Researchers: Andrew Moore, Dawn Cappelli
Management and Education of Risks of Insider Threat (MERIT)
Evidence from a joint U.S. Secret Service and CERT/CC study on insider cyber crimes across the nation’s critical infrastructures indicates that managers, at times, make decisions intended to enhance organizational performance and productivity, but with the unintended consequence of magnifying the organization’s exposure to and likelihood of insider cyber attack. The lack of methods and tools for analyzing and communicating insider threat risks and mitigations exacerbates the problem faced by business managers. This project, called MERIT, develops methods and tools that help managers to understand the potential near-term and long-term insider threat risk to their organization, quantitatively analyze tradeoffs associated with alternative approaches to mitigate this risk, and communicate risks and mitigations with others in their organization.
The MERIT project uses a technique called system dynamics to model and analyze the dynamic nature of the insider threat problem and to produce interactive learning environments based on the models developed. The output of this project will be training and/or decision support tools that can be used by policy makers, security officers, information technology staff, human resources personnel, and management to understand the complexity of the problem and assess the relative degree of organizational risk from insiders based on simulations of policies and of cultural, technical, and procedural factors. These tools will help decision-makers understand insider threat risks and the effects of policy, procedure, and technology decisions on the promotion or mitigation of that risk.
Army Research Office