Electronic data

  • ms_final

    Rights statement: The final, definitive version of this article has been published in the Journal, Social Psychological and Personality Science, ? (?), 2021, © SAGE Publications Ltd, 2021 by SAGE Publications Ltd at the Social Psychological and Personality Science page: https://journals.sagepub.com/home/SPP on SAGE Journals Online: http://journals.sagepub.com/

    Accepted author manuscript, 394 KB, PDF document

    Available under license: CC BY: Creative Commons Attribution 4.0 International License

Sorting Insiders from Co-workers: Remote synchronous computer-mediated triage for investigating insider attacks

Research output: Contribution to Journal/Magazine › Journal article › peer-review

Published

Standard

Sorting Insiders from Co-workers: Remote synchronous computer-mediated triage for investigating insider attacks. / Dando, Coral; Taylor, Paul; Menacere, Tarek et al.
In: Human Factors, Vol. 66, No. 1, 01.01.2024, p. 145-157.

Harvard

Dando, C, Taylor, P, Menacere, T, Ormerod, T, Ball, L & Sandham, A 2024, 'Sorting Insiders from Co-workers: Remote synchronous computer-mediated triage for investigating insider attacks', Human Factors, vol. 66, no. 1, pp. 145-157. https://doi.org/10.1177/00187208211068292

Vancouver

Dando C, Taylor P, Menacere T, Ormerod T, Ball L, Sandham A. Sorting Insiders from Co-workers: Remote synchronous computer-mediated triage for investigating insider attacks. Human Factors. 2024 Jan 1;66(1):145-157. Epub 2022 Mar 7. doi: 10.1177/00187208211068292

Author

Dando, Coral ; Taylor, Paul ; Menacere, Tarek et al. / Sorting Insiders from Co-workers: Remote synchronous computer-mediated triage for investigating insider attacks. In: Human Factors. 2024 ; Vol. 66, No. 1. pp. 145-157.

Bibtex

@article{136b65654b724547a720b219a6ba34a5,
title = "Sorting Insiders from Co-workers: Remote synchronous computer-mediated triage for investigating insider attacks",
abstract = "Objective: Develop and investigate the potential of a remote, computer-mediated and synchronous text-based triage, which we refer to as InSort, for quickly highlighting persons of interest after an insider attack. Background: Insiders maliciously exploit legitimate access to impair the confidentiality and integrity of organizations. The globalisation of organisations and advancement of information technology means employees are often dispersed across national and international sites, working around the clock, often remotely. Hence, investigating insider attacks is challenging. However, the cognitive demands associated with masking insider activity offer opportunities. Drawing on cognitive approaches to deception and understanding of deception-conveying features in textual responses, we developed InSort, a remote computer-mediated triage. Method: During a 6-hour immersive simulation, participants worked in teams, examining password protected, security sensitive databases and exchanging information during an organized crime investigation. Twenty-five percent were covertly incentivized to act as an {\textquoteleft}insider{\textquoteright} by providing information to a provocateur. Results: Responses to InSort questioning revealed insiders took longer to answer investigation relevant questions, provided impoverished responses, and their answers were less consistent with known evidence about their behaviours than co-workers. Conclusion: Findings demonstrate InSort has potential to expedite information gathering and investigative processes following an insider attack. Application: InSort is appropriate for application by non-specialist investigators and can be quickly altered as a function of both environment and event. InSort offers a clearly defined, well specified, approach for use across insider incidents, and highlights the potential of technology for supporting complex time critical investigations.",
keywords = "insiders, computer-mediated triage, deception, investigation",
author = "Coral Dando and Paul Taylor and Tarek Menacere and Thomas Ormerod and Linden Ball and Alexandra Sandham",
note = "The final, definitive version of this article has been published in the Journal, Social Psychological and Personality Science, ? (?), 2021, {\textcopyright} SAGE Publications Ltd, 2021 by SAGE Publications Ltd at the Social Psychological and Personality Science page: https://journals.sagepub.com/home/SPP on SAGE Journals Online: http://journals.sagepub.com/ ",
year = "2024",
month = jan,
day = "1",
doi = "10.1177/00187208211068292",
language = "English",
volume = "66",
pages = "145--157",
journal = "Human Factors",
issn = "0018-7208",
publisher = "SAGE Publications Inc.",
number = "1",

}

RIS

TY - JOUR

T1 - Sorting Insiders from Co-workers: Remote synchronous computer-mediated triage for investigating insider attacks

AU - Dando, Coral

AU - Taylor, Paul

AU - Menacere, Tarek

AU - Ormerod, Thomas

AU - Ball, Linden

AU - Sandham, Alexandra

N1 - The final, definitive version of this article has been published in the Journal, Social Psychological and Personality Science, ? (?), 2021, © SAGE Publications Ltd, 2021 by SAGE Publications Ltd at the Social Psychological and Personality Science page: https://journals.sagepub.com/home/SPP on SAGE Journals Online: http://journals.sagepub.com/

PY - 2024/1/1

Y1 - 2024/1/1

N2 - Objective: Develop and investigate the potential of a remote, computer-mediated and synchronous text-based triage, which we refer to as InSort, for quickly highlighting persons of interest after an insider attack. Background: Insiders maliciously exploit legitimate access to impair the confidentiality and integrity of organizations. The globalisation of organisations and advancement of information technology means employees are often dispersed across national and international sites, working around the clock, often remotely. Hence, investigating insider attacks is challenging. However, the cognitive demands associated with masking insider activity offer opportunities. Drawing on cognitive approaches to deception and understanding of deception-conveying features in textual responses, we developed InSort, a remote computer-mediated triage. Method: During a 6-hour immersive simulation, participants worked in teams, examining password protected, security sensitive databases and exchanging information during an organized crime investigation. Twenty-five percent were covertly incentivized to act as an ‘insider’ by providing information to a provocateur. Results: Responses to InSort questioning revealed insiders took longer to answer investigation relevant questions, provided impoverished responses, and their answers were less consistent with known evidence about their behaviours than co-workers. Conclusion: Findings demonstrate InSort has potential to expedite information gathering and investigative processes following an insider attack. Application: InSort is appropriate for application by non-specialist investigators and can be quickly altered as a function of both environment and event. InSort offers a clearly defined, well specified, approach for use across insider incidents, and highlights the potential of technology for supporting complex time critical investigations.

AB - Objective: Develop and investigate the potential of a remote, computer-mediated and synchronous text-based triage, which we refer to as InSort, for quickly highlighting persons of interest after an insider attack. Background: Insiders maliciously exploit legitimate access to impair the confidentiality and integrity of organizations. The globalisation of organisations and advancement of information technology means employees are often dispersed across national and international sites, working around the clock, often remotely. Hence, investigating insider attacks is challenging. However, the cognitive demands associated with masking insider activity offer opportunities. Drawing on cognitive approaches to deception and understanding of deception-conveying features in textual responses, we developed InSort, a remote computer-mediated triage. Method: During a 6-hour immersive simulation, participants worked in teams, examining password protected, security sensitive databases and exchanging information during an organized crime investigation. Twenty-five percent were covertly incentivized to act as an ‘insider’ by providing information to a provocateur. Results: Responses to InSort questioning revealed insiders took longer to answer investigation relevant questions, provided impoverished responses, and their answers were less consistent with known evidence about their behaviours than co-workers. Conclusion: Findings demonstrate InSort has potential to expedite information gathering and investigative processes following an insider attack. Application: InSort is appropriate for application by non-specialist investigators and can be quickly altered as a function of both environment and event. InSort offers a clearly defined, well specified, approach for use across insider incidents, and highlights the potential of technology for supporting complex time critical investigations.

KW - insiders

KW - computer-mediated triage

KW - deception

KW - investigation

U2 - 10.1177/00187208211068292

DO - 10.1177/00187208211068292

M3 - Journal article

VL - 66

SP - 145

EP - 157

JO - Human Factors

JF - Human Factors

SN - 0018-7208

IS - 1

ER -