Justifying Research Methods And Design Insider Threats Research Paper

Justifying Research Methods and Design

Insider threats are one of the primary sources of risk to an enterprise network and to intellectual property. For decades, the internet security realm has been rather narrowly focused on pre-empting insider threats by means of sophisticated architecture and conventional login identification barriers. More recently, internet communications and technology (ICT) experts have taken an active position by using technological capacity to identify risk patterns and devising systems to address insider threat when and where it is most likely to happen -- before it happens. In other words, rather than just taking a technological approach to the problem of insider threats, professionals with expertise in internet security dovetail sociological and psychological knowledge with technological know-how. The research in socio-technical methods for mitigating insider threat to enterprises holds profound promise for effective and agile solutions to a pervasive, expensive, and fluid problem.

A socio-technical approach to assessing, understanding, and mitigating insider threats capitalizes on expert knowledge about vulnerabilities and potential effective solutions. A malicious insider threat to an enterprise occurs when former or current personnel, contractors, or other types of business partners who had or currently have authorized access to the data, network, or system belonging to an enterprise intentionally misuse or exceed that access in such a way as to bring negative impact on the enterprise with regard to the integrity, trustworthiness, access / availability, or confidentiality of the company's organization and its information systems. The definition is a long one, but it clearly spells out the critical components: (1) access to a system has been appropriately granted; (2) a trust relationship is maintained, which typically means that safeguards are static and security is often lowered as staff become complacent; (3) the work situation enables inappropriate or illegal use; and (4) the business enterprise suffers or is in danger of suffering damage due to the misuse of information.

Some of the most robust research in the internet systems security literature has utilized architectural patterns in a systems approach to develop models to address insider threats. A systems dynamics approach permits researchers to simulate and analyze the architectural patterns associated with the threats, and to do so outside of the operational system of an enterprise (Mundie & Moore, 2012; Moore, et al., 2011; Moore, et al., 2012). The purpose of studying the patterns is to develop mitigation strategies for insider threats that are operationally valid and are scientifically derived (Burstein, 2008; Eysenck, 2004). In order to develop these mitigation strategies, this author proposes a comprehensive research approach that incorporates both qualitative and quantitative methods in what is commonly referred to as a mixed methods approach.

A mixed methods approach is appropriate when researchers are not sure about what theories should guide their research, or what variables to measure, or even what questions to ask (Creswell, 2011). A novel line of research may establish this research predicament (Creswell, 2011). In order to address the first research question, which is focused on identifying the specific risk that firms face from insider threats in cloud computing situations, a qualitative approach will be used in the form of a Delphi survey (Creswell, 2011). The first research question emphasizes a thorough inquiry into the types of specific insider threats rather than an actual frequency count of cyber attacks or cyber events. A quantitative inquiry will address the second research question, which is focused on the cost assessment of risk (Creswell, 2011).

Research Question #1: What specific risks do companies face from insider threats in cloud computing situations?

The qualitative component of the research approach utilizes a Delphi approach for accessing the expert opinion of professional "sentries" and "protectors" of enterprise networks. The Delphi survey method has been used by a number of cybersecurity researchers to explore issues related to insider threats (Catrantzos, 2009; Moore, 2011; Skulmoski, 2007). The Delphi method is an iterative approach to gathering information that relies on anonymous input from experts. Each expert selected for a Delphi survey panel needs to have substantive experience and exposure to the management or investigation of insider threats. Catrantzos (2009) used the Delphi method to test proposed cybersecurity techniques by assembling a panel of cybersecurity experts to review and critique the security methods. Catrantzos recruited dozens of experts -- including investigators, experienced defenders, and line managers -- across different disciplines and from different organizations. Moore, et al. (2012) used the Delphi approach as a complementary approach to an extensive mixed-methods research in the area of insider threats.

The rationale...

A diverse expert Delphi survey group might include professionals in counter espionage, business profit-and-loss, prevention of workplace violence, corporate reputational risk workers, defenders against systemic institutional fraud, military, and law enforcement. The comprehensive frame of a Delphi approach promotes adherence to best practices in cybersecurity research.

Alternative research approaches were considered but were rejected due to the need to cover a broad and deep array of potential insider threats. Indeed, a narrower approach to the proposed research could create an inquiry that did not fully consider the possible and actual sources of cyber risk. For instance, Moore et al. (2011) found that the potential for insider threats increases during the last 30 days of employment in an organization. While this is an entirely viable research topic, it is constrained. An inquiry that focused on insider threats during the last 30 days of employment would necessarily miss the long-tail threats that do not occur during that active period. A research design that incorporates a panel of experts with broad and deep experience is less likely to miss outlier events that can be substantively damaging even though they are not known to occur frequently. In fact, the 2011 CyberCrime Survey found that 38% of respondents considered the most costly electronic crimes to be caused by outsiders, followed by insiders (33%), and unknown (29%).

Research Question #2: How can costs be effectively associated with risks?

The quantitative component of the research approach will access and extract data from systems in order to make it available for analysis. The specific insider threat risks identified through the qualitative component of the research will provide the base for the quantitative research that will employ system dynamics simulation and modeling to derive the insider threat risk and cost relationships. It is hypothesized that the outcome of this quantitative research will show historical behavior in terms of the enterprise architecture. The systems dynamics can be used to simulate insider threats -- as identified by the Delphi expert panel -- and create tools to be used in interactive learning environments (ILE). The tools are intended to be used by decision makers, policy makers, finance officers, and information technology specialists in order to understand the insider threat risk in cloud environments and the cost of proposed solutions. The tools will allow the evaluators to explore the risk-cost relationship based on simulations of procedural factors, technical considerations, cultural elements, and policies.

The rationale for using this quantitative approach to researching the cost-risk ratio is that the computer modeling and simulation capacity of a quantitative approach is far superior to a comparable attempt with qualitative methods. Moreover, using a computer modeling and simulation approach enables construction of an interactive learning environment (ILE) that is intuitive to use and easy to understand, such that professionals who do not ordinarily work with systems dynamics will be able to effectively use the tools.

Alternative research methods were considered, but were rejected on the basis that an effective cost-risk ratio assessment would need to enable interactive capacity in order to be used by the expert panel recruited for the qualitative component of the research. Moreover, the computer modeling and simulation functions allow two primary objectives to be met: research and education / training. The research is grounded in both positivist theory and a pragmatic approach. Because the research outcomes are to include recommendations for application in praxis, once validation has taken place, the solutions will be used to estimate costs for risk mediation strategy implementation.

The quantitative component of the research is based on the work of Cappelli, et al. (2004) in the Management and Education of the Risk of Insider Threat (MERIT) program. The steps identified by Cappelli et al. (2004) for establishing an interactive learning environment (ILE) are as follows: (1) Collect and analyze extensive insider threat information and risk management strategies for those risks; (2) build the problem for the model; (3) assemble a panel of experts to include authorities on insider threats, psychology, systems dynamics, and technical security; (4) build the model that addresses the problem and the identified mitigation strategies; (5) Run the initial test simulations and calibrate the model; and (6) develop the evaluation and training materials that are aligned with the model and the interactive learning environment (ILE) (Cappelli et al., 2004; Desai, 2006; Groessler, 2004).

Conclusion

The proposed study will take a two-pronged approach to the inquiry by utilizing…

References

Burstein, A.J. (2008, April). Conducting cybersecurity research legally and ethically. Berkeley School of Law, 18, 42. [Post]. University of California, Berkeley, CA. Retrieved from http://static.usenix.org/event/leet08/tech/full_papers/burstein/burstein_html/

Cappelli, D.M., Desai, A.G., Moore, A.P., Shimeall, T.J., Weaver, E.A., and Willke, B.J. (2004). Management and Education of the Risk of Insider Threat (MERIT): System dynamics modeling of computer system sabotage. CERT Program, Software Engineering Institute and CyLab, Pittsburgh, PA: Carnegie Mellon University.

Catrantzos, N. (2009, September). No dark corners: Defending against insider threats to critical infrastructure. [Master's thesis, Center for Homeland Defense and Security, Naval Postgraduate School, Monterey, California]. Retrieved from http://www.chds.us/?player&id=2319

Creswell, J.W. and Clark, V.L.P. (2011). Designing and conducting mixed methods research (2nd ed.). Thousand Oaks, CA: Sage Publications.

Skulmoski, G.J., Harman, F.T., and Krahn, J. (2007). The Delphi method for graduate research. Journal of Information Technology Education, 6. Retrieved from http://jite.org/documents/Vol6/JITEv6p001-021Skulmoski212.pdf