Tuesday, November 10, 2015

Unanswered Internal Threat Questions

Recently I have been reading a good number of articles about intrusion detection systems, which seems to be a particularly hot topic given the all too frequent news of database breaches. Target, Ashley Madison, and Sony are just a few examples. Clearly, we are “losing the cyberwar.” While external threats are common and tend to get plenty of publicity, internal threats are considered much more difficult to handle. I found an article about classifying internal threat levels especially interesting. It declares that “[t]he challenges of preventing, detecting, and responding to data leakage propagated by authorized users, or insider threats, are among the most difficult facing security researchers and professionals today”. One fundamental issue is that the heuristics typically used to identify threats have yet to be fully regarded as ‘admissible’; current algorithms tend both to overestimate and to underestimate. This is partly due to three unresolved critical questions, which are unique to each information system: can a person’s intent be accurately characterized by monitoring and analyzing their interactions with computing systems; is the technical behavior of malicious insiders unusual any more often than the behavior of non-malicious users; and is unusual behavior actually indicative of malicious intent? Being unable to answer these will likely cause an abundance of both type 1 (false positive) and type 2 (false negative) errors. Researchers today use various analytical or statistical methods, but they “still struggle to define the problem, much less demonstrate the operational validity of their solutions”. With further study on my part, it’ll be interesting to see how particular systems handle these inconsistencies, if at all.
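To make the type 1 / type 2 error problem concrete, here is a small added example (my own illustration, not code from the cited article) of the kind of "unusual behavior" heuristic the paragraph refers to: a per-user z-score detector over daily file-access counts, scored against hindsight ground-truth labels. The user names, daily counts, labels, the `BASELINE_DAYS` window and the thresholds are all constructed for the illustration. It shows a non-malicious user being flagged for a legitimate spike (false positive) while a slow-and-steady insider stays inside the baseline band (false negative), and how moving the threshold only trades one error type for the other.

```python
"""Toy insider-threat anomaly detector: unusual != malicious.

Constructed data, not real telemetry. Each user has a series of daily
file-access counts; the first BASELINE_DAYS days are the baseline, later
days are scored. Labels are hindsight ground truth, which a real detector
never has at decision time.
"""
import math
from statistics import mean, pstdev

BASELINE_DAYS = 5  # constructed: number of days used to learn "normal"

# Constructed sample: user -> (daily file-access counts, per-day malicious label)
CONSTRUCTED_ACTIVITY = {
    # alice: ordinary analyst; day 6 is a legitimate quarter-end report pull
    "alice": ([12, 10, 11, 13, 12, 40], [False] * 6),
    # bob: insider leaking a few extra files on day 6, staying near his baseline
    "bob":   ([20, 22, 21, 23, 22, 24], [False] * 5 + [True]),
    # carol: ordinary user, nothing unusual at all
    "carol": ([8, 9, 8, 10, 9, 9],      [False] * 6),
}


def zscore(baseline, value):
    """Standard score of `value` against the baseline window.

    A zero-variance baseline is an edge case: any deviation is then
    infinitely unusual, no deviation is perfectly normal.
    """
    mu = mean(baseline)
    sigma = pstdev(baseline)
    if sigma == 0:
        return 0.0 if value == mu else math.inf
    return (value - mu) / sigma


def flag_unusual_days(counts, threshold):
    """Return [(day_index, z)] for post-baseline days with |z| above threshold."""
    baseline = counts[:BASELINE_DAYS]
    flagged = []
    for day in range(BASELINE_DAYS, len(counts)):
        z = zscore(baseline, counts[day])
        if abs(z) > threshold:
            flagged.append((day, z))
    return flagged


def confusion(activity, threshold):
    """Score the detector against ground truth; returns tp/fp/tn/fn counts.

    fp = type 1 error (unusual but benign), fn = type 2 error (malicious but
    not unusual enough to be flagged).
    """
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for _user, (series, labels) in activity.items():
        flagged_days = {day for day, _z in flag_unusual_days(series, threshold)}
        for day in range(BASELINE_DAYS, len(series)):
            flagged, malicious = day in flagged_days, labels[day]
            if flagged and malicious:
                counts["tp"] += 1
            elif flagged:
                counts["fp"] += 1
            elif malicious:
                counts["fn"] += 1
            else:
                counts["tn"] += 1
    return counts


def sweep(activity, thresholds):
    """Confusion counts for several thresholds, to show the error trade-off."""
    return {t: confusion(activity, t) for t in thresholds}


if __name__ == "__main__":
    for user, (series, _labels) in CONSTRUCTED_ACTIVITY.items():
        print(user, [(d, round(z, 2)) for d, z in flag_unusual_days(series, 3.0)])
    for t, c in sweep(CONSTRUCTED_ACTIVITY, (3.0, 2.0, 0.25)).items():
        print(f"threshold {t}: {c}")
```

At a threshold of 3.0 the detector flags alice's legitimate spike (z about 27.9) and misses bob (z about 2.35), so it both overestimates and underestimates at once. Lowering the threshold to 2.0 catches bob but keeps alice as a false positive; lowering it to 0.25 also sweeps in carol, whose day is ordinary noise. No threshold separates the two, because the feature being measured is unusualness, not intent, which is exactly the third of the three open questions.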


Huth, Carly L., David W. Chadwick, William R. Claycomb, and Ilsun You. "Guest Editorial: A Brief Overview of Data Leakage and Insider Threats." Information Systems Frontiers, 27 Feb. 2013. Web. 16 Oct. 2015. <http://link.springer.com/article/10.1007/s10796-013-9419-8>.
