Are you a fallible frog or a misbehaving magpie? Perhaps you feel more like a disempowered marionette?
When it comes to the ‘insider threat’ posed to an organisation’s cybersecurity, every employee falls into one of seven categories, according to a researcher at the University of Strathclyde.
The categories have been developed by Dr Karen Renaud, Reader in the Department of Computer & Information Science, working with colleagues from Mississippi State University, Charles Sturt University and Abertay University.
They were created as part of a framework to help organisations better identify and address insider threats – employees who may unwittingly or deliberately cause a damaging breach of computers, software or other information systems.
Practical strategies
The framework identifies seven categories of insider threat, each reflecting distinct behaviours, and offers practical strategies to mitigate these risks:
- Blissfully Ignorant Dodo: Employees unaware of security risks who may unintentionally expose organisations to threats. Mitigation: Retraining and education to build awareness and promote secure practices.
- Fallible Frog: Staff vulnerable to errors due to fatigue, stress, or manipulation. Mitigation: Providing support, addressing burnout, and fostering an understanding of their critical role in maintaining security.
- Disempowered Marionette: Individuals constrained by rigid processes and unprepared for new threats, such as those posed by generative AI. Mitigation: Reducing reliance on inflexible rule-based systems and equipping staff to handle novel challenges.
- Whistleblowing Dolphin: Employees with a strong moral compass who expose unethical behaviours. Mitigation: Encouraging ethical practices and maintaining confidential reporting channels to address issues internally.
- Misbehaving Magpie: Staff driven by curiosity or dissatisfaction who bypass security measures. Mitigation: Monitoring behaviours and ensuring that employees are thoroughly vetted and supported.
- Ideologue Ant: Individuals who are driven by ideology and act deliberately to steal vital secrets or set out to harm organisations for ideological purposes. Mitigation: Ensure that people are thoroughly vetted before being employed and monitor employee behaviours.
- Malicious Mamba: Individuals seeking to harm their organisation, often in retaliation. Mitigation: Implementing technical access controls, monitoring employee activities, and fostering a positive workplace culture to discourage retaliation.
The categories were created based on research published in the Information & Management Journal and Computer Fraud & Security, an extensive literature review and a survey of senior company executives to inform mitigations which align with each different insider threat type.
Utmost importance
A 2020 survey by software company Bitglass found that 61% of companies who responded had suffered an insider threat in the previous 12 months, while a 2022 report from cybersecurity firm Kaspersky found that 22% of data leaks were caused by employees.
Dr Renaud said: “Society’s reliance on computers and data makes cybersecurity of utmost importance today, and governments and companies are faced with an increasing barrage of threats.
“These threats might come from malicious hackers but equally may originate from inside an organisation, from staff who have legitimate access to all internal data and systems.
“It is vital that organisations recognise the threat from within – whether through employees’ lack of understanding and awareness of the threat to cybersecurity or through intentionally malign or ideological acts.
“The categorisation we have developed aims to help organisations understand the different types of insider threat and the actions they can take to reduce this.”
Organisational resilience
The framework underlines the importance of combining employee-focused strategies with technical measures, such as access controls and monitoring, to enhance organisational resilience against insider threats.
Dr Renaud is a member of StrathCyber, the Cyber Security Group at the University, which produces internationally-recognised research into the technical, human, societal and organisational aspects of cybersecurity.
The Group is recognised by GCHQ’s National Cyber Security Centre (NCSC) and the Engineering and Physical Sciences Research Council (EPSRC) as an Academic Centre of Excellence in Cyber Security Research (ACE-CSR). Our Graduate Apprenticeship MSc Cyber Security is also accredited by the NCSC.