Using Internet Activity Profiling for Insider-threat Detection

Bushra A. Alahmadi, Philip A. Legg, Jason R. C. Nurse


The insider-threat problem continues to be a major risk to both public and private sectors, where those people who have privileged knowledge and access choose to abuse this in some way to cause harm towards their organisation. To combat against this, organisations are beginning to invest heavily in deterrence monitoring tools to observe employees’ activity, such as computer access, Internet browsing, and email communications. Whilst such tools may provide some way towards detecting attacks afterwards, what may be more useful is preventative monitoring, where user characteristics and behaviours inform about the possibility of an attack before it happens. Psychological research advocates that the behaviour and preference of a person can be explained to a great extent by psychological constructs called personality traits, which could then possibly indicate the likelihood of an individual being a potential insider threat. By considering how browsing content relates to psychological constructs (such as OCEAN), and how an individual’s browsing behaviour deviates over time, potential insider-threats could be uncovered before significant damage is caused. The main contribution in this paper is to explore how Internet browsing activity could be used to predict the individual’s psychological characteristics in order to detect potential insider-threats. Our results demonstrate that predictive assessment can be made between the content available on a website, and the associated personality traits, which could greatly improve the prospects of preventing insider attacks.


  1. Allport, G. W. (1962). The general and the unique in psychological science1. Journal of personality, 30(3):405-422.
  2. Axelrad, E. T., Sticha, P. J., Brdiczka, O., and Shen, J. (2013). A bayesian network model for predicting insider threats. In Security and Privacy Workshops (SPW), 2013 IEEE, pages 82-89. IEEE.
  3. Barrick, M. R. and Mount, M. K. (1991). The big five personality dimensions and job performance: a metaanalysis. Personnel psychology, 44(1):1-26.
  4. Cappelli, D. M., Moore, A. P., and Trzeciak, R. F. (2012). The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes. Addison-Wesley.
  5. Chorley, M. J., Whitaker, R. M., and Allen, S. M. (2015). Personality and location-based social networks. Computers in Human Behavior, 46(0):45 - 56.
  6. Davis, C. and Fox, J. (1993). Excessive exercise and weight preoccupation in women. Addictive Behaviors, 18(2):201 - 211.
  7. Ehrman, K., Jagid, B., and Loosmore, N. B. (1997). Electronic control system/network. US Patent 5,682,142.
  8. Golbeck, J., Robles, C., Edmondson, M., and Turner, K. (2011a). Predicting personality from Twitter. In Privacy, security, risk and trust (PASSAT), 2011 IEEE third international conference on and 2011 IEEE third international conference on social computing (socialcom), pages 149-156. IEEE.
  9. Golbeck, J., Robles, C., and Turner, K. (2011b). Predicting personality with social media. In CHI'11 Extended Abstracts on Human Factors in Computing Systems, pages 253-262. ACM.
  10. Goldberg, L. R. (1999). A broad-bandwidth, public domain, personality inventory measuring the lower-level facets of several five-factor models. Personality psychology in Europe, 7:7-28.
  11. Grc?ar, M., Mladenic, D., and Grobelnik, M. (2005). User profiling for interest-focused browsing history. In In SIKDD 2005 at Multiconference IS 2005.
  12. Greitzer, F. L. and Frincke, D. A. (2010). Combining traditional cyber security audit data with psychosocial data: towards predictive modeling for insider threat mitigation. In Insider Threats in Cyber Security, pages 85-113. Springer.
  13. Hamburger, Y. and Ben-Artzi, E. (2000). The relationship between extraversion and neuroticism and the different uses of the internet. Computers in Human Behavior, 16(4):441 - 449.
  14. Hunker, J. and Probst, C. W. (2011). Insiders and insider threats-an overview of definitions and mitigation techniques. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 2(1):4-27.
  15. Jolliffe, I. (2005). Principal Component Analysis. Wiley Online Library.
  16. Kaupins, G. and Minch, R. (2005). Legal and ethical implications of employee location monitoring. In System Sciences, 2005. HICSS'05. Proceedings of the 38th Annual Hawaii International Conference on, pages 133a-133a. IEEE.
  17. Kosinski, M., Bachrach, Y., Kohli, P., Stillwell, D., and Graepel, T. (2014). Manifestations of user personality in website choice and behaviour on online social networks. Machine Learning, 95(3):357-380.
  18. Kruskal, J. B. and Wish, M. (1978). Multidimensional scaling, volume 11. Sage.
  19. Legg, P., Moffat, N., Nurse, J. R. C., Happa, J., Agrafiotis, I., Goldsmith, M., and Creese, S. (2013). Towards a conceptual model and reasoning structure for insider threat detection. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 4(4):20-37.
  20. Liang, T.-P. and Lai, H.-J. (2002). Discovering user interests from web browsing behavior: An application to internet news services. In System Sciences, 2002. HICSS. Proceedings of the 35th Annual Hawaii International Conference on, pages 2718-2727. IEEE.
  21. Marcus, B. and Schuler, H. (2004). Antecedents of counterproductive behavior at work: a general perspective. Journal of Applied Psychology, 89(4):647.
  22. Nord, G. D., McCubbins, T. F., and Nord, J. H. (2006). Emonitoring in the workplace: privacy, legislation, and surveillance software. Communications of the ACM, 49(8):72-77.
  23. Nurse, J. R. C., Buckley, O., Legg, P. A., Goldsmith, M., Creese, S., Wright, G. R., and Whitty, M. (2014). Understanding insider threat: A framework for characterising attacks. In Workshop on Research for Insider Threat (WRIT) held as part of the IEEE Computer Society Security and Privacy Workshops (SPW14), in conjunction with the IEEE Symposium on Security and Privacy (SP). IEEE.
  24. O'Connor, B. P. and Dyce, J. A. (1998). A test of models of personality disorder configuration. Journal of Abnormal Psychology, 107(1):3.
  25. Paulhus, D. L. and Williams, K. M. (2002). The dark triad of personality: Narcissism, machiavellianism, and psychopathy. Journal of research in personality, 36(6):556-563.
  26. Pennebaker, J. W., Francis, M. E., and Booth, R. J. (2001). Linguistic inquiry and word count: Liwc 2001. Mahway: Lawrence Erlbaum Associates, 71:2001.
  27. Phyo, A. and Furnell, S. (2004). A detection-oriented classification of insider IT misuse. In Third Security Conference.
  28. Pocius, K. E. (1991). Personality factors in humancomputer interaction: A review of the literature. Computers in Human Behavior, 7(3):103-135.
  29. PWC (2014). US cybercrime: Rising risks, reduced readiness: Key findings from the 2014 US state of cybercrime survey.
  30. Schultz, E. E. (2002). A framework for understanding and predicting insider attacks. Computers & Security, 21(6):526-531.
  31. Schwartz, H. A., Eichstaedt, J. C., Kern, M. L., Dziurzynski, L., Ramones, S. M., Agrawal, M., Shah, A., Kosinski, M., Stillwell, D., Seligman, M. E., et al. (2013). Personality, gender, and age in the language of social media: The open-vocabulary approach. PloS one, 8(9):e73791.
  32. Shaban, K. B., Chan, J., and Szeto, R. (2010). Interestdetermining web browser. In Advances in Data Mining. Applications and Theoretical Aspects, pages 518- 528. Springer.
  33. Shaw, E., Ruby, K., and Post, J. (1998). The insider threat to information systems: The psychology of the dangerous insider. Security Awareness Bulletin, 2(98):1-10.
  34. Shaw, E. D., Stock, H. V., et al. (2011). Behavioral risk indicators of malicious insider theft of intellectual property: Misreading the writing on the wall. White Paper, Symantec, Mountain View, CA.
  35. Shen, J., Brdiczka, O., and Liu, J. (2013). Understanding email writers: Personality prediction from email messages. In User Modeling, Adaptation, and Personalization, pages 318-330. Springer.
  36. Spitzner, L. (2003). Honeypots: Catching the insider threat. In Computer Security Applications Conference, 2003. Proceedings. 19th Annual, pages 170-179. IEEE.
  37. Sumner, C., Byers, A., Boochever, R., and Park, G. J. (2012). Predicting dark triad personality traits from twitter usage and a linguistic analysis of tweets. In Machine Learning and Applications (ICMLA), 2012 11th International Conference on, volume 2, pages 386-393. IEEE.
  38. Surhone, L. M. (2010). KNIME: R (programming Language), WEKA, Java. Betascript Publishing.
  39. Urbaczewski, A. and Jessup, L. M. (2002). Does electronic monitoring of employee internet usage work? Communications of the ACM, 45(1):80-83.
  40. Wiggins, J. S. (1996). The five-factor model of personality: Theoretical perspectives. Guilford Press.
  41. Yarkoni, T. (2010). Personality in 100,000 words: A large-scale analysis of personality and word use among bloggers. Journal of research in personality, 44(3):363-373.

Paper Citation

in Harvard Style

Alahmadi B., Legg P. and Nurse J. (2015). Using Internet Activity Profiling for Insider-threat Detection . In Proceedings of the 17th International Conference on Enterprise Information Systems - Volume 2: WOSIS, (ICEIS 2015) ISBN 978-989-758-097-0, pages 709-720. DOI: 10.5220/0005480407090720

in Bibtex Style

author={Bushra A. Alahmadi and Philip A. Legg and Jason R. C. Nurse},
title={Using Internet Activity Profiling for Insider-threat Detection},
booktitle={Proceedings of the 17th International Conference on Enterprise Information Systems - Volume 2: WOSIS, (ICEIS 2015)},

in EndNote Style

JO - Proceedings of the 17th International Conference on Enterprise Information Systems - Volume 2: WOSIS, (ICEIS 2015)
TI - Using Internet Activity Profiling for Insider-threat Detection
SN - 978-989-758-097-0
AU - Alahmadi B.
AU - Legg P.
AU - Nurse J.
PY - 2015
SP - 709
EP - 720
DO - 10.5220/0005480407090720