OPERATIONALIZING INSIDER THREAT POTENTIAL AND RISK-SIGNIFICANT
INSIDERS TO ENHANCE INSIDER THREAT DETECTION AND MITIGATION

Year
2023
Author(s)
Colton Heffington - Sandia National Laboratories
Adam D. Williams - Sandia National Laboratories
Shannon Abbott - Sandia National Laboratories
Christopher Faucett - Sandia National Laboratories
Sondra Spence - Sandia National Laboratories
William Charlton - Nuclear Engineering Teaching Laboratory, University of Texas
Katherine Holt - Office of International Nuclear Security, National Nuclear Security Administration
Melinda Lane - Lawrence Livermore National Laboratory
Abstract
Recent trends in insider threat for critical facilities have shifted focus toward determining the potential for a successful insider act. Consider, for example, Homeland Security’s Cyber and Infrastructure Security Agency (DHS/CISA) 2020 Insider Threat Mitigation Guide, which defines insider threat as “the potential for an insider to use access or special understanding of an organization to harm that organization.” This shift suggests a range of drivers of “the potential for an insider” to act—expanding beyond traditional insider threat mitigation programs that heavily emphasize preventative and protective strategies to deter the behavior of bad actors. Ongoing research at Sandia National Laboratories and the University of Texas—in support of international efforts to improve insider threat mitigation for nuclear facilities (e.g., International Atomic Energy Agency INFCIRC/908) for the United States National Nuclear Security Administration’s Office of International Security (NNSA/INS)—investigates the impact of shifting insider threat detection and mitigation (ITDM) from a sole focus on identifying and deterring malevolent individuals’ behaviors toward including collective workplace behaviors observed in nuclear facilities. This new approach to ITDM builds on continuing research that invokes artificial neural networks to capture, collate, and analyze disparate data signals to quantitatively describe operational workplace patterns in order to identify risk-significant insiders. Combining key concepts from organization science and nuclear safety, this paper offers a revised approach to insider threat mitigation based on risk significance, a measure of the capability that an individual possesses to successfully carry out an insider plot. We argue that individual-level deviations from expected workplace behaviors may be indicative of increasing risk significance.
We further propose a series of experiments and discuss whether artificial neural networks can aid us in generating measures of expected workplace behavior and thus also capture risk-significant deviations.