A Simulation-Based Approach to Development of a New Insider Threat Detection Technique: Active Indicators

Current cybersecurity research on insider threats has focused on finding clues to illicit behavior, or "passive indicators", in existing data resources. However, a more proactive view of detection could preemptively uncover a potential threat, mitigating organizational damage. Active Indicator Probes (AIPs) of insider threats are stimuli placed into the workflow to trigger differential psychophysiological responses. This approach requires defining a library of AIPs and identifying eye tracking metrics to detect diagnostic responses. Since studying true insider threats is unrealistic and current research on deception uses controlled environments which may not generalize to the real world, it is crucial to utilize simulated environments to develop these new countermeasures. This study utilized a financial work environment simulation, where participants became employees reconstructing incomplete account information, under two conditions: permitted and illicit cyber tasking. Using eye tracking, reactions to AIPs placed in work environment were registered to find metrics for insider threat.