A Detection-Oriented Classification of Insider IT Misuse

Although the problem of insider misuse of IT systems is frequently recognised in the results of computer security surveys, it is less widely accounted for in organisational security practices and available countermeasures. Indeed, the opportunities for insider misuse, by perpetrators with legitimately assigned privileges, are often overlooked until an incident occurs. A possible reason for this is that the problem receives relatively little attention in the commonly recognised classifications of IT-related attackers and intrusions, with most focusing upon attacks and methods involving some form of system penetration and/or unauthorised access. This paper examines the potential forms of insider misuse in more detail, classifying them according to the level within in a target system at which the incidents could be detected. It is considered that such an approach could provide a relevant foundation in terms of subsequent approaches to automate insider misuse detection methods.