Deriving a Framework for “Insider Risk Potential” from Using Artificial Neural Networks for Insider Threat Detection & Mitigation

Colton Heffington - Sandia National Laboratories
Adam Williams - Sandia National Laboratories
Shannon Abbott - Sandia National Laboratories
Sondra Spence - Sandia National Laboratories
William Charlton - Nuclear Engineering Teaching Laboratory, University of Texas
Recent trends in insider threat for critical facilities have shifted the focus toward determining the potential for a successful insider act. For example, in its 2020 Insider Threat Mitigation Guide, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS/CISA) defines insider threat as "the potential for an insider to use access or special understanding of an organization to harm that organization." This shift implies a range of drivers of "the potential for an insider" to act, potentially extending beyond traditional insider threat mitigation programs, which heavily emphasize preventive and protective strategies to deter the malevolent behavior of individuals. Current research at Sandia National Laboratories, conducted for the U.S. National Nuclear Security Administration's Office of International Nuclear Security (NNSA/INS) in support of international efforts to improve insider threat mitigation at nuclear facilities (e.g., International Atomic Energy Agency INFCIRC/908), is investigating the impact of shifting insider threat detection and mitigation (ITDM) from a sole focus on identifying and deterring malevolent individual behaviors toward also including the collective workplace behaviors observed in nuclear facilities. This new approach to ITDM builds on continuing research that uses artificial neural networks to capture, collate, and analyze disparate data signals in order to quantitatively describe operational workplace patterns. Combining insights from this ongoing study with key concepts from organization science offers a framing of anomalous operational workplace patterns in terms of insider risk potential. This paper introduces, and evaluates, the hypothesis that the greater the deviation from expected operational workplace patterns, the higher the insider risk potential.
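The hypothesis above, "more deviation from the expected operational pattern, higher insider risk potential", is illustrated by the following added example. It is not code from the paper or from Sandia; the paper's pattern model is an artificial neural network, whereas this example substitutes a per-feature mean/standard-deviation baseline so that it runs stand-alone. The feature names (badge entries, after-hours minutes, vital-area door events, files accessed), the person-day records, the teams, and the score thresholds are all constructed for the example and are not data or parameters from the paper.

```python
"""Added illustration (not the paper's model): insider risk potential as deviation
from an expected operational workplace pattern.

Assumptions, all hypothetical: one record per person-day of aggregated workplace
signals; the expected pattern is a per-feature mean/population-std baseline
fitted on a historical window (the paper uses artificial neural networks for
this step); the deviation score is the root-mean-square of per-feature z-scores;
thresholds and data are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev

FEATURES = ("badge_entries", "after_hours_min", "vital_area_events", "files_accessed")

# Constructed triage thresholds on the deviation score (RMS z-score).
THRESHOLDS = ((1.5, "expected"), (3.0, "elevated"))
HIGH = "high"


@dataclass(frozen=True)
class DayRecord:
    person: str
    team: str
    badge_entries: float
    after_hours_min: float
    vital_area_events: float
    files_accessed: float

    def vector(self):
        return [getattr(self, f) for f in FEATURES]


def fit_baseline(history):
    """Expected pattern: per-feature (mean, population std) over a historical window."""
    columns = list(zip(*(r.vector() for r in history)))
    return {f: (mean(col), pstdev(col)) for f, col in zip(FEATURES, columns)}


def deviation_score(baseline, record):
    """RMS of per-feature z-scores; 0.0 means 'exactly the expected pattern'."""
    squared = []
    for f, x in zip(FEATURES, record.vector()):
        mu, sd = baseline[f]
        # A feature that never varied in the baseline but varies now is a
        # deviation too; the floor keeps the score finite instead of dividing by 0.
        z = (x - mu) / max(sd, 1e-9)
        squared.append(z * z)
    return sqrt(sum(squared) / len(squared))


def risk_potential(score):
    """Map a deviation score to a triage label: higher deviation, higher potential."""
    for limit, label in THRESHOLDS:
        if score <= limit:
            return label
    return HIGH


def team_scores(baseline, records):
    """Collective view: mean deviation per team, i.e. a workplace-level pattern."""
    per_team = defaultdict(list)
    for r in records:
        per_team[r.team].append(deviation_score(baseline, r))
    return {t: sum(s) / len(s) for t, s in per_team.items()}


# Constructed baseline window (four person-days) and two person-days to score.
HISTORY = [
    DayRecord("w1", "ops", 2, 0, 1, 10),
    DayRecord("w2", "ops", 2, 30, 1, 12),
    DayRecord("w1", "ops", 3, 0, 2, 8),
    DayRecord("w2", "ops", 3, 30, 2, 10),
]
TODAY = [
    DayRecord("w1", "ops", 3, 30, 2, 10),     # inside the expected pattern
    DayRecord("w3", "maint", 6, 240, 9, 10),  # far outside it
]

if __name__ == "__main__":
    base = fit_baseline(HISTORY)
    for rec in TODAY:
        s = deviation_score(base, rec)
        print(f"{rec.person:4} {s:6.2f} {risk_potential(s)}")
    print(team_scores(base, TODAY))
```

Two practitioner caveats apply regardless of whether the pattern model is this baseline or a neural network: a high deviation score is a triage signal, not evidence of malicious intent, so it should feed an adjudication process rather than trigger action on its own; and the thresholds have to be calibrated on a facility's own history, since a baseline fitted on too short or too homogeneous a window (the constant-feature case handled above) inflates scores for ordinary variation.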
After summarizing recent trends in insider threat to ground this paradigm shift and aligning them with germane concepts from organization science, this paper introduces a new ITDM framework that combines these trends with traditional approaches. Next, it explains the framework in more detail, including a representative set of vignettes that highlight enhancements over current approaches. Lastly, it offers conclusions, implications, and next steps for refining this insider risk potential framework into a more robust and comprehensive ITDM solution.

SAND2022-2278A. Sandia National Laboratories is managed and operated by NTESS under DOE NNSA contract DE-NA0003525.