Key Metrics to Track Your Insider Threat Program's Progress

Threatswitch Team
June 13, 2016

“How am I doing?” Four simple words too often overlooked by insider threat programs. Senior leaders need to know how your insider threat program is doing, no matter how ugly the facts are, in order to make informed risk decisions. And according to a survey published by the SANS Institute in April 2015, the numbers might be especially ugly for government agencies, which are often slow to detect and respond:

Source: SANS Institute, Insider Threats and the Need for Fast and Directed Response April 2015

Measuring time to detect and respond to insider threat incidents is a good start. However, actual insider attacks are not all that common, and the more catastrophic the attack, the less likely it usually is. That’s a good thing, but it means you might need to get creative to measure response time. This can be done by conducting tabletop or red team exercises that introduce scenarios and walk them through the process end-to-end in real time. A best practice is to establish a rhythm of repeated exercises so that you can measure and improve detection and response over time.

Measuring simulated response times doesn't quite give you a full picture of process efficiency. To take a deeper look at how efficient your processes are, you might consider flipping how you are thinking and measuring process waste instead of process time. Waste in processes most often occurs in the form of transportation, inventory, motion, waiting, overproduction, over processing, and defects. Just remember, when looking for waste, follow the acronym TIM WOOD. Here are some specific measures that fall under each category:

Transportation (movement of goods).
Activities like shipping files between offices and travel times required to conduct inquiries fall within this category.  Have you determined whether these are done in the most efficient way possible, or if they can be done in completely new ways that still meet compliance requirements? You might consider measuring distance traveled or time spent in transportation as a metric.

Inventory (work in process).
Look at the average or current number of cases that are in process. Is the number appropriate to your organization, or is a backlog being created that overwhelms the system from the get-go?

Motion (movement of people).
An inefficient office layout or operational configuration causes analysts to expend unnecessary additional effort to coordinate process steps. Something as simple as seating analysts who must hand off tasks to one another together can improve communication and streamline the risk analysis process. An interesting way to measure motion would be to use fitness bands (like the Fitbit) to get real data on the movement of individuals. Manufacturing firms collect this type of data, so if motion is a factor in your security processes, why not take a closer look to see whether that motion adds value to your products or is wasted?

Waiting.
Waiting for records checks, other agencies, and system downtime is not just inefficient; it can be downright deadly. Momentum is lost. The backlog increases. Morale suffers. This is probably the most common type of waste in transactional processes. To measure waiting, you can look back at email or call records and get the actual data. If that data is not available, have analysts start recording the amount of time they are waiting for things that enable their work. You might be surprised by how much of your total process time is lost to waiting.

Overproduction.
This is the case when an organization is busy clearing, classifying and investigating more “things” (such as people, incidents, sites and leads) than are materially necessary to the program’s efficient operation or mandated by the home agency. This might be caused by your insider threat models being tuned incorrectly. To measure, go to the customer of your process and get their requirements. Compare them to the product of your process and measure the amount of unnecessary work that is being done.

Over processing.
Doing additional checks, investments or operations beyond the amount necessary is also wasteful. It has what economists call “low marginal utility.” In other words, it isn’t worth the extra effort. This happens a lot in security processes (think of all the layers of reviews). To detect whether over processing is happening, measure the amount a document changes after a processing step. This could be done by comparing word counts, categorical factors such as risk categories, or continuous variables like risk ratings on a 1-n scale. If you find your process steps don't really change your conclusions that often, they might not be necessary.

Defects.
Yuck. Errors, false positives (wrongly tagging loyal employees as threats) and even false negatives (not catching the bad guys), bad forms, incomplete data—these are all examples of wasteful defects that need to be eliminated. Remember, garbage in – garbage out. As you are doing simulations and red team exercises, measure how many times you are wrong in your conclusion. That is a major defect that needs to be cleaned up so time isn't wasted going down rabbit holes. To isolate defects on specific processes, count the number of products moving through the process that need rework.

You don’t need to measure each of these - instead, create a measurement plan that is unique to your priorities. It is wise to choose measures that are easily available and accurate over those that take a lot of effort to obtain or are more subjective. Once you have your plan, start by measuring a baseline, then continue to take measurements and adjust targets accordingly.
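The three measurements this post leans on most (time to detect and respond from repeated exercises, wrong conclusions as a defect count, and how much a review step actually changes a risk rating) can be computed from a simple exercise log. The script below is an added example written for this post, not ThreatSwitch code; the exercise records, review-step ratings and the 20% change threshold are constructed assumptions so it runs offline, and the baseline comparison implements the "measure a baseline, then keep measuring" step above.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Exercise:
    """One tabletop / red team scenario walked through the process end-to-end."""
    scenario: str
    injected: datetime            # when the scenario was introduced
    detected: Optional[datetime]  # None = program never detected it
    responded: Optional[datetime]
    flagged_as_threat: bool       # what the analysts concluded
    actual_threat: bool           # what the exercise designer injected


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed exercise log (assumed sample data, not real cases).
EXERCISES = [
    Exercise("bulk download before resignation", _t("2016-05-02T09:00"),
             _t("2016-05-02T13:30"), _t("2016-05-03T10:00"), True, True),
    Exercise("badge tailgating after hours", _t("2016-05-09T20:00"),
             _t("2016-05-10T08:15"), _t("2016-05-10T16:00"), True, True),
    Exercise("benign: admin copying backups", _t("2016-05-16T11:00"),
             _t("2016-05-16T11:40"), _t("2016-05-16T15:00"), True, False),  # false positive
    Exercise("credential sharing with contractor", _t("2016-05-23T10:00"),
             None, None, False, True),                                        # false negative
]


def response_metrics(exercises):
    """Mean time to detect / respond in hours (over detected scenarios) plus defect counts."""
    detect_hours = [(e.detected - e.injected).total_seconds() / 3600
                    for e in exercises if e.detected]
    respond_hours = [(e.responded - e.detected).total_seconds() / 3600
                     for e in exercises if e.responded]
    false_pos = sum(1 for e in exercises if e.flagged_as_threat and not e.actual_threat)
    false_neg = sum(1 for e in exercises if e.actual_threat and not e.flagged_as_threat)
    return {
        "mttd_hours": round(mean(detect_hours), 2),
        "mttr_hours": round(mean(respond_hours), 2),
        "undetected": sum(1 for e in exercises if e.detected is None),
        "false_positives": false_pos,
        "false_negatives": false_neg,
        "defect_rate": round((false_pos + false_neg) / len(exercises), 2),  # wrong conclusions per exercise
    }


# Constructed review records: (risk rating before, rating after) on a 1-5 scale, per review step.
REVIEW_STEPS = {
    "analyst_review": [(2, 4), (3, 3), (1, 3), (4, 5), (2, 2)],
    "supervisor_review": [(4, 4), (3, 3), (3, 3), (5, 5), (2, 3)],
    "legal_review": [(4, 4), (3, 3), (3, 3), (5, 5), (3, 3)],
}


def change_rate(step_records):
    """Fraction of reviews in which the rating changed at all."""
    changed = sum(1 for before, after in step_records if before != after)
    return round(changed / len(step_records), 2)


def flag_low_value_steps(steps, threshold=0.2):
    """Steps whose change rate is below the (assumed) threshold rarely alter the conclusion:
    candidates for over processing worth a closer look, not automatic removal."""
    rates = {name: change_rate(records) for name, records in steps.items()}
    return rates, [name for name, rate in rates.items() if rate < threshold]


def versus_baseline(current, baseline):
    """Signed change per metric against the baseline measurement (negative is improvement here)."""
    return {k: round(current[k] - baseline[k], 2) for k in baseline if k in current}


if __name__ == "__main__":
    metrics = response_metrics(EXERCISES)
    print("response/defect metrics:", metrics)
    baseline = {"mttd_hours": 8.0, "mttr_hours": 12.0, "defect_rate": 0.75}  # assumed earlier quarter
    print("change vs. baseline:", versus_baseline(metrics, baseline))
    rates, low_value = flag_low_value_steps(REVIEW_STEPS)
    print("review change rates:", rates, "possible over processing:", low_value)
```

A step with a near-zero change rate is a prompt to ask the customer of the process whether it is required, not proof that it should be cut: a legal review that rarely changes a rating may still be mandated.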

Without knowing where you stand, it is virtually impossible to get where you need to go. In that way, following best practices in measuring your security process performance is essential to improving insider threat mitigation efforts.
