Year
2002
Abstract
This paper describes current efforts to use modeling and simulation (M&S) techniques to address the insider threat problem. Insider threats have historically been viewed in the context of computer security. Trusted insiders know where critical information (CI) is kept and how to bypass safeguards on systems used to protect CI. Insider threats are individuals who work for the target organization or have a relationship with the organization that gives them access to CI. This includes any employees, contractors, business partners, customers or sub-contractors. Insider threats may be motivated by personal, political, or financial considerations. Losses to an organization due to insider threats can be embarrassing and cause financial and political hardship. To combat an insider threat, effective security policies must be in place. Technology can also be used to enhance security policies. The appropriate use of technology depends on the type of CI being protected. Guarding CI stored on a computer network is different from guarding CI in document form. A tool that can model employee activities, especially when accessing CI, can help determine which technologies and procedures are most appropriate. This tool could model technologies and provide some insight about their effectiveness. It could also model adherence to security policies and could be used to generate reports for further analysis. Arena© is a commercially available modeling and simulation tool from Rockwell Software. Arena© can be used to model facilities, employee activities, and security technologies. Data gathered from this model is then analyzed, and ‘normal’ patterns of behavior are established. Anomalous behavior is identified as patterns that differ from ‘normal’ and could indicate insider threat activity. The type of data collection and the analysis of the data are the focus of this paper.