Horizon CDT Research Highlights


A novel approach to Cybersecurity: Insider Threat identification, intervention and mitigation

Neeshé Khan (2018 cohort)   neeshekhan.wordpress.com/author/neeshekhan

The adoption of internet enabled services and devices that support interconnectivity has led to an increase in productivity and efficiency in the workplace (Schuh et al. 2014). Whilst technologies that support collaboration empower companies to profit, they also offer criminals, industrial saboteurs and extortionists opportunities to exploit potential vulnerabilities. As traditional technical active and/or passive defences against such threats (e.g., Goethals and Hunt 2019) become increasingly sophisticated, there is a growing number of cyberattacks that rely on innocent individuals as key players in the successful deployment of an attack (Verizon, 2020). Such cyberattacks hinge on the unwitting participation of said individuals in a variety of ways, such as clicking on an infected link, opening an infected attachment or completing an action that inadvertently compromises a system. This leveraging of innocent individuals to enable cyberattacks is a subsection of ‘Insider Threat’, with the remainder of this category comprising malicious employees (or insiders) who intentionally or deliberately cause harm to organisations for a number of reasons (Mundie et al. 2013).

Work in this area largely comprises defences that involve technical solutions that might include machine learning algorithms (Morel 2011), psychological solutions that consider personality and behavioural variables (Hunker and Probst 2008, Hadlington 2018) and organisational approaches that emphasize the governance of IT systems and management practices (Cappelli et al. 2008, CERT 2013). Some work has also been proposed to offer sociotechnical solutions by utilizing established literature on safety and accident prevention (e.g., the application of Reason’s Generic Error Management System to the case of cyber-breaches, Liginlal et al. 2009) to position insider threat within a sociotechnical framework (Nurse et al. 2014).

This PhD project builds on existing work relating to insider threats within computer science by applying human factors and risk engineering approaches to this challenge. The primary research questions are:

1. How can cyber systems be designed to be more effective against insider threats?
This research question aims to offer a holistic understanding of the current approaches to insider threats and to identify any gaps in the literature that can benefit from an interdisciplinary approach, specifically solutions offered in the Human Factors/Ergonomics field.

2. How can a systems approach improve understanding of unintentional insider threats?
This question aims to develop an understanding of how unintentional insider threats interact with various influencing factors throughout their lifecycle. It includes investigating whether any interventions can help identify, reduce or eliminate unintentional insider threat risks in the early stages of that lifecycle, by examining different threats in complex social and technical environments using the Onion Model.

3. How can GEMS and STAMP models be reliably applied to the prevalent issue of insider threat? Are the results valid when applied to different industries?
This question looks at the application of two Human Factors models, GEMS (Generic Error Modelling System) and STAMP-SEC, to insider threat. Both models are widely applied across industries to identify and mitigate errors that can lead to significant and disproportionate consequences (such as those in the aviation and nuclear industries). This research question also aims to evaluate whether the two models can be updated to benefit the computer science field in tackling this challenge, and whether the findings remain effective when applied to different fields of work.

4. How are unintentional insider threat risks affected when agile sociotechnical solutions are applied?
This research question explores the use of agile and fit-for-purpose sociotechnical solutions to unintentional insider threats. In answering this question we will also explore whether agile solutions have any impact on insider threat levels compared to current approaches.

5. What user centric solutions could have a positive impact in an open environment with insider threats?
This question will explore the case for designing bespoke cybersecurity solutions for individuals that can be used on a personal and professional level.

This project isolates accidental/unintentional threats from malicious/intentional ones in order to propose sociotechnical solutions that aim to identify, intervene in and mitigate unintentional threats as they emerge. In doing so we aim to develop:

1. Sociotechnical solutions that alleviate stress and responsibility from individual users
2. Solutions that cater to human ways of operation including supporting individual ways of working
3. Agile sociotechnical solutions that adapt to an ever-changing environment and the resulting points of vulnerability

Outcomes from this project aim to benefit organisations (SMEs and large alike) by offering innovative solutions to the mounting challenge of unintentional insider threats. Unintentional insider threats, which are increasingly prevalent, result in significant disruptions and losses (financial, trust, IP and/or reputational), and so our solutions might be utilised by organisations for early identification, intervention and mitigation of such threats.

  • Cappelli D, Desai A, Moore A, Shimeall T, Weaver E, Willke B (2008) Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System. Carnegie Mellon University, Pittsburgh. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=52324
  • CERT Insider Threat Team (2013) Unintentional Insider Threats: A Foundational Study. Software Engineering Institute. https://doi.org/10.1184/R1/6585575.v1
  • Goethals PL, Hunt ME (2019) A review of scientific research in defensive cyberspace operation tools and technologies. Journal of Cyber Security Technology. https://doi.org/10.1080/23742917.2019.1601889
  • Hadlington L (2018) The “Human Factor” in Cybersecurity: Exploring the Accidental Insider. In: McAlaney J, Frumkin LA, Benson V (eds) Psychological and Behavioral Examinations in Cyber Security. IGI Global, pp 46-63.
  • Hunker J, Probst C (2008) Insiders and Insider Threats - An Overview of Definitions and Mitigation Techniques. J. Wirel. Mob. Networks Ubiquitous Comput. Dependable Appl. https://doi.org/10.22667/JOWUA.2011.03.31.004
  • Liginlal D, Sim I, Khansa L (2009) How significant is human error as a cause of privacy breaches? An empirical study and a framework for error management. Computers & Security. https://doi.org/10.1016/j.cose.2008.11.003
  • Morel B (2011) Artificial intelligence and the future of cybersecurity. Proceedings of the 4th ACM workshop on Security and artificial intelligence (AISec '11), Association for Computing Machinery, New York.
  • Mundie DA, Perl S, Huth CL (2013) Toward an Ontology for Insider Threat Research: Varieties of Insider Threat Definitions. 2013 Third Workshop on Socio-Technical Aspects in Security and Trust. https://doi.org/10.1109/STAST.2013.14
  • Nurse JRC, Buckley O, Legg PA, Goldsmith M, Creese S, Wright GRT, Whitty M (2014) Understanding Insider Threat: A Framework for Characterising Attacks. 2014 IEEE Security and Privacy Workshops.
  • Schuh G, Potente T, Wesch-Potente C, Weber AR, Prote JP (2014) Collaboration Mechanisms to Increase Productivity in the Context of Industrie 4.0. Procedia CIRP, 19, pp 51-56. https://doi.org/10.1016/j.procir.2014.05.016
  • Verizon (2020) Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf

This author is supported by the Horizon Centre for Doctoral Training at the University of Nottingham (RCUK Grant No. EP/L015463/1) and Warwick Manufacturing Group and High Value Manufacturing (HVM) Catapult.