1. Field of Invention
This invention relates to biometrics, contactless tags and sensors specifically used to monitor and track an individual's activity. Through the utilization of rule-based software, said systems will detect abnormalities in behavior and alert authorized security personnel and supervisors so they may initiate further investigation.
2. Description of Prior Art
Internal threats (insider threats) account for more damage to an organization than external ones. An organization's resources are typically used to prevent external threats, with implicit trust applied to those individuals within the system. Currently, basic human observation is the main form of detection used when an organization suspects an insider of abnormal activity. The inherent problem with this approach is the reliance on co-workers or employees to recognize one of their own as a possible threat. Employees, in most cases, rationalize suspicious insider activity because they cannot conceive of any co-worker as a threat. Consequently, investigating employees do not take action until significant damage has occurred. It is this uninformed view of threats by both the organization and its employees that sets the stage for this kind of activity.
In a recent study of 100 information security systems, violations by personnel with authorized access to their respective information systems occurred under the following intent classifications: 45% were clearly malicious, 13% were possibly malicious, 10% were criminal, and 33% were believed to be human errors. At least half of the personnel who caused the insider damage were information technology professionals. Of this 50%, 19% were top-level system administrators and 31% were assistant system administrators. Of the other 50%, 40% had limited system access and 8% were basic users.
Typically, in the event of suspicious activity, personnel know the individual and tend not to believe this person is a participant in such an event. In essentially every instance, co-workers know the individual holds all of the appropriate clearances, and sometimes a higher level of clearance. It is too difficult to report a fellow employee without confronting the individual. Typically, the investigating employee makes an inquiry of the individual regarding the suspicious activity and is satisfied with the suspect's answer. The insider continues these activities but is now more careful.
When reviewing previous insider cases, all the indications were present, yet co-workers rationally justified the inappropriate behavior, and the insider's activities continued. Many insiders were caught only when extraordinary evidence was presented, e.g. a friendly insider on the other side intercepted correspondence, or a major insider blunder occurred that pointed directly to the suspected individual. It was only after one or both of these events occurred that the insider was brought to management's attention.
Currently, crude, documentation-based tracking systems exist and range from personnel signing in with a guard for after-hours access to electronically logging them in whenever the individual enters the facility. In an attempt to control access to classified materials, tracking within the facility is generally limited to combination locks and a paper roster that requires the employee to sign a log when entering and exiting secure areas. Access to copying or printing classified files is not normally tracked.
Most systematic approaches involve tedious and labor-intensive procedures in an attempt to detect abnormalities. Such efforts may track personnel who go to their office after regularly scheduled work hours. Others attempt to track personnel who access classified information, make copies, or attempt to enter areas for which they are not authorized.
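The rule-based monitoring described above (after-hours presence, entry into unauthorized areas, copying of classified material) can be sketched as a small rule engine over facility events. This is an added illustration, not code from the patent; the event fields, work-hours window, authorization table and rule names are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, time
from collections import defaultdict

# Constructed sample of badge/sensor events (assumed schema, not from the patent).
EVENTS = [
    {"ts": "2024-03-04T09:10:00", "user": "u1", "kind": "enter", "zone": "office"},
    {"ts": "2024-03-04T22:40:00", "user": "u1", "kind": "enter", "zone": "office"},
    {"ts": "2024-03-04T22:45:00", "user": "u1", "kind": "copy", "zone": "print_room",
     "classified": True},
    {"ts": "2024-03-05T14:00:00", "user": "u2", "kind": "enter", "zone": "vault"},
    {"ts": "2024-03-05T10:00:00", "user": "u2", "kind": "enter", "zone": "office"},
]

WORK_HOURS = (time(7, 0), time(19, 0))          # assumed scheduled work window
AUTHORIZED_ZONES = {"u1": {"office", "print_room"}, "u2": {"office"}}  # assumed roster

def after_hours(ev):
    """Any activity outside the scheduled work window."""
    t = datetime.fromisoformat(ev["ts"]).time()
    return not (WORK_HOURS[0] <= t < WORK_HOURS[1])

def unauthorized_zone(ev):
    """Entry into an area the individual is not cleared for."""
    return ev["kind"] == "enter" and ev["zone"] not in AUTHORIZED_ZONES.get(ev["user"], set())

def classified_copy(ev):
    """Copying or printing of classified material."""
    return ev["kind"] == "copy" and ev.get("classified", False)

RULES = [("after_hours_activity", after_hours),
         ("unauthorized_zone", unauthorized_zone),
         ("classified_copy", classified_copy)]

def evaluate(events, rules=RULES):
    """Return one alert per (event, matching rule) for security personnel to review."""
    return [{"rule": name, "user": ev["user"], "ts": ev["ts"]}
            for ev in events for name, rule in rules if rule(ev)]

def escalate(alerts, min_distinct_rules=2):
    """Users who trip several different rules are escalated to a supervisor."""
    hits = defaultdict(set)
    for a in alerts:
        hits[a["user"]].add(a["rule"])
    return {u for u, rules in hits.items() if len(rules) >= min_distinct_rules}

if __name__ == "__main__":
    found = evaluate(EVENTS)
    for a in found:
        print(a)
    print("escalate:", escalate(found))
```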
Another common method for detecting insiders is through routine polygraph tests. This method has demonstrated merit but is not conclusive. Once a polygraph indicates a suspected case of deception, it does not indicate the extent of damage caused by the insider. Determining the extent of the damage caused leads management into a whole spectrum of new problems.