Hello, I'm David Mundie, a CERT cybersecurity researcher. This post is about the research CERT is doing on unintentional insider threats, in particular social engineering.

Earlier this year, the CERT Division's Insider Threat Team published the report Unintentional Insider Threats: A Foundational Study that documents results of a study of unintentional insider threats (UIT), which was sponsored by the Department of Homeland Security Federal Network Resilience (FNR). Following the success of that report, we on the Insider Threat Team continued our work on UIT, focusing on one aspect of the threat: social engineering.

Research activities have included creating a definition of social engineering as it relates to UIT, collecting and reviewing 45 UIT social engineering cases, analyzing contributing factors and observables in those cases, making preliminary recommendations for mitigating UIT social engineering, and recommending ideas for further research in this field.

We updated the working definition of an unintentional insider threat:

An unintentional insider threat is (1) a current or former employee, contractor, or business partner (2) who has or had authorized access to an organization's network, system, or data and who, (3) through action or inaction without malicious intent, (4) unwittingly causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization's resources or assets, including information, information systems, or financial systems.

We also developed a working definition of social engineering, as it relates to UIT:

Social engineering, in the context of information security, is manipulation of people to get them to unwittingly perform actions that cause harm (or increase the probability of causing future harm) to the confidentiality, integrity, or availability of the organization's resources or assets, including information, information systems, or financial systems.

We created a preliminary social engineering taxonomy that is consistent with descriptions of social engineering exploits in the scientific literature as well as real cases reported in court documents and other print media. This taxonomy reinforces the definitions we formulated for UIT and social engineering and provides a mutually exclusive, exhaustive organization of the various forms of social engineering exploits. Our research focuses on the portion of the taxonomy that applies to UIT incidents.

In the initial phase of our UIT research, we identified potential causal and correlational factors for all unintentional insider threat cases in our database. Some of those factors are also relevant to social engineering exploits. Our current research, which focuses on UIT social engineering exploits (such as phishing), sorts the initial set of possible contributing factors into three categories: demographic, organizational, and human factors.

Relevant research and case study data informed our conceptual modeling efforts to characterize UIT social engineering exploits.

We recommend future research on UIT social engineering that focuses on

• the best ways to record incidents for the whole community
• what management practices meet human factors standards to foster effective work environments and minimize stress
• what training can best educate insiders about social engineering and teach attention to phishing cues
• how to identify deceptive practices and recognize suspicious patterns
• ways to develop mitigations that apply to specific attack phases of social engineering events

Can you provide additional cases of UIT social engineering? Can you suggest additional mitigation strategies? What future research into UIT would be most useful to you or your organization? Please send us your thoughts, to insider-threat-feedback@cert.org.