Eye-Tracking Active Indicators of Insider Threats: Detecting Illicit Activity During Normal Workflow

Abstract

Cyber challenges faced by organizations today involve malicious inside actors, often labeled insider threats (ITs). These present a difficult challenge in that the most well-designed cybersecurity apparatus is vulnerable to those inside the organization who have privileged access to information systems. Innovative methods must be developed to help security analysts narrow the large pool of potential ITs in large organizations to a more manageable number. The purpose of this article is to develop and validate eye-tracking metrics that are diagnostic of IT behavior. Key stimuli, or called active indicator probes, were embedded into a simulated workflow to elicit diagnostic eye-tracking responses. Two environments were simulated: financial and intelligence analysis. We evaluated participants performing as regular workers relative to ITs to identify metrics that distinguished between the two groups. Detection of illicit eye gaze behavior while using chat programs was possible when conversations with accomplices occurred in a separate chat window from normal permissible chat conversations. Validation of results in real work environments is necessary for practical application. However, if the approach proves to translate successfully, automated monitoring of eye-tracking responses may augment existing insider detection methods, within frameworks for best practices in organizational security and cyber defense.