Rights statement: The final, definitive version of this article has been published in the Journal, Social Psychological and Personality Science, ? (?), 2021, © SAGE Publications Ltd, 2021 by SAGE Publications Ltd at the Social Psychological and Personality Science page: https://journals.sagepub.com/home/SPP on SAGE Journals Online: http://journals.sagepub.com/
Accepted author manuscript, 394 KB, PDF document
Available under license: CC BY: Creative Commons Attribution 4.0 International License
Final published version
Licence: CC BY: Creative Commons Attribution 4.0 International License
Research output: Contribution to Journal/Magazine › Journal article › peer-review
Research output: Contribution to Journal/Magazine › Journal article › peer-review
}
TY - JOUR
T1 - Sorting Insiders from Co-workers: Remote synchronous computer-mediated triage for investigating insider attacks
AU - Dando, Coral
AU - Taylor, Paul
AU - Menacere, Tarek
AU - Ormerod, Thomas
AU - Ball, Linden
AU - Sandham, Alexandra
N1 - The final, definitive version of this article has been published in the Journal, Social Psychological and Personality Science, ? (?), 2021, © SAGE Publications Ltd, 2021 by SAGE Publications Ltd at the Social Psychological and Personality Science page: https://journals.sagepub.com/home/SPP on SAGE Journals Online: http://journals.sagepub.com/
PY - 2024/1/1
Y1 - 2024/1/1
N2 - ObjectiveDevelop and investigate the potential of a remote, computer-mediated and synchronous text-based triage, which we refer to as InSort, for quickly highlighting persons of interest after an insider attack.BackgroundInsiders maliciously exploit legitimate access to impair the confidentiality and integrity of organizations. The globalisation of organisations and advancement of information technology means employees are often dispersed across national and international sites, working around the clock, often remotely. Hence, investigating insider attacks is challenging. However, the cognitive demands associated with masking insider activity offer opportunities. Drawing on cognitive approaches to deception and understanding of deception-conveying features in textual responses, we developed InSort, a remote computer-mediated triage.MethodDuring a 6-hour immersive simulation, participants worked in teams, examining password protected, security sensitive databases and exchanging information during an organized crime investigation. Twenty-five percent were covertly incentivized to act as an ‘insider’ by providing information to a provocateur.ResultsResponses to InSort questioning revealed insiders took longer to answer investigation relevant questions, provided impoverished responses, and their answers were less consistent with known evidence about their behaviours than co-workers.ConclusionFindings demonstrate InSort has potential to expedite information gathering and investigative processes following an insider attack.ApplicationInSort is appropriate for application by non-specialist investigators and can be quickly altered as a function of both environment and event. InSort offers a clearly defined, well specified, approach for use across insider incidents, and highlights the potential of technology for supporting complex time critical investigations.
AB - ObjectiveDevelop and investigate the potential of a remote, computer-mediated and synchronous text-based triage, which we refer to as InSort, for quickly highlighting persons of interest after an insider attack.BackgroundInsiders maliciously exploit legitimate access to impair the confidentiality and integrity of organizations. The globalisation of organisations and advancement of information technology means employees are often dispersed across national and international sites, working around the clock, often remotely. Hence, investigating insider attacks is challenging. However, the cognitive demands associated with masking insider activity offer opportunities. Drawing on cognitive approaches to deception and understanding of deception-conveying features in textual responses, we developed InSort, a remote computer-mediated triage.MethodDuring a 6-hour immersive simulation, participants worked in teams, examining password protected, security sensitive databases and exchanging information during an organized crime investigation. Twenty-five percent were covertly incentivized to act as an ‘insider’ by providing information to a provocateur.ResultsResponses to InSort questioning revealed insiders took longer to answer investigation relevant questions, provided impoverished responses, and their answers were less consistent with known evidence about their behaviours than co-workers.ConclusionFindings demonstrate InSort has potential to expedite information gathering and investigative processes following an insider attack.ApplicationInSort is appropriate for application by non-specialist investigators and can be quickly altered as a function of both environment and event. InSort offers a clearly defined, well specified, approach for use across insider incidents, and highlights the potential of technology for supporting complex time critical investigations.
KW - insiders
KW - computer-mediated triage
KW - deception
KW - investigation
U2 - 10.1177/00187208211068292
DO - 10.1177/00187208211068292
M3 - Journal article
VL - 66
SP - 145
EP - 157
JO - Human Factors
JF - Human Factors
SN - 0018-7208
IS - 1
ER -