A Simulation-Based Approach to Development of a New Insider Threat Detection Technique: Active Indicators

Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 782)


Current cybersecurity research on insider threats has focused on finding clues to illicit behavior, or “passive indicators”, in existing data resources. However, a more proactive view of detection could preemptively uncover a potential threat, mitigating organizational damage. Active Indicator Probes (AIPs) of insider threats are stimuli placed into the workflow to trigger differential psychophysiological responses. This approach requires defining a library of AIPs and identifying eye tracking metrics to detect diagnostic responses. Since studying true insider threats is unrealistic and current research on deception uses controlled environments which may not generalize to the real world, it is crucial to utilize simulated environments to develop these new countermeasures. This study utilized a financial work environment simulation, where participants became employees reconstructing incomplete account information, under two conditions: permitted and illicit cyber tasking. Using eye tracking, reactions to AIPs placed in work environment were registered to find metrics for insider threat.


Insider threat Cyber security Active Indicator Probes Eye tracking 



The research is based upon work supported by the Office of the Director of National Intelligence (ODNI), Intelligence Advanced Research Projects Activity (IARPA), via IARPA R&D Contracts, contract number 2016-16031500006. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the ODNI, IARPA, or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon.


  1. 1.
    Mohammed, D.: Cybersecurity compliance in the financial sector. J. Internet Bank. Commer. 20(1), 1–11 (2015)Google Scholar
  2. 2.
    Beer, W.: Cybercrime. Protecting against the growing threat. Global Economic Crime Survey, 30 February 2012Google Scholar
  3. 3.
    Silowash, G., Cappelli, D., Moore, A., Trzeciak, R., Shimeall, T.J., Flynn, L.: Common Sense Guide to Mitigating Insider Threats, 4th edition. DTIC Document (2012)Google Scholar
  4. 4.
    Wall, D.S.: Enemies within: redefining the insider threat in organizational security policy. Secur. J. 26(2), 107–124 (2013)CrossRefGoogle Scholar
  5. 5.
    Leschnitzer, D.: Cyber Security Lecture Series: The CERT Insider Threat Guide (2013)Google Scholar
  6. 6.
    Whitman, R.L.: Brain Betrayal: A Neuropsychological Categorization of Insider Attacks (2016)Google Scholar
  7. 7.
    Silowash, G.: Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple SourcesGoogle Scholar
  8. 8.
    Greitzer, F.L., et al.: Developing an ontology for individual and organizational sociotechnical indicators of insider threat risk. In: STIDS, pp. 19–27 (2016)Google Scholar
  9. 9.
    Meijer, E., Verschuere, B., Ben-Shakhar, G.: Practical guidelines for developing a CIT. In: Verschuere, B., Ben-Shakhar, G., Meijer, E. (eds.) Memory Detection, pp. 293–302. Cambridge University Press, Cambridge (2011)CrossRefGoogle Scholar
  10. 10.
    Verschuere, B., Ben-Shakhar, G., Meijer, E. (eds.): Memory Detection: Theory and Application of the Concealed Information Test. Cambridge University Press, Cambridge (2011)Google Scholar
  11. 11.
    Ekman, P., Friesen, W.V.: Nonverbal leakage and clues to deception. Psychiatry 32(1), 88–106 (1969)CrossRefGoogle Scholar
  12. 12.
    Emm, D., Garnaeva, M., Ivanov, A., Makrushin, D., Unuchek, R.: IT Threat Evolution in Q2 2015. Russ. Fed, Kaspersky Lab HQ (2015)Google Scholar
  13. 13.
    Hashem, Y., Takabi, H., GhasemiGol, M., Dantu, R.: Towards Insider Threat Detection Using Psychophysiological Signals, pp. 71–74 (2015)Google Scholar
  14. 14.
    Neuman, Y., Assaf, D., Israeli, N.: Identifying the location of a concealed object through unintentional eye movements. Front. Psychol. 6 (2015)Google Scholar
  15. 15.
    Synnott, J., Dietzel, D., Ioannou, M.: A review of the polygraph: history, methodology and current status. Crime Psychol. Rev. 1(1), 59–83 (2015)CrossRefGoogle Scholar
  16. 16.
    Twyman, N.W., Lowry, P.B., Burgoon, J.K., Nunamaker, J.F.: Autonomous scientifically controlled screening systems for detecting information purposely concealed by individuals. J. Manag. Inf. Syst. 31(3), 106–137 (2014)CrossRefGoogle Scholar
  17. 17.
    Derrick, D.C., Moffitt, K., Nunamaker, J.F.: Eye gaze behavior as a guilty knowledge test: initial exploration for use in automated, kiosk-based screening. Presented at the Hawaii International Conference on System Sciences, Poipu, HI (2010)Google Scholar
  18. 18.
    Schwedes, C., Wentura, D.: The revealing glance: eye gaze behavior to concealed information. Mem. Cogn. 40(4), 642–651 (2012)CrossRefGoogle Scholar
  19. 19.
    Ekman, P.: Mistakes-when-deceiving. Ann. N. Y. Acad. Sci. 364, 269–278 (1981)CrossRefGoogle Scholar
  20. 20.
    Bhuvaneswari, P., Kumar, J.S.: A note on methods used for deception analysis and influence of thinking stimulus in deception detection. Int. J. Eng. Technol. 7(1), 109–116 (2015)Google Scholar
  21. 21.
    Matthews, G., Reinerman-Jones, L.E., Barber, D.J., Abich IV, J.: The psychometrics of mental workload: Multiple measures are sensitive but divergent. Hum. Fact. J. Hum. Fact. Ergon. Soc. 57(1), 125–143 (2015)CrossRefGoogle Scholar
  22. 22.
    Staab, J.P.: The influence of anxiety on ocular motor control and gaze. Curr. Opin. Neurol. 27(1), 118–124 (2014)CrossRefGoogle Scholar
  23. 23.
    Ortiz, E., Reinerman-Jones, L., Matthews, G.: Developing an Insider Threat Training Environment. In: Nicholson, D. (ed.) Advances in Human Factors in Cybersecurity, vol. 501, pp. 267–277. Springer, Cham (2016)CrossRefGoogle Scholar
  24. 24.
    Schleicher, R., Galley, N., Briest, S., Galley, L.: Blinks and saccades as indicators of fatigue in sleepiness warnings: looking tired? Ergonomics 51(7), 982–1010 (2008)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2019

Authors and Affiliations

  1. 1.University of Central FloridaOrlandoUSA

Personalised recommendations