A few years ago, Eric Shaw and Laura Sellers published a paper describing the application of the critical-path method to evaluate insider risks.* If you’ve been around Gantt charts, you’ll know the critical path in a project plan is the sequence of tasks that drives your project end date. Any change to a task on the critical path changes the project outcome. In this model, Shaw applies a series of steps that, in sequence, lead to an environment where “at-risk employees can plan and execute attacks.” In the paper, they reference several case studies and show how each fits the model. Shaw’s critical path model has been gaining some traction within the insider threat space.
Factors Along the Critical Path to Insider Risk

- Medical/psychiatric conditions
- Personality or social skills issues
- Previous rule violations
- Social network risks

Problematic Organizational Responses

- No risk assessment process
- Summary dismissal or other actions that escalate risk
There are some things I like about this model.
First, this articulates nicely our point of view on insider risks. A lot of companies and agencies today focus on the “at work” activities, meaning they focus on badging events and/or implement User and Entity Behavior Analytics (UEBA) systems that monitor IT activity and flag suspicious events. We’ve held the belief that these solutions are necessary but are the last line of defense. When one of these systems highlights activity that’s a true insider-driven malicious event, the threat has already matured: the person has decided to do something bad. We believe, and it’s supported by Shaw’s model, that there are indicators and predispositions “outside work” that lead someone to do something bad. If we focus on mitigating the threat before it metastasizes, we can reduce the burden on the last line of defense or, more positively, intervene with the subject and help them before they’re faced with a decision to do something bad.
Secondly, I like that this model addresses organizational responses. It’s so important in an insider threat program to have policies, plans and procedures to deal with information that could highlight risk. Rarely, if ever, will a single piece of information directly point to an insider threat. Rather, it will be many things pieced together. Organizations need to figure out how to vet this information quickly and legally to arrive at a decision. This is an area where I think workflow systems could help, as organizations might not know what to do. Legally approved workflows that document investigative steps and disposition would be invaluable.
There’s also something I don’t like about this model. Like the critical path in a Gantt chart, it assumes each step is sequential, and that if each step occurs, you have heightened insider risk. I’ve spoken to a few behavioral scientists who are working on insider threats about this model. While I can barely articulate their expert opinion, I share the concern that not every case will be sequential. There may be no predispositions, only stressors, that create risk. Similarly, there may be people with the same predispositions and the same stressors, but other environmental factors may mean they’re no risk at all. While it may not be perfect, the model is a good start and gives us a framework to build out our programs.
Later this month, I’ll be speaking at the Insider Threat Summit in Monterey. The focus of my remarks will be on measuring the predispositions and stressors in the model using external data. We’ll look at some of the easy ones, some of the hard ones, and some that may be impossible. My hope is that it helps advance our collective understanding of how to apply “outside work” data to measure risk before “at work” systems have to stop a true insider threat.
*Eric Shaw and Laura Sellers (2015), “Application of the Critical-Path Method to Evaluate Insider Risks,” Studies in Intelligence, Vol. 59, No. 2.