonne National
Labs; and Camegie Mellon University. The network was created in 2004 after members of the
group convened several workshops to model various aspects of the insider threat (Melara 2003;
Anderson 2004; Rich 2005).
Convinced that system dynamics modeling was a viable mechanism for transitioning our insider
threat knowledge, CERT sought funding for development of a prototype interactive learning
environment (ILE) based on empirically validated models of the insider threat problem
developed using Insider Threat Study data.° The purpose of MERIT is to develop an ILE using
5 an interactive learning environment (ILE) is a process for educational learning that allows the instructor and
student to negotiate the context of the curriculum in the real-time.
4
system dynamics for hands-on analysis of the effects of policy, technical, and countermeasure
decisions on malicious insider activity. It will provide a means to communicate insider threat
risks and tradeoffs, benefiting technical and non-technical personnel, from system administrators
to corporate CEOs. The MERIT project was funded by CyLab at the Camegie Mellon University.
At about the same time the MERIT project was initiated, the CERT insider threat team was
funded by the U.S. Department of Defense Personnel Security Research Center (PERSEREC) for
another system dynamics modeling project. That work is part of an ongoing partnership between
CERT and PERSEREC in response to recommendations in the 2000 DoD Insider Threat
Mitigation report.’ The purpose of the PERSEREC/CERT project is to develop two system
dynamics models based on actual case data - one for insider IT sabotage and one for espionage -
and then compare and contrast the models. The comparison could identify countermeasures that
could be useful for mitigating both risk of insider IT sabotage and espionage in the DOD.
CERT researchers believed that the scope of MERIT should initially be limited to a well-defined
subset of the 150 cases from the Insider Threat Study. Because a model of insider IT sabotage
could be used for both the MERIT and PERSEREC projects, the CERT research team decided to
first focus MERIT on insider IT sabotage cases. As a result, a base model is being developed for
insider IT sabotage that can be used for both projects.
One unique aspect of the Insider Threat Study that was a key to its success was the equal
attention to both the technical and psychological aspects of the problem. MERIT allowed the
CERT team to realize unexpected benefits from the overlap with the PERSEREC project.
CERT’s technical security expertise was augmented with expertise from several organizations in
the areas of psychology, insider threat, espionage, and cyber crime. Therefore, the system
dynamics model for insider IT sabotage being developed for both MERIT and PERSEREC
benefits from a broad range of experience regarding the technical, psychological, and
organizational factors influencing insider threat risk.
3.1 Key Findings from the Insider Threat Study
We base our system dynamics models on findings from the Insider Threat Study, in particular
those cases involving insider sabotage. These were among the more technically sophisticated
attacks perpetrated in the study and resulted in substantial harm to organizations. In the 49 cases
studied, 81 percent of the organizations that were attacked experienced a negative financial
impact as a result of insider activities. The losses ranged from a low of $500 to a high of “tens of
millions of dollars.” Seventy-five percent of the organizations experienced some impact on their
business operations. Twenty-eight percent of the organizations experienced a negative impact to
their reputations. The statistics in this section come from the CERT/USSS Insider Threat Study
report on insider sabotage (Keeney 2005).
The first step taken in modeling insider IT sabotage was to identify the key findings to be
reflected in our system dynamics model. A summary follows:
Insiders were disgruntled and motivated by revenge for a negative work-related event. Fifty-
seven percent of the insiders who committed IT sabotage were disgruntled. Eighty-four percent
7 www.defenselink.mil/c3i/org/sio/iptreport4_ 26dbl.doc
were motivated by revenge, and 92% of all of the insiders attacked following a negative work-
related event like termination, dispute with a current or former employer, demotion, or transfer.
Insiders exhibited concerning behavior prior to the attack. Eighty percent of the insiders
exhibited concemming behavior prior to the attack, including tardiness, truancy, arguments with
coworkers, and poor job performance.
Insiders who committed IT sabotage held technical positions. Eighty-six percent of the insiders
held technical positions. Ninety percent of them were granted system administrator or privileged
system access when hired by the organization.
The majority of the insiders attacked following termination. Fifty-nine percent of the insiders
were former employees, 57% did not have authorized system access at the time of the attack, and
64% used remote access. Many used privileged system access to take technical steps to set up the
attack before termination. For example, insiders created a backdoor account’, installed and ran a
password cracker’, took advantage of ineffective security controls in termination processes, or
exploited gaps in their organization's access controls.
3.2 Targeted Lessons for Training
Based on the above findings, the MERIT team determined that the most important lessons to be
conveyed in the interactive learning environment (ILE) are the following:
Disabling access following termination is important; in order to do so effectively organizations
must have full awareness of all access paths available to each of their employees. (See Section
5.4 for an explanation of access paths). Since so many acts of insider sabotage were committed
following termination, the MERIT ILE must emphasize the importance of completely disabling
access upon termination, a task that is often easier said than done. Many of the attacks in the
Insider Threat Study were possible because the employer did not know all of the access paths
available to their employees.
For example, system administrators created backdoor accounts with system administrator
privileges, knowing that because account audits were not conducted the account would not be
detected and would facilitate the attack following termination. Other privileged users planted
logic bombs - malicious code implanted on a target system and configured to execute at a
designated time or on occurrence of a specified system action. Often the insider configured the
logic bomb to execute following termination, knowing that no characterization and configuration
management procedures'” were in place to detect the malicious code. Other technical insiders
were able to use passwords for shared accounts because there was no formal tracking mechanism
for access to those accounts. Therefore they were overlooked upon termination.
The ILE must emphasize the importance of proactive, ongoing, rigorous access management
practices to facilitate complete disabling of access upon termination.
8 a backdoor account is an unauthorized account created for gaining access to a system or network known only to
the person who created it.
5 A password cracker is a program used to identify passwords to a computer or network resource; used to obtain
passwords for other employee accounts.
° Characterization and configuration management refers to procedures and software that track releases and changes
to software or system components so that unauthorized access can be prevented or appropriate users alerted when a
file has been modified or released.
Management should carefully consider concerning behavior by an employee who appears to be
disgruntled following a negative work-related event, possibly increasing monitoring of the
employee's online activity. It is not practical for organizations to monitor all online activity for all
employees all of the time. Determining the appropriate balance between proactive system
monitoring and other duties of the IT or technical security staff is a difficult task in any
organization. However, almost all insiders in the Insider Threat Study sabotage cases exhibited
conceming social behavior prior to the attack. Therefore, an important lesson to be conveyed by
the MERIT ILE is that organizations should maintain awareness of employee dissatisfaction and
evaluate concerning behavior. Targeted monitoring of online activity by employees of concern
can prevent insider sabotage by detecting technical precursor activity immediately.
4 Fictional Case for Training: iAssemble, Inc.
As mentioned earlier, an interactive learning environment for training on insider threat is more
effective when combined with a concrete case example that clearly illustrates the relationship
between aspects of the insider threat and the effectiveness of various measures to counter the
threat. However, the sensitivity of actual Insider Threat Study case data precludes the use of
actual cases for training. We therefore developed a fictional case scenario that is representative of
a preponderance of actual cases of insider sabotage from the Insider Threat Study.
The following characteristics of our fictional case are important:
Effective access management practices that degrade over time due to competing priorities
Increased acting out (concerning behavior) by insider
Increased tension between insider, staff, and managers
Ineffective management response that would address conceming behavior exhibited by
disgruntled employee
Increased data gathering by insider
Undetected escalation of access by insider
False perception by management underestimating insider access
Punitive actions seem ineffective to management, provocative to insider
The fictional organization is called iA ssemble, Inc.!! The full text of the iA ssemble case example
appears in Appendix A. A summary of the case follows:
iAssemble sold computer systems directly to customers; building each system made-to-order at
competitive prices. Ian Archer, the insider threat actor, had been with iAssemble since its
founding and was the sole system administrator. The environment at iAssemble was traditionally
very relaxed. However, recent substantial company growth resulted in a different culture, as well
as new management who hired a new lead system administrator over Archer.
This action triggered Archer’s disgruntlement, feeling his hard work over the years was not
appreciated. In addition, the new lead system administrator restricted the privileges of all
iAssemble employees, including Archer. Archer vented his anger by openly harassing individuals
and purposely stalling progress on important projects. A performance improvement plan was
‘| The iA ssemble organization and case example are completely fictional, any unintentional resemblance to a real
organization or insider threat case is unintentional.
instituted by Archer’s new manager with disciplinary actions including written warnings, a
temporary suspension, and reduction in his salary. Suspecting he would soon be fired, Archer
created a backdoor with system administrator privileges on iAssemble’s server for later access
should his authorized access be disabled or his administrative privileges be revoked.
Management's increased sense of risk of malicious activity by Archer led them to ramp up audits
of access control quality and access management. Unfortunately these measures were put in
place too late to prevent or detect Archer’s backdoor installation. When management fired
Archer they disabled all known access paths. But unknown to management, a coworker had
shared his password with Archer to increase productivity for their project team. Archer used that
password to log in remotely to the coworker’s machine the night of his firing. Using the backdoor
account he installed a logic bomb on the machinery server, set to detonate three months later.
The logic bomb deleted all the files on the machinery and backup servers leaving the assembly
lines at iAssemble frozen. An investigation revealed that access control policies and practices
had eroded over time. The investigation lead to the arrest of Ian Archer, but iAssemble was left
on shaky ground, causing share prices to plummet. Their image in the market was blemished and
stockholders demanded detailed explanations from company management.
iAssemble’s decision to increase monitoring and auditing was the right one - the steps they took
increased management's knowledge of employees’ access paths. However, the gap between
management's knowledge of Archer’s access paths and his actual access was not fully eliminated
when he was fired, so iAssemble could not disable all of his access paths in time. Hence, Archer
was able take advantage of the residual access that he had to attack following termination.
We believe that the iAssemble case provides a coherent and well-grounded basis for training on
the access management issues relevant to insider sabotage and is representative in character (but
not necessarily detail) of many of the actual cases that we have seen.
5 Model Assumptions
The following assumptions are key to understanding the dynamics, relationships, and conditions
in the MERIT model related to insider IT sabotage and countermeasures.
5.1 Scope
The model begins with the insider at his or her highest position in the organization. Since most
insiders became disgruntled and attacked in their current position, they tended not to carry over
problems from their previous position. While the time periods related to firing and demotion are
important in the model, hiring is not, because significant triggering events related to the attack or
prompting the desire to attack did not typically occur soon after being hired. Also within the
model scope is a negative work-related event that causes the insider to feel dissatisfied toward
the organization, supervisors, or co-workers. Termination or demotion is frequently the last
negative work-related event triggering the insider attack.
5.2 Organization
Key to the model is the organization’s knowledge of insider access rights and privileges, rather
than the authorization for and legitimacy of insider actions. Most organizations have the ability
to track, monitor, and identify access paths for employees, but they can either be unaware of or
forget access paths available to employees due to poor security management practices. In
addition, practices such as security awareness and education, account management, and
personnel behavioral management, play an important role in the model. Access control is key
because insiders require access to perform their job functions but can also use this access to
attack. Therefore, imperfect states of practice, particularly with regard to access control, have a
heavy influence in the model. Access control may not be perfect at the start of the simulation.
5.3 Insiders
The next group of assumptions deals with the insiders themselves: their means, motives, and
opportunities. The model assumes that insiders work alone in attacking the organization and do
not collude; this assumption is supported by most of the cases examined in the Insider Threat
Study. The method by which the insider attempts to attack the organization is typically limited to
the skill sets, experiences, and education exhibited while still an employee with the organization.
An insider may attempt or succeed at gaining more access than his organization authorizes, but
he will seek to gain this access within the confines of their current skill set, experience, and
education.
Insiders tend to feel entitled to perform certain actions or act in a specific way, and this
entitlement escalates over time. If they do not receive reprimands, sanctions, or correction,
insiders begin to feel that they have the organization's authorization to behave irregularly. When
insiders are penalized or corrected they may react negatively and cause further behavioral
disruption or commit technical sabotage.
5.4 Access
Ironically, while access is granted as a necessary course of conducting business operations, it is
also one of the most essential elements of insider attacks. Access to information and systems
allows employees to read, modify, and delete business and system data. The following section
expands on employee access paths, frequently used to conduct attacks.
5.4.1 Access paths
In the MERIT model, access is provided through “access paths”: a set of one or more access
points leading to a critical system. Examples of points along access paths are employee badges,
computer accounts, passwords, and Virtual Private Networks (VPN). The model presumes that
the insider obtains access in one of three ways - access paths are granted by the organization,
created by the insider, or discovered by the insider. Access paths can be known or unknown to
the organization. An access path that is unknown to management is not necessarily illegitimate,
but organizations should reduce unknown access paths by identifying them, reviewing each for
validity, and disabling those without a justified business need.
Granted paths are those authorized by the organization. For example, a granted access path fora
web server administrator could be software and hardware used to publish corporate web pages.
One problem with granted access paths, illustrated in the model, is that organizations can lose
track of their existence if formal tracking procedures are not enforced. An example of a forgotten
path is a privileged shared account created for a team of software developers for the duration of a
project that is not removed or restricted after the project terminates.
Created paths are those established by an employee, such as computer accounts that are created
or hacking tools that are installed on the system by the insider. Created paths can be authorized
or unauthorized, and the organization may or may not know of their existence.
Discovered paths are existing paths revealed to or discovered by an employee. Although they can
be used for malicious insider actions, they may not have been created with malicious intent. An
example of a discovered access path is one that is found when an employee learns that he can
access information, resources, or network services he did not know existed or for which he did
not know he had legitimate access.
Other access path assumptions in the model include:
1. Insiders can lose some or all of their access paths, as well as the ability to create new
paths.
2. Insiders who are demoted or terminated may retain the ability to create or use access
paths for which they are no longer authorized because of a lapse in procedure or practice.
3. It takes time for organizations to recover from poor access management.
4. Effectively disabling of access paths requires that management have full awareness of all
paths available to the employee, and the employee's ability to create new paths.
5. Even without deliberate action by an insider to obtain a higher level of access, there tends
to be a gradual increase in the number of access paths available to an insider over time.
5.5 Defenses
The final assumption pertaining to the model deals with organizational defenses and responses to
unacceptable employee behavior. Organizations typically use administrative, physical, and
technical controls to deter, prevent, detect, and respond to attacks on information and systems,
including insider attacks. The MERIT model focuses on administrative and technical controls,
since physical controls were not a predominant factor in most cases in the Insider Threat Study.
Administrative and technical controls relevant to mitigating risk of insider threat in the MERIT
model are described in Table 1.
10
Policy Lever
Description
Effect
Positive interventions like employee
assistance or counseling that attempt to
May not be effective if quality of
intervention is low.
oe lower disgruntlement directly, to
reduce inappropriate behavioral or
technical actions by insider.
Punitive measures that attempt to May have the opposite effect of
sanctioning motivate the insider to reduce his increasing disgruntlement and
inappropriate behavioral or technical inappropriate actions.
actions to avoid additional sanctioning.
Real-time measures to track and If technical monitoring is not initiated or
technical analyze an insider's online actions, quality is low, management may not have
monitoring such as the use of access paths or an accurate sense of the risk that an
information and resources accessed. insider poses to the organization.
Currently limited to education of Training quality affects the rate of
training employees on appropriate usage of inappropriate online actions and attacks
computer and network systems and the | by insiders.
consequences if misused.
Poor tracking leads to high rates of access
paths unknown by management, making
tracking pine i to keep track it more difficult to disable paths and
pais. easier for the insider to conceal his
actions.
Efforts by management to discover, Facilitates discovery of access paths
understand, review, and disable access | available to the insider. Poor audit allows
auditing and paths available to the insider. Allows _| insiders to amass many unknown access
disabling comparing employees’ abilities and paths making it easier to conceal actions
access paths
efforts to access information, create
access paths, or use access paths
against acceptable policies and
procedures.
and attack after termination.
The threshold of risk posed by the
Too high a threshold may give a
malicious insider additional time to attack
the organization or take technical actions
termination insider te The oNanigaoNebovs to set up an attack following termination.
threshold hich Ty fires the insid Too low a threshold may cause the
cee ee een OO CEERI eae TSE organization to terminate valuable
employees who just need a little
intervention to solve their problems.
scare The time it takes the organization to 7 termination time is too long then the
termination | terminate an insider once the insider may maintain authorized access to
time the system long enough to facilitate an
termination threshold is reached.
attack.
Table 1: Simulation Effects of Policy Levers
11
6 Modeling Behavioral Aspects
Employee disgruntlement was a recurring factor in the Insider Threat Study sabotage cases,
predominately due to some unmet expectation by the insider. For example:
1. The insider expected certain technical freedoms in his’ use of the organization's
computer and network systems, such as storing personal MP3 files, but was reprimanded
by management for exercising those freedoms.
2. The insider expected to have control over the organization’s computer and network
system, but that control was revoked or never initially granted.
3. The insider expected recognition or prestige from management, but was disturbed upon
some event in the workplace, such as being passed over for a promotion.
In our model we focus on the first two. Insider freedom thus represents freedom for the insider to
use or control the system. Expected freedoms could be measured either by the number or extent
of privileges or on a continuous scale from none to root access.
6.1 Insider Expectation of Freedom
Figure 1 depicts changes in the insider’s expectations over time based on his actual freedom as
well as the insider's predisposition to disgruntlement. This predisposition differs from one person
to the next, and influences the rate that expectations rise and fall. The rise of expectations is
influenced heavily by the actual freedom given insider. As illustrated in reinforcing loop R1,
with lax management controls actual freedom grows commensurate with expected freedoms. As
more freedom is allowed, more freedom is taken; as more freedom is taken, more is allowed. In
the model, it is assumed that even lax management sets an upper bound on the extent of
freedoms allowed to any employee.
Lax management unintentionally encourages escalation of expectation. Expectation escalation is
seen in the simulation results in Figure 2. The simulation starts off with expected and actual
freedom at an equal value of 10 freedom units - the freedom allowed any employee of the
organization according to the organization’s appropriate systems usage policy. With lax
management, some employees will try to “push the envelope”, using the system regardless of the
organization’s usage policy. This is especially true for insiders with a strong sense of entitlement.
As management allows the insider's actual freedom to increase beyond that permitted by policy,
the insider’s expectation also rises. As shown in the figure, expected and actual freedom continue
to increase at an equal rate until about week 40, when freedom reaches a point that even lax
management will not permit - more than twice the freedom allowed by policy. At this point, the
insider expects slightly more than what is permitted; this situation creates an equilibrium
condition where unmet expectation stays fairly constant over time.
© Ninety-six percent of the insiders in the Insider Threat Study who committed IT sabotage were male. Therefore,
male gender is used to describe the generic insider throughout this paper.
12
insider's unmet
expectation _
actual freedom
giveninsider ~__ woe)
precipitating
BI
*. event
expectation
re-alignment
(R14 expectation
escalation
+
Expected freedom
byinsider = |“
falling y: rising
expectation expectation
falling predisposition to rising
expectation time disgruntlement expectation time
Figure 1: Expected freedom by insider
This simulation illustrates a situation in which lax management permits increasing freedom for
the insider that can cause major problems later on, especially if that insider has a predisposition
for disgruntlement. The trigger for those major problems, which we call the precipitating event,
tends to be anything that removes or restricts the freedom to which the insider has become
accustomed. In the iAssemble case, as in some of the cases in the Insider Threat Study, the
trigger is the hiring of a new supervisor who enforces the organization’s system usage policy.
25
20
15
10
5
0 a
0 8 16 24 32 40 48 56 64 72 80 88 96 104
Time (week)
Expected freedom by insider ——++—+—2—_ 42+ freedom units
actual freedom given insider —2—-2—-2—2—-2—_2—2—-2 freedom units
insider's unmet expectation freedom units
Figure 2: Expected & Actual Freedom Growth with Lax Supervisor
13
Figure 3 shows simulation results with a new supervisor hired at week 20 who enforces the usage
policy, shown by the drop in actual freedom given insider to 10 freedom units. Coincident with
the drop is a commensurate rise in unmet expectation. Expectation rises (about 40% in 20 weeks)
much faster than it falls, approaching its original policy level at around week 92, assuming an
insider with a strong sense of entitlement. Barring any additional loss of freedom, however,
expectations do fall gradually as the insider comes to accept his new situation. Nevertheless, the
period of high unmet expectation is one of high risk for the organization as explained below. The
additional drop in the actual freedom given insider is also explained below.
25
20
15
itt oen
0 8 16 24 32 40 48 56 64 72 80 88 96 104
Time (week)
Expected freedom by insider ——+—-+—+— 2 42+ freedom units
actual freedom given insider —2—-2—-2—2—-2—_2—2—- freedom units
insider's unmet expectation freedom units
Figure 3: Expected & Actual Freedom with Strict Supervisor Hired at Week 20
6.2 Escalation of Disgruntlement and Sanctioning
Figure 4 depicts part of the model, influences of unmet expectation on the insider’s offline’®
behavior and the organization's response. Three additional stocks are introduced:
e Insider disgruntlement: the insider's internal feelings of discontent due to demands or
restrictions by the organization that he perceives as unacceptable or unfair.
e Behavioral precursors: observable aspects of the insider’s offline/social behavior inside
or outside the workplace that might be deemed inappropriate or disruptive in some way.
e Sanctions: the organization's punitive response to inappropriate behaviors. Sanctions can
be technical, like restricting system privileges or right to use the organization’s equipment
at home, or non-technical, such as demotion or formal reprimand.
A generic measure, severity units, is used to measure behavioral precursors, damage, and
disgruntlement.
'S Throughout the paper, “online behavior’ refers to actions taken using the computer, while “offline behavior”
refers to social behaviors that are not taken on the computer.
14
Reinforcing loop R2 in Figure 4 characterizes escalation of disgruntlement in response to
sanctions for inappropriate social behaviors. As the insider’s unmet expectations increase, Insider
disgruntlement increases. Insiders exhibit disgruntlement by acting inappropriately offline.
Observable inappropriate offline behaviors vary; some insiders take revenge primarily online,
exhibiting fewer offline precursors. We assume that the insider’s predisposition to disgruntlement
indicates their tendency to engage in inappropriate offline behavior before an attack.
Continuing around loop R2 of Figure 4, notice that Severity of the actions perceived by org is
impacted by time to realize insider responsible.'* Severity of actions influences the extent of
sanctioning, which further limits the actual freedom given insider. These dynamics explain the
second decrease in actual freedom in Figure 3 at around week 24, after the new supervisor
imposes sanctions further limiting the insider’s freedom. The model in Appendix B also shows
that technical restrictions on the insider can further limit the insider’s actual freedom.
Instead of (or in addition to) punitive measures, organizations may take positive actions to
address an insider’s disgruntlement. Such actions, represented as employee intervention, include
referral to an employee assistance program or counseling. Balancing loop B2 in Figure 4 reflects
use of employee intervention to address disgruntlement. The organization’s perception of the
severity of the Behavioral precursors, the observable manifestation of the insider's
disgruntlement, and organizational policies determine whether positive intervention or sanctions
are warranted.
employee employee
i ion 2 intervention
intervention proactivity
+
disgruntlement control
through employee
intervention
B2
Behavioral
acting inappropriately —_| precursors|
offline
&
Severity of
\ actions
Tnsider perceived by org
disgruntlement|
changing i %
time to realize
” disgruntlement insider
4n2) disgruntlement reponaible
Sanctioning escalation
insider's unmet
expectation _
actual freedom
given insider —_
precipitating
event
Figure 4: Escalation of Disgruntlement and Sanctioning
“4 Severity of actions perceived by org is a smooth of several factors and may also be considered a stock.
15
Figure 5 shows the increase of Insider disgruntlement due to the insider’s unmet expectation that
arises due to the new supervisor's strict enforcement of the organization’s usage policy. With
only minimal employee intervention (0.2 on a scale from 0 to 1), disgruntlement rises to almost
three times its normal level at about week 24. The predisposed insider begins to act out offline
and receives two sanctions during this time period.
0.8 severity units
3 sanctions
1 fraction
0.4 severity units
1.5 sanctions
0.5 fraction
0. severity units
0. sanctions
0 fraction
0 16 32 48 64 80 96
Time (week)
Insider disgruntlement +— severity units
Sanctions sanctions
employee intervention fraction
Figure 5: Escalation of Disgruntlement and Sanctioning with Minimal Intervention
Figure 6 provides a notional view of how proactive employee intervention can decrease both
disgruntlement and the sanctions needed to address inappropriate behavior arising from that
disgruntlement. In this case, even the predisposed insider is much less disgruntled and warrants
less of a punitive response, i.e. only one sanction. One nice aspect of employee intervention is
that by treating disgruntlement directly, there is less need for punishment and corresponding less
disgruntlement caused by the punishment. Thus, when intervention works it is a win-win
situation for both the organization and its employees. We are still investigating the general
characteristics of the insider and the intervention itself that underlie the success of the approach.
7 Modeling Technical Attack Aspects
As previously mentioned, an organization’s full awareness of access paths available to an insider
is critical to being able to disable those access paths when needed. Two stocks model this
dependency: Insider access paths unknown to org and Insider access paths known to org.
Figure 7 shows the flows between these two stocks:
e forgetting paths flow : Management or the IT staff may forget about known paths,
making them unknown. For example, a manager might authorize a software developer's
request for the system administrator password during a time of heavy development, but if
a formal list of employees with access to that password is not maintained then the
manager could forget that decision over time, or the manager could leave the
organization, leaving no “organizational memory” of the decision.
16
e discovering paths flow: Management or the IT staff can discover unknown paths, making
them known. Discovery can be accomplished by auditing, for example, when new
accounts could be discovered with system administrator or privileged access that were
previously unknown to management.
Insiders can acquire new paths unknown to the organization via the acquiring unknown paths
flow. Finally, organizations can disable known paths via the disabling known paths flow. This
stock and flow structure is used in the refinement of the technical aspects of the model described
in the section below.
0.8 severity units
3. sanctions
1 fraction
0.4. severity units
1.5 sanctions
0.5 fraction
0. severity units
0. sanctions
0. fraction
0 16 32 48 64 80 96
Time (week)
Insider disgruntlement severity units
Sanctions sanctions
employee intervention fraction
Figure 6: Disgruntlement and Sanctioning with Proactive Intervention
forgetting
Insider paths Insider
access paths << aaccess paths
acquiring | unknownto |__z__yJ knownto [ic Aing
unknown paths org discovering org known paths
paths
Figure 7: Access Path Stocks and Flows
7.1 Attack Setup and Concealment
As discussed earlier, an insider's predisposition to disgruntlement and unmet expectations can
lead to increasing disgruntlement which, if left unchecked, can spur not just behavioral
precursors but technical disruptions and attacks on the organization’s computer and network
systems. Prior to the actual attack, there are typically Technical precursors - actions by the
insider to either set up the attack (for example, installation of a logic bomb) or to put in place
mechanisms to facilitate a future attack (for example, creation of backdoor accounts to be used
later for the attack). These online Technical precursors could serve as an indicator of a pending
attack if detected by the organization. Figure 8 depicts the influence that insider disgruntlement
17
can have on the occurrence of Technical precursors that could indicate a pending attack. The
figure shows that both unknown and known access paths can be used to set the stage for attack.
time to realize ingder iss
insider
Ng, Sever of [ame] =.
Semel [esha | “unginapmpay
responsible
technical
pci predisposition 7
for technical
sabotage
| forgetting
zt insider |, Pas Tnsider
AE | ces paths aoe pats
‘acquiring | unknown to} zg known to |. Tiing
unknown paths|__o"g discovering ong | known paths
paths
Figure 8: Attack Setup and Concealment
The extent to which insiders rely on unknown access paths depends on their desire to conceal
actions. Insiders who do not care whether they are caught, or insiders acting impulsively (often
out of the passion of the moment), may use both known and unknown paths in their attack.
Insiders who are particularly risk averse may only attack using access paths that are unknown to
the organization. Of course, an insider may not know whether the organization is aware of a
particular access path or not. Nevertheless, in either case, insiders generate Technical precursors
that suggest suspicious activity. To perceive the severity of these precursors, the organization
must have a technical monitoring quality sufficient to detect the precursors in the first place.
7.2 Attack Escalation
As shown in Figure 9, Insider disgruntlement contributes directly to the rate of inappropriate
technical actions taken by the insider, especially actions that facilitate the attack. Some of these
actions also contribute to the damage potential of the attack. Examples include sabotage of
backups and decreases in the redundancy of critical services or software.
Since insiders in most sabotage cases studied were motivated by revenge, the model assumes that
the actual attack occurs once the damage potential reaches an attack threshold defined by the
insider, provided that the disgruntlement level is sufficiently high. Multiple attacks may be
executed provided that a sufficient number of access paths are available to set up and execute the
subsequent attacks. If the attack execution is autonomous (for example a logic bomb set to go off
when the system reaches a certain state) the insider may need no access paths to the
organization’s critical systems in order to execute the attack. In such a case, the planting of the
logic bomb could actually be considered to be the attack.
Figure 10 shows the simulation results with predisposition for technical sabotage and insider
desire to conceal actions set to 1. Insider disgruntlement rises to its highest level at about week
35 after which the attack is executed. At week 20, prior to the attack, Behavioral precursors are
the first observables indicating the insider's disgruntlement. About 4 weeks later the Technical
precursors start to appear. We believe that this pattem of behavioral disruption before technical
disruption is common among many insiders.
Some insiders install unauthorized tools for non-malicious purposes immediately after they are
hired. For example, one system administrator installed a root kit - a “hacker” tool used to
maintain access to a system without the owner's knowledge. These tools provide insiders with
unauthorized access that makes their work more convenient. These actions are technical
18
precursors that increase risk of an attack if that insider ever becomes angry enough to take
revenge on his employer.
The severity of the technical precursors rises above the severity of the behavioral precursors at
about the time of the attack. Attack damage, which for obvious reasons has severity much higher
than the behavior or technical precursors, occurs immediately at the time of the attack. Technical
precursors level off immediately after the attacks because disgruntlement is greatly reduced by
attack execution. We are still investigating the exact relationship between attack execution and
insider disgruntlement, but we believe that the behavior exhibited by the current model to be
representative of the insider sabotage cases in our study.
attack
threshold
time to realize
insider Attack At} tack |e
responsible a, Severity of «| damage} executing |_potential_lincreasing damage
actions perceived attack potential
by org
insider desi
to conces
actions
Technical
precursors) acting inappropriately
online
Insider predisposition
disgruntlement for technical
sabotage
Figure 9: Attack Escalation
1 event
2.5 severity units
0.5 event
1.25 severity units IN
0 event ie eee
0. severity units J |
0 16 32 48 64 80 96
Time (week)
executing attack event
terminating insider 2 event
Insider disgruntlement severity units
Behavioral precursors 4— severity units
Technical precursors severity units
Attack damage severity units
Figure 10: Attack Simulation
19
8 Modeling Technical Defense Aspects
In the fictional case, iAssemble’s defenses against insider attack were purely reactive, based on
severity of insider actions and risk subsequently perceived. Figure 11 depicts two defensive
actions:
e Auditing the organization’s systems to discover unknown access paths available to the
insider - Auditing must be followed by disabling those paths (loop B3) for this defense to
have significant effect. It is possible, however, that an organization's discovery of access
paths would be a sufficient deterrent for a risk-averse insider if the insider knows the
organization has discovered the paths.
e Reducing the insider's access path creation ability (loop B4) - This defense reduces the
insider's ability to acquire new unknown paths.
Both of these defenses target access paths that may be used by the insider to set up or execute an
attack. A risk-averse insider, who will not attack unless he can conceal his actions, will have less
incentive to attack if unknown access paths are disabled. Known access paths can also be
disabled if they are not needed by the insider to perform critical job functions.
If an organization disables the access paths required to fulfill the insider’s job responsibilities, his
performance and the organizational mission may be negatively impacted. However, if the
perceived risk is sufficiently high, the organization may choose to disable the insider’s access
paths anyway. Within the simulation run, if the risk reaches a termination threshold, the insider is
fired and all known access paths are immediately disabled. Of course, any unknown access paths
still available to the insider may be used to set up and execute an attack.
insider des
‘conceal
actions
sonityot —
actions perceived. Procusory acting inappropsialy
1 technical
by org monitoring quality rétlaoiiition. >
th For technical F) aching
time to realize sehotage quality
insider ° ‘
responsible | fining
paths
| Insider Insider
bg acces hn [oP cess pth
acquiring | unknown to} zg} knownto | icchling
unknown paths|___"y discovering ory known paths
i. paths
a
(B4P.tack control by
limiting ability to \ termination
create access paths e temmination time
4 (ost tesla
insider access 2)
path creation Suid ack contrat |
ity f Sbyedisablin
paths ,
Insider tisk
Figure 11: Risk-based Auditing and Access Path Disabling
20
Figure 12 shows the results of executing the model with audit quality set at 50%, the same level
of audit used to generate the results for Figure 10. In Figure 12, however, the number of access
paths available to the insider is shown, both known and unknown to the organization, over time.
The insider is terminated at about week 32; all known access paths are disabled at time of
termination. However, with audit quality at 50%, the insider still has enough unknown access
paths to continue to set up and execute the attack at about week 38.
To test the effects of auditing, Figure 13 shows the results using the same parameter settings
except that audit quality is set to 80%. Here, the higher level of audit quality keeps the number of
access paths unknown to the organization sufficiently low so that no attack can be executed,
before or after termination. The Technical precursors suggest that the insider started to set up the
attack, but the organization’s defenses were sufficient to stop the insider before he reached the
attack threshold. For an attack threshold of severity 2, the tipping point for the attack is an audit
quality of between 68% and 69%. Future work will determine what it means for an audit process
to be of a certain quality. Of particular interest will be the characteristics of an audit at the
tipping point for an attack.
1 event
0.6 severity units es
9 access paths
0.5 event
0.3 severity units
4.5 access paths
0 event IN
0. severity units ns |
0 access paths i Mots " ‘ .
0 16 32 48 64 80 96
Time (week)
executing attack —+ = = = = = 4— event
terminating insider event
Behavioral precursors severity units
Technical precursors 4— severity units
Insider access paths known to ory = s 5 = 5 access paths
Insider access paths unknown to org access paths
Figure 12: Attack Simulation with Audit Quality at 50%
21
1 event
0.6 severity units
9 access paths
0.5 event
0.3. severity units
4.5 access paths
0 event
0. severity units
0 access paths
0 16 32 48 64 80 96
Time (week)
executing attack event
terminating insider event
Behavioral precursors severity units
‘Technical precursors severity units
Insider access paths known to ory ‘access paths
Insider access paths unknown to ory access paths
Figure 13: Attack Simulation with Audit Quality at 80%
9 Exhibiting the iAssemble Reference Mode
This section demonstrates that the MERIT model exhibits the behavior of the iAssemble case.
Since the iAssemble case is representative of a preponderance of sabotage cases analyzed in the
Insider Threat Study, we believe this model represents key issues in insider IT sabotage cases.
From this we infer that the model is useful for identifying and analyzing the solution space,
which includes policy, procedural, and technical measures that, when used together, can
significantly help prevent or detect insider IT sabotage.
Figure 14 shows the increasing gap between the perception of the insider's access paths and the
actual access paths available to him, which has the same general pattem as in the iAssemble case
of Figure 19.
22
3° event
15 access paths
2 event [ee
10 access paths
1 event
5 access paths
0 event
0 access paths ‘ 4 hus:
0 16 32 48 64 80 96
Time (week)
executing attack event
terminating insider event
Insider access paths known to org SSS access paths
Insider's actual access paths 4 4 4 + + access paths
Figure 14: Exhibiting the iAssemble Problematic Behavior
This perception gap indicates an erosion of the organization’s control of access to its systems.
Access control quality (ACQ) is defined as follows:
access control quality
= W, xunknown path access control quality
+w, x known path access control quality
where
¢ wu is the weight that the organization gives to unknown access paths to determine the
access control quality
e wyis the weight that the organization gives to known access paths to determine the access
control quality and is equal to (1- wu)
So access control quality is perfect if and only if unknown path access control quality is perfect
and known path access control quality is perfect.
We further define
unknown path access control quality
= effectof access paths on aco( miter access paths eae |
max reasonable paths
known path access control quality
aw @ldeboracceae patisol aca{ Saneons access paths known ers)
max reasonable paths
23
where
e max reasonable paths is the number of access paths, known or unknown, beyond which
no additional benefit is gained by the insider.
e paths insider needs to do job is the minimum number of access paths the insider needs to
fulfill his job responsibilities
The function effect of access paths on ACQ, shown in Figure 15,
Figure 15: Function Defining Effect of Access Paths on Access Control Quality
The above assumes that an organization has perfect control of an employees’ access if the
following conditions hold:
1. The employees have no access paths unknown to the organization.
2. The employees have access only to access paths needed to do the job.
Employees with access to paths not meeting one of those two conditions indicate an access
control lapse. The model’s access control metric weighs access control lapses in condition 1
more heavily than those in condition 2. The graph of access control over time is shown in Figure
16. This figure has the same general shape as given in the explanation for the iAssemble attack
given in Figure 18. The rate of acting inappropriately online roughly captures the sharing of
passwords and the installation of a backdoor prior to the termination and the unauthorized access
and planting of the logic bomb during and after termination.
24
1 event
1 fraction
0.08 severity units/week ie
0.5 event
0.5 fraction
0.04 severity units/week
0 event
0 fraction we
0 severity units/week ; 4 4 4 3
0 16 32 48 64 80 96
Time (week)
executing attack event
terminating insider event
access control quality fraction
acting inappropriately online —~——-+——+—4——-=._ severity units/week
Figure 16: Explanation for iAssemble Attack (Simulation)
10 Conclusion
The MERIT project was initiated as a proof of concept - to determine whether or not an effective
interactive learning environment could be developed to teach executives, managers, technical
staff, human resources, and security officers the complex dynamics of the insider threat problem.
An appropriate ILE must be intuitive enough to be easily understood by practitioners who have
most likely never heard of system dynamics.
The steps required to develop the ILE are:
e Gather and analyze extensive insider threat cases (completed - Insider Threat Study)
e Scope the problem for the model (completed - IT sabotage cases)
e Put together team of experts (completed - team consists of experts in insider threat,
system dynamics, technical security, psychology)
Build the model (in progress - current model described in this paper)
Run simulations for initial testing and calibration of the model (in progress - some
simulations described in this paper)
e Create training materials to accompany the model and ILE (student led development of
training materials document as part of student project report (Desai 2006))
At this point, the MERIT team feels confident that an effective model that conveys important
lessons regarding insider threat has been created. The simulations accurately mimic the patterns
and trends in the majority of the cases in the Insider Threat Study. Further calibration and
validation of the model is still necessary before it can be released for educational or training use.
In addition, extensive user interface testing will be required to develop an intuitive interface and
accompanying training materials before it can be used in an actual training class.
25
In addition to training, the MERIT team plans to present the model to experts in technical
security, human resources, and organizational dynamics to calibrate it accurately so that it can be
used for additional insights into the insider threat problem and effective countermeasures.
11 Acknowledgements
CERT would like to thank the Army Research Office and Camegie Mellon University’s CyLab
for funding this project.
CERT appreciates the work and dedication of the Insider Threat Study team; without the study
none of our follow on insider threat research would have been possible. Many thanks to the
Insider Threat Study research staff:
Carnegie Mellon University, Software Engineering Institute, CERT: Andrew Moore, Bill
Wilson, Bradford Willke, Casey Dunlevy, Chris Bateman, Dave lacovetti (USSS/CERT
Liaison), David Mundie, Dawn Cappelli, Mark Zajicek, Stephanie Rogers, Tim Shimeall,
Tom Longstaff , Wayne Peterson (USSS/CERT Liasion), Comelius Tate (USSS/CERT
Liaison).
U.S. Secret Service, National Threat Assessment Center: Brandi Justice, Diana McCauley,
Eileen Kowalski, Georgeann Rooney, Jim McKinney, Lea Bauer, Lisa Eckl, Marisa Reddy
Randazzo, Megan Williams, Michelle Keeney, Susan Keverline, Tara Conway.
CERT would like to acknowledge the valuable participation in development of the MERIT
insider IT sabotage model by the DoD PERSEREC team: Dr. Lynn Fischer (PERSEREC project
sponsor), Dr. Katherine Herbig (PERSEREC), Dr. Eric Shaw (Consulting and Clinical
Psychology, Ltd.), and Dr. Stephen R. Band. The PERSEREC team members bring unmatched
expertise in insider threat, psychology, espionage, and cyber crime.
CERT would like to thank members of the The Security Dynamics Network, a collaborating
network of institutions and associated researchers using System Dynamics modeling to explore
risk dynamics, especially with respect to cybersecurity. Its members include: University at
Albany; Agder University College; TECNUN, University of Navarra; Worcester Polytechnic
Institute; Sandia National Labs; Argonne National Labs; and Camegie Mellon University.
Network members have met several times per year since 2004, providing feedback on various
system dynamics projects related to cybersecurity.
Last, but not least, we thank the anonymous reviewers of this paper for their valuable comments
to improve the paper.
12 References
Argyris, C., & Schon, D. (1974) Theory in practice: Increasing professional effectiveness. San
Francisco: Jossey Bass.
Anderson, D.F., Cappelli, D.M., Gonzalez, JJ., Mojtahedzadeh, M., Moore, A.P., Rich, E.,
Sarriegui, J.M., Shimeall, TJ., Stanton, J.M., Weaver, E., and Zagonel, A. 2004. Preliminary
System Dynamics Maps of the Insider Cyber-Threat Problem. Proceedings of the 22nd
International Conference of the System Dynamics Society, July 2004. Available at
http://www.cert.org/archive/pdf/InsiderT hreatSystemD ynamics.pdf.
26
Desai, A.G. 2006. Insider Threat Dynamics. Project Report for Master of Science in Information
Networking, Information Networking Institute, Carmegie Mellon University, 3 May 2006.
Groessler, A. (2004). Don’t let history repeat itself - methodological issues conceming the use
of simulators in teaching and experimentation. System Dynamics Review 20(3), 263-274.
Janis, I. & Mann, L. (1977). Decision Making: A Psychological Analysis of Conflict, Choice and
Commitment. New York: The Free Press.
Kahneman, D., Slovic, P. & Tversky, A. (1982). Judgment Under Uncertainty: Heuristics &
Biases. Cambridge, UK: Cambridge Univeristy Press.
Keeney, M.M., Kowalski, E.F., Cappelli, D.M., Moore, A.P., Shimeall, TJ., and Rogers, S.N.
2005. Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. J oint
SEI and US. Secret Service Report, May 2005. Available at
http://www.cert.org/archive/pdf/insidercross051105.pdf.
Lane, D. (1995). On a resurgence of management simulations and games. The Journal of the
Operational Research Society, 46(5), 604-625.
Melara, C.; Sarriegui, J.M.; Gonzalez, J.J.; Sawicka, A.; and Cooke, D.L. 2003. A system
dynamics model of an insider attack on an information system. Proceedings of the 21st
International Conference of the System Dynamics Society July 20-24, New York, NY, USA.
Moore, A.P., and Cappelli, D.M. 2005. Analyzing Organizational Cyber Threat Dynamics.
Proceedings of the Workshop on System Dynamics of Physical and Social Systems for National
Security, 21-22 April 2005.
Randazzo, M.R., Keeney, M.M., Kowalski, E.F., Cappelli, D.M., Moore, and A.P. 2004. Insider
Threat Study: Illicit Cyber A ctivity in the Banking and Finance Sector. Joint SEI and U.S. Secret
Service Report, August 2004. Available at http://www.cert.org/archive/pdf/bankfin040820.pdf.
Rich, E., Martinez-Moyano, IJ., Conrad, S., Cappelli, D.M., Moore, A.P., Shimeall, TJ.,
Andersen, D.F., Gonzalez, J.J., Ellison, RJ., Lipson, H.F., Mundie, D.A., Sarriegui, J.M.,
Sawicka, A., Stewart, T.R., Torres, J.M., Weaver, E.A., and Wiik, J. 2005. Simulating Insider
Cyber-Threat Risks: A Model-Based Case and a Case-Based Model. Proceedings of the 23rd
International Conference of the System Dynamics Society, July 2005.
Rosenthal, R. & Jacobson, L. (1992). Pygmalion in the classroom. Expanded edition. New York:
Irvington.
Sterman, J.D. (2006). Leaming from evidence in a complex world. American Journal of Public
Health, 96(3), 505-514
Tedeschi, J.T. (1981). Impression management theory and social psychological research
NY: Academic Press.
Wason, P.C. (1966) Reasoning. In B. M. Foss (Ed.) New Horizons in Psychology.
Hammondsworth, UK: Penguin.
27
Appendix A: The iAssemble Training Case»
iAssemble sells computer systems directly to customers, building each system made-to-order and
offering competitive prices. iAssemble has been doing extremely well and conducted an initial
public offering (IPO) in 2001, after which its stock doubled.
Organization Background
iAssemble is headed by Chris Eagles, who is the Chief Executive Officer (CEO). Eagles started
the company in 1997 with two of his friends, Carl Freeman and Caroline Thompson, who are
now the Chief Financial Officer (CFO) and Chief Technical Officer (CTO), respectively. The
company had continually hired experienced managers and employees over time.
Ian Archer, the malicious insider, was among the few employees who had been with iAssemble
since its establishment. Archer started out as computer specialist and technical assistant to the
three original founders, Eagles, Freeman, and Thompson. When hired, Archer held certifications
in personal computer (PC) hardware maintenance and operating system administration but did
not possess a four-year, baccalaureate degree. He compensated for his lack of education with
hard work and over the next four years he became the sole system administrator at iAssemble.
iAssemble grew at a moderate rate. Recognizing the need for qualified personnel, Eagles and
Thompson began to hire experienced system administrators who could also function as project
managers. Lance Anderson was hired as lead system administrator because of his education and
qualifications, and, James Allen was hired as a Junior System Administrator to share Archer's
growing systems administration workload and responsibilities.
Insider Situation
Ian Archer had always been responsible for the software that ran the assembly machinery, and
played an important role when iAssemble automated its PC assembly processes.
Archer’s disgruntlement grew steadily over the course of several months due to the growth and
associated changes at iAssemble. When Anderson was handpicked for the Lead Administrator
position by Caroline Thompson, Archer began to feel confined in his current role and saw limited
opportunities for advancement. Policy changes by Anderson meant that Archer could no longer
work with the freedom he had always enjoyed. He began receiving detailed instructions on how
to work and felt “micro-managed.” Archer's performance slumped, prompting Anderson and
senior management to look to others, such as Allen, for important projects. As a result, Archer
felt detached from the new culture at iAssemble, its leadership, and its continuing success.
Archer was assigned to mentor Allen and ensure his smooth assimilation within iAssemble’s
culture. Archer and Allen worked on a few small projects together but Archer felt that the
projects were too menial for his technical skills. He found Allen to be nearly as technically
competent as himself, which contributed to his frustration. While working on one of these
projects, Allen shared the password to his personal desktop machine at iAssemble, named
'8 The iA ssemble organization and case example are completely fictional, any unintentional resemblance to a real
organization or insider threat case is unintentional.
28
Kilimanjaro, with Archer. Sharing the password enabled each of them to access the project files
when the other was out of the office.
Archer’s disgruntlement grew, and he openly proclaimed that Anderson, was just a namesake. If
anyone disagreed he verbally abused them until they backed down and apologized. He even
bottlenecked projects on purpose on several occasions, stalling his work on the project to ensure
Anderson and the project team missed project milestones. Archer received a written warning
from Thompson after several co-workers formally complained. Enraged by this, he had a heated
argument with a team member who then quit the very next day, citing Archer as the reason for
his resignation. Archer was suspended for a day without pay and received a cut in his salary.
At this point Thompson became more cautious regarding Archer and wanted to fire him.
Anderson wamed that firing a disgruntled system administrator was a complicated task. Almost
every company he worked for had access control gaps that would allow an ill-tempered, ex-
employee to cause system damage. He suspected such a scenario existed for iAssemble, and in
the face of Archer's firing, could be risky. Anderson believed that yearly audits iAssemble
conducted lacked proper vigor and documentation, and there was no way to be certain that they
had reduced their risk to sabotage by a former employee. A decision was made to increase audits
of access control quality and access management. The audits would begin immediately.
Insider Attack
After the blowup with his team member and the subsequent salary cut, Archer had the feeling
that he would soon be fired. He decided that he needed to have the means to get back at
iAssemble in the event that his worst fears came true.
The audits revealed a great deal about iAssemble’s access management. Many access paths, both
of present and past employees, were discovered which should have been disabled. Dummy
accounts were discovered which were created for testing and debugging purposes but never
deleted; a few had even been created by Archer. These access paths were promptly disabled.
Thompson felt there was steady progress being made and deemed the audit an excellent decision.
In the meantime, Archer planted a backdoor on the main machinery server that provided him
with unauthorized access. Archer’s immediate anger with iAssemble was alleviated a little after
this act, but he was still disgruntled.
Archer became infuriated when he overheard that management was planning to fire him. He
decided to wait until after his termination, then seek revenge. Two days later, on December 14,
2001, Archer was fired and his access disabled. Unfortunately, iAssemble managers were not
aware that he knew the password to Kilimanjaro, James Allen’s iAssemble machine, and did not
think to change it. Archer went home the night he was fired and successfully logged into
Kilimanjaro. He then used his backdoor on the machinery server to plant the logic bomb. He did
the same on both of the backup servers. He cleverly set it to go off two months from that date to
deflect suspicion from him. Figure 17, below, shows Ian Archer's attack method.
On February 14, 2002, the logic bomb went off, deleting all files on the machinery server and its
backup servers, leaving the assembly lines at iAssemble frozen.
29
Organization’s Response
When investigators suggested the possibility of insider attack, management was puzzled as to
how that was possible in light of the increased monitoring, policies and best practices in place at
iAssemble. Eventually, the system logs were used to trace the access to the machinery server
from Kilimanjaro. James Allen claimed that he was innocent and explained that he had given the
password to his machine to Archer when they worked together.
Ian Archer was soon arrested, but iAssemble was left on shaky ground. Their share prices
plummeted and their image in the market was blemished.
Management concluded that growth took its toll at iAssemble with the company facing access
control and employee disgruntlement issues. With a whopping growth in sales figures of 68%
over the past quarter, iAssemble was rapidly hiring good and efficient people. However, this
situation created competition for positions within iAssemble, leading to job dissatisfaction
among some employees. Access control quality also eroded over time with employees under
pressure to meet deadlines and subsequently violating security policies. Figure 18 depicts the
dynamics that occurred at iA ssemble.
1. Logs in to , 3. On December 14:
Rciniey Sever Archer’s Attack Remotes into Allen's
~ when on job work computer after
y getting fired
- I
\ piece ? .
. Terminal
~
Backup Serve 4, Logs into the
wa > backdoor via
AS Z H 5. Plants logic bomb Allen’s machine,
onall3servers | --=- ~~~
6. On Feb 14:
Logic bombs go
off
Machinery \
Server p
Backup Server 2. Plants backdoor
after login
Machinery Network Firewalled
from Intemal Network
Figure 17: Insider’s Method of Attack
Explanation for iAssemble Attack
¢
Peco cf iin iy
Access Nadas weeks 2
Management ————————~
Attack Time
Original access
management
goal
‘Access control
audit quality
Lead
Admin
Bomb Flanied
Hind Increased Monitoring
Backdoor Planted Archer Fired + Logic Bape)
Overhe ary Firing Decision. Time
Figure 18: Explanation for iAssemble Attack
Despite iAssemble’s efforts to maintain information security best practices, security policy
enforcement became lax in support of the culture of growth at all costs. Hence, access control
deteriorated over time.
When iAssemble management realized that they needed to increase monitoring and audits, they
started out on the right foot. The steps they took ensured that management's knowledge of their
employees’ access paths increased. However, the skew between management’s knowledge of
Archer’s access paths and the actual access paths that Archer had, was not fully overcome by the
time Archer was fired, and iAssemble could not disable all of his access paths in time. Hence,
Archer was able take advantage of the residual access that he had, as shown in Figure 19.
31
Problematic Behavior — Insider Access Paths
Attack Time
8 weeks
Period of sising
expectation
Insider
4 weeks
Access Level, —
ption of
Archer's access
paths
pere!
Original
authorized
access paths
Complete
Awareness
Aeher Fired + Logie
Backdoor Planted
Lead
Admin
‘Bom Planted
Increased Monitoring
Hired
Time
Overhears Firing Decision
Figure 19: Analysis of Insider Access Level
32
Appendix B: Simulation Model Overview
employee eanloywe
iitervertien — intervention
s proactivity sutaae
threshold ee
insider access
ack paths uenwn,
Alto beg) dimes [EK nsider dite *
derege | emoting | pot [inseastng dame ‘neon f
ae Potertial gaining Immune unownpath
(wah attack: quality \
OT eecalation | wittagen
access control
at
ieee opie}
¥ precursors | acting inappropriately
damage> tecnica = calines
— nonitoringquetity (Rah a
predisposition ‘Gay
for technical \
sabotage -
forgetting
Insider paths Insider
access paths f= Jaccess pratt
winownto |__| Krewnto [ying
ory, os known paths
paths
\ teriration
tamination time
threstnld
insider acoess path \
(an Giveninsider creation ability> }
cata eae ; '
paths Inownto 01 ies
i. employment
paths insider stats
erimias | aS needs to do jab> Insider risk.
a a
x SS i
falling predisposition to rising realize in —_———
disgunilement, ‘expectation time reaporsibles>
33
34
