Validating Technical and Psychosocial Indicators in Precursor Identification for Malicious Cybersecurity Insider Threat Attack
Dear Participant,

Insider threats continue to be one of the most challenging threat vectors for organizations to mitigate. The impact of insider threat attacks can range from companies going out of business, to the loss of intellectual property or millions of dollars, to the detriment of critical infrastructures such as electrical power grids, communications, or travel infrastructures. In many insider threat attacks, perpetrators exhibited observable questionable behavior such as disgruntlement, anger, or unreliability, yet coworkers or supervisors did not report the behavior to upper management or human resources personnel. This research offers a practical method for the identification of questionable user activity through the development of a simulated monitoring system utilizing synthesized user data and behaviors. As such, the main goal of this research study is to investigate how different activities or indicators relate as precursors to an insider threat attack.

Please read all the survey questions carefully and select one answer per row. Filling out the survey will take about 15 to 20 minutes. Participating in this survey is completely voluntary and anonymous. No personal information will be collected and the data collected will be used for the purpose of this research only. Completing the survey indicates your voluntary participation in the study.

The survey instrument will be presented as follows: after this initial introduction, three sections for experts to identify technical, psychosocial, and life-event indicators will be presented, followed by a section for demographic information.

This survey is conducted in affiliation with Nova Southeastern University, including Yair Levy, Ph.D., acting as Primary Investigator, and one of his doctoral students, Angel L. Hueca, acting as Co-Investigator.

If you would like to see a summary of the results, please send an email to ah1676@nova.edu with the subject line "results requested." If you have any questions, please send an email to the above-mentioned email address.

Thank you in advance for your time and assistance, and for taking the time to participate in our research study.

Regards,

Angel L. Hueca

The Following Technical Sources and Logs are IMPORTANT in the Detection of Precursors to Malicious Cybersecurity Insider Threat Activity.
For each of the following indicators, please indicate your level of agreement with the LEVEL OF IMPORTANCE of that piece of information in serving as a precursor to malicious cybersecurity insider threat activity. Please respond to the statements with respect to your expert opinion on the subject matter.
System Logs *
1 - Not at all important
2 - Low importance
3 - Slightly important
4 - Somewhat important
5 - Moderately important
6 - Very important
7 - Extremely important
SL1. System activity logs (Administrator)
SL2. Storage Logs
SL3. Endpoint Logs
SL4. Application Logs
SL5. Customized Application Logs
SL6. Authentication Logs
SL7. Physical Security Logs
Network Logs *
1 - Not at all important
2 - Low importance
3 - Slightly important
4 - Somewhat important
5 - Moderately important
6 - Very important
7 - Extremely important
NL1. Email Activity Logs
NL2. Firewall Traffic Logs
NL3. VPN Activity Logs
NL4. Netflow Logs
Technical Communication Logs *
1 - Not at all important
2 - Low importance
3 - Slightly important
4 - Somewhat important
5 - Moderately important
6 - Very important
7 - Extremely important
TL1. HTTP Activity Logs
TL2. Proxy Logs
TL3. DNS Logs
TL4. DHCP Logs
TL5. FTP Logs
TL6. Web Logs
TL7. SQL Logs
Cybersecurity Monitoring and Logging Tools Logs *
1 - Not at all important
2 - Low importance
3 - Slightly important
4 - Somewhat important
5 - Moderately important
6 - Very important
7 - Extremely important
MLT1. Malware Protection Tools (Anti-Virus) Logs
MLT2. Intrusion Detection and Prevention System (IDPS) Logs
MLT3. Data Loss Prevention (DLP) Logs
MLT4. Tools that employ potential malware isolation and investigation (sandbox or virtual execution engines) Logs
MLT5. Other relevant security management appliances or tools
The Following Psychosocial indicators are IMPORTANT in the Detection of Precursors to Malicious Cybersecurity Insider Threat Activity.
For each of the following indicators, please indicate your level of agreement with the LEVEL OF IMPORTANCE of that piece of information in serving as a precursor to malicious cybersecurity insider threat activity. Please respond to the statements with respect to your expert opinion on the subject matter.
Psychosocial Indicators *
1 - Not at all important
2 - Low importance
3 - Slightly important
4 - Somewhat important
5 - Moderately important
6 - Very important
7 - Extremely important
PS1. The employee exhibits disgruntlement
PS2. The employee has difficulty accepting feedback
PS3. The employee has anger management issues
PS4. The employee exhibits disengagement
PS5. The employee exhibits disregard for authority
PS6. The employee exhibits poor performance or performance issues
PS7. The employee exhibits stress (appears to be under physical, mental, or emotional strain or tension that he/she has difficulty handling)
PS8. The employee exhibits confrontational behavior (exhibits argumentative or aggressive behavior or is involved in bullying or intimidation)
PS9. The employee exhibits difficulty keeping personal issues separate from work
PS10. The employee exhibits self-centeredness (disregards needs or wishes of others)
PS11. The employee exhibits lack of dependability
PS12. The employee exhibits chronic unexplained absenteeism
PS13. The employee has been with the organization 1 to 3 years
PS14. The employee has been with the organization 4 to 6 years
PS15. The employee has been with the organization 6 to 10 years
The employee has been with the organization over 10 years
The Following Life-Event indicators are IMPORTANT in the Detection of Precursors to Malicious Cybersecurity Insider Threat Activity.
For each of the following indicators, please indicate your level of agreement with the LEVEL OF IMPORTANCE of that piece of information in serving as a precursor to malicious cybersecurity insider threat activity. Please respond to the statements with respect to your expert opinion on the subject matter.
Life-Event Indicators *
1 - Not at all important
2 - Low importance
3 - Slightly important
4 - Somewhat important
5 - Moderately important
6 - Very important
7 - Extremely important
LE1. The employee suffered a serious illness or injury
LE2. The employee's close relative suffered a serious illness or injury
LE3. The employee suffered a death of a first-degree relative including child or spouse
LE4. The employee suffered the death of a close family friend or second-degree relative
LE5. The employee is going through a separation due to marital difficulties
LE6. The employee broke off a serious relationship
LE7. The employee is having a serious problem with a close friend, neighbor, or relative
LE8. The employee is not full-time or seeking full-time work for more than one month
LE9. The employee was terminated from their job
LE10. The employee is having a major financial crisis
LE11. The employee is having problems with the law and/or courts
LE12. The employee had something valuable lost or stolen
LE13. The employee had a minor illness or injury
LE14. The employee had a baby (became father or mother)
LE15. The employee got married
LE16. The employee became engaged or began a serious relationship
LE17. A new person came to live at the employee's home
LE18. The employee exhibits a marked improvement in the way they get along with someone else who is close
LE19. The employee is going through a separation from someone important
LE20. The employee completed a course or training
LE21. The employee got a promotion at work
LE22. The employee experienced a big change in the people, duties, or responsibilities at work
LE23. The employee started a completely different type of job
LE24. The employee moved to a new residence within their own town or city
LE25. The employee studied for or completed an important exam
LE26. The employee became much better off financially
LE27. The employee had moderate financial difficulties
Demographics Information
Please provide the following anonymous information about yourself.
D1. The Gender You Identify With *
D2. Age Group *
D3. Your Education Level *
D4. Your Role Within Your Organization *
D5. The Industry You Work In *