SoK: The Psychology of Insider Threats
This paper presents a systematic literature review on the psychology of insider threats—security risks originating from individuals within organizations. While this is a well-established research area, psychological perspectives remain underdeveloped. The extended version adds background to better contextualize the role of personality traits, psychological states, and situational factors in insider threats. The paper also highlights research gaps and the need for stronger theoretical foundations in this domain.
- Book Chapter
- 10.1049/pbse009e_ch10
- Mar 11, 2019
Cloud computing is viewed as a cost-effective and scalable way of providing computing resources for both large and small organizations. However, as cloud storage is outsourced it is highly susceptible to information security risks. The insider threat may become particularly insidious with the predilection towards cloud computing. Insiders have a significant advantage, as not only do they have knowledge about vulnerabilities in policies, networks or systems but they also have the requisite capability. An 'insider' is any individual who has legitimate access to an organization's information technology infrastructure whereas an 'insider threat' uses the authority granted to him/her for illegitimate gain. Fundamentally, the insider threat concern is a complex issue, as the problem domain intersects the social, technical, and socio-technical dimensions. From a cloud-computing perspective, the concept of the insider is multi-contextual and consequently propagates more opportunities for malfeasance. The definition of an insider changes from context to context; an insider is someone who works within an organization that uses a cloud-based system and it also includes a user that works for a cloud service provider. Clearly, the concept of the insider within the cloud-computing domain is amorphous. This chapter intends to define the insider threat and identify the various types of insider threats that exist within the cloud-computing domain. This chapter considers the challenges involved in managing the insider threat and possible mitigation strategies including authentication schemes within cloud-based systems. To this end, this chapter also considers the various mitigation strategies that exist within the technical, social and sociotechnical domains in order to identify gaps for further research.
- Research Article
4
- 10.61093/sec.8(2).44-63.2024
- Jul 2, 2024
- SocioEconomic Challenges
This qualitative study, a systematic literature review drawing on literature primarily published within the last five years, addresses a comprehensive approach to a crucial but often overlooked aspect of cybersecurity: the human factors underlying insider threats. Attention is focused on the so-called “organizational arsonists” – individuals who willfully seek to adversely impact the organization by inducing anarchy aligned with their own motivations, insiders who purposefully damage their companies using digital methods, someone intentionally causing mayhem within a company, which can be criminal in cyber environments. The purpose of the research is to identify how cybersecurity leadership can effectively detect and mitigate the risks associated with insiders, particularly those exhibiting arsonist-like behaviors. The review uncovers that organizational arsonists can escalate cybersecurity risks substantially, with insider incidents costing organizations an average of $16.2 million per incident. These incidents now represent a persistent challenge, increasing in frequency by 68% over the past year according to the 2022 Insider Threat Report. The findings highlight the necessity of leadership strategies that preemptively recognize and neutralize potential insider threats to improve organizational resilience and security posture. This approach not only informs current cybersecurity practices but also aids in the development of targeted policies and refined regulatory measures. By integrating insights from psychology, criminology, and cybersecurity, the study provides a comprehensive understanding of the human elements influencing insider threats, essential for enhancing both academic knowledge and practical applications in risk management. The results showed a parallel between the motivations of arsonists who set physical fires and the characteristics and motivations of insider threats who exploit organizational vulnerabilities.
The impact of this research can be helpful in assisting cybersecurity professionals, leaders who strategize against cyber threats, and risk managers and analysts who understand and mitigate human factors and insider threats. Leaders and executives may use these insights to improve security resource allocation and culture. Policymakers and regulators may use the study’s results to create more nuanced cybersecurity legislation, while academics and students in related disciplines can use it for future research.
- Research Article
59
- 10.1016/j.jisa.2017.11.001
- Mar 5, 2018
- Journal of Information Security and Applications
Motivation and opportunity based model to reduce information security insider threats in organisations
- Conference Article
56
- 10.1145/2808783.2808784
- Oct 16, 2015
Insider threat is a significant security risk for organizations. In this paper, we attempt to discover insider threat by identifying abnormal behavior in enterprise social and online activity data of employees. To this end, we process and extract relevant features that are possibly indicative of insider threat behavior. This includes features extracted from social data including email communication patterns and content, and online activity data such as web browsing patterns, email frequency, and file and machine access patterns. Subsequently, we detect statistically abnormal behavior with respect to these features using state-of-the-art anomaly detection methods, and declare this abnormal behavior as a proxy for insider threat activity. We test our approach on a real world data set with artificially injected insider threat events. We obtain a ROC score of 0.77, which shows that our proposed approach is fairly successful in identifying insider threat events. Finally, we build a visualization dashboard that enables managers and HR personnel to quickly identify employees with high threat risk scores which will enable them to take suitable preventive measures and limit security risk.
- Research Article
1
- 10.3389/fpubh.2025.1445662
- Feb 10, 2025
- Frontiers in public health
States of exclusion from social relations (ESR) refers to severe social isolation in older age that is not always typified by increased loneliness. Relevant deficiencies in the social network of older persons may be gendered and associated with personality and socioeconomic barriers, with direct implications for older persons' welfare. Although the contribution of personality traits and socioeconomic barriers in shaping ESR states in older age is often debated, empirical evidence that addresses their unique contribution is limited. Therefore, the aim of this study was to examine the gender-stratified associations of situational (e.g., marital status, socioeconomic conditions) and dispositional factors (i.e., personality traits) with ESR states and loneliness in older age. A cross-sectional and gender-stratified secondary analysis of a sample (N = 36,814) from the Survey on Health, Aging, and Retirement in Europe was conducted using logistic regression models. The probability of ESR was higher among older men. Certain situational factors (e.g., widowed, never married) significantly increased the probabilities of ESR for both genders, while others (e.g., divorce) had a gender-specific significance. Less extraversion among older women and less conscientiousness among older men was associated with an increased probability of ESR in later life. Within ESR states, older men living alone and older women who are less extraverted were more at-risk of loneliness. Situational factors are more predictive of ESR states than personality traits, yet a gendered perspective is needed when assessing the risk factors of ESR and loneliness in later life.
- Research Article
15
- 10.1108/arla-12-2017-0355
- Jul 12, 2019
- Academia Revista Latinoamericana de Administración
Purpose: The purpose of this paper is to examine the psychometric properties of the Spanish version of the Core Self-Evaluations Scale (CSES) and the Brief Index of Affective Job Satisfaction (BIAJS) in terms of internal consistency and factor structure and to, subsequently, analyze the influence of a set of dispositional factors (namely, core self-evaluations, CSEs) and situational factors (namely, psychosocial factors) on job satisfaction. Design/methodology/approach: In total, 209 academics from an Argentinian university completed online surveys at two stages, separated in time, to reduce the common method bias. Findings: The Spanish version of the CSES and the BIAJS showed acceptable psychometric properties, which were similar to those previously reported in North-American, European and Asian settings. Hierarchical regression analyses revealed that both situational and dispositional factors are significant predictors of job satisfaction. Research limitations/implications: The CSES and the BIAJS seem to be valid and reliable instruments for assessing CSEs and job satisfaction, respectively, in Latin America. The adoption of an interactionist approach that includes both situational and dispositional factors is crucial in future research examining job satisfaction. Practical implications: Managers should carefully evaluate the personality traits of candidates during personnel selection, as well as the working conditions they offer to their employees, since both factors seem to affect job satisfaction. Originality/value: This paper contributes to the validation of two scales that may promote future organizational behavior/psychology research in Latin America. In addition, it provides empirical evidence on the relative influence of a set of situational and dispositional factors on job satisfaction, thus contributing to the resolution of the person-situation debate.
- Research Article
7
- 10.1016/j.cose.2021.102314
- May 31, 2021
- Computers & Security
Using alternate reality games to find a needle in a haystack: An approach for testing insider threat detection methods
- Conference Article
59
- 10.1109/hicss.2015.423
- Jan 1, 2015
Efforts to understand what goes on in the mind of an insider have taken a back seat to developing technical controls, yet insider threat incidents persist. We examine insider threat incidents with malicious intent and propose an explanation through a relationship between Dark Triad personality traits and the insider threat. Although Dark Triad personality traits have emerged in insider threat cases and deviant workplace behavior studies, they have not been labeled as such and little empirical research has examined this phenomenon. This paper builds on previous research on insider threat and introduces ten propositions concerning the relationship between Dark Triad personality traits and insider threat behavior. We include behavioral antecedents based on the Theory of Planned Behavior and Capability Means Opportunity (CMO) model and the factors affecting those antecedents. This research addresses the behavioral aspect of the insider threat and provides new information in support of academics and practitioners.
- Research Article
2
- 10.12681/ppej.10630
- Apr 25, 2017
- Preschool and Primary Education
The current review aims at providing an understanding of factors implicated in traditional and cyber-bullying/victimization (TB, TV, CB, CV). More specifically, the purpose of the present review is to critically analyze and synthesize empirical findings from Greek samples and organize them within the theoretical framework of General Aggression Model (GAM). According to the GAM, some person and situational factors based on pre-existing knowledge structures could lead to specific behavioral outcomes through cognitive, affective and arousal routes. The interplay among these routes reflecting the individual’s internal state may be associated with appraisal and decision-making processes which in turn may be linked to bullying or victimization experiences. Using the GAM as a theoretical framework, a synthetic review of past empirical research of person and situational factors related to TB/TV and CB/CV is presented. Socio-demographic (e.g., gender, age, academic achievement), personality factors (e.g., big five, psychopathic traits, self-esteem, emotional intelligence, social intelligence, sensation seeking, empathy), psychological states (e.g., depression), attachment style, online disinhibition, skills (e.g., social/internet), maladaptive behaviors (e.g., Specific Learning Difficulties), beliefs (e.g., low self-efficacy), and values/perceptions (e.g., moral disengagement), (i.e. person factors), as well as specific parenting styles/practices, low friendship quality, and perceived school climate (i.e. situational factors) are proposed as risk factors of such experiences. Furthermore, possible mechanisms and processes (i.e. present internal state; cognition, affect, arousal), which may serve as routes for both TB/TV and CB/CV experiences are described. In this vein, Hostile Attribution Bias, Theory of Mind, expectation of reward and expectation of victim suffering (i.e. social cognition) are suggested as paths through which specific individual or situational factors could lead to bullying and victimization. The present review also focuses on appraisal and decision-making processes, and specifically on coping strategies, through which individual and situational factors, as well as present internal states, could be linked to bullying and victimization. Moreover, some possible psychological and behavioral consequences (e.g., low self-esteem, internalizing and externalizing problems, aggressive behaviors) of experiencing TB/TV and CB/CV are suggested. Overall, the present review provides indications that some person and situational factors, which in many cases are common in both physical contexts and cyberspace, could be associated through specific processes to TB/TV and CB/CV. However, there are some differentiations among the factors linked with TB/TV and CB/CV suggesting that these phenomena, although partially related, may not be similar. The factors and processes, which could lead to aggression, seem also to be in line with the GAM. However, some empirical findings attest that a cluster of person, cognitive and emotional factors, as well as appraisal processes might interact (e.g., personality, social cognition and coping factors) to predict specific behavioral outcomes such as bullying and aggressive behaviors. These interactive relationships are not currently considered by the GAM. Thus, the present review provides further insights into the strengths and the limitations of the aforementioned theoretical framework. In this direction, it underlines the need for reconsidering past theory and integrating several theoretical models, in order to provide a comprehensive understanding of the factors and mechanisms implicated in bullying and victimization experiences. Some possible explanations about the proposed linkages are provided, while limitations and suggestions for future studies are discussed.
- Research Article
12
- 10.1016/j.cose.2023.103410
- Jul 28, 2023
- Computers & Security
Including insider threats into risk management through Bayesian threat graph networks
- Research Article
267
- 10.1016/j.istr.2010.04.004
- Nov 1, 2009
- Information Security Technical Report
Human factors in information security: The insider threat – Who can you trust these days?
- Conference Article
- 10.54941/ahfe1002198
- Jan 1, 2022
Insider threats are a danger to organizations everywhere and no organization is immune to the effects of an insider incident. Organizations suffer from individuals whose actions expose the organization to risk or harm in some ways. This situation includes insiders who intentionally or unintentionally cause actions that bring harm or significantly increase risk to the organization. Insider security breaches have been identified by organizations as a pressing problem with no simple solution. This paper presents a systematic literature review of published, scholarly articles on insider threat research from 2010 to 2020. The focus of this literature review is to survey the topics, methodologies, and theories of current insider threat research. The goal of this literature review is to provide an overview of the trends in insider threat research. Fifty-two studies were identified, and about half the papers dealt with identifying potential insiders through machine learning techniques. The most popular trend was the use of learning-based algorithms, such as neural networks and support vector machines, that classified a user as an insider versus a non-insider. Aside from the popular modeling approach, the other publications included in our review focused on human factors related to insider threat and the common methodology for these papers was the use of surveys and questionnaires. Another trend identified in the literature was the use of behavioral patterns as an insider threat indicator. Lastly, researchers identified best practices for organizations to address insider threats. The outcome of this literature review identified trends, best practices, and knowledge that can be used to further develop insider threat frameworks and methodologies. Furthermore, this literature review presents implications for researchers including challenges, issues, and future research directions.
- Research Article
6
- 10.1177/0886260517730023
- Sep 7, 2017
- Journal of Interpersonal Violence
The question we attempt to answer in this study is why some individuals with serious mental illness engage in repeated violence, while others do not. There appear to be two perspectives that may explain repeated violence: one that emphasizes situational factors and one that emphasizes dispositional factors. Situational factors are those that are constantly changing within one's life, whereas dispositional factors are those that remain relatively stable over time. Therefore, dispositional factors would theoretically put individuals with serious mental illness at stable risk for repeated violence because these factors remain relatively stable over time. In fact, perhaps individuals with mental illness repeatedly engage in violence because they have a dispositional trait (like impulsivity, for example) that puts them at stable risk for repeated violence. Conversely, situational factors would theoretically explain why individuals do not engage in repeated violence because they are transient and constantly changing. Therefore, perhaps one desists from violence because some situational factors changed in that individual's life. Using data from the MacArthur Violence Risk Assessment Study (i.e., MacRisk), a longitudinal study of people with serious mental illness, repeated violence was evaluated across waves. A multilevel logistic regression model was employed. Results indicate that both situational and dispositional factors are significantly associated with repeated violence. Specifically, situational factors such as marital status, drug use, perceived stress, and time away from the psychiatric hospital and dispositional factors such as personality traits including agreeableness, conscientiousness, openness, and extraversion are all significantly associated with repeated violence. These findings have important policy implications regarding criminal justice intervention and clinical practice.
- Research Article
- 10.55041/ijsrem43389
- Mar 31, 2025
- INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT
Insider threats, originating from individuals with legitimate access to sensitive systems and data, represent a significant cybersecurity challenge. Unlike external attacks, insider threats are harder to detect, as they often exploit legitimate credentials to bypass conventional security measures. These threats can result in severe consequences such as data breaches, financial losses, and system disruptions. Traditional detection methods, such as rule-based approaches and classical machine learning models, struggle to identify evolving and sophisticated insider behaviors due to their reliance on predefined patterns and static detection criteria. Recent advancements in artificial intelligence (AI), deep learning, cryptographic security and hybrid detection frameworks have significantly enhanced the ability to detect and mitigate insider threats. Deep learning models, such as Long Short-Term Memory (LSTM) networks and Generative Adversarial Networks (GANs), excel at identifying subtle behavioral anomalies, while cryptographic techniques, such as blockchain-based authentication and data encryption, reinforce security by preventing unauthorized access. Hybrid approaches that combine AI-driven anomaly detection with structured security control mechanisms have emerged as the most effective solution, offering multi-layered protection against insider attacks. The primary objective of this paper is to present a comprehensive review of insider threat detection methodologies, comparing traditional and AI-based approaches, including specification-based detection, behavioral monitoring, anomaly-based models and cryptographic security measures. The study highlights the strengths and limitations of each method and explores future research directions, including the development of self-supervised learning models, explainable AI and optimized real-time detection systems. A holistic security strategy, integrating AI, cryptographic security and policy-driven risk mitigation is necessary to enhance organizational resilience against insider threats.
- Research Article
- 10.47604/ijts.2783
- Jul 16, 2024
- International Journal of Technology and Systems
Purpose: The purpose of this study is to analyze security policies and risk management practices for reducing insider threats in the Fintech industry in Uganda. The study aims to classify and identify insider threats, examine how they relate to risk management procedures, and offer practical recommendations for improving Fintech companies’ security measures. Methodology: The study adopted a descriptive research design, focusing on diverse respondents across various sectors. Data was collected through surveys from 25 respondents, including IT security specialists, accountants, finance officers, and other relevant roles. The sectors represented included Banking and Finance (52%), Security (12%), Information Technology and Telecommunications (8% each), and others such as Agriculture, Civil Society, and Public Service (each 4%). The study employed both qualitative and quantitative data collection methods, with secondary data reviewed from existing literature and case studies. Statistical analysis was conducted using SPSS to interpret the data and identify trends in insider threat occurrences and risk management practices. Findings: The study revealed that insider threats in Uganda's Fintech sector can manifest in both physical and cyber forms. The predominant risk management practices identified include proactive measures such as robust security policies, access controls utilized by 88% of respondents, security awareness training by 80%, and continuous monitoring by 68%. Incident response and reporting procedures were also critical, ensuring that breaches are swiftly addressed to minimize impact. There was a significant positive correlation (r = .65; p < 0.05) between the frequency of past insider attacks and the regularity of risk assessments, underscoring the importance of regular evaluations in mitigating risks. 
Unique Contribution to Theory, Practice and Policy: The study contributes to the theoretical understanding of how local cultural attitudes and regulatory frameworks impact effectiveness of risk management strategies, providing insights that can inform RMF adaptations in similar contexts. For practitioners, it recommends development and implementation of robust security policies, employee training programs, and advanced monitoring systems. Policy-makers are advised to support regulatory frameworks that mandate regular risk assessments and the adoption of best Fintech practices.