A Method For Characterizing Sociotechnical Events Related to Insider Threat Sabotage

Analyzing historical cases of insider crimes to identify patterns or specific indicators of attack is a challenging task, particularly when using large volumes of free-text input sources, such as court documents and media reports. In this workshop paper, we offer a new process for processing, or coding, free-text descriptions of insider crimes for future analysis; specifically, we study cases of insider threat sabotage. Our method is based on a triad of discrete descriptors which allow for a quick, accurate, and repeatable characterizations of any event in the timeline of an insider attack. While the majority of this paper is concerned with reporting our development efforts and describing the current state of the project, we will briefly address some initial findings based on analysis conducted on the results of our coding efforts. In general, we found our new method increased the ease with which analysts could distinguish between technical events (those involving IT systems) and behavioral events (individual or interpersonal events not involving IT systems). Also, this coding technique also allowed for consistent comparison of events across cases. For instance, from 49 cases of insider threat sabotage, we determined that the majority had behavioral events prior to technical events, indicating a potential area for further study.