How big data could track the next Snowden

Several recommendations have been proposed to the DOD concerning the threat of an insider attack. These include ensuring that more people with top secret clearance have at least one person sign off on work assignments involving sensitive information; stricter punishments for minor infractions involving data loss, glitches and “spillage”; mandating that all software fixes comply with a single new standard; and the creation of a Joint Information Environment (JIE) allowing all of the services to share information in one secure cloud setting and far more effective monitoring of employee communication and activity. The Pentagon already has a JIE in place for email, and this will be extended across other military branches soon.

The question remains: what are the Snowden-like signals to watch for in this new, more transparent environment? Few people involved in insider threat programs in Washington are eager to talk about what makes a potential traitor conspicuous, but several interesting findings have been published out of Palo Alto, California.

Researchers at PARC (Palo Alto Research Center) told Defense One they have set up a number of experiments to observe potential insider threat behavior in closed online environments. The team is seeking a scientific understanding of how insider threats actually develop in real time.

iHLS Israel Homeland Security

They looked at the massively multiplayer online game World of Warcraft, which allows users to build characters, join large organizations called guilds and go on missions and assignments. Players hunting dragons and orcs wind up collaborating with teammates, applying for positions and earning rewards in somewhat the same way that work teams go about attacking big projects.

The game thus served as a suitable proxy for a real-world work environment. A player who quits the guild has the potential to damage it, perhaps even absconding with goods in much the same way that Edward Snowden defected with flash drives of classified information.

The team then expanded the research to the real world using big data. They looked to determine if email patterns could predict quitting (attrition) and began by examining two data sets, a small company of 43 employees and a large company of 3,600, for a period of about 20 weeks.

They found some important clues that can predict potential insider threat behavior, and they were counterintuitive. The team had expected the strongest signal of a quitting event to be emails with a highly negative tone, full of spit and spite. In fact, the best attrition symptom was fewer emails, fewer messages after hours, fewer attachments: fewer words altogether.