Abstract

As a way of introduction, it would be useful to consider what the security community considers the insider threat to be and how it manifests itself. Mukherjee et al. (1994) define the insider threat as that who has legitimate access to the system but is abusing their privileges. Schultz (2002) subsequently considers insider attacks as deliberate misuse by those who are authorized to use computers and networks and identifies insiders as employees, contractors, consultants, temporary helpers, or personnel from third-party business partners. He pointed out how little was understood on insider threats at the time and discussed the many misconceptions that surrounded the issue. Bishop and Gates (2008) go a step further by considering insider threats in the context of trust and security policies, where levels of trust are expressed in a set of access control rules, which are in turn represented in a security policy. Specifically, they provide the following definition for an insider:

A trusted entity that is given the power to violate one or more rules in a given security policy ... the insider threat occurs when a trusted entity abuses that power.... An insider can thus be defined with regard to two primitive actions:

violation of a security policy using legitimate access, and;

violation of an access control policy by obtaining unauthorized access.