taking behavior and to frame insider decisions on taking actions such as theft of information, sabotage, and fraud in organizations.

Fischhoff et al. [ 7 ] investigated perceptions of risk, and particularly ways to determine when a product is acceptably safe. Their model can be adopted and used to define insider risk associated with misbehavior: 1. Does the insider voluntarily get involved in the risk situation (voluntariness)? 2. To what extent is the risk of consequence from the insider’s action to him/her immediate (immediacy of effect)? 3. To what extent are the risks known (precisely) by the insider who is exposed to those risks (knowledge about risk)? 4. To what extent are the risks precisely known and quantified (knowledge to science)? 5. To what extent can the insider, by personal skill or diligence, avoid the consequences to him/her while engaging in the untoward activity (control over risk)? 6. Does the risk affect the insider over time or is it a risk that affects a larger number of people at once (chronic-catastrophic)? 7. Are these risks new to the insider or is there some prior experience/conditioning (newness)? 8. Is this a risk that the insider has rationalized and can think about reasonably calmly (common-dread)? 9. When the risk from the activity is realized in the form of consequences to the insider (severity of consequences)?

It has been shown that unknown risk and dread risk can be used to account for about 80 percent of the results generated by using all nine variables that were originally introduced by Fischhoff and his colleagues (e.g., [ 8 ]). (We note that the nine risk factors given above may not apply in extreme cases involving drugs or ideology.)

We formulated a model based on the psychometric model of risk perception developed by Fischhoff, Slovic and others, in which characteristics of a risk are correlated with its acceptance. We then modified that model to accommodate factors present in insider misuse and to condense Fischhoff’s nine variables of risk – listed above – by considering understanding (familiarity and experience) and consequences (scope, duration, and impact) to the insider as the two principal characteristics of information security and privacy risks.

If we explore the fear insiders have of the potential effects to them of the risks of perpetrating IT misuse, we can model the consequences of the breach to the insider. To model this, we consider three main questions: 1) How serious are effects perceived by insiders? 2) How immediate are effects on insiders, and 3) How much do insiders fear the effects? Analyzing these questions enables us to assign a simple metric to this dimension of the model. We define five levels of consequence: 1. Level 1: Effects are trivial, temporary and commonplace 2. Level 2: Effects are potentiality serious but treatable/recoverable 3. Level 3: Effects are serious, long term but considered normal 4. Level 4: Effects are serious, ongoing and raise deep concerns 5. Level 5: Effects are catastrophic, ongoing and highly feared

The level definitions (‘trivial,’ ‘serious,’ etc.) are based on those published by the National Institute of Standards and Technology (see [ 9 ]). Level 5 and level 1 represent the highest and lowest level of consequences to insiders, respectively.

For the second dimension, understanding, we can explore the factors motivating users to consider certain risks while dismissing others. These questions are intended to identify affective factors that influence users’ cognitive understanding of cause and effect. This resolves into two main questions: 1) who (among the insider group) understand the hazard? 2) What do insiders know?

Our framework for categorizing understanding is based on the work of Bloom and Krathwhol [ 10 ]. In this, our interest is in understanding risk causes and effects using the cognitive domain, and what adds to insiders’ motivation to increase understanding using the affective domain. We obtain the following sixlevel metric for the understanding dimension of our model by answering these questions: 1. Level 1: Evaluation: Can the insider make judgments about the value of ideas or materials? 2. Level 2: Synthesis: Can the insider build a structure or pattern from diverse elements? 3. Level 3: Analysis: How insiders distinguish between facts and inferences. 4. Level 4: Application: How insiders use a concept in a new situation or unprompted use of an abstraction. 5. Level 5: Comprehension: Can the insider understand the problem, for e.g.

state a problem in his/her own words? 6. Level 6: Knowledge: Can the insider recall data or information?

Level 6 and level 1 represent the lowest and the highest level of understanding, respectively.

The perceived risk in our model is a function of consequence and understanding. An approximate perceived risk score may be constructed from the consequence metric and the inverse of the understanding metric. The perceived risk score therefore increases whenever the consequences are more severe for insiders, and decreases as the insider gains deeper understanding of the nature and limits of the risk. Some cases may not match this model exactly but this score is nonetheless a good match for many case studies and the experiences of the experts interviewed in our validation study.

If managers understand the dynamic processes by which insiders learn about risk, they can then use that knowledge to choose among alternatives that have different uncertainties, risks and benefits. Our research addresses the dynamics of perception by including a variable time element in our model that causes the risk score to decay with time. That extension will not be discussed here (for full details of this model see [ 11 ]) but may be employed as part of a more extensive evaluation of risk perception. 3

To validate our model, we presented it to thirty-five senior information security executives in industry and governmental organizations across the U.S. Following a ten-minute description of our model, we conducted our studies in structured one-on-one meetings and telephone interviews.

During the meetings/interviews we asked these executives if they were able to map the perceived risk of the worst information security incident that they had experienced into our model. We also asked questions such as: Were those incidents caused by insiders or outsiders? How do you describe the level of the consequences and understanding of risks of those incidents? Do you believe this level was the same for all the stakeholders?

These executives each had at least a decade of experience with a large range of information security issues. All these executives were able to map their perceived risk into our model. They were also able to estimate the range of perceived risk by different stakeholders. However, the interviewees stated that perceived risk is not the only factor that we should investigate in modeling insider risk and framing insider decisions, and the perceived benefit is likely to play a more important role in insider decisions. 4

Most of the law enforcement agents who were interviewed in our research indicated the Fraud Triangle was a model that they regularly used when investigating insider crime. Joseph T. Wells [ 12 ], a retired law enforcement agent, developed this model as a model of elements supporting and motivating fraud. Mr. Wells’s model was influenced by the research of Donald R. Cressey (1919 – 1987), a sociologist known for his work in organized crime investigation. Motive, opportunity, and rationalization are the three elements of Wells’s model, also known as the Fraud Triangle.

Combining our model for risk perception with Wells’s model indicates that management should ensure that discovered misuse is punished appropriately, and that appropriate audit controls are in place. The combination further suggests that opportunity may be countered by random observation and unpublicized controls, thus introducing additional uncertainty to the perception of risk. 5

Similar to the arguments made by decision scientists about the role of affect in human decision making (e.g., [ 13 ]), we argue that insiders use an affect heuristic to make judgments. That is, representations of events in insiders’ minds are tagged to varying degrees with affect. Insiders consult or refer to an affective pool in the process of making judgments. Using an overall and affective impression can be far easier than weighing the pros and cons or retrieving from memory many relevant examples, especially when the required judgment is complex and includes many unknown variables.

The affect heuristic also predicts that using time pressure to reduce the opportunity for analytic deliberation should enhance the inverse relationship between perceived benefits and risks—the higher the perceived benefit, the lower the perceived risk, and vice versa. Finucane et al. [ 13 ] showed that the inverse relationship between perceived risks and benefits increased greatly under time pressure as predicted. This is consistent with Zajonc’s findings [ 14 ] that affect influences judgment directly and is not simply a response to a prior analytic evaluation.

Kahneman and Lovallo [ 15 ] explain the concept of inside view–a forecast is generated by focusing on the case at hand, for e.g., by considering the plan and the obstacles to its completion, and outside view–a focus on the statistics of a class of cases similar in respects to the present one. Our findings indicate that insiders are normally biased in favor of the inside view and tend to neglect the statistics of the past. This characteristic makes them capable of two biases– also known as isolation errors ([ 15 ]): Their forecasts of future outcome are often anchored on plans and scenarios of success rather than on past results, and are therefore optimistic; their evaluations of single risky prospects neglect the possibilities of pooling risks.

Another explanation for the inverse relationship between perceived risk and benefit by insiders could be that perceived benefits–compared to perceived risks– are simply more evaluable, largely they are conceptualized unidimensionally, and are psychologically represented in terms of a convenient and numerical scale ([ 16 ]). Lichtenstein and Slovic [ 17 ] also explain that the amount to win can directly translate to an amount to bid–in an insider’s case to take different approaches to commit the crime, or to commit or not to commit the crime at all. Probabilities of winning and losing, presented in probability units, are more difficult to translate into monetary units. This can lead insiders to decisions that are highly correlated with the amount to win but poorly reflect the variations in probabilities and amount to lose. 6

Classical decision theory ([ 18 ], [ 19 ]) frame the choice people make in terms of four basic elements: 1. A Set of potential actions (Ai) to choose between, 2. A set of events or world states (Ej), 3. A set of consequences obtained (Cij ) for each combination of action and event, and 4. A set of probabilities (Pij ) for each combination of action and event

According to classical decision theory, the expected value of an action is calculated by weighting its consequences over all events by the probability the event will occur. Classical decision theories neither adequately explain the insider behavior nor do they assist managers in selecting appropriate control measure(s) to prevent/minimize damage or loss caused by insider misuse. For example, a manger might be deciding whether to install misuse detection software in his company’s network. Installing or not installing software responds to two actions A1 and A2. The expected consequences of either action depend upon whether misuse occurs. Misuse occurring or not occurring corresponds to two events E1 and E2. Installing misuse detection software may reduce the consequences (C11) of misuse occurring. As the probability of misuse occurrence increases, use of software seems to be more attractive.

From probability theory, it can be shown that the return to a manager is maximized by selecting the alternative with the greatest expected value. The expected value of an action Ai is calculated by weighting its consequences Cik over all events k, by the probability Pik the event will occur. The expected value of a given action Ai is therefore: (1) (2) EV [Ai] =

Among the different decision theories that we investigated, Prospect Theory by Amos Tversky and Daniel Kahneman (who won the 2002 Nobel Prize in Economics for its development) – best describes the behavior of insiders.

Prospect Theory distinguishes two phases in choice processes: framing and valuation ([ 27 ]). In the framing phase, the insider constructs a representation of acts, contingencies, and outcomes that are relevant to the decision. In the valuation phase, the insider assesses the value of each prospect and chooses accordingly.

From the cases that we discussed with our interviewees we found that decision theories based on the expected utility theory–where risk aversion and risk seeking are determined solely by the utility function–do not adequately explain the risk taking behavior of insiders. Insiders normally make decisions based on change of wealth rather than total gain–a behavior that is well explained by Prospect Theory. This also correlates with our model, in that insiders may not fully understand the risks of a crime that might be immensely favorable if successful.

This finding is also consistent with the results of some previous studies. For example Wood [ 28 ] finds insiders to be risk averse and their ultimate fear is to be discovered before they have mounted a successful attack. Risk aversion is the reluctance of an insider to accept a bargain with an uncertain payoff rather than another bargain with more certain, but possibly lower expected payoff. Expected value maximization is problematic in framing an insider’s decision because it does not allow decision makers to exhibit risk aversion.

Prospect Theory has been successful in explaining individual differences that have been observed in the laboratory and outside the laboratory studies ([ 29 ]; [ 30 ]; [ 31 ]). However, some studies do not completely support applications of Prospect Theory in the real world ([ 32 ]; [ 33 ]).

Following Kahneman and Tversky, we can parameterize the value function in Prospect Theory as a power function (see Figure 2):

V (x) = xα −λ(−x)β x ≥ 0 x < 0

Where α, β > 0 measure the curvature of the value function for gains and losses, respectively, and k is the coefficient of loss aversion. Thus, the value function for gains (losses) is increasingly concave (convex) for smaller values of α(β) < 1, and loss aversion is more pronounced for larger values of λ > 1. Tversky and Kahneman estimated median values of α = β = .88, and λ = 2.25 among their sample of college students. The degree of curvature of the value function represents the insider’s sensitivity to increasing units gained or lost.

Expected utility theory and most normative models of decision making under risk assume the principle of description invariance: Preferences among prospects should not be affected by how they are described. Decision makers act as if they are assessing the impact of options on final assets ([ 31 ]). Prospect Theory acknowledges that choices are influenced by how prospects are cognitively represented in terms of losses versus gains and their associated probabilities–this characteristic of Prospect Theory explains the influence of perceptions on insider decisions.

We argue that the significant ability of Prospect Theory in framing and editing operations, compared to other decision theories, best describes the behavior of insiders.

The Weighting function in Prospect Theory can be shown as follow: w(p) =

δpγ δpγ + (1 − p)γ

Where δ > 0 measures the elevation of the weighting function and γ > 0 measures its degree of curvature. Figure 3 represents shape of this weighting function:

The inverse-S-shaped weighting function is characterized by a tendency to overweight low probabilities and underweight moderate to high probabilities. Although the shape of the value function implies risk aversion for gains and risk seeking for losses, this pattern seems to be reversed for low-probability events and reinforced for high-probability events. This paper describes on the role of perceptions of risk and benefit of insiders in taking actions such as theft of information, sabotage, and fraud in organizations. We use the theoretical foundation of perception of risk built by Baruch Fischhoff, Paul Slovic, and of behavioral economics by Daniel Kahneman and Amos Tversky. We identify consequences and understanding as two main characteristics of perceived risk by insiders. We contend that perceived benefit plays an important role in insider decisions and that classical decision theories cannot adequately explain insider behavior.

Making effective decisions to confront insider threats requires understanding insiders’ risk taking behavior and their decision heuristic. We believe that there is significant value to including risk perception management as part of a comprehensive security plan. Technical controls continue to be important, especially when coping with outsider attacks and unexpected failures. However, not all security problems can be addressed with IT-based defenses. Our research results provide one more approach to defending important computing assets against insider misuse. 9

This material is based in part upon work supported by the U.S. Department of Homeland Security under Grant Award Number 2006-CS-001-000001, under the auspices of the Institute for Information Infrastructure Protection (I3P) research program. The I3P is managed by Dartmouth College. The views and conclusions contained in this document should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security, the I3P, or Dartmouth College. Sponsors of the Center Education and Research in Information Assurance and Security (CERIAS) also supported portions of this work. The authors would also like to acknowledge the contribution of Mr. William Keck in literature review.