1 Introduction

Today, one of the biggest challenges faced by organizations is system misuse by insiders, and these actions can have a serious impact on organizations. It has been said that the weakest link in information security is the human element because insiders’ behaviors rapidly change and are therefore difficult to predict. Insiders have the potential to cause serious damage to, and even threaten the existence of, an organization.

In order to detect malicious behaviors, many studies have been conducted from a human-computer interaction perspective [1,2,3,4]. Fagade and Tryfonas conducted a survey of IT professionals, managers and employees selected from a Nigerian bank and proposed ways in which information security could be embedded into security culture [5]. Classifying behaviors into two classes, positive and negative, Hausawi conducted interviews with security experts and identified a total of 21 negative and 15 positive security-related behaviors [6]. These survey-based studies are very useful for understanding insider behaviors and identifying possible features related to malicious activities. However, survey and interview responses are not always truthful, e.g., participants may pretend to be honest or may unintentionally protect their organization. Moreover, it is not feasible to observe every step of a potential insider who intends to perform a malicious action.

To address the drawbacks of survey-based studies, we propose a new experiment-based study to explore key behaviors related to insider threats. Our study allows the risk posed under arbitrary conditions to be quantified. In the present study, we observed all actions made by a set of participants engaging in small pre-defined tasks on a website and counted the number of cheating behaviors they made that might be linked to insider threats.

Among 21 negative behaviors considered to be security concerns [6], we focus on the most significant: sharing credentials. For example, suppose a credential (e.g., an ID and password) is shared within a group to access a resource. The members of this group should be considered a more likely potential insider threat than a group whose members do not share such credentials.

It is impossible to observe the details of suspicious behavior, and it is difficult to conduct an experiment in an actual organization because of security policies. If participants are paid for their labor, they might not attempt to perform a malicious action. However, if participants are not paid enough, it is difficult to recruit an adequate sample.

To test our hypothesis, we conducted an experiment in which all participants in one group shared a single credential for logging in and working on a crowdsourcing service, Crowdworks, Inc., while participants in another group were each assigned individual credentials for the same task.

A total of 192 participants were included in the experiment. We compared differences in the number of malicious activities performed between the sharing and individual credential groups. Moreover, we examined the effects of using indicated (visible) vs. non-indicated (hidden) IDs for the website. We assumed that the group using indicated IDs would perform significantly fewer malicious activities than the group using non-indicated IDs.

The remainder of this paper is organized as follows. We describe the objectives of the paper and details of our experiments in Sect. 3. We summarize our results and give a discussion in Sect. 4. Our conclusions and plans for future work are presented in Sect. 5.

2 Related Works

In this section, we review prior research on insider threats.

Cappelli et al. classified insider threats into three categories: insider IT sabotage, insider theft of intellectual property, and insider fraud [7]. The present work deals with insider fraud.

Cohen and Felson [1] presented the ‘routine activity theory’, which argues that most crimes have three necessary conditions: a likely offender, a suitable target, and the absence of a capable guardian. Cressey [2] proposed the Fraud Triangle model to explain the factors present in every fraud situation: perceived pressure, perceived opportunity, and rationalization. Greitzer et al. [3, 4] provided some indicators of insider threats based on published case studies and discussions with experienced human resources professionals. According to these studies, various hypothesized causes of insider threats exist. However, because there are so many potential causes of malicious insider threats, which ones have the greatest effect on insider behavior remains unclear.

Cappelli et al. proposed MERIT, a model of insider threats based on investigations of criminal records [8]. Nurse et al. proposed a framework for characterizing insider attacks [9]. Their models are convenient for administrators in solving the problems and analyzing the risks associated with insider threats. We demonstrated experimentally that placing participants in environments with low levels of surveillance is more likely to lead to insider threats [10]. Hausawi conducted an interview study to survey security experts about the behavior of end-users [6]. According to these studies, the most negative behavior is sharing credentials. However, how much sharing credentials increases the risk of insider threats remains unclear.

In this paper, we investigate the relationship between sharing credentials and the risk of malicious insider threats.

3 Experiment to Observe Malicious Activities

3.1 Objective

The objective of our study was to clarify the influence of sharing credentials on the performance of malicious activities. We also aimed to clarify the influence of using indicated IDs for working on a website.

3.2 Hypotheses

We make two hypotheses related to malicious activities. Let \(H_1\) and \(H_2\) be the hypothesized causes of insider threats, sharing credentials and using a non-indicated ID, defined as follows:

  • \(H_1\) (sharing credentials) states that if an employee shares a common credential with others, then he/she will be a malicious insider.

  • \(H_2\) (non-indicated ID) states that if an employee finds that no login ID is displayed on the website, then he/she will be a malicious insider.

3.3 Method

In order to test these hypotheses, we conducted an experiment for observing potential insider threats using a pseudo website as the environment. A total of 192 participants were recruited through a crowdsourcing service, Crowdworks, Inc. They were then divided into four groups, A, B, C, and D, and assigned conditions as defined in Table 1.

Table 1. Study groups and conditions.

Figure 1 shows a flow diagram of the experiment. First, the participants answered a questionnaire composed of 14 items and performed data entry. When the participant finished his/her task, he/she would send a completion report. After we verified and approved the participant’s access log, they were paid by the crowdsourcing service.

Fig. 1. Flow diagram of the experiment.

3.4 Participants

In our experiment, our target population was a set of employees in Japan. An employee subset was sampled from those who had completed the tasks in our experiment and were qualified users of the crowdsourcing service.

To improve the quality of the participants, we recruited only those who had submitted the necessary forms of identification to the company. The participants chosen from the crowdsourcing service were appropriate for our experiment because they had various attributes that were similar to normal employees.

3.5 Groups

In order to test \(H_1\) (sharing credentials), the participants in groups A and C shared a common credential, such as a “guest” account, while those in groups B and D used individual credentials, such as user “93607”.

In order to test \(H_2\) (non-indicated ID), we did not indicate credentials to groups A or B, but we did to groups C and D.

In this way, we assigned a different malicious insider condition to participants in each group. We were interested in how many malicious activities would be observed in each group. In this experiment, we attempted to identify the primary causes of malicious activities by insiders.

3.6 Tasks

First, the participants confirmed the terms of use shown on the pseudo website. For details of the terms of service, see Appendix A. Next, the participants answered a questionnaire composed of six questions, performed data entry, and then answered a questionnaire composed of seven questions. The participants entered text identical to that in two sample PDF documents written in Japanese and English. For details of the survey and the data entry jobs, see Appendix B. Finally, the participants completed the tasks.

In order to observe the responses of participants who had trouble performing their tasks, we intentionally inserted a fault in the questionnaire such that the website would never accept the response to Question 6. Participants tried to resolve this issue in one of two ways:

  • clicking the “edit” button prepared for an administrator (prohibited for participants)

  • clicking the “help” button (correct response)

3.7 Obstacles

Malicious activities were not performed very frequently. Hence, we intentionally included some obstacles that would make participants choose whether to perform their tasks in a prohibited way.

  • Unacceptable Question 6. After the participants answered 13 questions and carried out data entry, they felt that they had completed all tasks. However, they would then receive the following warning message: ‘You have not yet finished Question 6’. The reason for this error is that the system does not ask them Question 6. To complete their task, the participants could deal with the problem in the following ways:

    • “Help” Page. If participants accessed the help page, they would be asked to answer 13 questions, after which, they would be regarded as having completed all tasks.

    • “Edit Button” for Question 6. If participants clicked the “edit” button for Question 6 in an attempt to modify it, this was labeled as a “malicious activity” because it was prohibited in the terms of use.

  • Synthesized Text of PDF Document. The pseudo business website gives synthesized text to participants who engage in data entry jobs. For details of the text, see Appendix B.2. The text looks like meaningless sentences that no one would want to read.

These are aimed at reducing the motivation of the participants and encouraging them to perform more malicious activities than usual.

3.8 Malicious Activities

Malicious activities were detected based on accurate logs that list what activities have been performed, at what time, and by whom. We defined the following malicious activities as prohibited actions:

  (1) Violation. Gaining unauthorized access, e.g., clicking the administrator’s edit button.

  (2) Copy and paste. Performing unauthorized activities, e.g., pressing the Ctrl+C or Ctrl+V key.

  (3) Sabotage. Inputting random or wrong text in the data entry website.

  (4) Low score. Answering the questions randomly. To test whether the participants answered the questions honestly, we repeated the same questions twice in random order and then checked the consistency. We evaluated the consistency score \(S_i\), which was defined as follows:

    (a) In the case of a single-response questionnaire, if the first answer is equal to the second, we add 10 points to \(S_i\).

    (b) In the case of a multiple-response questionnaire, if the two answers are consistent, we add 25 points to \(S_i\). However, 5 points are deducted for each inconsistent answer.

    Five single-response and two multiple-response questionnaires were provided. The highest possible consistency score \(S_i\) was 100.
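The scoring rule for (4) carried through in code, as an added example that is not part of the paper. The point values come from the text; treating a multiple-response item as two option sets, with "each inconsistent answer" read as each option present in only one of the two sets, is our assumption, as is the sample data.

```python
# Added example (not the paper's code): consistency score S_i from Sect. 3.8 (4).
# Point values are taken from the text. Scoring a multiple-response item by the
# symmetric difference of the two option sets is an assumption about the rule.
from typing import Iterable, Sequence

SINGLE_POINTS = 10   # awarded when both answers to a single-response item agree
MULTI_POINTS = 25    # awarded when both selections of a multiple-response item agree
MULTI_PENALTY = 5    # deducted per option present in only one of the two selections


def score_single(first: str, second: str) -> int:
    """Single-response item: 10 points if the repeated answer matches, else 0."""
    return SINGLE_POINTS if first == second else 0


def score_multiple(first: Iterable[str], second: Iterable[str]) -> int:
    """Multiple-response item: 25 points if the two selections are identical,
    otherwise -5 for every option that appears in only one selection
    (assumed reading of 'each inconsistent answer')."""
    a, b = frozenset(first), frozenset(second)
    if a == b:
        return MULTI_POINTS
    return -MULTI_PENALTY * len(a ^ b)


def consistency_score(single_pairs: Sequence[tuple], multi_pairs: Sequence[tuple]) -> int:
    """S_i for one participant: sum over the single and multiple items."""
    total = sum(score_single(f, s) for f, s in single_pairs)
    total += sum(score_multiple(f, s) for f, s in multi_pairs)
    return total


# Five single and two multiple items, as in the paper: maximum of 100
MAX_SCORE = 5 * SINGLE_POINTS + 2 * MULTI_POINTS

# Constructed sample: a participant who answers every repeated item consistently
CONSISTENT = consistency_score(
    [("a", "a"), ("b", "b"), ("c", "c"), ("d", "d"), ("e", "e")],
    [({"x", "y"}, {"y", "x"}), ({"p"}, {"p"})],
)

# Constructed sample: one single item flipped, one multiple item with two options changed
CARELESS = consistency_score(
    [("a", "a"), ("b", "c"), ("c", "c"), ("d", "d"), ("e", "e")],
    [({"x", "y"}, {"x", "z"}), ({"p"}, {"p"})],
)

if __name__ == "__main__":
    print(f"max={MAX_SCORE} consistent={CONSISTENT} careless={CARELESS}")
```

The paper does not state the threshold below which an \(S_i\) counts as a "low score", so the block only computes the score.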

3.9 Methods of Detection

We used a PHP script to detect malicious activity. We used JavaScript to detect malicious behavior such as pressing the Ctrl+C or Ctrl+V key or copying and pasting by right-clicking. We manually analyzed the website log, all survey answers and all input text in the database. Table 2 shows the relationship between malicious activities and methods of detection.

Table 2. Relationship between malicious activities and methods of detection.

4 Result

4.1 Demographic Characteristics of the Participants

Table 3 shows the demographic characteristics of the participants in each group, where N is the number of users in each group. Note that the numbers of participants in a group were not always identical, e.g., there were slightly fewer participants in group A than in group D. This was because we assigned participants to each group in turn, and some participants did not complete the task, resulting in uneven group sizes.

Table 3. Number of users.

4.2 Number of Users Who Performed Malicious Activities

Table 4 shows the number of malicious users who performed malicious activities in our experiment. The number of users N is the sum of the two groups in the same category. For example, the number of users sharing credentials is the sum of A and C. In the sharing credentials group, 28 of 93 users copied and pasted text by right-clicking. Surprisingly, more users in the individual credentials group copied and pasted text compared with the sharing credentials group. Similarly, more participants using indicated IDs were found to be performing malicious activities compared with those using non-indicated IDs (n = 27). Remarkably, the number of participants with a low score (4) increased when credentials were shared within a group.

Figure 2 shows the probability density function of the elapsed time of the task \(T_i\) for each participant i. The elapsed time of task \(T_i\) is the difference between the starting and finishing times. A small difference was found between groups. Figure 3 shows the probability density function of the consistency score \(S_i\) for each group. Group A had the smallest average consistency.

Table 4. Number of users who performed malicious activities.

Fig. 2. Probability density function of elapsed time \(T_i\) for each group.

Fig. 3. Probability density function of score \(S_i\) for each group.

4.3 Chi-Square Test

To evaluate the confidence of our experimental results, we performed a chi-square test on the number of malicious activities for (1), (2), (3) and (4).

We had the following two hypotheses:

The null hypothesis (\(H_0\)): there is no correlation between the groups and malicious activity. Malicious activities are performed independently of the group condition.

The alternative hypothesis (\(H_1\)): there is a correlation between the hypothesized causes and malicious activity.

Table 5 shows the results of the chi-square test. The results show that low scores for malicious activities (4) were observed significantly more frequently when the website did not indicate a login ID. However, the P values for activities (1), (2) and (3) were too large to reject the null hypothesis. Therefore, with 90% confidence, we conclude that only (4), a low score, depended on whether IDs were indicated.

Table 5. Chi-square test results
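The test described above on a 2x2 table of condition versus activity observed, as an added example that is not part of the paper. It uses only the standard library; the counts are constructed (the 28 of 93 sharing-credential users who copied and pasted is the one figure the paper gives, the individual-credential row is invented), and no continuity correction is applied since the paper mentions none.

```python
# Added example (not the paper's code): Pearson chi-square test of independence
# on a 2x2 table "group condition x malicious activity observed" (Sect. 4.3),
# decided at the paper's 90% confidence level. All counts below are constructed.
import math

CRITICAL_90 = 2.706   # chi-square critical value, df = 1, alpha = 0.10 (90% confidence)


def chi_square_2x2(table):
    """Return (statistic, p_value) for table = [[a, b], [c, d]].

    Rows: the two conditions (e.g. sharing vs. individual credentials).
    Columns: participants who did / did not perform the activity.
    No Yates continuity correction (assumption: the paper does not mention one)."""
    (a, b), (c, d) = table
    n = a + b + c + d
    row1, row2 = a + b, c + d
    col1, col2 = a + c, b + d
    if min(row1, row2, col1, col2) == 0:
        raise ValueError("a margin of the table is empty; the test is undefined")
    # Closed form of sum((O - E)^2 / E) for a 2x2 table
    stat = n * (a * d - b * c) ** 2 / (row1 * row2 * col1 * col2)
    # Survival function of the chi-square distribution with one degree of freedom
    p_value = math.erfc(math.sqrt(stat / 2))
    return stat, p_value


def rejects_null_at_90(table):
    """True when the statistic exceeds the 90% critical value, i.e. H0 is rejected."""
    stat, _ = chi_square_2x2(table)
    return stat > CRITICAL_90


# Constructed table for activity (2), copy and paste:
#   row 1: sharing credentials (A+C, N=93), row 2: individual credentials (invented N=99)
#   col 1: copied and pasted, col 2: did not
COPY_PASTE = [[28, 65], [35, 64]]

# Constructed table with an imbalance large enough to cross the 90% threshold
LOW_SCORE_EXAMPLE = [[40, 53], [25, 74]]

if __name__ == "__main__":
    for name, table in (("copy/paste", COPY_PASTE), ("low score", LOW_SCORE_EXAMPLE)):
        stat, p = chi_square_2x2(table)
        verdict = "reject H0" if rejects_null_at_90(table) else "cannot reject H0"
        print(f"{name}: chi2={stat:.3f} p={p:.3f} -> {verdict}")
```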

4.4 Discussion

First, we consider the influence of non-indicated IDs on malicious behavior. Based on Table 5, a low score (4) for malicious activities depended on the non-indicated ID condition. If no login ID was shown on the website, more malicious activities were performed. We therefore conclude that people do not stay motivated to work when no login ID is indicated.

Second, we observed an excessive number of malicious activities in the form of clicking the edit button. As we explained in Sect. 3.7, Question 6 was designed to be unanswerable in order to tempt potential malicious participants to click the “edit” button. However, almost all participants clicked the “edit” button. We therefore believe that the participants clicked the button innocently without realizing that it was a prohibited activity. Alternatively, careless participants simply failed to notice this rule in the terms of use. Since these activities were of no use in identifying the hypothesized causes of malicious behavior, we excluded them from our analysis.

Finally, we remark on the relationship between individual and temporary credentials. In our experiment, we expected that users who were assigned individual credentials would perform fewer malicious activities. However, they might not have taken their individual credentials very seriously because they were only for one-time use. If we had assigned more permanent credentials, such as Social Security Numbers, the participants may have viewed them as being more serious.

5 Conclusions

In the present study, based on a survey of research related to insider threats, we focused on the occurrence of malicious activities under the condition of sharing or individual credentials. To clarify the effects, we conducted an experiment involving 198 participants who performed a small task to observe malicious activity. We observed significantly more malicious activity when a user ID was not indicated compared with when it was. However, unexpectedly, users who were sharing credentials did not perform more malicious activities than users who had individual credentials.

In future research, we plan to investigate the reasons underlying the differences seen in the number of malicious activities performed in accordance with the conditions of malicious insiders.