Cyber security inside and out: Protecting business from cyber threats within

Cyber attacks represent a real and increasing threat to business. But such attacks aren’t just carried out by seasoned hackers across the globe looking for new challenges.    What happens when the danger comes from within the business itself?  Or from trusted partners or suppliers?  Cyber-based threats can be the actions of disgruntled, corrupt or just poorly-trained employees, deliberately or accidentally harming crucial data or digital infrastructure.  They can involve many people and malicious software, exploiting vulnerabilities in business systems and processes. Yet, despite the size of the risk, insider attacks receive comparatively little attention from the cyber security community.

This is the context that has prompted the establishment of the Corporate Insider Threat Detection research project, a joint venture between the Universities of Oxford, Leicester and Cardiff, commissioned by the Centre for the Protection of National Infrastructure (CPNI). Far from being just a theoretical exploration into the problems facing businesses, this project will develop a conceptual model, as well as a prototype monitoring software, designed to detect cyber- insider threats, to help identify hazards to businesses before the threat is realised. The project team believes that by combining an understanding of human behaviours and psychology they can deliver a significant step-change in our ability to defend systems. They will be able to offer ways for the enterprise to prevent such attacks happening, including those in which unwitting employees are recruited to perpetrate these insider attacks.

Sadie Creese, Professor of Cyber Security in the Department of Computer Science at the University of Oxford, commented: “These types of insider incidents are on the increase and represent a significant danger to us and the systems we depend on for modern life. Our belief is that we can help to enhance current protections to business enterprises, not only by advancing detection in a manner supportive of the wider business culture and mission, but also by identifying opportunities to prevent these incidents manifesting in the first place.”

The challenge of the research is to develop a model for insider threat detection, which is flexible and accurate enough to operate usefully in a real business environment. We need a model that will provide advance warning of potential problems but filter out instances that are not significant. The model must also sit alongside current information systems without disrupting them.  “I am very excited to be part of the project”, said David Upton, Professor of Operations Management at the Saïd Business School.  “The management of these threats will be an increasingly important part of boards’ fiduciary responsibility to their stakeholders”.

The project will go beyond enabling business to look at the normal flows of data within an organisation and spot anomalies. It will also draw on expertise on the psychology behind insider crimes and criminal behaviour.  It is unique in drawing together expertise from fields of cyber security and visual analytics, along with knowledge of psychology, criminology and business management.    The research will also draw heavily on the real-life experiences of companies that have already experienced insider incidents.   Monica Whitty, Professor of Contemporary Media and a cyber-psychologist in the Department of Media and Communication at the University of Leicester, commented: “What is new in our detection approach is the use of human behavioural and psychological indicators along with more traditional cyber indicators.”

As well as gaining a more theoretical understanding of the profile and activities of insiders who misuse IT, the planned prototype tool will allow businesses to bring together data on potential threats to their business in one place. It will provide an innovative, visual user-interface that helps senior management to assess the relative severity of any threats issued and respond accordingly.

The team behind the research will actively disseminate their results, raising awareness of insider-threats and appropriate detection methods with business leaders, mainstreaming what risks being marginalised as an ‘IT issue’.  One route for this will be via educational courses for business leaders provided by Oxford’s Saïd Business School.  The team will be working closely with Financial Fraud Action UK, SOCA, CISCO, CIFAS – the UK’s Fraud Prevention Service – and a variety of corporate partners to ensure our detection system appeals to potential users, and is based on real threat scenarios.

This project supports the UK Government's cyber security strategy.¹

^{.............................}

¹In a Ministerial written statement to Parliament (http://www.cabinetoffice.gov.uk/sites/default/files/resources/WMS_Cyber_Strategy_3-Dec-12_3.pdf):

"CPNI is actively influencing standards, researching vulnerabilities and focusing on the key technologies and systems of cyber infrastructure. As part of this work it has commissioned a major research programme from the University of Oxford with the aim of delivering advice, guidance and products to help reduce the risk of cyber attacks mounted or facilitated with the help of company insiders."

 ^{............................}

For more information, please contact katherine.fletcher@cs.ox.ac.uk

Key researchers behind the project are:

• Sadie Creese, Professor of Cyber Security in the Department of Computer Science at the University of Oxford.
• Professor Michael Goldsmith, a Senior Research Fellow also in the Department of Computer Science at the University of Oxford.
• David Upton, American Standard Companies Professor of Operations Management at the Saïd Business School at the University of Oxford.
• Min Chen, Professor of Scientific Visualization in the University of Oxford e-Research Centre.
• Monica Whitty, Professor of Contemporary Media and a cyber-psychologist in the Department of Media and Communication at the University of Leicester.
• Michael Levi, Professor of Criminology in the School of Social Sciences at Cardiff University.

Other organisations mentioned in this article:

• Financial Fraud Action UK: the name under which the financial services industry co-ordinates its activity on fraud prevention, representing a united front against financial fraud and its effects.  Financial Fraud Action UK works in partnership with The UK Cards Association on industry initiatives to prevent fraud on credit and debit cards, with the Fraud Control Steering Group on non-cards fraud matters and the Cheque and Credit Clearing Company on credit clearing and cheque fraud.
• SOCA: Serious Organised Crime Agency (UK), an Executive Non-Departmental Public Body (NDPB) of the Home Office
• CISCO: company, worldwide leader in networking
• CIFAS: not-for-profit membership association representing the private and public sectors.  CIFAS is dedicated to the prevention of fraud, including staff fraud, and the identification of financial and related crime. Operates the National Fraud Database (NFD) and the Staff Fraud Database (SFD)

The Oxford Cyber Security Centre is an interdisciplinary centre which brings together experts from a number of departments in Oxford and the wider world to address the cybersecurity challenges of the 21st century. It will drive major developments in the theory and practice of cybersecurity and aims to help in the creation of a safe, secure and prosperous cyberspace through internationally leading research and educational programmes.

Oxford is recognised as one of GCHQ’s Academic Centres of Excellence in Cyber Security Research.