Addressing Bias in Insider Risk Monitoring
By Chris Denbigh-White, Chief Security Officer, Next
Preventing the loss of sensitive information is difficult for organizations. Enterprises often take similar steps to protect data from internal and external threats, with teams analyzing activity to identify potential risks. Security operations centers (SOCs) defending against these threats must look at employees, partners, and threat actors through a similar lens to pinpoint potential data leaks. When surveilling for insider threats, however, there is the added concern of bias.
Defining Monitoring Bias
Monitoring bias is the unfounded, often discriminatory observation of specific employees or departments irrespective of their conduct. This can generate unsupported, negative conclusions about the credibility and trust an organization should have about an employee or department, resulting in intrusive monitoring. Conversely, it can lead to data leaks if biases prevent other employees from being adequately monitored.
Monitoring bias affects how businesses analyze insider risks, resulting in errors that can prevent identifying potential threats. This type of discrimination comes in many forms:
- Unequal Monitoring: Monitoring specific members of your organization without holding others to the same standard leaves you with low visibility of the risky activity elsewhere that, if spotted, would let you prevent an insider threat.
- Selective Attention: Concentrating on specific actions or behaviors instead of considering the full set of risk indicators.
- Attribution Bias: Judging specific employees or departments as presenting a heightened or lowered risk to the organization without considering their actual behavior. This leads to inaccurate risk profiles.
- Group Identity Bias: Stereotyping employees and assuming they present a higher risk based on their backgrounds generates inaccurate assessments of their level of risk.
- Confirmation Bias: Treating data that supports preconceived assumptions as far more trustworthy than it is, and paying too little attention to contradictory information.
These biases can inadvertently cause security teams to miss risky activity by other employees, partners, or threat actors. The Intelligence and National Security Alliance finds that unfounded, bias-driven monitoring of individuals can lead to issues such as:
- Increased risk from unfounded confidence, because threat hunters and SOC teams concentrate on the wrong issues and individuals.
- Wasted resources from spending too much time observing the wrong users.
- Legal liability if protected groups are wrongfully monitored or privacy laws are violated.
- Reputational damage from unfavorable news coverage of biased investigations.
Legacy Approaches Don’t Address Bias
Older, legacy Data Loss Prevention and Insider Risk Management solutions use dated blueprints and run locally within the organizational firewall. These solutions often rely only on keystroke logging, screen recording, or web monitoring of individual users, losing sight of the “bigger picture” and promoting bias.
Eliminate Bias and Improve Data Protection
It is best practice to reduce bias in employee monitoring by focusing on the activities involving sensitive data that can actually jeopardize it. Technology that anonymizes employees while still monitoring activity is crucial for eliminating bias without weakening security. Such monitoring still allows teams to identify users displaying suspicious activity through ‘scoped investigations’: investigators are granted audited access to the data, limited to the scope of the investigation, so that privacy regulations are respected.
Protecting and de-identifying employee information lets security teams detect risk without the interference of bias. Anonymity in monitoring gives teams a holistic view of organizational activity that helps detect threats and reduces monitoring bias, supporting an impartial management program that employees can trust.
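The pattern described above, shown as an added example rather than code from Next or the author: every user is reduced to a keyed pseudonym before analysts see any telemetry, one uniform rule is applied to every pseudonym, and re-identification is a separate, audited step that needs an approved case. The key, the events, the threshold and the case id are all constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumed: the key is held by a custodian outside the SOC; the value here is constructed.
PSEUDONYM_KEY = b"example-key-rotate-and-keep-out-of-soc"
EXTERNAL_THRESHOLD_BYTES = 50_000_000  # one rule, applied to every pseudonym alike
INTERNAL_SUFFIX = ".corp.example"

# Constructed sample telemetry: (user, destination host, bytes transferred).
EVENTS = [
    ("alice@corp.example", "sharepoint.corp.example", 12_000_000),
    ("alice@corp.example", "personal-drive.example", 60_000_000),
    ("bob@corp.example", "sharepoint.corp.example", 90_000_000),
    ("carol@corp.example", "personal-drive.example", 20_000_000),
]


class Pseudonymizer:
    """Maps identities to keyed pseudonyms; only the custodian holds the reverse map."""

    def __init__(self, key):
        self._key = key
        self._reverse = {}
        self.audit_log = []

    def pseudonym(self, user):
        p = hmac.new(self._key, user.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[p] = user
        return p

    def scoped_reveal(self, pseudonym, investigator, case_id):
        """Re-identify exactly one pseudonym, only under an approved case; always audited."""
        if not case_id:
            self.audit_log.append(("DENIED", investigator, pseudonym, None))
            raise PermissionError("re-identification requires an approved case id")
        self.audit_log.append(("REVEALED", investigator, pseudonym, case_id))
        return self._reverse[pseudonym]


def flag_external_transfers(events, pz, threshold=EXTERNAL_THRESHOLD_BYTES):
    """Analysts see pseudonyms only; the same threshold is applied to all of them."""
    totals = defaultdict(int)
    for user, dest, size in events:
        if not dest.endswith(INTERNAL_SUFFIX):
            totals[pz.pseudonym(user)] += size
    return {p for p, total in totals.items() if total > threshold}
```

Bob moves the most data but only to an internal host, so he is not flagged; the alert that does fire carries a pseudonym, and the audit log records every attempt to resolve it.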
About the Author
Chris Denbigh-White is the Chief Security Officer for Next. He has over 14 years of experience in the cyber security space, including in the office of the CISO at Deutsche Bank and in cyber intelligence for the Metropolitan Police. Chris can be reached online at https://www.linkedin.com/in/chris-dw/?originalSubdomain=uk and at our company website https://www.nextdlp.com/