Using alternate reality games to find a needle in a haystack: An approach for testing insider threat detection methods
Author: | Gerald Matthews, Shannon Wasko, Megan Goforth, Nathan Bos, Alice Leung, Jonathon Kopecky, Hannah P. Cowley, Rebecca Rhodes, Satish G. Iyengar |
---|---|
Year of publication: | 2021 |
Subject: | Class (computer programming); General Computer Science; Exploit; business.industry; Ecological validity; Computer science; Internet privacy; Insider threat; 020206 networking & telecommunications; 02 engineering and technology; Security awareness; Insider; 0202 electrical engineering electronic engineering information engineering; Position (finance); 020201 artificial intelligence & image processing; Haystack; business; Law |
Source: | Computers & Security. 107:102314 |
ISSN: | 0167-4048 |
DOI: | 10.1016/j.cose.2021.102314 |
Description: | Insider threats are individuals who pose significant security risks but are difficult to identify with traditional methods that rely on passively collected data. Recently, active indicators have been developed as a more active monitoring method designed to evoke differential behaviors in insider threats and benign employees. While these methods have shown promise, it is unclear how well they can work in real-world office settings. In this experiment, we tested three classes of email-based active indicators in an alternate reality game to assess their ability to differentiate insiders from benign employees in a realistic setting. Participants took turns playing the role of a benign employee and an insider threat in an immersive, realistic environment and were exposed to active indicators under both scenarios. The active indicators were designed to elicit the following behaviors from participants acting as insider threats: exploit opportunities to gather information, avoid accidental or inadvertent discovery, or maintain hypervigilant security awareness. The alternate reality game was successful in creating a highly engaging environment with high ecological validity. Active indicators that revealed opportunities to gather desirable information were most effective; participants acting as insider threats were significantly more likely to engage in the characteristic behavior (e.g. apply for an administrative position to get additional access) than participants acting as benign employees for most of the active indicators in this class. Our results suggest that active indicators can be tested with alternate reality games to help estimate their effectiveness in realistic, noisy environments. The finding that some types of active indicators could identify insider threats in a setting where participants had significant latitude for how they could respond suggests promise for using active indicators in real-world work environments. |
Database: | OpenAIRE |