How Much is Risk Increased by Sharing Credential in Group?

  • Hiroaki Kikuchi
  • Niihara Koichi
  • Michihiro Yamada
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10547)


Insider threats are one of the biggest issues in information management. In practice, the hardest challenge is protecting information assets from malicious insiders. There have been many studies to clarify the factors that influence insiders to perform malicious activities. However, a user study based on a questionnaire cannot be expected to reveal the honest opinions of potential malicious insiders, who may give false answers to such studies. In addition, it is hard to observe the comprehensive searches of malicious activities in insider incidents, because the available data about incidents are limited. To overcome the difficulties in studying malicious activities in insider threats, we propose a new approach employing epidemiological methodologies with (1) risk amplification, and (2) a logistic model for malicious insiders. We employed a total of 200 subjects from crowd-sourcing services and observed every step that they took to perform a given task in an environment that motivated them toward malicious activities (risk amplification). We applied a logistic regression to identify the odds ratio, that is, the odds in favor of malicious activity among those exposed to a factor divided by the odds among those not exposed to it. Our experiment shows that a credential shared in a group increases the risk of malicious insiders by 3.28 with statistical significance (\(p < 0.1\)).



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Hiroaki Kikuchi (1)
  • Niihara Koichi (1)
  • Michihiro Yamada (1)
  1. Graduate School of Advanced Mathematical Sciences, Meiji University, Tokyo, Japan
