Article

Risk Assessment of Insider Threats Based on IHFACS-BN

School of Economics, Management and Law, University of South China, Hengyang 421001, China
* Author to whom correspondence should be addressed.
These authors contributed equally to this work.
Sustainability 2023, 15(1), 491; https://doi.org/10.3390/su15010491
Submission received: 26 October 2022 / Revised: 10 December 2022 / Accepted: 14 December 2022 / Published: 28 December 2022
(This article belongs to the Special Issue Human and Organizational Factors in Complex Systems)

Abstract

Insider threats, as one of the pressing challenges that threaten an organization’s information assets, usually result in considerable losses to the business. It is necessary to explore the key human factors that enterprise information security management should focus on preventing to reduce the probability of insider threats effectively. This paper first puts forward the improved Human Factors Analysis and Classification System (IHFACS) based on actual enterprise management. Then, the enterprise internal threat risk assessment model is constructed using the Bayesian network, expert evaluation, and fuzzy set theory. Forty-three classic insider threat cases from China, the United States, and Israel during 2009–2021 are selected as samples. Then, reasoning and sensitivity analysis recognizes the top 10 most critical human factors of the accident and the most likely causal chain of unsafe acts. The result shows that the most unsafe behavior was not assessing employees’ familiarity with the company’s internal security policies. In addition, improving the organizational impact of information security can effectively reduce internal threats and promote the sustainable development of enterprises.

1. Introduction

With the development of information management technologies, such as the Internet and mobile applications, the information security problems faced by enterprises have become increasingly serious, and information security risks have penetrated into all aspects of enterprise operation and management. It is well known that every company has internal sensitive data, such as business plans, core technology, customer information data, and intellectual property. Therefore, an attack on an organization’s primary technical information may result in significant losses. The main sources of security threats for businesses today are insiders with access to sensitive data and systems, both malicious insiders and careless insiders [1]. The IBM X-Force Threat Intelligence Index [2] showed that insider attacks were the most common type of cyberattack in 2017, around 60%. The 2020 Insider Threat Report [3] finds that almost all organizations feel vulnerable to insider attacks (95%), and 68% feel moderate to highly vulnerable to insider attacks. In addition, there are numerous causes of insider information security incidents, with human factors (HFs) dominating [4].

1.1. Insider Threat Definition

What is a definition of an insider threat? First, an insider has been legitimately empowered with the right to access or use organizational assets. Assets may involve privileged accounts, core technical data, and other sensitive information. Alternatively, as commonly stated, an insider includes an employee (current or former), trusted business partner, or subcontractor [5]. Additionally, an insider threat was defined as: “intentional or unintentional activities by an insider cause damage to the organization’s assets and/or negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems [6].”

1.2. Insider Threat Incidents

Malicious or unintentional actions by insiders can cause equal harm to their organizations, leaking and deleting confidential internal data, or even giving external attackers an opportunity. Recently, a few internal accidents caused the company substantial financial loss and operational risk, which have aroused widespread concern. For example, an insider attack accident happened in a company at JD on 18 June 2021. This accident was caused by an intern programmer who maliciously deleted the project R&D database, causing delays in the project. In September 2017, a Wells Fargo employee mistakenly sent an email that compromised the information of 50,000 customers due to carelessness [7]. The Bank of Bahrain went bankrupt after a serious internal security incident caused by an employee error that resulted in a loss of $1.4 billion [8]. It can be seen from these examples that there are two main types of insider threats: intentional and malicious insider threats. The “unintentional insider threats” of human negligence and inadequate preparation, often the least detectable types of insider threats, may pose a more serious risk than the former [9]. In short, insider threats are essentially related to “human” factors [10]. The prevention and control of HFs can have a beneficial effect on decreasing insider threats in the enterprise.
This study aims to construct a human-causal analysis model of insider threats in an organization to gain insight into the various insecure behaviors and their influencing factors that lead to information security incidents within an organization. This paper gives important references for identifying what makes insider threats happen in organizations and how to mitigate them more effectively.
The remainder of this paper is organized as follows: current research on insider threats examines various detection and preventive techniques in Section 2. Section 3 presents a hybrid model that integrates fuzzy set theory (FST), expert judgment, and an improved Human Factors Analysis and Classification System (IHFACS) into Bayesian networks (BN), called IHFACS-BN. Section 4 presents the application of the hybrid model in analyzing the key HFs that lead to insider threats in the enterprise and provides constructive comments based on the model’s inference results. Section 5 concludes the research and advises future studies. Finally, future work is presented in Section 6. Figure 1 depicts the organizational structure of this article.

2. Related Work

In recent years, the academic community has paid considerable attention to insider threats, and experts and scholars have proposed different solutions for insider threats in network information security. These methods can be separated into two primary categories: detection and prevention.

2.1. Detection Methods

Insider threat detection approaches are mainly technical and non-technical. Traditional insider threat detection techniques rely primarily on machine learning [11], user commands [12], and biometrics [13], with security events, such as Trojans and viruses, serving as the primary detection objects. With the diversification of insider attackers and attack methods, traditional threat detection techniques have long failed to meet the demand. Insider threat discovery methods are primarily used to detect insider threats through the finding of behavioral traces of insider users and constructing related insider user behavior models. As a result, current insider threat detection approaches are based on aberrant behavior and formal modeling [14].
The anomaly-based threat detection method mainly relies on big data and artificial intelligence technology to classify how users behave, then determine if there is any abnormal behavior that could be an insider threat. The approach may efficiently detect threats posed by unidentified patterns. Currently, it is the most used way. Lane et al. devised two methods based on instance learning and the hidden Markov model to solve this problem. The goal was to create a model of how system users typically work and find abnormal conditions as long-term deviations from expected behavior patterns. Both methods can identify anomalies well enough for low-level “focus of attention” detectors in multi-layer security systems, but they are not good enough for comprehensive security solutions [15]. Happa et al. modeled normal employee behavior using Gaussian mixture models with likelihood and criterion scores as anomaly detection metrics and incorporated pertinent expert knowledge, thereby improving the detection accuracy [16]. With the development of neural networks, deep learning techniques for analyzing the behavior of users and entities have become widespread for detecting insider threats. Zhang et al. proposed an insider threat detection model based on LSTM-Attention that takes full advantage of the LSTM (Long Short-term Memory) network and Attention to handle long sequences but also considers the unique characteristics of insiders [17]. Haq et al. developed two DL (Deep Learning) hybrid LSTM models integrated with Word2vec LSTM GLoVe (Global Vectors for Word Representation) LSTM and compared the performance of these models to detect insider threats with state-of-the-art ML (Machine Learning) models. It was found that ML-based models outperformed the DL-based ones [18]. Several studies have also begun to apply Feedforward Neural Networks [19] and Recurrent Neural Networks [20] to develop a new automatic anomaly detection method.
Insider threat detection methods based on anomalous behavior rely heavily on the accuracy and comprehensiveness of data acquisition and require a large amount of existing insider behavior data, which limits them. Applying non-technical detection methods (e.g., psychological, sociological) is also beneficial for reducing insider threats when there are few or no sample data available. However, the former can determine users’ psychological states from their network or host use, and the latter can infer malicious motives from their social performance [21].

2.2. Prevention Methods

We found that most research has focused on using technology to “detect” threats rather than “prevent” them, so most enterprise cybersecurity programs tend to take a “detection-centric” approach to protection. The approaches for detecting insider threats described in the preceding section suffer from some drawbacks: they are inefficient and take a long time to discover and detect. Some research is theoretical and cannot be applied universally within organizations. Moreover, the primary limitation of a detection-centric approach to security is that it is inherently reactive, acting only on threats that have been identified. A prevention-centric approach tries to stop insider attacks before they happen. As many cybersecurity threats result from human error or a lack of awareness, Rajamäki et al. proposed a proactive and resilient education framework to develop corresponding cybersecurity education and training programs for different categories of employees [22]. Chowdhury et al. [23] proposed a framework for enterprise network security training based on learning theory and the Delphi method.
When security technology fails to protect an organization from insider threats, the human element is usually the weakest link in the information security chain [24]. Thus, human factors are receiving increasing attention. Although frameworks and assessment models for insider threats containing HFs have been proposed in the literature, they lack systematicity and relevance.
Effective accident prevention requires incorporating HFs into accident analysis models [25,26]. This study uses the HFACS model [27], which Shappell and Wiegmann developed to study HFs in accidents based on the Swiss cheese model by analyzing a large amount of aviation accident data. Due to its effective evaluation framework, content integrity, and practicability, the model has been applied in different fields, such as coal mines, maritime transport, and laboratory explosions [28,29,30]. Considering that insider threats are distinct from general safety incidents, this paper proposes an IHFACS framework for insider threat assessment items, adapted from the frameworks in the “Related Studies” section. At the same time, a hybrid model for insider threat HFs analysis is constructed based on BN. The hybrid model is then used to identify high-frequency human causes of insider threats and the causal relationships among HFs at each level to provide a reference for preventing insider threats and further reducing hazards and losses. The main novelties of this study are summarized as follows:
  • An IHFACS framework is proposed to be applied to the HFs analysis of insider enterprise threats.
  • An IHFACS-BN model is used to assess the risk of insecure behavior within the enterprise.
  • HFACS, expert knowledge, the triangular fuzzy number estimation probability method, the Noisy-OR gate model, and BN are integrated into this model.
  • BN-based reasoning identifies key risk factors and the interdependence of HFs at different and the same levels.
  • Compared with traditional accident analysis methods, this method focuses more on the explicit and implicit correlations between HFs.

3. Material and Methods

This section outlines the methodology used to develop the IHFACS-BN model. The model was developed using the HFACS framework, expert assessment method, triangular fuzzy number estimation probability method, and BN to comprehensively identify the risk factors of inside-the-business threats. To achieve better analysis results, the hybrid model combines qualitative and quantitative analysis methods.

3.1. IHFACS

It is well known that HFACS is a widespread and popular framework for human error analysis [28]. According to the HFACS model, “primary causes cause accidents, and potential causes cause primary causes” [31]. As Figure 2 [31] shows, the causes are analyzed at four levels: unsafe human behavior, and the potential factors, which refer to the preconditions of unsafe behavior, unsafe supervision, and organizational influence. The HFACS model is highly flexible and adaptable to industry-specific characteristics [32]. In this paper, we examined the literature on insider threat, investigated the current state of information security management in enterprises, and conducted a thorough examination of insider threat survey reports. We found that insider threats are high-risk, hidden, and multiple, and that the types of enterprises, security management policies, and employee quality vary. This makes the risk transmission process strongly coupled, ambiguous, and dynamic. Therefore, the HFs classification of the original HFACS framework is not fully applicable to insider enterprise threats. For example, at the unsafe supervision level the original HFACS framework focuses on inadequate supervision of crew members in aviation accidents, while enterprise network security protection uses computer technology to monitor user behavior characteristics in real time. In light of the preceding, this paper revises some of the HFs of the HFACS model by collecting and analyzing data on security incidents and referencing relevant studies. In addition, experts in this field held a safety meeting to investigate the root of incidents and briefly describe the HFs professionally. Finally, the IHFACS model for insider threat analysis in enterprises is developed.

3.2. Fuzzy Bayesian Network (FBN)

3.2.1. Fuzzy Theory and Expert Elicitation

It is well known that, as a scientific consensus, the expert judgment method can be used to judge the identified HFs. The Analytic Hierarchy Process (AHP) has a strong ability to deal with complex decision-making problems [33,34,35]. However, because of the subjectivity of qualitative criteria, experts are commonly reluctant to express their opinions clearly and intuitively. For this reason, Laarhoven extended the AHP with a method that calculates with triangular fuzzy numbers (TFNs) [36]. A combination of FST and subjective opinion helps raters estimate the impact rate of each identified HF more effectively [28,35].
In fuzzy judgment, the expert language is quantified as TFN by the affiliation degree function. According to the definition of fuzzy number, the adopted TFN is denoted as A = (a, m, b), and the affiliation degree function of TFN [35] can be expressed as follows:
$$\mu_A(x) = \begin{cases} (x - a)/(m - a), & a \le x \le m \\ (b - x)/(b - m), & m \le x \le b \\ 0, & \text{otherwise} \end{cases} \qquad (1)$$
In Formula (1), A denotes the fuzzy set on the specified universe x, $\mu_A(x)$ denotes the membership function of x to the fuzzy set A, and m denotes the mean value of the fuzzy number A, where a and b denote the lower and upper bounds of the TFN, respectively. In fuzzy judgment, the membership function is used to convert the qualitative linguistic expression of experts into fuzzy triangular numbers. When making preference judgments for pairs of elements in a group, as in AHP, the number of elements in a set should be limited to seven plus or minus two [37]. As a result, five linguistic variables are introduced: VL, L, M, H, and VH. The judgment results of TFNs are qualitatively described in Table 1.
The weight factor is used to represent the quality of experts in order to ensure the reliability of experts’ subjective evaluations. The experts’ abilities are primarily evaluated based on four aspects ($S_n$, $n = 1, 2, 3, 4$): working years, education level, age, and professional positions, combined with the company’s internal information security management practices. Depending on the background of the invited experts, the composite score $E_i$ of the $i$th expert can be obtained by Equation (2) using the scoring rules in Table 2. Then, the respective weights ($\omega_{E_i}$) are determined according to Formula (3) for five experts in different enterprise security fields.
$$E_i = S_1 + S_2 + S_3 + S_4 \qquad (2)$$
$$\omega_{E_i} = \frac{E_i}{\sum_{u=1}^{\lambda} E_u} \quad (\lambda = 1, 2, \ldots, 5) \qquad (3)$$
After obtaining the corresponding fuzzy numbers for the linguistic variables of the experts, the opinions of different experts are aggregated according to the linear joint prior method, namely:
$$P_j = \sum_{i=1}^{n} \left( q_{ij}\, \omega_{E_i} \right), \quad j = 1, 2, \ldots, \lambda \qquad (4)$$
In this formula: $P_j$ is the aggregated fuzzy number of nodes, $\omega_{E_i}$ is the weight of experts, $q_{ij}$ is the language evaluation of node j given by expert i, λ is the number of experts, n is the number of nodes.
In FST, the defuzzification process produces quantifiable results. The mean area method (MAM) can then be used to get the fuzzy value of the node ($N^*$), as in Formula (5):
$$N^* = \frac{a + 2m + b}{4} \qquad (5)$$
In this paper, the prior probability of each node can be obtained by converting N* into probability of an impact rate (PIR) using the Formulas (6) and (7) [36].
$$K = 2.301 \times \left( \frac{1}{N^*} - 1 \right)^{1/3} \qquad (6)$$
$$PIR = \begin{cases} 10^{-K}, & N^* \neq 0 \\ 0, & N^* = 0 \end{cases} \qquad (7)$$
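The chain from Formulas (1) to (7) can be followed end to end in code. The Python below is an added example, not code from the paper: the linguistic TFN scale, the expert scores and the ratings are constructed for illustration and are not the values of Tables 1, 2, 4 or 5, and the function names are hypothetical.

```python
# Added example: expert ratings -> aggregated TFN -> defuzzified N* -> PIR.
# All numeric inputs below are constructed; they are not the paper's tables.

# Assumed linguistic scale, each term a TFN (a, m, b) on [0, 1].
TFN_SCALE = {
    "VL": (0.0, 0.0, 0.25),
    "L": (0.0, 0.25, 0.5),
    "M": (0.25, 0.5, 0.75),
    "H": (0.5, 0.75, 1.0),
    "VH": (0.75, 1.0, 1.0),
}

# Constructed scores (S1..S4) for five experts: working years, education
# level, age, professional position.
EXPERT_SCORES = [(5, 4, 3, 4), (4, 4, 2, 3), (3, 3, 3, 3), (2, 3, 2, 2), (4, 5, 4, 4)]


def membership(x, tfn):
    """Formula (1): triangular membership of x in A = (a, m, b)."""
    a, m, b = tfn
    if a <= x <= m:
        return 1.0 if m == a else (x - a) / (m - a)
    if m <= x <= b:
        return 1.0 if b == m else (b - x) / (b - m)
    return 0.0


def expert_weights(scores):
    """Formulas (2)-(3): E_i = S1+S2+S3+S4, weight = E_i / sum of all E."""
    totals = [sum(s) for s in scores]
    grand_total = sum(totals)
    return [t / grand_total for t in totals]


def aggregate(ratings, weights):
    """Formula (4): weighted sum of the experts' TFNs for one node."""
    tfns = [TFN_SCALE[r] for r in ratings]
    return tuple(sum(w * t[k] for w, t in zip(weights, tfns)) for k in range(3))


def defuzzify(tfn):
    """Formula (5): mean area method."""
    a, m, b = tfn
    return (a + 2 * m + b) / 4


def pir(n_star):
    """Formulas (6)-(7): K = 2.301 * (1/N* - 1)^(1/3), PIR = 10^(-K)."""
    if not 0.0 <= n_star <= 1.0:
        raise ValueError("N* must lie in [0, 1]")
    if n_star == 0:
        return 0.0
    k = 2.301 * (1.0 / n_star - 1.0) ** (1.0 / 3.0)
    return 10 ** (-k)


def node_prior(ratings, scores):
    """Prior probability of one evidence node from five linguistic ratings."""
    weights = expert_weights(scores)
    return pir(defuzzify(aggregate(ratings, weights)))


if __name__ == "__main__":
    # Constructed ratings for three hypothetical evidence nodes.
    for node, ratings in {
        "node_1": ["H", "VH", "H", "M", "H"],
        "node_2": ["M", "M", "M", "M", "M"],
        "node_3": ["L", "VL", "L", "M", "L"],
    }.items():
        print(node, round(node_prior(ratings, EXPERT_SCORES), 6))
```

The conversion is strongly non-linear: a defuzzified value of 0.5 maps to a prior of about 0.005, so small shifts in expert ratings move the prior by orders of magnitude.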

3.2.2. BN

BN is a probabilistic reasoning-based graphical network with functions such as causal analysis, bidirectional reasoning, and prediction. Due to its ability to better simulate human thought processes, BN has become an increasingly popular modeling technology in network security, such as information security risk assessment and intelligent grid security [38,39]. Moreover, it has recently been used to study insider threats in models [40,41]. Therefore, we introduce a BN model to this study since its causal relationship is very suitable for the study and application of risk problems.
BN is usually composed of two parts: BN structure and BN parameters. (1) The structure of BN is also called a directed acyclic graph (DAG), which is mainly a qualitative analysis of the BN, consisting of nodes representing each event and directed edges connecting each node, as shown in Figure 3. There are three main types of nodes: target nodes, intermediate nodes, and evidence nodes. (2) The parameter of BN is also called the Conditional Probability Table (CPT), a quantitative analysis of BN that represents the strength of connections between network nodes. BN can be expressed as:
$$B = \langle G, P \rangle = \langle (V, M), P \rangle \qquad (8)$$
where (V, M) is a DAG with n nodes, M is the set of directed edges between these nodes, P is the CPT of each node, and $X = \{X_1, X_2, \ldots, X_n\}$ is a set of random variables. The JPD (joint probability distribution) of BN is:
$$P(X) = P(X_1, X_2, \ldots, X_n) = \prod_{i=1}^{n} P(X_i \mid \pi(X_i)) \qquad (9)$$
where $\pi(X_i)$ represents the parent nodes of $X_i$. In addition, this study combines the Noisy-OR gate model and expert judgment to implement the CPTs.

4. Application of the Methodology

4.1. Application of HFACS Framework

To identify as many contributing factors to the insider threat as possible, we first compiled insider threat incidents from 2009 to 2021 in various countries using Weibo, Baidu, and the existing literature. We filtered the collected data to identify enterprise security incidents in which unsafe acts were the leading cause. This paper compiles 43 enterprise insider threat incidents in China and other nations (including the United States and Israel) between 2009 and 2021. Then, based on the direct and indirect causes in the incident reports and concerning related studies [41,42,43,44,45,46], the HFs of insider enterprise threats were categorized and aggregated according to the item categories of the IHFACS model. Second, a workshop on information security within enterprises was held to compensate for the dearth of sample data, with the participation of experts in the field, such as senior project supervisors, network management managers, and IT engineers from various businesses. The improved HFACS model adheres to the four levels of the original HFACS framework; only specific subcategories were revised. Finally, these failures were classified into four levels based on the HFACS model: organizational influence (N = 12), unsafe supervision failures (N = 13), preconditions for unsafe acts (N = 8), and unsafe acts (N = 9). It can be seen that unsafe supervision and organizational failure contribute to insider threats most frequently. Table 3 lists the IHFACS contributory failures, along with their compliance and specific manifestations.

4.2. Establishment of Interdependencies for the Identified HFs

For mapping the IHFACS model into BN, the identified HFs are transformed into a hierarchy of nodes in BN. In the traditional HFACS framework, it is generally considered that the relationship between the four levels is that the upper level influences the lower level. The bottom layer (unsafe behavior) directly determines the occurrence of the accident. It often ignores the connections between different levels and within the same level. In practice, we find that this interaction relationship has an important impact on the occurrence of insider threats.
This study proposes two hypotheses as a result. The first is that the higher-level HFs in IHFACS would influence the lower-level HFs, and the second is that HFs at the same level could influence one another. First, the human factors of 43 insider threat events were classified and counted using the established IHFACS model. The frequency of HFs was then calculated, followed by the probability of the layers interacting. For example, when A11 occurs, the frequency of C12 is 18, and the proportion of its total frequency (20) is 0.9, indicating that A11 and C12 have a 0.9 correlation value. We establish the threshold value at 0.8. Experts score (0–1) the association between upper and lower levels with each same-level factor according to IHFACS and get the association probability by weighted average. Two sets of association probabilities were derived after expert scoring and statistical analysis of case data. There are three scenarios to consider.
Scenario 1: When the case’s association probability exceeds the threshold value, the factors are deemed highly associated regardless of whether the expert’s scoring value for the group of factors is greater than or less than the threshold value. An edge links two nodes together.
Scenario 2: When the case data count a set of factors whose association values are all less than the threshold and the expert scores for that set of factors are also less than the threshold, this means that the pair of factors does not hold in both hypotheses and is not considered.
Scenario 3: When the calculated association value for the case is less than the threshold and the expert’s scoring value for the group of factors’ association is greater than the threshold, factor weighting is necessary to determine the analysis. The calculation is weighted with a ratio of 0.8:0.2. For example, the statistical value of 20% and the expert’s score of 80% can be weighted independently. If the weighted value is less than the threshold value, the group of factors is deemed irrelevant or insufficient and is not considered. The graphical structure of BN is built according to the IHFACS hierarchy by connecting nodes between the upper and lower levels of HFACS and within the same level with edges, as shown in Figure 4. All directed edges connecting nodes in the model of Figure 4 are shown in Table A1.
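The three scenarios amount to a small decision rule for whether a directed edge enters the BN. The Python below is an added example, not code from the paper. It assumes that the total frequency of 20 in the A11/C12 illustration is the number of cases containing A11, that the expert score passed in is already the weighted average over experts, and that values exactly at the threshold are treated as shown in the comments. The X/Y codes and all case data are constructed.

```python
# Added example: edge selection for the BN structure (Scenarios 1-3).
THRESHOLD = 0.8                # threshold stated in the text
W_CASE, W_EXPERT = 0.2, 0.8    # Scenario 3 weighting stated in the text

# Constructed case data: each incident is the set of HF codes identified in it.
CASES = (
    [{"A11", "C12"}] * 18 + [{"A11"}] * 2      # mirrors the 18-of-20 illustration
    + [{"X1", "Y1"}] * 3 + [{"X1"}] * 2        # hypothetical pair, 3 of 5
    + [{"X2", "Y2"}] * 2 + [{"X2"}] * 2        # hypothetical pair, 2 of 4
    + [{"X3", "Y3"}] * 1 + [{"X3"}] * 3        # hypothetical pair, 1 of 4
)

# Constructed expert association scores in [0, 1], keyed by (parent, child).
EXPERT_SCORES = {
    ("A11", "C12"): 0.70,
    ("X1", "Y1"): 0.90,
    ("X2", "Y2"): 0.85,
    ("X3", "Y3"): 0.40,
}


def case_association(cases, parent, child):
    """Share of the cases containing `parent` that also contain `child`."""
    containing = [c for c in cases if parent in c]
    if not containing:
        return 0.0
    return sum(child in c for c in containing) / len(containing)


def decide_edge(case_assoc, expert_assoc):
    """Return (keep_edge, scenario) following Scenarios 1-3."""
    if case_assoc > THRESHOLD:
        # Scenario 1: case data alone is decisive, whatever the experts scored.
        return True, "scenario 1"
    if expert_assoc <= THRESHOLD:
        # Scenario 2: neither source supports the link (equality assumed here).
        return False, "scenario 2"
    # Scenario 3: experts above threshold, case data below; weight 0.2 : 0.8.
    weighted = W_CASE * case_assoc + W_EXPERT * expert_assoc
    return weighted >= THRESHOLD, "scenario 3"


def build_edges(cases, expert_scores):
    """Directed edges (parent, child) that survive the three scenarios."""
    edges = []
    for (parent, child), expert in expert_scores.items():
        keep, _ = decide_edge(case_association(cases, parent, child), expert)
        if keep:
            edges.append((parent, child))
    return edges


if __name__ == "__main__":
    for pair, expert in EXPERT_SCORES.items():
        assoc = case_association(CASES, *pair)
        print(pair, round(assoc, 2), expert, decide_edge(assoc, expert))
    print(build_edges(CASES, EXPERT_SCORES))
```

With the 0.2:0.8 weighting, an expert score above 0.8 can still fail to create an edge when the case data is weak, as the X2/Y2 pair shows (0.2 × 0.5 + 0.8 × 0.85 = 0.78).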

4.3. Bayesian Network Assignment

In BN of the information security incident risk, the state of each node is considered to have two states. “Yes” means it has an impact on the occurrence of the accident, and “No” means it has no impact on the accident. The next step is determining the nodes’ prior probabilities and CPTs. Due to the relatively general statistics of insider threat events, some qualitative influencing factors cannot be obtained through statistical data. Therefore, this paper adopts fuzzy, expert elicitation, and Noisy-OR gate model to obtain the prior probability of the evidence nodes and CPTs for intermediate nodes. For this purpose, a method of scoring rules is established to calculate the competence of each expert and assign their respective weights. The contents of the expert rating scale are in Table 2, and the expert weights are shown in Table 4. Table 5 summarizes all expert opinions on the likelihood of HFs failures, and corresponding defuzzified aggregated and PIR values.
In this BN model, the conditional probability table of the single node D1 (“violation”) alone requires $2^5 = 32$ conditional probabilities. The amount of data required is too large. In order to reduce the required data, the Noisy-OR gate model is introduced to estimate the CPT in this study. In the BN based on the Noisy-OR gate model, each variable has only two states, that is, “yes” and “no,” and each variable is independent of the others [47]. Meanwhile, a single variable $A_i$ is enough to cause the result Y to appear when the other variables do not. When only $A_i$ is “yes” and the other parent nodes are “no,” the probability of the occurrence of node Y is given by Equation (10); the CPTs for the child node Y are then calculated using Equation (11).
$$P_i = P(Y \mid \bar{A}_1, \bar{A}_2, \ldots, A_i, \ldots, \bar{A}_n) \qquad (10)$$
$$P(Y \mid A_p) = 1 - \prod_{i:\, A_i \in A_p} (1 - P_i) \qquad (11)$$
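The saving from the Noisy-OR gate is easiest to see by generating the full table for a five-parent node from its five link probabilities. The Python below is an added example, not code from the paper or from GeNIe. The parent names, link probabilities $P_i$ and parent priors are constructed, and `marginal_yes` additionally assumes the parents are mutually independent root nodes.

```python
# Added example: Noisy-OR CPT for a binary node with five binary parents.
from itertools import product

# Constructed link probabilities P_i (Equation (10)) for hypothetical parents.
LINK_PROBS = {
    "parent_1": 0.30,
    "parent_2": 0.20,
    "parent_3": 0.10,
    "parent_4": 0.25,
    "parent_5": 0.15,
}

# Constructed prior P(parent = yes) for each parent.
PARENT_PRIORS = {
    "parent_1": 0.05,
    "parent_2": 0.02,
    "parent_3": 0.10,
    "parent_4": 0.01,
    "parent_5": 0.03,
}


def noisy_or_cpt(link_probs):
    """Equation (11): map each parent state tuple to P(Y = yes | parents).

    Keys are tuples of booleans in the order of `link_probs`. There is no
    leak term in Equation (11), so the all-"no" row is exactly 0.
    """
    names = list(link_probs)
    cpt = {}
    for states in product((False, True), repeat=len(names)):
        none_fires = 1.0
        for name, is_yes in zip(names, states):
            if is_yes:
                none_fires *= 1.0 - link_probs[name]
        cpt[states] = 1.0 - none_fires
    return cpt


def marginal_yes(link_probs, priors):
    """P(Y = yes), summing the CPT over all parent states (independent parents)."""
    names = list(link_probs)
    total = 0.0
    for states, p_yes in noisy_or_cpt(link_probs).items():
        weight = 1.0
        for name, is_yes in zip(names, states):
            weight *= priors[name] if is_yes else 1.0 - priors[name]
        total += weight * p_yes
    return total


if __name__ == "__main__":
    cpt = noisy_or_cpt(LINK_PROBS)
    print("rows generated:", len(cpt), "from", len(LINK_PROBS), "elicited values")
    print("all parents yes:", round(cpt[(True,) * 5], 4))
    print("P(Y = yes):", round(marginal_yes(LINK_PROBS, PARENT_PRIORS), 5))
```

Because the gate has no leak term, the child can never be “yes” when every parent is “no”; any cause outside the modelled parents would have to be added as an extra parent node.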

4.4. Inverse Reasoning (IR) and Sensitivity Analysis (SA)

The FBN model inputs the prior model and CPTs to make it simulated and run in the GeNIe 2.3 Academic program and get the risk probability inference result of accidents. Deductive reasoning is one of the unique and specific characteristics of BN, which can reason regarding HFs that are not fully reflected in accident investigation reports, thereby improving accident investigation reports and contributing to future accident prevention. According to the reverse inference rule of BN, the calculation result is obtained, and the probability that the accident state is “yes” is set to 100%. As shown in Figure 5, the sum of the four probabilities of organizational influences (A), unsafe supervision (B), preconditions of unsafe acts (C), and unsafe acts (D) is significantly greater than 1, demonstrating the existence of interactions within all four HFACS levels and among their peers. Notably, the probability of unsafe behavior is the largest, followed by the premise of unsafe behavior. Continue to infer the reverse, assuming that the probability of bad conditions for accidents A, B, and C is 100%, the results show that the probability of unsafe behavior is as high as 99%, and A13 has the highest probability in parent nodes. The most likely cause-and-effect chain leading to unsafe behaviors is A13→A1→A→D. The most likely causal chain that leads to unsafe behavior begins with a flawed security detection system, then passes to poor resource management and organizational influences.
Sensitivity analysis is used to determine the degree of influence of each factor on insider threat incidents. In Figure 6, the darker the node’s color, the more sensitive the node is. The most sensitive events are A22, A11, A23, A24, C13, A13, A12, B13, D12, C12, and C11. Among them, the top five contributing root events are “managers don’t pay enough attention to internal security organization (A22),” “insufficient safety education and training (A11),” “lack of humanistic care for employees who are inclined to leave (A23),” “enterprise talent mobility is large (A24),” and “competence (C13).” Moreover, it is worth noting that the largest proportion (60%) of the accident occurrence comes from organizational influences (A) among the top 10 contributing HFs (Table 6).

4.5. Suggestions for Enterprise Information Security Management

Suggestions for the prevention of internal threats are made for key causal factors.
(1) For the most fundamental factor of imperfect security detection systems, enterprises, especially SMEs, should pay attention to their investment in insider threat detection technology and promptly update detection tools to strengthen database security management.
(2) At the organizational impact A level, enterprises should focus on preventing insider threats, setting up an internal information security management department, and establishing a sound internal attack emergency response mechanism. In addition, continuous information security awareness training and education are crucial to enterprise security management.
(3) Talent is the core resource for an enterprise’s sustainable and healthy development. The loss of high-level talents can easily lead to the leakage of the enterprise’s commercial secrets and core technologies. Focusing on humanistic care for employees is one of the most important ways to retain talent. In addition, enterprises should build an early warning mechanism for high-level talent loss to prevent it before it happens.

5. Conclusions

To identify and rank the most highly contributing HFs in insider threats, this paper proposes a hybrid model based on FST, BN, and IHFACS. The model facilitated the identification, characterization, and ranking of human factors from the perspective of accident causation. Deficiencies in resource management (e.g., A11, A12, and A13), poor organizational climate, technical detection vulnerabilities, and bad personal factors were the most critical root events related to the occurrence of insider threats. At the same time, behavior violation was the most important unsafe behavior leading to accidents, among which the factor with the most significant influence is “employees’ familiarity with the company’s internal safety policy/low level of mastery of safety skills” (D12).
The study’s most striking finding was that organizational influence is the primary contributor to the top 10 basic events. In addition, the study discovered that HFs influencing different levels of insider threat have an influential relationship not only between factors at the next level associated with the previous level, but also between factors across levels and within the same level. The most likely causal chain for the occurrence of insecure behaviors was: “Inadequate detection system deployment and system access control settings→resource management failure→organizational management failure→insecure behaviors.”
Although no datasets are available against which to compare our method, the results of other insider threat studies can be used for mutual corroboration. Elmrabit et al. [48] proposed a BN-based insider threat risk prediction model, which predicts that cases with the highest likelihood of insider threats are due to a high level of risk in human factors, including capabilities, opportunities, and motivation. Small companies pay less attention to insider threats, invest less in technical factors, and have lower detection levels. Furthermore, inadequate occupational safety training, which leads to insufficient safety awareness among employees and predisposes them to unsafe behaviors, is an essential human factor prevalent in insider threats [23]. These were consistent with the results of this study.
Insider threat is one of the toughest challenges to the sustainable development of enterprises currently, and the insider threat risk assessment model proposed in this study has certain application value. Based on the obtained results, more reasonable control measures and improvement suggestions are put forward for the internal risk prevention of the enterprise.

6. Future Work

This paper has some limitations. Since insider threat incidents are corporate scandals, many security incident investigation reports are not publicly available, making the sample size of cases in this paper small. At the same time, because subjective factor data mostly involves personal privacy and corporate secrets, it is more difficult to obtain than objective factor data. Although the integration of expert judgment and fuzzy theory is used to solve the problem of insufficient historical data and help risk assessment overcome possible ambiguity, the reasoning process and results of the study are largely related to the completeness of the cases and the expertise of the expert group.
In our future work, to address the difficulty of accessing some data, we will design privacy and secret filtering protection mechanisms that ensure the threat pattern data is based on the user’s or enterprise’s concerns. Through this approach, we can collect as many different security events as possible within the enterprise to expand the sample size. Based on these data, we plan to incorporate machine learning into the BN model in order to improve the model’s accuracy and credibility in risk assessment.

Author Contributions

Conceptualization, Y.W.; methodology, M.Z.; validation, M.Z.; formal analysis, M.Z.; investigation, M.Z.; resources, C.D.; data curation, C.D.; writing—original draft preparation, M.Z.; writing—review and editing, C.D. and Y.W.; funding acquisition, Y.W. and C.D. All authors have read and agreed to the published version of the manuscript.

Funding

This paper is supported by Philosophy and Social Science Foundation Youth Project of Hunan Province of China, grant number 19YBQ093, the Scientific research project of Education Department, grant number 20C1625, and the Special Funds for Student Innovation and Entrepreneurship Training Program, grant number S202010555082. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The data presented in this study are available on request from the corresponding author.

Acknowledgments

We sincerely thank all the experts who participated in this research information security conference and Krista Chen for their contribution to this work.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Table A1. All directed edges connecting nodes in the model.
| A11→A1 | B22→B2 | D14→D1 | A23→C11 | C22→D22 |
| A12→A1 | B23→B2 | D15→D1 | A24→C12 | C31→C32 |
| A13→A1 | B31→B3 | D21→D2 | A32→A33 | C33→C32 |
| A21→A2 | B32→B3 | D22→D2 | B13→B41 | D12→D21 |
| A22→A2 | B41→B4 | D23→D2 | B14→B22 | D12→D22 |
| A23→A2 | B42→B4 | D24→D2 | B15→D24 | D12→D23 |
| A24→A2 | B43→B4 | A11→A21 | B41→C11 | A1→A |
| A31→A3 | C11→C1 | A11→C13 | B42→D21 | A2→A |
| A32→A3 | C12→C1 | A12→A13 | C11→D11 | A3→A |
| A33→A3 | C13→C1 | A13→B31 | C11→D13 | B1→B |
| A34→A3 | C21→C2 | A13→B32 | C12→D13 | B2→B |
| A35→A3 | C22→C2 | A22→A12 | C12→D14 | B3→B |
| B11→B1 | C31→C3 | A22→A35 | C12→D15 | B4→B |
| B12→B1 | C32→C3 | A22→B12 | C13→D12 | C1→C |
| B13→B1 | C33→C3 | A22→B13 | C13→D21 | C2→C |
| B14→B1 | D11→D1 | A22→C21 | C13→D22 | C3→C |
| B15→B1 | D12→D1 | A22→C22 | C13→D23 | D1→D |
| B21→B2 | D13→D1 | A23→A24 | C22→D13 | D2→D |

References

  1. Wong, W.P.; Tan, H.C.; Tan, K.H.; Tseng, M.L. Human factors in information leakage: Mitigation strategies for information sharing integrity. Ind. Manag. Data Syst. 2019, 119, 1242–1267.
  2. Lee, C.; Iesiev, A.; Usher, M.; Harz, D.; McMillen, D. IBM X-Force Threat Intelligence Index. Available online: www.ibm.com/legal/copytrade.shtml (accessed on 20 March 2022).
  3. Cybersecurity Insiders. 2020 Insider Threat Report. Available online: https://www.cybersecurity-insiders.com (accessed on 20 March 2022).
  4. Suman, R.; Far, B.; Mohammed, E.; Nair, A.; Janbakhsh, S. Visualization of Server Log Data for Detecting Abnormal Behaviour. In Proceedings of the 2018 IEEE International Conference on Information Reuse and Integration (IRI), Salt Lake City, UT, USA, 6–9 July 2018; pp. 244–247.
  5. Frank, L.; Justin, P.; Yung, M.; Paul, J. Positioning Your Organization to Respond to Insider Threats. IEEE Eng. Manag. Rev. 2019, 47, 75–83.
  6. Claycomb, W.R.; Nicoll, A. Insider threats to cloud computing: Directions for new research challenges. In Proceedings of the International Computer Software and Applications Conference, Izmir, Turkey, 16–20 July 2012; pp. 387–394.
  7. Editorial Department of this Journal. Inventory: Major data leakage incidents at home and abroad in 2017. China Inf. Secur. 2018, 3, 62–68.
  8. Yang, Y. The revelation that insider threats cost billions of dollars. Inf. Secur. 2010, 24, 53.
  9. Buckley, O.; Nurse, J.R.; Legg, P.A.; Goldsmith, M.; Creese, S. Reflecting on the Ability of Enterprise Security Policy to Address Accidental Insider Threat. In Proceedings of the 2014 Workshop on Socio-Technical Aspects in Security and Trust, Vienna, Austria, 18 July 2014; pp. 8–15.
  10. Goh, P. Humans as the weakest link in maintaining cybersecurity: Building cyber resilience in humans. In Introduction to Cyber Forensic Psychology: Understanding the Mind Of The Cyber Deviant Perpetrators; World Scientific: Singapore, 2021; pp. 287–305. Available online: 10.1142/9789811232411_0014 (accessed on 20 March 2022).
  11. Ye, X.; Hong, S.; Han, M. Feature Engineering Method Using Double-layer Hidden Markov Model for Insider Threat Detection. Int. J. Fuzzy Log. Intell. Syst. 2020, 20, 17–25.
  12. Wu, C.; Shuai, J.; Long, T.; Yu, J. Research on User Abnormal Operation Detection Method Based on Linux Shell Command. Inf. Netw. Secur. 2021, 21, 31–38.
  13. Yao, H.; Wang, C.; Xu, Q.; Li, W. A distributed biometric authentication protocol based on homomorphic encryption. Comput. Res. Dev. 2019, 56, 2375–2383.
  14. Guo, S.Z.; Zhang, L.; Pan, Y.; Tao, W.; Bai, W.; Zheng, Q.B.; Liu, Y.; Pan, Z.S. A review of research on insider threat discovery detection methods. Data Acquis. Ration. 2022, 37, 488–501.
  15. Lane, T.; Brodley, C.E. An empirical study of two approaches to sequence learning for anomaly detection. Mach. Learn. 2003, 51, 73–107.
  16. Happa, J. Insider-threat detection using gaussian mixture models and sensitivity profiles. Comput. Secur. 2018, 77, 838–859.
  17. Zhang, G.H.; Yan, F.R.; Zhang, D.W.; Liu, X.F. Insider Threat Detection Model Based on LSTM-Attention. Netinfo Security 2022, 22(2), 1–10.
  18. Haq, M.A.; Khan, M.A.R.; Alshehri, M. Insider Threat Detection Based on NLP Word Embedding and Machine Learning. Intell. Autom. Soft Comput. 2022, 33, 619–635.
  19. Hu, T.; Niu, W.; Zhang, X.; Liu, X.; Lu, J.; Liu, Y. An Insider Threat Detection Approach Based on Mouse Dynamics and Deep Learning. Secur. Commun. Netw. 2019, 2019, 3898951.
  20. Alshehri, A. Relational Deep Learning Detection with Multi-Sequence Representation for Insider Threats. Int. J. Adv. Comput. Sci. Appl. 2022, 13, 758–765.
  21. Theoharidou, M.; Kokolakis, S.; Karyda, M.; Kiountouzis, E. The insider threat to information systems and the effectiveness of ISO17799. Comput. Secur. 2005, 24, 472–484.
  22. Rajamäki, J.; Nevmerzhitskaya, J.; Virág, C. Cybersecurity education and training in hospitals: Proactive resilience educational framework (Prosilience EF). In Proceedings of the 2018 IEEE Global Engineering Education Conference (EDUCON), Santa Cruz de Tenerife, Spain, 17–20 April 2018; pp. 2042–2046.
  23. Chowdhury, N.; Katsikas, S.; Gkioulos, V. Modeling effective cybersecurity training frameworks: A delphi method-based study. Comput. Secur. 2022, 113, 102551.
  24. Hadlington, L. Human factors in cybersecurity; examining the link between Internet addiction, impulsivity, attitudes towards cybersecurity, and risky cyber security behaviours. Heliyon 2017, 3, e00346.
  25. Islam, R.; Abbassi, R.; Garaniya, V.; Khan, F. Determination of human error probabilities for the maintenance operations of marine engines. J. Ship Prod. Des. 2016, 32, 226–234.
  26. Lu, J.; Liu, W.; Yu, K.; Zhou, L. The Dynamic Evolution Law of Coal Mine Workers’ Behavior Risk Based on Game Theory. Sustainability 2022, 14, 4015.
  27. Wiegmann, D.; Shappell, S. A Human Error Approach to Aviation Accident Analysis: The Human Factors Analysis and Classification System; Ashgate Press: London, UK, 2003; pp. 45–70.
  28. Ma, L.; Ma, X.; Xing, P.; Yu, F. A hybrid approach based on the HFACS-FBN for identifying and analysing human factors for fire and explosion accidents in the laboratory. J. Loss Prev. Process Ind. 2022, 75, 104675.
  29. Xie, T.; Li, C.; Wei, Y.; Jiang, J.; Xie, R. Cross-domain integrating and reasoning spaces for offsite nuclear emergency response. Saf. Sci. 2016, 85, 99–116.
  30. Emre, A. A marine accident analysing model to evaluate potential operational causes in cargo ships. Saf. Sci. 2017, 92, 17.
  31. Shappell, S.; Wiegmann, D. Applying Reason: The human factors analysis and classification system (HFACS). Hum. Factors Aerosp. Saf. 2001, 1, 59–86.
  32. Zarei, E.; Yazdi, M.; Abbassi, R.; Khan, F. A hybrid model for human factor analysis in process accidents: FBN-HFACS. J. Loss Prev. Process Ind. 2019, 57, 142–155.
  33. Rostamabadi, A.; Jahangiri, M.; Zarei, E.; Kamalinia, M.; Alimohammadlou, M. A novel Fuzzy Bayesian Network approach for safety analysis of process systems: An application of HFACS and SHIPP methodology. J. Clean. Prod. 2020, 244, 118761.
  34. Cao, C.; Liu, Y.; Tang, O.; Gao, X. A fuzzy bi-level optimization model for multi-period post-disaster relief distribution in sustainable humanitarian supply chains. Int. J. Prod. Econ. 2021, 235, 108081.
  35. Qiao, W.; Liu, Y.; Ma, X.; Liu, Y. Human factors analysis for maritime accidents based on a dynamic fuzzy bayesian network. Risk Anal. 2020, 40, 957–980.
  36. Laarhoven, P.; Pedrycz, W. A Fuzzy extension of saaty’s priority theory. Fuzzy Sets Syst. 1983, 11, 229–241.
  37. Saaty, T.L. Why the magic number seven plus or minus two. Math. Comput. Model. 2003, 38, 233–244.
  38. Fu, Y.; Wu, X. Information security risk assessment method based on Bayesian network. J. Wuhan Univ. 2006, 5, 631–634.
  39. Wadhawan, Y.; AlMajali, A.; Neuman, C. A comprehensive analysis of smart grid systems against cyber-physical attacks. Electronics 2018, 7, 249.
  40. Greitzer, F.L.; Kangas, L.J.; Noonan, C.F.; Dalton, A.C.; Hohimer, R.E. Identifying at-risk employees: Modeling psychosocial precursors of potential insider threats. In Proceedings of the 2012 45th Hawaii International Conference on System Sciences, Maui, HI, USA, 4–7 January 2012; pp. 2392–2401.
  41. Alsowail, R.; Al-Shehari, T. A Multi-Tiered Framework for Insider Threat Prevention. Electronics 2021, 10, 1005.
  42. Kim, J.; Lee, C.; Chang, H. The Development of a Security Evaluation Model Focused on Information Leakage Protection for Sustainable Growth. Sustainability 2020, 12, 10639.
  43. Hong, Y.; Furnell, S. Understanding cybersecurity behavioral habits: Insights from situational support. J. Inf. Secur. Appl. 2021, 57, 102710.
  44. Reshmi, S. Multihand Administration with Intrusion Avoidance in Database System. Data Min. Knowl. Eng. 2010, 2. Available online: https://api.semanticscholar.org/CorpusID:168640234.
  45. Seo, S.; Kim, D. Study on Inside Threats Based on Analytic Hierarchy Process. Symmetry 2020, 12, 1255.
  46. Hong, Y.; Furnell, S. Motivating information security policy compliance: Insights from perceived organizational formalization. J. Comput. Inf. Syst. 2022, 62, 19–28.
  47. Onisko, A.; Druzdzel, M.; Wasyluk, H. Learning bayesian network parameters from small data sets: Application of noisy-or gates. Int. J. Approx. Reason. 2001, 27, 165–182.
  48. Elmrabit, N.; Yang, S.; Yang, L.; Zhou, H. Insider threat risk prediction based on Bayesian network. Comput. Secur. 2020, 96, 101908.
Figure 1. Article outline.
Figure 2. HFACS framework.
Figure 3. Directed acyclic graph.
Figure 4. Mapping identified HFs in IHFACS to BN.
Figure 5. Insider threat risk diagnostic inference results.
Figure 6. Sensitivity analysis results.
Table 1. Judgment of triangular fuzzy numbers.
| Likelihood | Linguistic Expressions | TFNs |
|---|---|---|
| 1 | Very low (VL) | (0, 0.1, 0.2) |
| 2 | Low (L) | (0.2, 0.3, 0.4) |
| 3 | Medium (M) | (0.4, 0.5, 0.6) |
| 4 | High (H) | (0.6, 0.7, 0.8) |
| 5 | Very high (VH) | (0.8, 0.9, 1) |
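Table 2. Weighting scores of experts.
| Group | Classification | Score |
|---|---|---|
| Professional position (S1) | Senior Project Supervisor | 5 |
| Professional position (S1) | Manager of Network Administration | 4 |
| Professional position (S1) | Engineer | 3 |
| Professional position (S1) | Technician | 2 |
| Professional position (S1) | Worker | 1 |
| Age (years) (S2) | ≥35 | 5 |
| Age (years) (S2) | 30–34 | 4 |
| Age (years) (S2) | 25–29 | 3 |
| Age (years) (S2) | 22–24 | 2 |
| Age (years) (S2) | ≤22 | 1 |
| Experience (years) (S3) | ≥10 | 5 |
| Experience (years) (S3) | 7–9 | 4 |
| Experience (years) (S3) | 4–6 | 3 |
| Experience (years) (S3) | 2–3 | 2 |
| Experience (years) (S3) | ≤1 | 1 |
| Education Level (S4) | PhD | 5 |
| Education Level (S4) | Master | 4 |
| Education Level (S4) | Bachelor | 3 |
| Education Level (S4) | HND | 2 |
| Education Level (S4) | School level | 1 |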
Table 3. Symbols and descriptions of HFs in the IHFACS.
| IHFACS Level | Sub Level | Failure Symbol and Its Description |
|---|---|---|
| Organizational influences (A) | (A1) Resource management | A11—Insufficient safety education and training. |
| Organizational influences (A) | (A1) Resource management | A12—Security costs are under-invested. |
| Organizational influences (A) | (A1) Resource management | A13—Internal information access control and security detection system deployment are flawed. |
| Organizational influences (A) | (A2) Organizational climate | A21—The internal safety culture of the enterprise is not in place. |
| Organizational influences (A) | (A2) Organizational climate | A22—Managers don’t pay enough attention to the internal security organization. |
| Organizational influences (A) | (A2) Organizational climate | A23—Lack of humanistic care for employees who are inclined to leave. |
| Organizational influences (A) | (A2) Organizational climate | A24—Enterprise talent mobility is large. |
| Organizational influences (A) | (A3) Organizational process | A31—The internal safety rules and regulations of the enterprise are not perfect. |
| Organizational influences (A) | (A3) Organizational process | A32—The internal information security policy is not detailed. |
| Organizational influences (A) | (A3) Organizational process | A33—Not all employees are familiar with cybersecurity policies. |
| Organizational influences (A) | (A3) Organizational process | A34—Employees do not strictly comply with the organization’s safety management policies. |
| Organizational influences (A) | (A3) Organizational process | A35—Outsourcing of in-house security services. |
| Unsafe supervision (B) | (B1) Technical monitoring of vulnerabilities | B11—Technology to detect software or systems with vulnerabilities. |
| Unsafe supervision (B) | (B1) Technical monitoring of vulnerabilities | B12—The database security system lacks multi-hand management for intrusion avoidance (i.e., less than three levels of system response) [44]. |
| Unsafe supervision (B) | (B1) Technical monitoring of vulnerabilities | B13—There is no activity logging for employee email, online activity, and network traffic. |
| Unsafe supervision (B) | (B1) Technical monitoring of vulnerabilities | B14—The frequency of confidential supervision and monitoring is low, the sampling rate is low, and the inspection radiation surface is limited. |
| Unsafe supervision (B) | (B1) Technical monitoring of vulnerabilities | B15—There is a lack of supervision mechanisms for the declassification period after the departure of personnel involved in secrets. |
| Unsafe supervision (B) | (B2) Planned inappropriate operations | B21—Regulatory authorities that do not break down internal and external threats. |
| Unsafe supervision (B) | (B2) Planned inappropriate operations | B22—Insider threat technology detects infrequently. |
| Unsafe supervision (B) | (B2) Planned inappropriate operations | B23—Failure to pay attention to security within the partner. |
| Unsafe supervision (B) | (B3) Failed to correct known problems | B31—The security inspection system has a high rate of false negatives. |
| Unsafe supervision (B) | (B3) Failed to correct known problems | B32—The security inspection system has a high rate of false positives. |
| Unsafe supervision (B) | (B4) Supervisory violation | B41—Staff network activity logs were not monitored as required. |
| Unsafe supervision (B) | (B4) Supervisory violation | B42—The supervisor is absent from the review of the storage or transmission of confidential data. |
| Unsafe supervision (B) | (B4) Supervisory violation | B43—Violations found in confidentiality supervision have not been punished. |
| Preconditions for unsafe acts (C) | (C1) Personal factors [41] | C11—Bad motives (e.g., tempted by money and power, antisocial personality). |
| Preconditions for unsafe acts (C) | (C1) Personal factors [41] | C12—Opportunities (expiration of contract; position; expiration of term; authority). |
| Preconditions for unsafe acts (C) | (C1) Personal factors [41] | C13—Competence (e.g., unclear responsibility, weak sense of confidentiality, irregular operation). |
| Preconditions for unsafe acts (C) | (C2) Environment factors | C21—Poor working environment (e.g., failure to implement formalization of security personnel, work incentive compensation). |
| Preconditions for unsafe acts (C) | (C2) Environment factors | C22—Poor technical environment (i.e., server security, personal computer security, update and maintenance of security systems, and/or backward security technology are/is poor). |
| Preconditions for unsafe acts (C) | (C3) Personal status | C31—Poor mental state (e.g., chronic illness, low productivity). |
| Preconditions for unsafe acts (C) | (C3) Personal status | C32—There are contradictions in internal personnel relations (e.g., discord with colleagues, contradictions with superior leaders, and lack of communication between the team). |
| Preconditions for unsafe acts (C) | (C3) Personal status | C33—High working pressure levels. |
| Unsafe acts (D) | (D1) Violation | D11—Failure to conduct pre-employment background checks on employees or pre-job reviews of confidential personnel is mere formalities. |
| Unsafe acts (D) | (D1) Violation | D12—Employees’ familiarity with the company’s internal safety policy/low level of mastery of safety skills. |
| Unsafe acts (D) | (D1) Violation | D13—Information and technology within the enterprise are not subject to access control and key management according to the level of confidentiality. |
| Unsafe acts (D) | (D1) Violation | D14—Failure to sign confidentiality contracts or non-compete agreements with classified employees. |
| Unsafe acts (D) | (D1) Violation | D15—Secret personnel install remote control software without authorization and access internal information systems [45]. |
| Unsafe acts (D) | (D2) Errors | D21—Misuse of internal system resources by employees or partners; mishandling of data. |
| Unsafe acts (D) | (D2) Errors | D22—Installing unauthorized applications and using unapproved workarounds. |
| Unsafe acts (D) | (D2) Errors | D23—Secret personnel mistakenly clicked unsolicited emails or phishing URLs. |
| Unsafe acts (D) | (D2) Errors | D24—There is a mistake in removing access to internal information and retiring confidential documents and equipment when confidential employees leave their jobs. |
Table 4. Weights of employed experts.
| Expert | Weight |
|---|---|
| Expert 1 (E1) | 0.24 |
| Expert 2 (E2) | 0.20 |
| Expert 3 (E3) | 0.19 |
| Expert 4 (E4) | 0.22 |
| Expert 5 (E5) | 0.15 |
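Table 5. Expert opinions for HFs, defuzzify aggregated, and probability value.
| Symbols | E1 | E2 | E3 | E4 | E5 | N* | PIR |
|---|---|---|---|---|---|---|---|
| A11 | L | M | H | VH | M | 0.578 | 0.00847 |
| A12 | VL | N | VL | M | M | 0.328 | 0.00120 |
| A13 | M | H | M | H | H | 0.614 | 0.01069 |
| A21 | L | L | L | H | L | 0.388 | 0.00210 |
| A22 | H | M | M | VH | M | 0.636 | 0.01229 |
| A23 | M | L | L | M | VL | 0.362 | 0.00166 |
| A24 | VH | L | L | L | VL | 0.414 | 0.00261 |
| A31 | VH | M | M | H | M | 0.64 | 0.01261 |
| A32 | L | H | L | M | L | 0.424 | 0.00283 |
| A33 | VL | M | M | H | H | 0.478 | 0.00427 |
| A34 | M | H | M | M | H | 0.57 | 0.00804 |
| A35 | M | H | H | VL | M | 0.49 | 0.00466 |
| B11 | L | H | M | H | H | 0.566 | 0.00783 |
| B12 | H | M | L | L | H | 0.496 | 0.00486 |
| B13 | VH | VH | H | H | M | 0.758 | 0.02675 |
| B14 | L | M | M | L | M | 0.408 | 0.00248 |
| B15 | VH | H | M | M | M | 0.636 | 0.01229 |
| B21 | VL | L | L | L | M | 0.282 | 0.00072 |
| B22 | H | L | M | M | H | 0.538 | 0.00650 |
| B23 | VH | L | H | H | H | 0.668 | 0.01504 |
| B31 | L | M | VH | VL | H | 0.47 | 0.00403 |
| B32 | VL | L | H | L | H | 0.388 | 0.00210 |
| B41 | H | L | M | L | M | 0.464 | 0.00385 |
| B42 | VH | VH | H | M | L | 0.684 | 0.01664 |
| B43 | M | M | M | L | M | 0.456 | 0.00363 |
| C11 | VH | M | H | VH | H | 0.752 | 0.02572 |
| C12 | VH | M | M | M | M | 0.596 | 0.00952 |
| C13 | H | M | M | H | VH | 0.652 | 0.01360 |
| C21 | L | L | L | L | H | 0.36 | 0.00163 |
| C22 | VH | L | L | L | VH | 0.534 | 0.00633 |
| C31 | VL | VL | VL | VH | M | 0.336 | 0.00130 |
| C32 | M | VL | L | H | M | 0.426 | 0.00287 |
| C33 | L | VL | VL | H | VL | 0.28 | 0.00070 |
| D11 | L | H | L | H | H | 0.48 | 0.00433 |
| D12 | M | M | M | H | H | 0.574 | 0.00825 |
| D13 | M | VH | H | H | H | 0.692 | 0.01751 |
| D14 | VH | H | M | M | H | 0.666 | 0.01485 |
| D15 | VH | VH | VH | H | VH | 0.856 | 0.05368 |
| D21 | M | VH | H | VH | VH | 0.766 | 0.02820 |
| D22 | H | VH | H | M | VH | 0.726 | 0.02173 |
| D23 | M | H | VH | H | H | 0.69 | 0.01728 |
| D24 | H | H | M | L | VH | 0.604 | 0.01002 |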
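The following added example (not code from the paper) recomputes four rows of Table 5 from the Table 1 scale and the Table 4 expert weights, and flags an opinion that is not on the Table 1 scale, finding the one scale term that reproduces the printed N*. It assumes weighted linear pooling of the TFNs, centroid defuzzification, and the Onisawa conversion with constant 2.301; these assumptions reproduce the printed values for the rows shown, and all function names are hypothetical.

```python
# Added example (not the paper's code). Scale, weights and rows are copied
# from Tables 1, 4 and 5; the two conversion formulas are assumptions.
TFN = {"VL": (0.0, 0.1, 0.2), "L": (0.2, 0.3, 0.4), "M": (0.4, 0.5, 0.6),
       "H": (0.6, 0.7, 0.8), "VH": (0.8, 0.9, 1.0)}          # Table 1
WEIGHTS = (0.24, 0.20, 0.19, 0.22, 0.15)                      # Table 4, E1..E5
# symbol -> (opinions of E1..E5, printed N*, printed probability), Table 5
TABLE5 = {
    "A11": ("L M H VH M", 0.578, 0.00847),
    "A12": ("VL N VL M M", 0.328, 0.00120),  # "N" as printed; not on the scale
    "B13": ("VH VH H H M", 0.758, 0.02675),
    "D15": ("VH VH VH H VH", 0.856, 0.05368),
}


def aggregate(terms, weights=WEIGHTS):
    """Weighted linear pool of the experts' TFNs, component by component."""
    return tuple(sum(w * TFN[t][i] for w, t in zip(weights, terms))
                 for i in range(3))


def defuzzify(tfn):
    """Centroid of a triangular fuzzy number (assumed method)."""
    return sum(tfn) / 3.0


def onisawa(fps):
    """Fuzzy possibility score -> probability (assumed Onisawa function)."""
    if not 0.0 <= fps <= 1.0:
        raise ValueError("fuzzy possibility score must lie in [0, 1]")
    if fps == 0.0:
        return 0.0
    k = 2.301 * ((1.0 - fps) / fps) ** (1.0 / 3.0)
    return 10.0 ** -k


def check_row(symbol, tol_n=5e-4, tol_p=1e-5):
    """Recompute one Table 5 row and compare it with the printed values."""
    opinions, n_printed, p_printed = TABLE5[symbol]
    terms = opinions.split()
    invalid = [t for t in terms if t not in TFN]
    recovered = None
    if len(invalid) == 1:
        # One opinion is unreadable: try every scale term in its place and
        # accept a substitute only if exactly one reproduces the printed N*.
        pos = terms.index(invalid[0])
        fits = [t for t in TFN if abs(
            defuzzify(aggregate(terms[:pos] + [t] + terms[pos + 1:]))
            - n_printed) <= tol_n]
        if len(fits) == 1:
            recovered = terms[pos] = fits[0]
    if any(t not in TFN for t in terms):
        return {"symbol": symbol, "invalid": invalid, "recovered": None,
                "n_star": None, "p": None, "consistent": False}
    n_star = defuzzify(aggregate(terms))
    p = onisawa(n_star)
    consistent = (abs(n_star - n_printed) <= tol_n
                  and abs(p - p_printed) <= tol_p)
    return {"symbol": symbol, "invalid": invalid, "recovered": recovered,
            "n_star": n_star, "p": p, "consistent": consistent}


if __name__ == "__main__":
    for sym in TABLE5:
        r = check_row(sym)
        print(sym, round(r["n_star"], 3), round(r["p"], 5),
              "ok" if r["consistent"] else "MISMATCH",
              f"invalid={r['invalid']} recovered={r['recovered']}")
```

Because the TFNs in Table 1 are symmetric, the centroid equals the weighted sum of the middle values, so any defuzzification that returns the peak gives the same N*.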
Table 6. Top 10 riskiest factors in insider threats.
| Symbol | Rank | Category |
|---|---|---|
| A22 (Managers don’t pay enough attention to the internal security organization.) | 1 | Organizational influences |
| A11 (Insufficient safety education and training.) | 2 | Organizational influences |
| A23 (Lack of humanistic care for employees who are inclined to leave.) | 3 | Organizational influences |
| A24 (Enterprise talent mobility is large.) | 4 | Organizational influences |
| C13 (Competence.) | 5 | Preconditions for unsafe acts |
| A13 (Internal information access control and security detection system deployment are flawed) | 6 | Organizational influences |
| A12 (Security costs are under-invested.) | 7 | Organizational influences |
| B13 (There is no activity logging for employee email, online activity, and network traffic.) | 8 | Unsafe supervision |
| D12 (Employees’ familiarity with the company’s internal safety policy / low level of mastery of safety skills.) | 9 | Unsafe acts |
| C12 (Opportunities.) | 10 | Preconditions for unsafe acts |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Zeng, M.; Dian, C.; Wei, Y. Risk Assessment of Insider Threats Based on IHFACS-BN. Sustainability 2023, 15, 491. https://doi.org/10.3390/su15010491

AMA Style

Zeng M, Dian C, Wei Y. Risk Assessment of Insider Threats Based on IHFACS-BN. Sustainability. 2023; 15(1):491. https://doi.org/10.3390/su15010491

Chicago/Turabian Style

Zeng, Min, Chuanzhou Dian, and Yaoyao Wei. 2023. "Risk Assessment of Insider Threats Based on IHFACS-BN" Sustainability 15, no. 1: 491. https://doi.org/10.3390/su15010491
