
DIGITAL INVESTIGATION

3 (2006) 20–31

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/diin

The role of behavioral research and profiling in malicious cyber insider investigations
Eric D. Shaw
Consulting and Clinical Psychology, Ltd and Professorial Lecturer, Elliot School of International Studies, George Washington University, Washington, DC

article info
Article history: Received 25 January 2005; Revised 26 January 2006; Accepted 26 January 2006
Keywords: Insiders; Behavioral consulting; Profiling; Forensic psychology; Cyber crime; Cyber criminals

abstract
This article reviews recent empirical evidence garnered from inductive studies of insiders examining "who, what, where, when, why and how" of insider computer attacks. These results are then compared to insider "theories" and folklore. Then the use of a specific deductive profiling approach to insider investigation and case management is described along with illustrative case studies. The overall role of the behavioral consultant in insider cases is examined with emphasis on specific forms of support for the investigative team and aid to managers and security personnel with case management of insiders within corporate environments. © 2006 Elsevier Ltd. All rights reserved.

1. Introduction

Government and corporate security firms dedicate significant resources to investigating the insider computer attacks that continue to plague organizations worldwide (Gordon et al., 2005). But, until recently, relatively little behavioral data had been gathered on these subjects and their activities. Nor had much been written on how behavioral investigation techniques, or profiling, can contribute to insider investigations and case management.

For the purposes of this article, two forms of profiling are considered. Inductive profiling involves the study of a group of subjects who share a common characteristic or activity to discern trends or patterns in their motives, characteristics or behavior. The FBI's famous studies of perpetrators of serial sexual homicide (Ressler et al., 1980) would be an example of the use of a series of case studies for this purpose, as would be the studies of insiders referenced below. Deductive profiling refers to the assessment of a subject's personal characteristics from his or her crimes, activities, statements or other reports and is associated with case investigations. The methods described in the second half of this article concern this form of profiling, often associated with identifying an unknown subject from his insider activities and communications and using this information to support an investigation or manage subject behavior and risk.

This article reviews recent empirical evidence garnered from inductive studies of insiders examining the "who, what, where, when, why and how" of insider computer attacks. These results are then compared to insider "theories" and folklore. Then the use of a specific deductive profiling approach to insider investigation and case management is described along with illustrative case studies.

The author would like to thank Dr. Steve Band and Dawn Capelli for their review and contributions to this article.
E-mail address: eshaw@msn.com
1742-2876/$ – see front matter © 2006 Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2006.01.006


2. Recent empirical research

Many private computer security firms, corporate security departments and law enforcement agencies have extensive experience in insider investigations involving computer systems. However, there have been few studies that have collated technical and behavioral data from multiple sources and performed basic analyses on behavioral trends across cases. Two recent groups of investigators have begun to shed light on some fundamental elements of insider behavior by collecting technical and behavioral information from mainly successfully prosecuted cases. These cases may differ from the majority of insider attacks, given the relatively low rate with which these acts are apparently referred to law enforcement. However, the use of successfully prosecuted cases increases the reliability and validity of data for research purposes. Datasets on insiders are also so rare that these studies represent an important preliminary contribution and an opportunity to test emerging theories and folklore regarding the origins and basic characteristics of insider activity.

2.1. The Secret Service/Carnegie Mellon University Software Engineering Institute (SEI) studies

The most significant recent research contribution to understanding insider behavior comes from joint studies (Randazzo et al., 2004; Keeney et al., 2005) by the Secret Service and Carnegie Mellon University's Software Engineering Institute. This group's first study of 23 insider incidents from the banking and finance sector, released in August 2004, emphasized financially motivated insiders and involved 15 acts of fraud, four thefts of intellectual property and four acts of sabotage of IT systems or networks between 1996 and 2002. Some of their major findings included the discovery that:

• Most of the incidents involved violations of business rules or policies rather than technically sophisticated attacks on IT system vulnerabilities.
• Eighty-one percent of the attacks were planned in advance and, in 85% of these cases, someone besides the insider (beneficiaries, coworkers, friends and family) had full or partial knowledge of the subject's plans, intentions or activities.
• While revenge was a factor, most of the insiders studied were motivated by financial gain, with 21% experiencing financial difficulty at the time of the event.
• While there was no common demographic profile of subject personal characteristics, there were indicators of risk. Thirty-three percent of subjects were perceived by management as difficult and 19% were viewed as disgruntled by other employees. Twenty-seven percent had come to the attention of either a supervisor or coworker for a behavior of concern prior to the incident and another 27% had prior arrests.
• Little consistency was found in the manner in which the attacks were detected, with customers finding 35% of attacks and supervisors and other non-security personnel detecting 13% of these acts, each. Twenty-six percent of insiders were caught through system failures or irregularities with another 22% caught by auditing or monitoring procedures. System logs helped identify the insider in 74% of cases while forensic examination of the targeted network, system or data helped identify the subject in 30% of cases.

In summary, this group of financially motivated insiders appears to have taken advantage of their knowledge of policy or business procedure vulnerabilities to attack familiar systems. When the acts were planned in advance, others often became aware of the risk and a large proportion of these subjects were known to management and staff as problematic prior to the incident. Over a quarter of these subjects had prior arrests.

While the majority of these subjects engaged in theft or fraud, this group's second study, published in May 2005, concentrated on 49 disgruntled insiders from critical infrastructure sectors. In these cases the insider's primary goal was to sabotage some aspect of the organization or harm a specific individual. These disgruntled subjects present a slightly different picture from those above motivated mainly by greed. For example, this study found that:

• Most insiders' actions were triggered by a negative, work-related experience and these subjects had already acted out in a concerning manner in the workplace.
• Most of the attacks were planned in advance.
• Although these subjects were granted system administrator or privileged access when hired, less than half had authorized access at the time of the attack due to employment problems. Most, therefore, attacked remotely.
• The subjects used a combination of unsophisticated methods as well as sophisticated attack tools to compromise computer accounts, create unauthorized backdoor accounts or use shared accounts.
• A majority of attacks were detected when there was a noticeable irregularity in the information system or it became unavailable.

2.2. The Defense Personnel Security Research Center (PERSEREC) Studies


While the Secret Service/SEI team collected an unprecedented number of case studies, Shaw and Fischer (2005) performed more in-depth behavioral analysis of 10 cases, including nine that were successfully prosecuted. They also concentrated on disgruntled insiders but were particularly interested in how the subject presented in the workplace prior to and during the offense. The data from these 10 in-depth cases were also consistent with results collected previously by these investigators for insiders within the Department of Defense (Fischer, 2003) and in corporate positions within U.S. critical infrastructure industries (Shaw et al., 1998). Their findings included the discovery that:

• Their subjects came from diverse locations within their organizations, from the Help Desk to the Chief Technology Officer.
• Prior to the event their subjects experienced serious personal stress and/or employment problems, and had social and cultural conflicts with coworkers. Employment problems resulted in high rates of probation and termination among these subjects and most attacked remotely after termination.


• There were lost windows of opportunity for more effective personnel interventions in that most subjects were disgruntled prior to coming to attention of supervisors and for a period after coming to management attention before their attacks. Most management interventions escalated the conflict rather than lowered the risk of attack.
• The organization involved was also frequently undergoing serious stress due to financial pressures, reorganization or downsizing.
• Half the subjects had unusual control over their respective IT systems and used this to exert influence and intimidate managers.
• Half the subjects had prior legal or hacking offenses that were not detected when they were hired due to lack of screening or late screening.
• Most of the subjects took advantage of a lack of personnel and computer security policies, practices and enforcement or simply evaded or ignored enforcement efforts and engaged in some form of operational security to hide their attacks and/or identity.
• There were frequent failures of post-termination security efforts.

These recent empirical efforts appear to reveal two distinct groups of insiders who differ by motivation. Subjects from SEI's first study appear to be largely financially motivated and to have taken advantage of their access to, and familiarity with, a system to violate business rules or policies for personal gain. They were mainly non-technical in background and tended to attack from work. A minority of the first SEI subjects appear to have been on management's radar prior to their violations for inappropriate interpersonal behavior in the workplace. However, employees and other acquaintances appear to have been aware of the risk posed by many of these individuals prior to their attacks.

The second group of insiders, described in SEI's second study and by Shaw and Fischer, appears to contain a larger proportion of disgruntled employees motivated by revenge. They were more likely to be technical employees and they attacked mainly from remote locations, often because their more serious employment problems resulted in termination or suspension. In general, these investigators appear to have captured similar insider behavior within a disgruntled group of employees. This is not surprising given that both datasets originated with law enforcement cases.

The general behavioral picture of a disgruntled insider within his organization that emerges from these results includes the following features:

• a likelihood of previous legal or behavioral problems that are missed by the organization's screening, or lack thereof;
• the subject enters the workplace disgruntled or becomes disgruntled on the job but is not detected promptly by appropriate authorities;
• the subject's disgruntlement eventually leads to management intervention but these efforts, often involving termination or probation, are ineffective in preventing the subject from escalating his misbehavior and may even facilitate escalation;
• the subject plans his attack in advance and engages in operational security, but there is also awareness of the general risk he poses among HR personnel, supervisors, employees, friends and/or family members;
• the subject's attack involves remote unauthorized access through a system he has been familiar with and may have had unusual control over; and
• the attack usually remains undetected until it causes some system disruption due to inadequate system monitoring capacity.

2.3. Implications for insider theory, folklore and management


Lack of empirical data and accepted typologies of insider activity have slowed the development of theoretical and other research efforts designed to advance our understanding of insider behavior, despite the availability of a great deal of anecdotal information. The recent availability of the efforts described above allows the examination of emerging hypotheses regarding insider behavior. For example, Wood (2000) noted that inside attackers are likely to target familiar domains and may even be domain experts. Both sets of results described above support this hypothesis.

2.3.1. Insider typologies

A number of authors have advanced insider typologies in hopes of facilitating basic descriptive research. Nykodym et al. (2005) divided insider computer criminals by type of act into spies, saboteurs, thieves and net abusers. The combined efforts of SEI (Randazzo et al., 2004; Keeney et al., 2005) and Shaw and Fischer (2005) described above provide strong support for the categories of thieves and saboteurs but, due in part to the selection criteria used and low base rates, did not encounter spies and net abusers. This research also further developed our understanding of the differences between these two groups in terms of their motivation and modus operandi. The first group, thieves motivated by greed and financial opportunity, appears to take advantage of their system access and business rules and regulations to attack from work. They were generally not technically sophisticated. The second group, containing a higher percentage of disgruntled, technical employees set on revenge through sabotage, appears to be undergoing significant work stress (including probation or termination) and to attack remotely through backdoors or other means of obtaining unauthorized access.

In their smaller sample Shaw and Fischer (2005) found support for their insider categories of Hackers, Proprietors and Avengers but did not find evidence for their other proposed categories of Explorers (persons who harm the system as they explore and test their capabilities without malicious intent), Samaritans (who harm the system inadvertently when attempting to use unconventional means to solve another problem), Machiavellians (who use the system in a manipulative way for personal political or business gain), moles (spies who enter the organization specifically to harm it or steal secrets) or thieves (who attack the system for financial gain). Again, selection criteria limited access to these subjects through the requirement for successful prosecution. The work of Randazzo et al. (2004) also appears to confirm the existence of the thieves category hypothesized, especially if theft of intellectual property is included along with money.

The authors defined Hackers as individuals who have a prior history of hacking and who continue penetrating systems after they are hired. These individuals tend to install logic bombs or other devices in company systems to serve as job insurance when their activities are discovered. The authors found that these individuals had a history of:

• serious personal, social and professional set-backs,
• previous computer misuse, with and without convictions,
• disabling organizational security devices shortly after employment,
• disregard for security and personnel protocols,
• significant self-esteem issues that require unusual attention, making the subject sensitive to slight or generally a high maintenance employee,
• personnel conflicts or problems requiring official attention,
• an angry reaction to a company policy or action related to him or his interests, and
• a lack of inhibitions about retaliation or revenge for these perceived activities.

More detailed descriptions of the Hacker subtype can be found in Shaw and Fischer (2005) and Shaw (2004, 2001).

The authors described Proprietors as individuals who act as if they own the systems they are entrusted with and will do anything to protect their control and power over this territory. They may actively resist threats to their control and are willing to destroy or damage the system rather than give up control. In their initial presentation, these subjects may be skilled, responsive and hard-working. As management's dependency on their skills and dedication grows, however, they become more autonomous and independent of direct management control. Increasingly, they grow to personalize the system involved as their turf, subject to their exclusive control and requiring protection from less competent outsiders. Often their independent relationships with other managers or customers give them political power or protection within the organization that complicates their direct supervisor's management tasks. These subjects resist efforts to dilute or divert their control over the system and frequently refuse to train back-up personnel or grant access to technically qualified individuals who can threaten their control.

Proprietors studied by this group have used their unique system knowledge to facilitate the failure of perceived competitors and produce crises which only they can solve. They frequently use their unique system control to facilitate even greater levels of control and operational security. This is particularly true when they feel threatened by management changes. Many of these subjects preferred to destroy the system rather than give up control and believed that serious damage to the system on their departure would facilitate their return as highly paid consultants. In conflicts with managers seeking to restore control of these systems, Proprietors often display a crucial vulnerability: they overestimate their abilities and underestimate the capabilities of others to salvage or manage the system without them. More detailed examples of the Proprietor subtype are contained in Shaw and Fischer (2005) and Shaw (2004, 2001).

2.3.2. Insider characteristics

2.3.2.1. Demographics. According to recent studies, insider computer crime subjects appear to span the full range of age across subject types and the majority of subjects are male. However, those motivated by greed are more likely to be female than those motivated by disgruntlement. Nykodym et al. (2005) analyzed the age distribution of persons convicted of general cyber crimes displayed on the Department of Justice's Computer Crime and Intellectual Property Section website (www.cybercrime.gov/cccases.html). They found a broad distribution with about 36% between 20 and 29 years old, 34% between 30 and 35 and 27% over 35. The first set of SEI insiders studied, associated with financial motives, ranged from 18 to 59 years of age. The second set of SEI insiders studied ranged from 17 to 60 years of age with an average of 32 years and held technical positions. However, it was interesting to note that 42% of the SEI subjects associated with financial motivation were female while only 4% of the SEI subjects associated with disgruntlement were female. Greed versus disgruntlement appears to span the gender gap. Both sets of SEI subjects were also just as likely to be married or single. A large range of ethnic backgrounds were represented in all groups.

2.3.2.2. Personal characteristics. There have been few published empirical studies on the personal characteristics of insiders committing computer crimes. Theoretical reports have suggested probable characteristics, and anecdotal reports, based on actual insider cases, have commented on the traits of individual subjects. Exploration of subject personal characteristics is also complicated by significant methodological and theoretical problems. For example, interviews with convicted insiders are difficult to acquire as these subjects do not like to draw personal attention to themselves. Those insiders who do grant interviews to psychological investigators often have very specific points of view of their behavior which can skew the reliability of their reports. Coworkers, family members and supervisors may also have biased opinions regarding these subjects, especially if the case has gone to trial. Finally, many authors have questioned the utility of investigating personal characteristics because of the danger of false positives (many more individuals will have these characteristics than go on to commit crimes) and the observation that these subjects are better identified by their personal interactions within their environment, especially developments that lead to escalation and attacks (Shaw and Fischer, 2005; Gudaitis, 1998; Reddy et al., 2001).

2.3.2.3. Risk averse. Working from a theoretical position, Wood (2000) suggested that inside attackers would be risk-averse and therefore are likely to work alone, recruiting only trusted colleagues as allies. Schudel and Wood (2000) argued that a cyber terrorist (presumably including insiders) would prefer quiet, stealthy and passive techniques and that this adversary's risk tolerance decreases over time as exposure or risk increases. While Wood's description might apply to a professional mole, inserted for the purpose of espionage or sabotage, it does not appear applicable to the subjects described above. Of those SEI subjects most like moles (insiders motivated by greed), the data above indicate that many had come to the attention of a supervisor or coworker for concerning behavior (complaints, salary dissatisfaction, outbursts, etc.) prior to the attack. Of the technical employees in this group, 33% were considered difficult to manage. In SEI's sample of sabotage cases, 97% had come to the attention of coworkers, supervisors and/or subordinates in the workplace due to concerning behaviors (Keeney et al., 2005, p. 15). Thirty-one percent of this group had formal disciplinary records. In 31% of these cases coworkers, friends, family members or someone involved in the incident had information about the insider's plans ahead of time.

Half of the 10 subjects in Shaw and Fischer's (2005) study worked alone and nine out of 10 employed some form of operations security for their attacks. However, their behavior both on- and off-line indicated that they were frequently disgruntled, emotionally aroused, and unable to avoid drawing attention to themselves. Eight of the 10 employees had personnel problems off-line, sufficient to merit official attention and intervention prior to their attacks. Several engaged in extremely risky on-line behaviors that drew attention to the likelihood of subsequent attacks. For example, several ignored previous sanctions and made email threats to supervisors. These subjects appear unable to maintain the low profile associated with more covert moles.

2.3.2.4. Planned versus impulsive attacks. The SEI data described above indicate that 85% of the insiders in the banking and finance sector and 62% of the insiders that committed sabotage carried out significant planning prior to their attacks. Shaw and Fischer (2005) found that 55% of their subjects engaged in advanced planning while the remainder acted within hours of being terminated or placed on probation. Of the subjects who engaged in planning, 60% were also involved in on-going relationships and struggles with persons within their organizations and their attacks occurred as a result of developments within these on-going relationships. This finding indicates that the attacks are more likely to come when the link to the organization is finally severed, an important implication for termination planning and security.

2.3.2.5. Personal history and traits. The limitations of examining personal characteristics have been discussed above. Shaw et al. (1998) observed several characteristics in an early sample of insiders. They hypothesized that although many more subjects had these characteristics than became insiders, these traits, combined with other factors (like personal and professional stress), might contribute to an increased risk of insider abuse. These characteristics were summarized in four broad categories, including:

• A history of negative social and personal experiences: this history appears to manifest itself in a low threshold for frustration and a propensity for anger at peers and authority figures.
• Lack of social skills and a propensity for social isolation: many subjects in earlier studies appear to lack the social skills leading to an increased chance of success in school and social or professional settings. This lack of social skills tends to decrease the odds that when difficulties are encountered the subject will address these problems in a constructive manner. This anger, frustration or disgruntlement tends to become visible through difficult personal interactions or emotional leakage.
• A sense of entitlement: many subjects appeared to behave as if they deserved special forms of attention and treatment such as exceptions to standard work policies and requirements. These feelings appeared to be derived from a sense that they possessed unique skills or gifts or that past difficulties merited compensation in the form of preferential treatment. This characteristic manifested itself in poor treatment of peers, difficulty adapting to social and professional requirements, and a general need for unusual levels of attention from supervisors and peers. These subjects were often described as high maintenance.
• Ethical flexibility: subjects in previous research appeared to lack the developed moral reasoning or attachment to others that would deter them from ethical violations. Researchers noted a lack of a conscience; lack of empathy for the harm they would be inflicting on others; and lack of loyalty to peers, supervisors, and the organizations affected by their actions. These characteristics were often associated with a failure to inhibit angry impulses and behaviors.

Shaw and Fischer (2005) examined these hypothesized traits indirectly in their more recent work, through personal histories and reports of current behaviors from interviews with some subjects, supervisors and coworkers. Table 1 below displays the distribution of these characteristics among nine of the 10 cases.

Table 1. Distribution of increased risk characteristics

| Subjects | Negative history | Lack of social skills | Sense of entitlement | Ethical flexibility |
|---|---|---|---|---|
| 1 | Unknown | Yes | Yes | Yes |
| 2 | Yes | Yes | Yes | Yes |
| 3 | Yes | Yes | Yes | Yes |
| 4 | Unknown | Unknown | Unknown | Unknown |
| 5 | Yes | Yes | Yes | Yes |
| 7 | Yes | Yes | Yes | Yes |
| 8 | Yes | Yes | Yes | Yes |
| 9 | Yes | Yes | Yes | Yes |
| 10 | Yes | Yes | Yes | Yes |

Shaw et al. (1998, 1999) and Shaw (2005) devalued the importance of these characteristics alone as predictors of insider risk or potential screening traits, but did suggest that when these traits were combined with certain other experiences, the overall risk of insider activity was increased. They refer to this overall framework as a critical pathway followed by many subjects on their way to committing insider violations (Shaw et al., 1998, 1999). The critical pathway shows how a subject's personal characteristics, personal and professional stressors, and interactions with others in the workplace could increase the risk of attack. This pathway was defined as containing five interrelated components:

• the occurrence of significant personal and/or professional stressors within six months of the attack;


• a maladaptive behavioral reaction to the stressor (which was hypothesized to be, in part, a result of a preexisting vulnerability to frustration, underlying anger at authority, poor social judgment and/or skills);
• an emotional reaction to the stressor;
• the behavioral and/or emotional reactions in the workplace are sufficient to gain official attention (disciplinary action, counseling, etc.); and
• the resulting managerial intervention is insufficient to divert the subject from the destructive pathway and may even escalate the process.

Again, Shaw and Fischer (2005) tested this hypothesis regarding the critical pathway with available data from the 10 subjects from their case studies. Table 2 below displays the results of this effort for subjects for whom data were available. Selected data gathered by SEI also support partial aspects of this model. For example, in terms of personal stressors, 27% of the subjects in the banking and finance sector and 30% of the subjects who committed IT sabotage had a prior arrest history. Ninety-two percent of the sabotage SEI subjects acted after a specific work event or series of events while 23% of sabotage subjects motivated by greed were also motivated by work-related vengeance. Gudaitis's (1998, p. 326) observation that the vengeful inside intruder is actively sabotaging after they perceive their organization has done damage to them is also consistent with the important role of a professional stressor in the critical pathway.

An example of these increased risk characteristics and their role in a subject's progression down the critical pathway includes the case of a young help desk worker. This employee reported a long history of difficult international moves due to family financial stresses, being asked to leave his high school in his country and, just prior to his work problems, the divorce of his parents. He also reported significant frustrations in successfully completing the computer training necessary to become a network engineer. His frustrations in the workplace began to mount rapidly when he felt he did not receive the recognition he was entitled to for making important network engineering fixes. But rather than voicing his frustration to management, he withdrew and complained about these problems to his friends in the hacker community. His attitude problems and his inconsistencies at work led to his being placed on probation several months prior to the attack. At one point he wrote a lengthy memorandum on how managers must learn to handle Hackers in the work environment differently than regular employees, indicating that he felt entitled to special treatment. For example, according to this employee:

"A hacker can be dramatically more effective than a nonhacker at a job, or dramatically less effective. Jobs where hackers are particularly good are: Systems administration, Programming, Design. Jobs where hackers are particularly bad are Data entry. More generally, a job that requires fast and unexpected changes, significant skill, and is not very repetitive will be one a hacker will excel at. Repetitive, simple jobs are a waste of a good hacker, and will make your hacker bored and frustrated. No one works well bored and frustrated. The good news is, if you get a hacker on something he particularly likes, you will frequently see performance on the order of five to 10 times what a normal worker would produce. And yes, I am serious; a hacker on a roll may be able to produce, in a period of a few months, something that a small development group (say, 7–8 people) would have a hard time getting together over a year. He also may not. Your mileage will vary. IBM used to report that certain programmers might be as much as 100 times as productive as other workers, or more. This kind of thing happens."¹

Confronted by what he felt was false advertising on the part of his company, he felt obliged to correct the alleged misstatement by smuggling out the company's proprietary engineering plans to a hacker friend working for a competitor. He viewed this as getting the truth out and admits placing this value above loyalty or legal obligation to his company.

2.4. Summary of research results

Analysis of trends in this early data indicates the existence of at least two different types of insiders (thieves and disgruntled) who differ somewhat in their motivation, personal characteristics, modus operandi and psychological state at the time of attack. The emerging picture of disgruntled employees includes apparent risk factors prior to the attack, work-related stressors that result in dramatic escalation of underlying dissatisfaction despite management interventions, and an attack from a remote setting as a result of employment termination or suspension. These preliminary findings have implications for employee screening, aggressive discovery and more effective management of disgruntled employees, the risks associated with abrupt employee termination and remote access. While these findings can inform management of employees at-risk, a different set of psychological skills is needed to assist in insider case investigation and management.

3. Deductive profiling methods with insider cases


Sometimes studies such as those described above are referred to as inductive approaches to knowledge acquisition because the researcher moves from specific data points to general conclusions (e.g. disgruntled insiders often attack after termination). In this regard, the approach followed is equivalent to a form of the scientific method applied in a post hoc case study format (Kaarbo and Beasley, 1999). Through this method researchers can devise typologies to help characterize different types of insiders and these definitions and terms can facilitate meaningful discussions and research. Case-based insider investigations, in contrast, can be thought of as deductive exercises in which the investigator reasons from a more general foundation (the crime, attack or threat) and tries to develop specific characteristics of the perpetrator from this event. General rules and statistical findings related to groups of perpetrators are not directly relevant to this process and could even mislead such an effort. We would not displace evidence from an attack concerning the victim, his or her modus operandi or other data related to the crime with general conclusions from previous experience or group statistical data. Nor has any singular profile that accounts for the range of insider characteristics and activities been found using any inductive or case study approach.

So how can behavioral analysis assist in insider investigations and case management? Nykodym et al. (2005) and Gudaitis (1998) have described the potential role of criminal profiling in insider cyber crime with emphasis on applying traditional criminal profiling methods in cyber settings. However, there is no singular predictive formula, method or device accepted as the preferred method to identify unknown offenders. This section describes the use of a less traditional approach to cyber insider profiling, remote assessment, that can provide a useful adjunct to traditional profiling methods. After a specific remote assessment approach is described, examples of its application to specific insider investigation and case management tasks are given.

1 Personal communication to the author.

Table 2 Critical pathway events (pathway events by subject)

| Subjects | Personal/professional stressors | Maladaptive behavioral reactions | Emotional reactions | Official attention | Ineffective intervention |
|---|---|---|---|---|---|
| 1. | Yes | Yes | Unknown | Yes | Yes |
| 2. | Yes | Yes | Unknown | Yes | Yes |
| 3. | Yes | Yes | Unknown | No | No |
| 5. | Yes | Yes | Yes | Yes | Yes |
| 7. | Yes | Yes | Yes | Yes | Yes |
| 8. | Yes | Yes | Yes | Yes | Yes |
| 9. | Yes | Yes | Yes | Yes | Yes |
| 10. | Yes | Yes | Yes | Yes | Yes |

3.1. Remote assessment and content analysis

Remote assessment refers to a portfolio of methods used to evaluate individuals and groups when direct contact methods (interviews, questionnaires, etc.) are not feasible or desirable. Sometimes referred to as Unobtrusive Methods, these techniques have been used by researchers concerned about disturbing the natural environment of their subjects (Webb et al., 1999), security, law enforcement and intelligence groups interested in performing covert assessments (Post, 2003) as well as academic researchers interested in the use of content analysis of historic or elite information when subjects are inaccessible (Winter et al., 1991; Shaw, 2003). Content analysis has also become extremely important in the assessment of threatening communications, with many law enforcement groups relying heavily on these approaches to gauge the level of appropriate reaction to anonymous and other aggressive communications (O'Toole, 2000; Fein et al., 2002). Remote assessment methods in insider cyber crime may be particularly relevant when the subject is unknown but has produced email or other written communications, when contact with a suspected or known subject is currently inadvisable, and when case concerns include not only identifying the subject but also managing his behavior to achieve case objectives.

This last category, subject management, deserves special consideration in the context of insider cyber crime. As noted above, insider cyber cases that involve law enforcement may constitute a minority of general insider cases. Given the disadvantages to an organization and the individuals involved of publicity surrounding such events, it seems likely that companies involve law enforcement only when the insider act is especially grievous, when the organization has little control or influence over the individual involved and requires outside assistance to help terminate their behavior (e.g. search warrants, arrest). Thus in the cases described above, drawn from law enforcement files, terminated employees who attacked remotely are highly represented. The vast majority of insider cyber cases may therefore involve employees where management wants not only to identify the offender but also reduce the net impact of his activities on the company. In some cases this may involve termination and a referral to law enforcement. However, it may also involve a referral to an Employee Assistance Program, efforts to rehabilitate employees with medical or psychological problems, reassignment within the company, etc. For example, in a recent case an employee brought a loaded shotgun to a company's Holiday party after making written and verbal threats. On evaluation the employee was found to have undiagnosed epilepsy. With treatment for this and other medical problems, the employee was returned to work. Even if the employee is terminated immediately, the terms of this arrangement may also be managed to avoid the types of retaliation so frequently reflected in the data above (Shaw, 2001).

Behavioral contributions are likely to be significantly more valuable when the specialist works closely with a multidisciplinary team. Depending on the case and organizations involved, team members may include personnel from security, HR, EAP, business operations, legal counsel, IT or other departments. While these team members may bring different agendas to the table, their contributions may also be invaluable at different stages of case management. Remote assessment methods may involve subject observation, work with surveillance teams, interviews with others who have had direct contact, and review of archived materials including personnel records or other investigative products. However, content analysis of subject communications is often central to insider cyber investigation and case management. The balance of this section will review specific methods and insider cyber scenarios and case examples where they are utilized.

3.1.1. How many subjects

Insider cyber activity often begins in the form of multiple anonymous threats. Prior to developing a profile of the subject, it is often necessary to evaluate whether more than one author is involved. This may involve assessment of other important data in addition to the content of the communications (target, delivery method, time, related organizational events, network traffic, etc.). However, the content will be vital to determining whether the messages are from the same or different sources, including the possibility of multiple authors.

One way authorship issues are addressed is by comparing communications on three categories of psychological markers of descending specificity. The most specific individual markers are often errors, idiosyncratic verbal behaviors or specific style characteristics that tend to be quite personal rather than shared by groups of individuals. Psycholinguistic markers refer to vocabulary and use of parts of speech that have specific psychological significance for emotional state, personality and interpersonal characteristics. These may be specific to individuals but could also be shared by two persons experiencing similar emotions with shared personality characteristics (e.g. two disgruntled individuals with narcissistic traits working in the same organization). The overt content of the communications is also compared for the consistency of message themes or issues. However, two or more individuals within the same group may have shared experiences that can result in similar content themes. In addition, the delivery media and target audience for the communications can have an impact on their similarity. For example, email communications are usually less well organized, more spontaneous, and less likely to be proofed or edited than word-processed documents. The author also uses psycholinguistic content analysis software (Shaw and Stroz, 2004) to aid in the objective analysis of these characteristics.

Table 3 below displays the results of psycholinguistic analysis of four anonymous threat messages sent to a law firm in which the author, a suspected insider, threatened to reveal critical client information to outsiders. The analytical tasks involved determining whether the messages were written by the same author and whether the psycholinguistic characteristics displayed in the notes were consistent with other materials produced by the suspected insider. When the four messages were compared several consistent patterns were noted indicating one author, including:

- the lack of use of personal pronouns (I, We, Me);
- the lack of use of negatives (no, not, never, etc.) and qualifiers (could, may, sort of);
- the unusually high use of direct references and evaluators (judgments); and
- the unusually high use of rhetorical questions.

This distinctive pattern left little doubt that the letters were from the same source, just as the highly personal and emotional tone of the messages left little doubt that this was someone from within the organization with strong feelings about the staff. These distinctive characteristics were then compared to a writing sample from a suspected insider, adding confirming data to support her identification. Data from the analysis were then utilized to compile a psychological profile of the suspect to assist the Partners to manage her removal from the office and reduce the likelihood of damage to the firm and their clients.

3.1.2. Subject characteristics

A treatise on remote psychological profiling techniques is beyond the scope of this work. However, there are two general categories of content analysis approaches important to summarize. The first approach involves the quantitative assessment of the distribution of psycholinguistic characteristics to determine psychological traits, as in the example above. The second approach is derived from clinical psychology and involves the inference of psychological characteristics from qualitative analysis of content based on psychological theories and diagnostic criteria.

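Table 3 Scores on psycholinguistic variables for four anonymous threat messages

| Letter date | Message 1 | Message 2 | Message 3 | Message 4 | Mean value |
|---|---|---|---|---|---|
| I | 0 | 0 | 0 | 0 | 0 |
| We | 0 | 1 | 0 | 0 | 0.25 |
| Explainers | 1 | 0 | 0 | 0 | 0.25 |
| Feelings | 2 | 3 | 1 | 3 | 2.25 |
| Me | 0 | 0 | 0 | 0 | 0 |
| Negatives | 0 | 0 | 0 | 0 | 0 |
| Qualifiers | 0 | 0 | 0 | 0 | 0 |
| Retractors | 1 | 2 | 0 | 2 | 1.25 |
| Direct references | 9 | 4 | 13 | 14 | 6.75 |
| Evaluators | 17 | 19 | 8 | 13 | 14.25 |
| Intensifiers | 0 | 5 | 1 | 0 | 1.5 |
| Rhetorical questions | 2 | 3 | 2 | 4 | 2.75 |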

3.1.2.1. Quantitative assessment. There are currently multiple theoretical schools within quantitative psychological content analysis and many authors with various approaches (e.g. Winter et al., 1991; Post, 2003; Pennebaker and Lee, 2002). In casework it is often advantageous to be able to draw on these different approaches depending on the assessment question of interest. For example, some methods are better for determining the psychological state of a subject (Weintraub, 1989) while others are more effective in shedding light on a subject's interpersonal relationships and decision-making processes (Hermann, 1980). Drawing on these and other methods to assess insider communications, it is often useful to review the content for:

- Specific personal markers that may be uniquely associated with an individual. As noted above this may include errors of spelling, grammar or other unusual word usage, format organization, idiosyncratic language or abbreviations, or other specific verbal behavior. These markers can not only help establish authorship between communications but may also be associated with specific author traits. For example, poor organization on a page or repeated errors may have implications for the credibility and organizational ability of the subject.
- The frequency of specific words with demonstrated psychological implications. For example, Weintraub (1989) has noted the strong association between the frequency of negatives (words like no, not, never) and anger or oppositionality as well as the strong association of the word "me" with passivity or propensity to feel victimized. The complexity or length of words used, as it reveals a subject's vocabulary, has also been found to be a good indicator of intelligence (Pennebaker and King, 1999) and other authors have linked specific word usage to gender (Mulac et al., 2001). In the example above, the distribution of psychological variables revealed intimate knowledge of, and extreme feelings regarding, fellow employees.
- The comparative frequency of different words. For example, Hermann has compared the ratio of high versus low complexity words (e.g. some versus all) to assess the cognitive complexity of an individual (Hermann, 1980). Weintraub (1987) has suggested that the ratio of "I" to "We" indicates the propensity to be a team player versus an individual actor.
- Psychological algorithms that use more complicated mathematical operations on word frequencies to determine psychological characteristics. For example, the extent to which an author may prefer to initiate action rather than react to the actions of others may be derived from his use of "I" and "We" divided by his use of "me" (Weintraub, 1987). In addition to those algorithms that may be calculated from word counts by software, there are also more complex psycholinguistic measures that require human coding that can reveal important information about an author's decision-making processes (Shaw, 2003).
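Added example, not from the article and not the author's software: a Python illustration of the word-count measures above, applied the way section 3.1.1 compares anonymous messages with a known writing sample. The word lists contain only the examples the article names, every question mark is counted as a stand-in for rhetorical questions, and all messages and function names are constructed for this illustration.

```python
import re

# Word lists: only the examples the article names (assumption: a real coding
# scheme uses far larger, validated lexicons).
MARKERS = {
    "I": {"i"},
    "We": {"we"},
    "Me": {"me"},
    "Negatives": {"no", "not", "never"},
    "Qualifiers": {"could", "may"},
}
TOKEN = re.compile(r"[a-z]+(?:'[a-z]+)?")


def profile(text):
    """Count each marker in one message; returns a dict of raw counts."""
    lower = text.replace("\u2019", "'").lower()
    tokens = TOKEN.findall(lower)
    counts = {name: 0 for name in MARKERS}
    for tok in tokens:
        if tok.endswith("n't"):            # contracted negative: don't, can't
            counts["Negatives"] += 1
            continue
        base = tok.split("'")[0]           # "i'm" -> "i"
        for name, words in MARKERS.items():
            if base in words:
                counts[name] += 1
    counts["Qualifiers"] += len(re.findall(r"\bsort of\b", lower))
    # Proxy: all questions are counted; judging which are rhetorical needs a coder.
    counts["Questions"] = len(re.findall(r"\?+", text))
    counts["Words"] = len(tokens)
    return counts


def ratio(num, den):
    """num/den, or None when the denominator is zero (ratio undefined)."""
    return None if den == 0 else num / den


def derived(p):
    """The two ratios the article attributes to Weintraub (1987)."""
    return {
        "I_to_We": ratio(p["I"], p["We"]),               # individual actor vs team player
        "initiator": ratio(p["I"] + p["We"], p["Me"]),   # initiates vs reacts
    }


def absent_in_all(profiles):
    """Markers never used in any message: the shared 'lack of use' pattern."""
    return [m for m in MARKERS if all(p[m] == 0 for p in profiles)]


def conflicts(sample_profile, absent):
    """Markers the anonymous author avoids but the known sample uses."""
    return [m for m in absent if sample_profile[m] > 0]


# Constructed anonymous messages (not from any real case).
ANONYMOUS = [
    "Does the managing partner think the staff are blind? The billing records "
    "tell the whole story. Everyone on the third floor knows who takes credit "
    "for their work.",
    "Who approved the bonuses this year? The associates carry this firm and "
    "the partners collect. Clients deserve to know how their files are handled.",
    "How long will the clients stay once they learn the truth? Is anyone "
    "surprised? The partners reward loyalty to themselves.",
]
# Constructed known writing samples from two hypothetical employees.
SAMPLE_A = ("Why is the filing room always left to the paralegals? The partners "
            "take long lunches and the staff cover for them.")
SAMPLE_B = ("I could not finish the filing today, so we may need another day. "
            "Please tell me if that is not acceptable.")

if __name__ == "__main__":
    profs = [profile(m) for m in ANONYMOUS]
    absent = absent_in_all(profs)
    print("markers absent from every anonymous message:", absent)
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        p = profile(sample)
        print(name, "conflicts:", conflicts(p, absent), "ratios:", derived(p))
```

A sample that produces no conflicts is only consistent with the anonymous pattern; as the article notes, such markers can be shared by more than one person, so the result supports rather than establishes identification.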

3.1.2.2. Qualitative content analysis. Many clinical training programs include coursework in psychological assessment using personal documents and writings. Approaches to these methods vary with some being derived from psychoanalytic or other theories and others from diagnostic guidelines. These methods may focus on word usage, organization or content themes. Although the use of qualitative methods may be less reliable than quantitative methods and depend greatly on the experience and training of the practitioner, this approach can be invaluable to spotting psychological disorders in subjects. For example, extensive problems with organization and errors, marked variations in emotional tone and concerns with vulnerability to outside forces may indicate the presence of serious psychological disorder with implications for the credibility and dangerousness of a threat. The level of knowledge a subject conveys and his depth of feeling for a party in the communication can also provide important clues to his identity. The overall objective in creating a profile of an individual or group posing a threat is to make them come alive off the page. Not only can this help the threat assessment team understand the individual or group they are dealing with but it can also facilitate comparison with potential suspects. One of the most satisfying experiences a profiling analyst can have is to have a team member read their assessment and react with "Oh my god, it's Bill!" as they recognize the figure described. Clinical experience with different patient groups as well as offenders is often critical to this capability.

3.1.3. Subject dangerousness

An important part of the assessment of subject characteristics is the evaluation of dangerousness. Reddy et al. (2001) have summarized and critiqued various approaches to this type of analysis and recommended the use of guided professional judgment in making these assessments. Brantley (1998) has also prepared a checklist of traits of violent offenders to help professionals evaluate this risk. While the use of content analysis alone will not be the most effective form of risk assessment, sometimes it is all that is available. In such cases, the analyst must try to apply general risk criteria and assessment processes, translating behavioral criteria to verbal behavior. As soon as a likely subject is identified, more traditional data may be incorporated into the assessment. Examples of the issues examined in this type of analysis of verbal behavior include:

- statements of motivation and intentions,
- particular statements regarding the victim of the attacks, including perceived characteristics of individuals and organizations,
- specific references to aggressive behavior including personal attacks, sabotage or violence,
- depersonalization of others, reducing obstacles to attack,
- statements of victimization (unusual frequency in the use of "me") or blaming others,
- information indicating specific plans and the specificity of such plans,
- statements reflecting the subject's psychological state and mental health,
- data reflecting the level of the subject's organization and sophistication with relevance for credibility,
- references to recent personal and professional stressors, including losses, and
- any indicators of the escalation of motivation, intentions, depersonalization, victimization or acceleration in planning or impulsiveness over time.

It is also important to be alert for mitigating factors that might modify or reduce risk. For example, threats to file suit, go to the press or other sanctioned forms of protest may not be greeted well by a firm's General Counsel, but generally are preferable to acts of violence. It is also recognized that many more people make threats than actually execute them (Reddy et al., 2001).

The author's relationship with the victim, referred to in traditional profiling methods as Victimology (Nykodym et al., 2005; Gudaitis, 1998), is particularly crucial in these investigations. Clues to the subject's perception of the victim may be contained in his remarks but the investigators also need to be aware of victim characteristics that may have contributed to the selection of the target. In an organization these victim factors have ranged from the individual characteristics of leaders, supervisors and employees to organizational and social stressors to organizational policies and practices, to the security vulnerabilities of a network.


3.1.4. Case example

A recent case, originally thought to involve an insider, required a full range of illustrative profiling tasks. Rather than being an employee, the subject turned out to share common research facilities with the competitive target firm which had also rejected him for a job. After determining that the five alleged authors sending threatening material were the same person, the task turned to evaluating his psychological traits and dangerousness. Results from the quantitative content analysis of the subject's threatening emails indicated that the author displayed the following characteristics derived from corresponding psycholinguistic variables:

- superior intelligence, based on his vocabulary;
- arrogance and grandiosity: the author's measured self-confidence significantly exceeded his sensitivity to the environment because he did not appreciate the complexity and subtlety in his environment and his over-confidence led to errors;
- cognitive rigidity: he used many more low complexity than high complexity words;
- loner, based on his high ratio of I-to-we;
- extreme anger toward the target organization: use of high numbers of negatives, rhetorical questions and negative evaluators;
- growing instability in his mood and psychological state: extreme variations in his use of negative and positive evaluators and negative and positive feelings over time with escalations in anger and impulsiveness over the period involved.

In addition, the author had rather high scores on measures of instrumental aggression, dehumanization, depression, problems with employment and victimization on the psycholinguistic software categories for these measures (Shaw and Stroz, 2004). Qualitative content analysis filled out the picture more fully, including indications of a full-blown psychological disorder. These findings included evidence that the author:

- was male and over 30 years old based on his vocabulary and historical references;
- had a history of employment problems stemming in part from his poor social skills;
- suffered from paranoid fantasies and saw himself as an outsider, a victim of a conspiracy, as well as a soldier behind the lines in a fantasy war;
- possessed significant obsessive traits: he appeared preoccupied with details, rules, lists, and appropriate procedures, and placed a major emphasis in life on being in control through intellect and calculation;
- was probably a pack rat who collected extensive information (references to his archives), computer equipment, watches, mechanical devices and possibly, firearms;
- met qualifications for being an injustice collector: he felt chronically angry, hurt, resentful, and betrayed. He also believed he has done the right thing but been punished for it and felt others had an unfair advantage due to position, formal education, birthplace, and privilege, while he had to work for his gains. He is interested in true learning versus resume building;
- has a bad temper and did not suffer fools lightly. He was impulsive and lacked judgment when overwhelmed by feelings; and
- cannot accept responsibility for personal and professional set-backs and displaces blame onto others.

The author also included extremely negative comments toward women in his communications and attached materials that were sexually explicit and demeaning, adding to the appearance of serious psychological problems. In terms of dangerousness, the author was thought to represent a significant risk for continued damaging attacks against the target organization as well as a risk of violence. This high risk assessment was based on the sophistication and persistence of his cyber attacks, the fact that he had accomplished prior threats, his high levels of anger, his serious paranoia and sense of victimization, his growing depersonalization of others, and the cyclical and accelerating pattern of his cyber attacks. His apparent mood disorder and variation in his cognitive control and impulsiveness were also of concern. In one of his earliest communications obtained by the assessment team, the subject had also tracked information on ricin. These concerns mounted when the description of the subject was given to the investigative team who found it a convincing match with a possible subject. This individual had mentioned a weapons collection and had once been expelled from a government building for allegedly making a bomb threat. The rest of the profile was also consistent with the information known about the suspect.

3.1.5. Investigation support

With a possible subject identified, team efforts turned toward gathering evidence to support the subject's direct tie to the cyber attacks. The details of this investigation have been reported elsewhere by O'Brien (2005) and in Economist.com (2005). Examples of investigation issues where behavioral consultations proved useful included:

- the level of surveillance used to link the subject to a computer which could in turn be linked to his cyber attacks: the subject's paranoia and obsessive traits argued for light but sophisticated surveillance techniques;
- the use of a web bug to trace the subject's location in cyber space: the behavioral consultant warned the team that the subject's technical sophistication and paranoia made it likely that the bug would be discovered and have specific psychological effects on the subject. The subject did discover the web bug but its use was still productive to the investigation;
- whether it was advisable to establish contact with the subject directly and if so, by whom and what message content should be used. Contact was established. Based on assessment of the subject's psychological state when writing to different parties, a company official was selected as the communicating party. However, the team used psycholinguistic analysis of his communications to impersonate him and designed the communication based on their assessment of the subject. The subject's responses to the communication were used to assess its effectiveness. The communications bought time during which the subject refrained from attacks and the investigators advanced their case.

After the investigative team became assured that the subject was their offender, the case was successfully transferred to law enforcement. However, based on their understanding of the subject's dangerousness and investigative references to weapons, it was recommended that the search warrant for the subject's house be executed when he was not present. Search of the subject's residence while he was arrested with his vehicle did produce weapon components, including the ingredients for weaponizing ricin (O'Brien, 2005).

In general, behavioral support to investigative efforts in cases of insider cyber crime can include advice regarding the best approaches to, and potential impact of, specific investigative efforts like making direct contact, interview personnel, locations and approaches, as well as surveillance methods. In a recent case involving a threatening cyber stalker, the behavioral consultant produced an observational checklist for the surveillance team designed to collect data on possible psychological disorders or risk factors they might observe. Additional forms of behavioral support to investigative teams have been described by Shaw and Post (1997) and Shaw and Stroz (2004).

In the majority of insider cyber cases the scenario may be less dramatic but the assessment issues and intervention challenges may be quite similar. As the cases above indicate, mismanagement of a disgruntled employee, especially an individual with sophisticated knowledge of his organization, can be quite costly. In such cases, the behavioral consultant can design an assessment strategy and an intervention to minimize risk and disruption. The assessment may involve remote methods, or in some cases, it may be possible for the behavioral consultant, who is a licensed mental health professional, to intervene directly with the subject. As an objective outsider, such consultants are often greeted appreciatively by parties on an escalating collision path where help from individuals without an agenda appears lacking. Sometimes a time-out during which the subject undergoes a return to work assessment is an ideal way to avert a more dramatic outcome. During this period the behavioral consultant or EAP can determine whether the subject is salvageable as an employee. Or, such a period can buy time for the security team to safeguard organizational assets and design a termination plan that will preclude a subsequent remote attack. While good physical and technical security measures are vital to preventing such acts, behavioral planning is also critical. For example, sometimes the best way to deter a technically sophisticated employee on his way out is a visit from local law enforcement or making his severance, benefits or future prosecution contingent on future good behavior.

3.1.6. Other insider behavioral support functions

There are other ways in which behavioral consultants have helped organizations experiencing cyber attacks by insiders. For example, both research findings and investigative experience argue for the design of appropriate employee screening and more effective management of disgruntled employees at-risk for attacks. Use of EAP and behavioral consulting as part of management of these employees may reduce subsequent risk of anti-social acts and may even assist in turning personnel situations around. The activities of disgruntled insiders before and after their attacks can also have a tremendous impact on employee morale. Behavioral consultants can help management understand these impacts and address employee concerns. Behavioral advisors can also help management understand the relative strengths and weaknesses revealed in staff and policies and practices after an insider event and design programs to address these issues. This may involve coaching with supervisors or revision to security awareness and training programs. They can often assist in the review of related policies and practices that may require revision as a result of lessons learned. One aggressive form of insider risk detection and reduction is the personnel security audit proposed by Shaw et al. (2000) which systematically assesses an organization's exposure to insider risk and its ability to detect and intervene to manage this risk. Shaw and Stroz (2004) are also currently test-bedding communications software designed to detect early signs of risk in employee communications. This program attempts to facilitate earlier detection and assessment of risk without the necessity of human exposure to private employee email correspondence. Finally, when insider cases go to trial, behavioral consultants can provide support similar to other cases. This may involve assistance preparing witness examination strategies and tactics, addressing jury issues and advice regarding effective communications with legal decision-makers.

3.1.7. Summary

The behavioral consultant can assist investigators in several aspects of insider cyber investigations and case management decision-making. These approaches can range from providing insights into the author(s) of anonymous attacks and communications to advice on specific investigation strategies and tactics. In the private sector where many more cases are resolved without the direct involvement of law enforcement, the behavioral consultant's assistance with case management strategies can be critical. This input may be particularly important to designing plans to evaluate the subject, and if necessary, remove him or her from the organization while minimizing the risk of the subsequent attacks that appear so frequently in research cases.

references

Brantley A. Traits and characteristics of violent offenders. Quantico, VA: Behavioral Sciences Services Unit, FBI Academy; 1998.
Economist.com. Dusting for digital fingerprints. Technology quarterly, U.S. edition; March 12, 2005.
Fein R, Vossekuil B, Pollack W, Borum R, Modzeleski W, Reddy M. Threat assessment in schools: a guide to managing threatening situations and to creating safe school climates. Washington, DC: U.S. Secret Service and Department of Education; May 2002.


Fischer LF. Characterizing information systems insider offenders. In: Proceedings of the 45th annual conference of the international military testing association, Pensacola, FL, located at <http://www.internationalmta.org>; 2003.

Gordon L, Loeb M, Lucysky W, Richardson R. Tenth annual CSI/FBI computer crime and security survey. Computer Security Institute Publications, <GoCSI.com>; 2005.

Gudaitis T. The missing link in information security: three-dimensional profiling. CyberPsychology and Behavior 1998;1(4):321-40.

Hermann M. Explaining foreign policy behavior using the personal characteristics of political leaders. International Studies Quarterly 1980;24:7-46.

Kaarbo J, Beasley R. A practical guide to the comparative case study method in political psychology. Political Psychology 1999;20(2):369-91.

Keeney J, Kowalski E, Cappelli D, Moore A, Shimeall T, Rogers S. Insider threat study: computer system sabotage in critical infrastructure sectors. Washington, DC; Pittsburgh, PA: National Threat Center, U.S. Secret Service, CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University; May 2005.

Mulac A, Bradac J, Gibbons P. Empirical support for the gender as culture hypothesis: an intercultural analysis of male/female language differences. Human Communication Research 2001;27:121-52.

Nykodym N, Taylor R, Vilela J. Criminal profiling and insider cyber crime. Computer Law and Security Report 2005;21:408-14.

O'Brien T. The rise of the digital thugs. The New York Times August 7, 2005.

O'Toole M. The school shooter: a threat assessment perspective. Quantico, VA: Federal Bureau of Investigation, Critical Incident Response Group, National Center for the Analysis of Violent Crime, FBI Academy; 2000.

Pennebaker JW, King LA. Linguistic styles: language use as an individual difference. Journal of Personality and Social Psychology 1999;77(6):1296-312.

Pennebaker J, Lee C. The power of words in social, clinical and personality psychology. Korean Journal of Thinking and Problem Solving 2002;12(2):35-43.

Post J, editor. The psychological assessment of political leaders with profiles of Saddam Hussein and Bill Clinton. Ann Arbor: University of Michigan Press; 2003.

Randazzo M, Keeney M, Kowalski E, Cappelli D, Moore A. Insider threat study: illicit cyber activity in the banking and finance sector. Washington, DC; Pittsburgh, PA: National Threat Center, U.S. Secret Service, CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University; August 2004.

Reddy M, Borum R, Berglund J, Vossekuil B, Fein R, Modzeleski W. Evaluating risk for targeted violence in schools: comparing risk assessment, threat assessment and other approaches. Psychology in the Schools 2001;38(2):157-72.

Ressler R, Burgess AW, Douglas JE. Sexual homicide: patterns and motives. FBI Law Enforcement Journal 1980;49(10):16-20.

Schudel G, Wood B. Modeling behavior of the cyber-terrorist. Washington, DC: Defense Advanced Research Projects Agency, Information Assurance Program; 2000.

Shaw ED, Fischer L. Ten tales of betrayal: an analysis of attacks on corporate infrastructure by information technology insiders, volume one. Monterrey, CA: Defense Personnel Security Research and Education Center; 2005.

Shaw ED, Post J. Threats of workplace violence: the role of the mental health professional on the law enforcement and security team. The Police Chief March 1997.

Shaw ED, Stroz E. WarmTouch software: the IDS of psychology. In: Parker T, editor. Adversary characterization: auditing the hacker mind. Rockland, MA: Syngress Publications; 2004.

Shaw ED, Ruby KG, Post JM. The insider threat to information systems. Security Awareness Bulletin 1998;2-98:27-47.

Shaw ED, Post J, Ruby K. Managing the threat from within: the personnel security audit. Information Security July 2000: 62-72.

Shaw ED. To fire or not to fire. Information Security January 2001: 48-57.

Shaw ED. Saddam Hussein: political psychological profiling results relevant to his possession, use and possible transfer of weapons of mass destruction (WMD) to terrorist groups. Studies in Conflict and Terrorism 2003;26:347-64.

Shaw ED. The insider threat: can it be managed? In: Parker T, editor. Adversary characterization. Rockland, MA: Syngress Publications; 2004.

Shaw ED. Ten tales of betrayal: attacks on corporate infrastructure by information technology insiders, volume two, case studies. Monterrey, CA: Defense Personnel Security Research and Education Center, FOUO; 2005.

Shaw ED, Post J, Ruby K. Inside the mind of the insider. Security Management. December 1999. p. 34-44.

Webb E, Campbell D, Schwartz R, Sechrest L. Unobtrusive measures. In: Sage classics, vol. 2. Sage Publications, Inc.; 1999.

Weintraub W. Coding manual and questionnaire response handbook. McLean, VA: Defense Systems, Inc.; 1987.

Weintraub W. Verbal behavior in everyday life. New York: Springer; 1989.

Winter D, Hermann M, Weintraub W, Walker S. The personalities of Bush and Gorbachev measured at a distance: procedures, portraits and policy. Political Psychology 1991;12(2):215-43.

Wood BJ. An insider threat model for adversary simulation. Menlo Park, CA: SRI International, Cyber Defense Research Center; 2000.
