


Insider Risk Insights - DTEX Blog

Potential Risk Indicator Decay and Insider Risk Management


Who among us hasn’t asked what we thought was a precise question, received the answer “it depends,” and been left befuddled? Potential Risk Indicators are like that: on the surface they seem black and white, but they turn out to be various shades of gray depending on a myriad of circumstances. Understanding their nuances, and their value in the context of time and decay, is critical to an entity’s ability to detect and mitigate insider risks accurately and early. Let’s dig in.

The Center for Development of Security Excellence (CDSE) within the U.S. Department of Defense defines PRIs with crystalline clarity:

They are “warning signs, or indicators” and include “a wide range of individual predispositions, stressors, choices, actions, and behaviors. Some indicators suggest increased vulnerability to insider threat; others may be signs of an imminent and serious threat.”

The CDSE goes on to qualify its perspective with caution and guidance: some activities that may constitute a risk in one set of circumstances may also be constitutionally protected within the United States. It is in the context of the individual employee who works within highly sensitive and secure environments, where access to classified information is the norm, that the CDSE proffered its “Job Aid: Insider Threat Potential Risk Indicators.”

Potential Risk Indicators (PRIs)

Individuals in most sectors are not subject to the depth and breadth of enhanced security protocols that the U.S. government mandates for its classified environments, yet all entities are exposed to risk and thus have PRIs presented by their employees, partners, or customers.

PRIs take various forms:

  1. Professional lifecycle and performance – poor performance review; passed over for promotion; workplace dynamics, etc.
  2. Security and compliance – safeguarding information; physical and information security practices; misuse of credentials; etc.
  3. Technical Activity – unauthorized access; downloading or storing data inappropriately; violations of acceptable use; etc.
  4. Loyalty/Behavior – advocate for extremist groups; engage in espionage; terrorism; etc.
  5. Foreign Influence and Preference – potential for leverage from a hostile nation state; engagement with known intelligence personnel; etc.
  6. Activities not associated with work – unreported outside activities (conflict of interest); moonlighting which leverages employer knowledge; etc.
  7. Financial – unmet financial obligations; illegal financial practices; unexplained affluence; etc.
  8. Substance misuse (including alcohol) – drug test failures; habitual or binge drinking; failure to follow court ordered rehab/education/treatment; etc.
  9. Personal conduct – self-harm or to others; destructive behavior; exploitable behaviors (honeytrap); etc.
  10. Criminal conduct – assault; violence; weapons crimes; military discharge for reasons less than “honorable”; etc.

Studies discussing PRIs are largely limited to the government sector(s). For example, the oft-referenced study Temporal Effects of Contributing Factors in Insider Risk Assessment: Insider Threat Indicator Decay Characteristic was in fact a U.S. Air Force supported and contracted study conducted in support of the USAF counter-insider threat program. This study relied on a dozen expert participants, of whom nine described themselves as practitioners and three as researchers. These individuals reviewed the plethora of PRIs produced by the Department of Defense and the SOFIT (Sociotechnical and Organizational Factors for Insider Threat) taxonomy, created a weighted value for each across various role types, and then calculated a “decay rate characterization”. The various role types include:

  1. Participating Event – disciplinary action, passed over for promotion, revocation of security clearance.
  2. Personal Predisposition – gambling addiction, mental instability, self-harm, suicidal ideation.
  3. Behavioral Precursor – attempts to obtain national security information without need-to-know, criminal behavior involving weapons, verbal abuse/bullying.
  4. Technical Precursor – disabling anti-virus software, excessive use of screen capture, sending Email to suspicious address.

While this study is of tremendous value, the small sample size (12) calls for more studies of the same kind, with much broader participation.

The authors noted that role type classification may be insufficient and additional research is necessary, specifically to examine the “temporal effects and PRI interaction, but also to weigh in the influence of other factors, including the person’s job role.”

PRI Decay

The decay rate is the subjective variable. For example, the 20-something self may have engaged in activities at which the 60-something self would raise an eyebrow. Yet the older and somewhat wiser self has moved on from the decision making of their 20-something self. We see this philosophy in practice within the U.S. government national security questionnaire (SF-86, 136 pages): candidates are asked whether they have committed crimes in the past seven years or have illegally used drugs. Use of drugs, even marijuana, which is widely legalized at the U.S. state level, is a disqualifier within the federal employee track. That said, if no such use has occurred in the more recent past, an adjudicator may discuss it with the candidate and determine that the self-identified behavior is no longer germane. In other words, the indicator has decayed, because no drug use has occurred within the more recent past.

By contrast, there are actions that project a higher risk plane with minimal decay. Examples include an individual with a history of criminal behavior or an individual with a history of injecting malicious code into systems. These events all warrant closer inspection: the initial risk valuation is high and the decay is low, because recidivism is a very real possibility.

The move within the U.S. cleared community to Trusted Workforce 2.0 has guided the cleared population to a mindset and understanding of continuous vetting. The aforementioned national security questionnaire is the point of entry for trusted employees. Should they be granted a clearance and subsequently be in a position of trust, their actions will be subjected to continuous scrutiny.

This scrutiny makes eminent sense, as it provides early warning indicators of potential risk. For example, credit reports, police records and legal records are routinely scanned on a national basis for anomalies or events, such as financial hardship or an arrest having taken place. Such a hit is not a showstopper; rather, it is a caution flag indicating that further investigation should take place to determine whether the individual may benefit from counsel, employee assistance program help, or similar support. More often than not, the employee has already self-reported the event and been afforded the available assistance well before the various commercial sensors flag a risk.

Continuous vetting ensures a constant stream of data to help analyze PRI decay and increase the likelihood of flagging multiple lifestyle events, which though minor individually, become a serious concern when combined.
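To make the decay idea concrete, here is an added example (not code from DTEX or from the USAF/SOFIT study) that scores a set of observed PRIs with a per-indicator half-life and a noisy-OR combination, so that a fast-decaying indicator such as drug use seven years ago fades to nothing, a low-decay indicator such as a history of injecting malicious code keeps its full weight a decade later, and three individually minor recent events combine into a review-worthy score. All weights, half-lives and the review threshold are constructed assumptions for illustration, not values from the study.

```python
"""Time-decayed scoring of Potential Risk Indicators (PRIs)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PRI:
    """An indicator with an initial risk valuation and a decay rate."""
    name: str
    weight: float          # initial risk valuation in [0, 1]
    half_life_days: float  # days until the contribution halves; math.inf = no decay


@dataclass(frozen=True)
class Observation:
    """A PRI observed for one individual, some number of days ago."""
    pri: PRI
    age_days: float


def decayed_weight(obs: Observation) -> float:
    """Exponential decay: weight * 0.5 ** (age / half_life)."""
    if math.isinf(obs.pri.half_life_days):
        return obs.pri.weight  # low-decay indicator: never fades
    return obs.pri.weight * 0.5 ** (obs.age_days / obs.pri.half_life_days)


def risk_score(observations) -> float:
    """Noisy-OR combination, 1 - prod(1 - w_i): several minor events compound."""
    survive = 1.0
    for obs in observations:
        survive *= 1.0 - decayed_weight(obs)
    return 1.0 - survive


def contributions(observations):
    """Per-indicator decayed weights, highest first, for the analyst's review."""
    pairs = [(obs.pri.name, round(decayed_weight(obs), 4)) for obs in observations]
    return sorted(pairs, key=lambda p: p[1], reverse=True)


def triage(observations, threshold: float = 0.5) -> str:
    """A caution flag prompting further investigation, not a verdict."""
    return "review" if risk_score(observations) >= threshold else "no action"


# Constructed sample indicators; weights and half-lives are assumptions.
DRUG_USE = PRI("illegal drug use", weight=0.6, half_life_days=365)
MALICIOUS_CODE = PRI("history of injecting malicious code", 0.9, math.inf)
MISSED_PROMOTION = PRI("passed over for promotion", 0.3, 180)
FINANCIAL_STRESS = PRI("unmet financial obligations", 0.3, 180)
AUP_VIOLATION = PRI("acceptable-use violation", 0.3, 180)
```

Scoring `[Observation(DRUG_USE, 7 * 365)]` yields roughly 0.005 and "no action", `[Observation(MALICIOUS_CODE, 10 * 365)]` stays at 0.9 and "review", and the three minor indicators observed today each score 0.3 alone but 0.657 together.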

What You Can Do

An individual’s actions are influenced by their environment and choices. It is incumbent upon every entity to know who they are bringing into the mix and the potential risks those people bring to the equation. Background checks and pre-employment interviews are tools available to every entity. In addition, the Defense Counterintelligence and Security Agency publishes its “billing rates” for various investigatory and continuous vetting products and services. While these are not available to the private sector writ large, the automated record checks can be replicated by any entity with sufficient resources and budget to process the regular inflow of data.

The insider risk management community is ripe for additional research, particularly with respect to PRIs; it is a greenfield of opportunity.

Similarly, using the CDSE Job Aid as a guide for the interviews and as a foil to the results of the background check provides a starting point for identifying the risk and decay rate encountered by others. As always, your mileage may vary (YMMV), depending on the entity’s appetite for risk and its ability to mitigate those risks.

In closing, it is important to keep in mind that an individual with a low-decay event in their past may still be the perfect fit for the right situation. After all, it depends.

The DTEX i³ Team enables enterprise and federal entities to detect and prevent the most sophisticated insider risks from materializing into data loss events. The team offers a comprehensive set of insider risk services, and indicator-based research and Threat Advisories. For the latest insider risk insights and indicators, visit the DTEX i³ Insider Risk Research Hub.
