Institutional Repository

Towards an integrated dynamic model for managing insider threats for risks and vulnerabilities mitigation

dc.contributor.advisor Ngassam, Ernest Ketcha en
dc.contributor.advisor Singh, Shawren en
dc.contributor.author Chaipa, Sarathiel en
dc.date.accessioned 2026-05-16T05:07:09Z
dc.date.available 2026-05-16T05:07:09Z
dc.date.issued 2025-10-24
dc.identifier.uri https://ir.unisa.ac.za/handle/10500/32473
dc.description.abstract Despite the continuous advancement and deployment of technical information security controls, such as firewalls, endpoint protection, intrusion detection systems, anti-malware software, and comprehensive information security policies, standards, and guidelines, the human element, specifically the organisation's employees or insiders, persists as the most critical vulnerability in the information security framework. The fundamental challenge posed by insider threats stems from the paradox of authorised access. While insiders require legitimate credentials to perform their designated functions, this same access can be exploited to subvert security mechanisms, operate undetected, and obfuscate malicious activity. Such threats manifest when individuals, motivated by factors such as financial incentives, workplace disaffection, or personal retribution, leverage their privileged access to deliberately compromise the confidentiality, integrity, or availability of critical organisational assets. Accordingly, the failure to systematically address the insider threat challenge constitutes a material risk exposure, significantly increasing an organisation's susceptibility to severe insider threat security incidents. This research therefore sought to investigate and develop an integrated dynamic model for managing insider threats, with a focus on risks and vulnerabilities, employing a design science research methodology which resulted in the development of an artifact. It employs a positivist approach, since the objectives are indisputable facts about maintaining the confidentiality, integrity, and availability of organisational information in the face of insider threats. A review of existing insider threat taxonomies revealed a diverse range of classification schemes intended to characterise the insider threat agent. However, a critical observation was that the insider threat agent was not a static entity but rather a dynamic and adaptive target. 
It was conjectured that an adversary could traverse multiple categories within a single taxonomy, or transition across different taxonomic frameworks, thereby generating an insider threat agent traversal mutation path designed to evade precise characterisation and subsequent detection. Consequently, the integration of disparate taxonomies, while necessary to capture this complexity, results in an exponential proliferation of theoretical insider threat categories, highlighting the inherent challenge of achieving a definitive and stable classification. The research established that insider threats have a more devastating impact than external threats, as insiders have full knowledge of their organisation and authorised access to sensitive and confidential organisational information. It was noted that detecting insider threats was extremely difficult due to the subtle, dynamic nature of the insider threat problem. It was noted, further, that compared to external threats, whose footprints are difficult to conceal, internal threats were hard to detect because insiders had privileged access to internal applications, networks, and systems. This research, therefore, focused on understanding insider threats, their characterisation and taxonomies, and developing an integrated dynamic model for insider threat mitigation. The major outcome of the research was the development of an artifact, the MOCR (Motivation, Opportunity, Capability, Rationalisation) model, that enables organisations to track, profile, and detect insider threats. The model was premised on the development of a new taxonomy of insider threat agents that leverages tracking of these agents, since they follow combinatoric mutation paths throughout their lifecycle in the organisation. 
The model further proposed risk profiling of insider threat agents and classifying them into low, medium, high, and critical risk categories, with a view to directing threat identification, protection, detection, prevention, and mitigation efforts on high-risk insider threat agents. The development of the MOCR model advances the state-of-the-art solution in insider threat research by adding advanced mechanisms to proactively detect threat agents, propose organisational asset protection models, and recommend solutions to manage and mitigate insider threats. en_US
dc.format.extent 1 online resource (xxxiii, 452 leaves) : illustrations en
dc.language.iso en en
dc.subject Information security en
dc.subject Information security control en
dc.subject Information security policies en
dc.subject Information security standards en
dc.subject Information security procedures en
dc.subject Information security guidelines en
dc.subject Privilege en
dc.subject Risk threat en
dc.subject Vulnerability en
dc.subject Insider threat en
dc.subject Threat mitigation en
dc.subject Threat remediation en
dc.subject Risk mitigation en
dc.subject Vulnerability mitigation en
dc.subject Vulnerability remediation en
dc.subject Threat intelligence en
dc.subject.lcsh Computer security -- Management en
dc.subject.lcsh Computer security -- Risk assessment en
dc.subject.lcsh Information technology -- Security measures -- Management en
dc.subject.lcsh Risk management -- Technological innovations en
dc.subject.other UCTD en
dc.title Towards an integrated dynamic model for managing insider threats for risks and vulnerabilities mitigation en
dc.type Thesis en
dc.description.department Information Systems en
dc.description.degree PhD. (Information Systems) en

