Sorting insiders from co-workers: remote synchronous computer-mediated triage for investigating insider attacks

Dando, Coral J, Taylor, Paul J, Menacere, Tarek, Ormerod, Thomas C, Ball, Linden J and Sandham, Alexandra ORCID: 0000-0002-8563-0751 (2024) Sorting insiders from co-workers: remote synchronous computer-mediated triage for investigating insider attacks. Human Factors: The Journal of the Human Factors and Ergonomics Society, 66 (1). pp. 145-157. doi:10.1177/00187208211068292

[img]
Preview
Text (Published online version)
10875-Sandham-(2022)-Sorting-insiders-from-co-workers-remote-synchronous-computer-mediated-triage.pdf - Published Version
Available under License Creative Commons Attribution 4.0.

Download (664kB) | Preview

Abstract

Objective Develop and investigate the potential of a remote, computer-mediated and synchronous text-based triage, which we refer to as InSort, for quickly highlighting persons of interest after an insider attack. Background Insiders maliciously exploit legitimate access to impair the confidentiality and integrity of organizations. The globalisation of organisations and advancement of information technology means employees are often dispersed across national and international sites, working around the clock, often remotely. Hence, investigating insider attacks is challenging. However, the cognitive demands associated with masking insider activity offer opportunities. Drawing on cognitive approaches to deception and understanding of deception-conveying features in textual responses, we developed InSort, a remote computer-mediated triage. Method During a 6-hour immersive simulation, participants worked in teams, examining password protected, security sensitive databases and exchanging information during an organized crime investigation. Twenty-five percent were covertly incentivized to act as an ‘insider’ by providing information to a provocateur. Results Responses to InSort questioning revealed insiders took longer to answer investigation relevant questions, provided impoverished responses, and their answers were less consistent with known evidence about their behaviours than co-workers. Conclusion Findings demonstrate InSort has potential to expedite information gathering and investigative processes following an insider attack. Application InSort is appropriate for application by non-specialist investigators and can be quickly altered as a function of both environment and event. InSort offers a clearly defined, well specified, approach for use across insider incidents, and highlights the potential of technology for supporting complex time critical investigations.

Item Type: Article
Article Type: Article
Uncontrolled Keywords: Insiders; Computer-mediated triage; Deception; Investigation
Subjects: B Philosophy. Psychology. Religion > BF Psychology
Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Divisions: Schools and Research Institutes > School of Education and Science
Research Priority Areas: Health, Life Sciences, Sport and Wellbeing
Depositing User: Rhiannon Goodland
Date Deposited: 24 Mar 2022 13:31
Last Modified: 08 Jan 2024 12:56
URI: https://eprints.glos.ac.uk/id/eprint/10875

University Staff: Request a correction | Repository Editors: Update this record

University Of Gloucestershire

Bookmark and Share

Find Us On Social Media:

Social Media Icons Facebook Twitter Google+ YouTube Pinterest Linkedin

Other University Web Sites

University of Gloucestershire, The Park, Cheltenham, Gloucestershire, GL50 2RH. Telephone +44 (0)844 8010001.