The Insider Threats Landscape Today With Michael Theis of National Insider Threat Center, Cert/Sei, Carnegie Mellon University - Ep. 59
Michael Theis of CERT discusses what's new in the sixth edition of Common Sense Guide to Mitigating Insider Threats and how workplace violence and IT sabotage are two sides of the same coin.
Episode Table of Contents
- [0:22] Introducing Our Guest, Michael C. Theis
- [1:55] The Authors of Common Sense Guide to Mitigating Insider Threats
- [7:44] People Make Decisions When Stressor Happens
- [9:19] What Is Perceived Organizational Support?
- [11:31] Basic Examples of Positive Incentives
- [12:32] What Has Changed With the Workplace Violence
- [15:15] Workplace Violence Versus Cyber Violence
- [19:22] Are Government Organizations Getting Better or Worse at Detecting Insider Threats?
- About Michael C. Theis
Introducing Our Guest, Michael C. Theis
Eric: Welcome back to To The Point - Cybersecurity podcast. I'm Eric Trexler, your host and Arika is unavailable this week, but we have a stand-in, where Carolyn Ford is joining us today. She is a Senior Marketing Product Manager from Forcepoint and this is her first podcast, so go easy on her on the comments, but we're really looking forward to the dialogue. Today we're joined by Mike Theis. He's a Chief Counter-intelligence Expert and Technical Lead for Insider Threat Research, let me breathe for a second, at Carnegie Mellon University. Mike's got a 20 plus year history in Insider Threat starting in the army. Welcome to the show, Mike.
Michael: Thank you for having me.
Eric: 20 years. Counter-intel Special Agent. Now you're at Carnegie Mellon. That's quite a career.
Michael: Yeah, I've enjoyed it. I had my own business for a while and then got pulled back into government service after 9/11 and then wanted to go back to just private life again. And when I left the government the second time, that's when Carnegie Mellon asked me, and it's actually the Software Engineering Institute. So it's one of the places in Carnegie Mellon that has the program called CERT. And the CERT has the Insider Threat Center. And so they said, "You were using all of our research during the time after you came back to help build Insider Threat Programs. So could you come up here and help us show how to take our research and apply it operationally?" And that's basically the main role that I have.
The Authors of Common Sense Guide to Mitigating Insider Threats
Eric: You have 20 years in the US Army, a number of years in the intelligence community and now you're working with Carnegie Mellon and teaching others and working with others.
Michael: Right. And I have 30 years of Computer Systems Engineering concurrently, so I'm not like 105, but some of these things overlap.
Eric: Awesome. Awesome. And I understand you wrote a publication, you're in the sixth edition here of a Common Sense Guide to Mitigating Insider Threats. I think, Carolyn, you read that?
Carolyn: Yeah, actually Mike and I go back a few years. I cut my teeth on Insider Threat with Mike and this is the Bible, the CERT Guide to Insider Threats. And I saw, Mike, that you guys came out with the latest edition just February of this year. So I'd love for you to talk about what's new and different in the latest edition. And the copy I've got is the first copy and it's a hardbound book, but I understand the newest one is a PDF.
Michael: Yeah. So let me just clarify that a little bit. The original that you're talking about, the hardbound book, is a standalone one in and of itself. And it was written by three authors. The main author was Dawn Cappelli and she's the one who actually created the CERT Insider Threat Center. Randy Trzeciak is a coauthor and Andy Moore. So Andy Moore is what we call a Modeler, so he can take all of this type of data and build models that show how these types of attacks happen for different kinds of threats.
The CERT Guide to Insider Threats
Michael: So they put together that book that was published and I believe it's actually considered required or highly recommended for cybersecurity professionals by some large organization, which I just can't remember the name of right now. Aside from that, Randy was in charge of the research team at that point and they started taking what we call the corpus of insider threat incidents.
Michael: At that time it was about 500 and they said, "We should try to publish what are some of the best practices for either preventing, detecting or responding to insider threats." And so that became the guide, which is called the Common Sense Guide to Mitigating Insider Threat. And that is a completely sort of different thing than the original book. So, that has been in the sixth edition now.
The only reason it looks like I wrote it is because I led the team to do the sixth edition version of it. So my name sort of appears first, but really it was many, many people who have contributed to this thing over time. And we sort of dropped that off and put it into the acknowledgement in the front. So if you really want to see all the people who've contributed as authors, that's where you would find it.
The Foundation: Common Sense Guide to Mitigating Insider Threats
Eric: ... if Carolyn and I pick up, if we're working for a government agency and we're now in charge of insider threat, I mean we've got a lot with CMMC, a lot of responsibility in the DoD. It's big in the civilian agencies, it's big internationally. But if Carolyn and I are management and we pick up insider threat, is this where we start or is this a guideline we hand to our team but we start somewhere else.
Michael: So no, I would say that this is where you would start. Although, we're not the only people who have published anything or done anything. But I would say that we are considered kind of the foundation because we started insider threat research in 2001, so it was well before anybody else. And we have accumulated a mass of knowledge, scientifically-based, empirical-based knowledge over that time along with collecting best practices.
Michael: So, what you would find in this guide is you could look at the 20 best practices, sort of like in the table of contents. You could see them sort of an abstract from a management perspective. But then you could also find in an appendix where we would say if you're in IT, here are the practice numbers that you should look at and try to apply. And if you're in HR, here are the practice numbers that would apply mostly to you, every part of your organization, physical security, legal, contracting.
Eric: So all-encompassing.
Michael: All [crosstalk 00:06:24] stuff.
What Has Changed Since the First Edition of Common Sense Guide to Mitigating Insider Threats
Eric: Okay. So Carolyn, you were basically a kid in 2001, we'll read this book. But Mike, what's changed? What have you seen over these years? I mean, it's almost two decades now since the first edition. How's the business changed?
Michael: Well. So we are up to 20 best practices now. So every time we do an edition, we actually update the existing best practices. Sometimes we'll drop one and add a different one in its place. In this particular sixth edition version, what we did is we went back and refreshed the existing 19 with either additional case studies or updated advice based on the way that things are done now in the world. So in other words, some practices have discontinued in business and newer practices have picked up. So we've put those in there.
Michael: And then we added a brand new one, which was using positive incentives to help reduce risk. So, that's the 20th practice.
And the idea behind it is you don't at all need to know what the threat is. If you have positive incentives, they can outweigh the negative incentives and help people break good, so to speak. So everyone has stressors and everyone has personal predispositions.
People Make Decisions When Stressor Happens
Eric: You're talking people in the business, employees?
Michael: People, human beings, all human beings. So when a stressor happens, based on their predispositions, the things they brought with them to this employment, they will make some decisions. And what we would hope they would do is make good decisions and be able to cope with the stressor rather than acting out in a way that causes harm either through fraud or IT sabotage or intellectual property theft and that type of thing.
So this particular best practice comes from a research study that we did that took a year and it was published and it basically has the same name. It's pretty close to the same name. You can find that on our website. All of our research is publicly available. It's free to download all of that type of thing.
Michael: There were three major factors that came out of this. What we found to be the three most important factors for positive incentive was job engagement. How engaged is the person with the work that they're doing. The second was engagement with their coworkers. So how engaged were they with the team that they were working with? And the third was how much organizational support did they perceive they had.
Michael: And when we measured those things using different factors, different weights and measures, we found that all three of them were important compared to all other things that we measured. But the most important was the perceived organizational support. So think about it this way.
What Is Perceived Organizational Support?
Eric: What is that? That's like-
Michael: I'm going to explain that.
Eric: ... unlimited vacation time or Amazon book ordering capability? What is that?
Michael: No. So let's say that you really love your job. You love the work. It's like, I love doing this work. But this may not be the only place you could do that work. So what keeps you loyal, so to speak, to the organization or believing in supporting the organization. The other thing is you might love your coworkers and have a good time with your team, but that doesn't mean there aren't other people that you could work with where you could find the same kind of satisfaction.
Michael: Perceived organizational support means that I believe that the organization has my best interest at heart, that they're always trying to do what they can to help me and support me. And that even if I make mistakes or things aren't going well, I believe they have my best interests. They're trying to support me in that way. That's hard to find, right? Because you never really know what another organization's going to be like. And it's very rare for most people. And when they find that kind of job, that's when they stay.
How Perceived Organizational Support Is Measured
Carolyn: So Mike-
Michael: Because they want to have that.
Carolyn: ... how did you measure this? Is this a survey? Is it like user [crosstalk 00:00:10:30].
Michael: It uses a combination of factors. So, we analyze cases of incidents. We actually did do some survey type stuff with HR and other groups within the organization. And then there was a third thing, which right now off the top of my head, I can't remember, but it's detailed in that best practice of the methodology that was used.
Carolyn: So with the best practice, do you talk about what organizations can do to support this best practice?
Michael: Yes, absolutely. So for every one of the best practices, what we break down in there is what are your quick wins and how do you get started? And if you're a large organization, but what if you're a smaller organization or a medium organization? So we always give you examples of where you could get started. Because not everyone has the same level of resources. So there are four basic examples of positive incentives that are in this best practice. But, you could expand well beyond that.
Basic Examples of Positive Incentives
Michael: So, for example, how do I make sure that people feel like they're engaged and that they're supported? Well, we want to have inclusion, right? So everyone should have the feeling that their opinion matters. Even if the decision doesn't go their way, they feel like they had their opportunity to contribute. Same thing with the work, they feel like they're a valuable member of the team. They don't necessarily have to be the superstar, but they know that they're-
Eric: They're valued in what they do.
Michael: ... actually valued. Yeah, exactly. Those kinds of things are positive incentives.
Carolyn: You've talked a lot about workplace violence, and this comes to mind because we just had an active shooter training at work actually, and this is making me think that this all is related.
Eric: We've definitely seen an uptick in interest around workplace violence. I don't know the statistics whether workplace violence has increased over the last couple of decades, but we're having a lot more conversations with government-
What Has Changed With the Workplace Violence
Carolyn: Yeah, we just talk about it a lot.
Eric: ... yeah, I mean, agencies really do care and they're focusing on it. So Mike, what's changed?
Michael: Yeah, I would say awareness, right? So it's like insider threat itself. So people might say, "Wow, there's suddenly a lot of insider threat." It's like, no, there's always been insider threat. It's just that in most cases organizations weren't able to detect it. So in other words, intellectual property theft, they just knew that suddenly they were getting a lot more market pressure because competitors were gaining or leapfrogging over them. But not putting together the idea that they had an insider threat that took intellectual property or fraud or IT sabotage or whatever the issue is.
Michael: Once that starts to get reported more, it becomes a focus, right? So people start to hear it. I would argue that the workplace violence is probably fairly similar in the sense that the total amount of incidents maybe isn't increasing, but definitely the focus on it is so everyone, it comes to your attention immediately when you hear it.
Michael: What we have done is in that sixth edition of the common sense guide, we went back and updated every one of the best practices for any aspects of how it could also apply to workplace violence and preventing it. I would like to also say that it doesn't just mean active shooter.
Tracking the Components of Workplace Violence
Michael: I mean I know that's kind of becoming synonymous in people's minds for workplace violence, but there's workplace aggression. Workplace violence would be if somebody slugged somebody else, it's technically workplace violence and those types of things are much, much more common than active shooter type stuff.
Eric: Do you find they track back to the same components? How engaged is someone in their job? How engaged are they from an organizational support perspective? Same factors we're looking at here or do they change as it relates to workplace violence?
Michael: No, I don't think it would change necessarily with one exception that in a lot of cases of workplace violence, a mental health status may have an overriding capability. So in other words, in most of the other types of threats, I think that the positive incentives would definitely outweigh it. But, mental health is very challenging even for behavioral scientists. So I don't have any evidence or any measurement that could tell me right now whether or not it would work for that aspect of the problem.
Michael: But if it's not a mental health issue that causes the workplace violence, I do believe that probably would be beneficial.
Workplace Violence Versus Cyber Violence
Michael: So the way that we looked at this was because the Department of Defense, all the military services asked us, "Can you apply these models to workplace violence?" So we thought, "That's a great question." The only reason we hadn't done it up to this point was because we're the Software Engineering Institute and it was all about cyber and how to protect cyber and how people are using cyber to commit these types of crimes.
Michael: So now that we're being asked for more of a physical type thing, we started with saying how does it compare to cyber? So the first thing we thought was, what about IT sabotage? It's actually an act of aggression. It's just an act of aggression against computer systems as opposed to a human being.
So we went and started looking at cases of, in this situation we did use active shooter cases for workplace violence and for significant sabotage cases and compared them. And what we found is that there are many commonalities up to a certain point. So in other words, the predispositions are very similar.
The stressors that people faced are very similar. But once they made the ideation that they're going to act out, that's when the paths diverge. And so if you can collect all that information before they make the ideation, you could probably prevent it and you wouldn't even have to know was it going to be IT sabotage or physical violence in the real world?
Observing the Most Common Stressors in Workplace Violence
Carolyn: So there are technical observables for the workplace violence, just like the IT sabotage, just like the fraud?
Michael: Yeah, absolutely. So, that was just the beginning of the work. I should say that what we found is the most common stressors that applied to both crimes were stress that was caused by the organization itself and stress that was caused by coworker relationships.
Eric: Oh, I need you to talk to my boss and my peers then, [inaudible 00:17:11].
Michael: Yeah. So that's kind of the idea behind it: an organization should have the ability to observe that and find ways to measure it, either through business intelligence analytics or other kinds of things. Like you could say, "Hey, this person is being asked to travel a lot and it's causing them stress," or "They're having some tension on the project that they're working on because of their coworkers." You could say, "How can we reduce those stressors? Maybe assign them to a different team, maybe give them a different project."
Whatever it is. Then you could avoid potentially IT sabotage or workplace violence in the future. So that's the idea of observing and then taking an action so you're not waiting for a policy violation or a concerning behavior. You're looking at reducing those stressors before it happens.
The Technical Detection of Intended Violence Against Self or Others
Eric: [crosstalk 00:18:02]. Go ahead, Carolyn. [crosstalk 00:18:04].
Michael: I was going to say, we followed that up with how could you then detect, once a person's made an ideation of either harm to themselves or harm to someone else, could you use your same insider threat technical detection stuff to see those indicators? And so that's separate research that we followed up that you can also get on our website and it's called Technical Detection of Intended Violence Against Self or Others. I know it's a long title, but you know, we're academics. We have to do that.
Eric: Sounds like the next movie hit coming out for Christmas here. Carolyn, you were about to say.
Carolyn: Well, I know you just published the results this year, but have you been able to see some of these best practices in play and have they made a difference? Have you been able to measure that yet?
Michael: Yeah, all the other best practices, the other 19, we've definitely seen in operational environments, the 20th one, the positive incentives. That's what we're looking for, is to partner with an organization that we could explain to them how they could do it and then we could measure it. So, they would look at what their baseline is right now with incidents and then implement these positive incentives or increase the ones they already have. And then let's see if there is a change in the rate of incidents that happen after that. So that's what we're looking for.
Are Government Organizations Getting Better or Worse at Detecting Insider Threats?
Eric: Michael, last question as we're wrapping up, because we are to the point, are our businesses and government organizations getting better or worse ... at insider threat, at detecting these problems, workplace violence? Are we getting better as an industry or is it just getting more and more complicated and we need to change some things, we need to pay more attention? Yeah. I don't know what the answer is, or I wouldn't be asking the question, but are we getting better or worse?
Michael: I think organizations generally are getting better if they've recognized that it's something that they should be caring about. And that's because there are more, there's more guidance, more research and more technical capabilities available now. And when I say technical, I don't mean you're just capturing technical things like somebody copying something to a USB. You could also capture behavioral stuff using technical controls, technical measures. So that might be sentiment in email or chat, those types of things.
Michael: So I think organizations are getting better at the detection. I think they're probably getting better at the prevention if they're following the research and the recommendations that are out there. Response, that's a little bit harder to gauge. And that's because most organizations don't report what happens internally. So, we see somewhere between 75 and 79% of all insider incidents are never reported outside the organization. So it's really hard to tell how the response is working.
Eric: And it's hard to learn from it. Okay.
Subscribe to To the Point Cybersecurity on Apple Podcast and Give Us a Rating
Eric: This has been a fascinating discussion. Really appreciate you spending some time with us today. Carolyn Ford, your inaugural or initial introduction to the podcast. Thank you so much for sitting in for Arika this week. I really appreciate it.
Carolyn: Yeah, it was a pleasure. I do have one last very important question for Mike.
Eric: Let's do it.
Eric: Okay. Very nice. Well, to our listeners, thank you again, Michael. Michael Theis from Carnegie Mellon. Thank you, Carolyn. To our listeners, please tune in, subscribe, listen to us each week on your favorite podcasting application, leave us feedback, leave us comments. We really appreciate those. It helps guide our discussion from week to week. Have a great rest of 2019 and we will talk to you in the new year. Thank you very much and have a great week.
About Michael C. Theis
Michael C. Theis (pronounced Tice) uses his 25+ years as a Counterintelligence Special Agent supporting the US Intelligence Community along with his 30+ years of concurrent computer systems engineering experience to aid the CERT© Insider Threat Center further its research and development of socio-technical controls to prevent, detect and respond to insider threats. He is also a Senior Member of the Technical Staff at the Software Engineering Institute (SEI). Previously, Theis was the first-ever Chief of Cyber-Counterintelligence for the National Reconnaissance Office, where he served as the Chief for Cyber-CI investigations and operations for over six years. In 2006, he was named one of the Premier 100 IT Leaders in the nation by Computerworld magazine.