Please paraphrase the below

Abstract

The insider threat has received considerable attention, and is often cited as the most serious security problem. It is also considered the most difficult problem to deal with, because an "insider" has information and capabilities not known to external attackers. The difficulty in handling the insider threat is reasonable under those circumstances; if one cannot define a problem precisely, how can one approach a solution, let alone know when the problem is solved? This chapter presents some aspects of insider threats

1 Introduction

The "insider threat" or "insider problem" has received considerable attention [2, 13], and is cited as the most serious security problem in many studies. It is also consid- ered the most difficult problem to deal with, because an "insider" has information and capabilities not known to other, external attackers. However, the term "insider threat" is usually either not defined at all, or defined nebulously.

The difficulty in handling the insider threat is reasonable under those circumstances; if one cannot define a problem precisely, how can one approach a solution, let alone know when the problem is solved? It is noteworthy that, despite this im-ponderability, definitions of the insider threat still have some common elements. For example, a workshop report [4] defined the problem as malevolent (or possibly in- advertent) actions by an already trusted person with access to sensitive information and information systems. Elsewhere, that same report defined an insider as some- one with access, privilege, or knowledge of information systems and services. An- other report [12] implicitly defined an insider as anyone operating inside the security perimeter-while already the assumption of only having a single security perimeter may be optimistic.

Insiders and Insider Threats

One of the most urgent quests for communities dealing with insider threats is identifying the characteristic features of an insider. One approach for doing so is to look at recent insider threat cases, and try to find individual or common properties. This is an important step, since insider threat cases can be rather diverging.

To be able to deal with cases so divergent, one clearly needs 1) a common vision of how insiders can be categorized; and 2) security policies for countering insider threats, and ways to evaluate the impact of alternative security policies.

From analyzing cases several approaches to identifying an insider can be developed:

• An insider is defined with respect to a resource, leading to "degrees of insider- ness";
• An insider is somebody with legitimate access to resources;
• An insider is a wholly or partially trusted subject;
• An insider is an individual who has or had access to resources;
• An insider is a system user who can misuse privileges;
• An insider is an individual with authorized access who might attempt unautho- ?rized removal or sabotage of critical assets or who could aid outsiders in doing ?so; and
• An insider is a person or company whom we trust.

These definitions immediately lead to a series of discussions on what is meant by "access" (code, credentials, timing of access rights), whether an insider is suffi- ciently defined based on resources or whether a definition should take the system into account, and how the definition relates to a masquerader, namely an outsider being able to trick a system into believing he is an insider. ?Exploring these aspects enables us to reason about what makes a good insider:

• Knowledge, intent, motivation;
• Possesses power to act as agent of the business;
• Knowledge of underlying business IT platforms;
• Knowledge/control over IT security controls; and
• Ability to incur liability in pecuniary terms or in brand damage or other intangible ?terms.

The skill of insiders is also an important a factor defining the threat posed by ma- licious insiders, or non-malicious insiders just trying to get their job done. "Moti- vation" in general is an important question when dealing with insider threats and their consequences. This can cover the whole range from "innocent action", "fun", "technical challenge", "criminal intentions", to "espionage", or a combination of each of these factors. Surprisingly, even though one would expect the contrary, the effect of actions can be equally devastating for each of these motivations. This, of course, makes detecting a threat even more important-but also more complicated. A key observation is that the definition of an insider for threat purposes is different than the definition for business purposes.

Based on the aspects defined above, one can in turn decide how to defined an insider, namely in terms of someone with:

• Knowledge: Implies an open system, one that remains secure (if at all) even with full knowledge of the system operation; alternatively, security through obscurity; or
• Trust: An individual is empowered by the organization to be an insider; or
• Access: An insider is in possession of a credential giving access to the system - an IT centric perspective, since the system in general does not know who ?possesses the credential.