Proceedings Of The Marine

WIN 2015

Proceedings magazine is a communication tool for the Coast Guard's Marine Safety & Security Council. Each quarterly magazine focuses on a specific theme of interest to the marine industry.

Issue link: https://uscgproceedings.epubxp.com/i/436751


75 Winter 2014 – 2015 Proceedings www.uscg.mil/proceedings

capability to collect all types of data. Most are a type of computer with the potential interface to the network that can bring about denial of service, identity and data theft, and data manipulation. Without physically connecting to the network, an insider can record images, sounds, and even signals to adversely impact a mission.

Data Collection and Analysis

More data is better. Big data analytics offers the potential to break down mass amounts of information to achieve indicators of anomalous behavior, both on and off the network. Just as the operating systems on a ship or in a port are constantly analyzed to detect potentially harmful anomalies, data concerning a ship's crew or a port's workforce should be gathered and analyzed.

What data should be gathered and how it should be analyzed varies with the operating environment and the culture of the organization. Public and private sector may require different rules and protocols. However, as a minimum, records pertaining to security, human resources, maintenance, computer, logistics, and discipline should be reviewed and analyzed on a continuous basis. In the government, this could extend into financial data, travel information, and workforce and first line supervisor surveys. You cannot have enough data.

To be useful, data needs to be analyzed. Insider threat analysis is not a pick-up game. There needs to be a central analytic capability (even if only one person) devoted to resolving identified concerns. For large organizations with huge amounts of data, teams of analysts armed with proper automated tools are required.

Risk Assessments

Risk assessments can be as simple as a survey, or as complex as an extensive Inspector General or other type of inspection. They are useful for addressing the potential impact of known or postulated threats against ship or port vulnerabilities.
The focus may be on analyzing activities, policies, or procedures that could have shortfalls exploitable by an insider who means harm. These are not investigations or even security reviews per se.

Separate or as part of this, some entity in the organization should be responsible for maintaining an understanding of the types of threats posed to the organization. These can be "cyber" or "bricks and mortar." There are plenty of sources for threat information within government and many available in industry as well through general "open source" reporting or industry-specific sources.

Behavioral Science Support

"Do behave!" said Austin Powers, the international man of mystery who had a global audience rolling with laughter. But poor employee behavior is no joke. Even the best employee can have a series of life and on-the-job stressors that can lead to a sudden, impulsive, or even well-planned attack on the organization. An insider who turns bad usually does so over a period of time, and personality and behavioral indicators identified early on can help detect and deter malicious activity. Motive, opportunity, ego, lack of inhibition, and lax security all contribute to a hostile insider's decision to act.

Behavioral science support has proven critical to helping an insider threat program identify potential problems on inception, or even prevent them from developing. At the end of the day, the business is people and behavioral science provides a unique perspective on how to categorize behavior in the workplace, assess it, and respond to it. Behavioral science can help inform and even drive a wide variety of insider threat activities, including cyber behavior, personnel security determinations, anomalies analysis, investigations, and training. Behavioral scientists can help you get to the root causes of anomalous and dangerous employee behavior.
Also, using the plethora of current and past studies, they can customize these models of such behavior for your organization.

Security Programs

These are still a lynch-pin of any insider threat program, especially in the government. Security checks, criminal records checks, and background investigations backed by sound adjudicative standards provide a modicum of assurance for an employee entering the workforce. Periodic reinvestigations, incident-driven investigations, and continuous monitoring provide a baseline means of assessing employees already in the workforce. Controls on access help assess employee compliance with existing rules and protocols and may help deter or detect a potential threat.

Compliance Actions

When an insider threat is discovered, unlike the proverbial dog that chases a car, organizations or agencies should make sure they know what to do if they catch their quarry. Plans and protocols must be in place for swift, appropriate, and legal action. The nature of this will vary with the type of threat posed as well as the organization's needs. The threat of physical harm to another employee requires swift action by security or law enforcement. The theft of secrets or proprietary information might require security, counterintelligence, the Inspector General, and possibly law enforcement. But the response might be more deliberative, or not, depending on the specifics.
