Improving Insider Threat Detection Through Multi-Modelling/Data Fusion

Abstract

Insider threats within organizations can take a variety of forms including fraud, theft of classified or proprietary data, and workplace violence. Insiders can be overt individuals who commit deliberate acts against their organization, or inadvertent insiders who provide access to organizational IT systems. The damage from insider threats was estimated at an annualized average of $4.3M per company across a variety of industries in a 2016 study, which does not include the damage to an organization’s reputation, loss of business, and decrease in company value. The Scientific advances to Continuous Insider Threat Evaluation (SCITE) program sponsored by the Intelligence Advanced Research Projects Activity (IARPA) was created to improve insider threat detection. In the first phase of this effort, three competing teams were provided aggregated individual performance data and asked to answer system performance questions on a range of complex challenge problems. The purpose was to be able to detect a subset of individuals from within the overall population of an organization that displayed a behavior or belonged to a group. Teams were scored on three metrics: mean squared error, calibrated certainty interval, and interval score. The team led by Innovative Decisions, Inc. (IDI) used a multiple model approach with data fusion to model these problems. This approach proved far superior to the methods used by the two other teams across all three metrics. The results of this research are applicable to any area where the objective is to identify a very small subset of a much larger group using incomplete, noisy data. Specific areas benefitting education and research include airline passenger screening, vetting of immigration or visa applications, and security clearance reviews.