Identifying Common Characteristics of Malicious Insiders

Nan Liang, David Biros


Malicious insiders account for a large proportion of security breaches or other kinds of loss for organizations and have drawn the attention of both academics and practitioners. Although methods and mechanisms have been developed to monitor potential insiders via electronic data monitoring, few studies focus on predicting potential malicious insiders. Based on the theory of planned behavior, certain cues should be observed or expressed when an individual acts as a malicious insider. Using text mining to analyze various media content from existing insider cases, we strive to develop a method to identify crucial and common indicators that an individual might be a malicious insider.


Keywords: malicious insider, insider threat, the theory of planned behavior, text mining







Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.


(c) 2006-2015 Association of Digital Forensics, Security and Law