Visual Analytics of E-mail Sociolinguistics for User Behavioural Analysis

The cyber-security threat that most organisations face is not one that only resides outside their perimeter attempting to get in, but emanates from the inside too. Insider threats encompass anyone or thing which exploits authorised access to company information and resources to steal, corrupt or disrupt assets. Threat actors could include not only employees, but also contractors, trusted partners and in some cases clients. The nature of their access is usually persistent, as it is valid and required to conduct their roles, and as such, abuse of their privileges can pose a serious and real threat to the successful operation of the business. Whilst measures have been proposed for detecting previous attacks or those currently in progress, what would be much more desirable is to detect employees who are possibly becoming vulnerable to coercion or persuasion into conducting an attack of some form – enabling supportive or preventative action by the organisation to avoid escalation of an attack. Research into psychology and behaviour is indicating that it may be possible to detect such human vulnerability through analysis of language used – linguistics. In this paper we present a visual analytics tool for the assessment of sociolinguistic behaviours exhibited via e-mail communications, aimed at helping to identify people who are potentially at risk. We discuss the visual designs choices made to provide both detail and overview for the analyst for studying communications within a large group of users, and demonstrate this for a large real-world dataset of over 600 employees. We show how an analyst can use the tool to construct linguistic behavioural models to identify vulnerable employees. We propose that this approach could support wider insider threat prevention and detection systems.