{"id":22,"date":"2015-05-26T22:56:53","date_gmt":"2015-05-26T22:56:53","guid":{"rendered":"http:\/\/magazine.hmc.edu\/spring-2015\/?p=22"},"modified":"2015-08-28T10:34:44","modified_gmt":"2015-08-28T17:34:44","slug":"decoding-bad","status":"publish","type":"post","link":"https:\/\/magazine.hmc.edu\/spring-2015\/decoding-bad\/","title":{"rendered":"Decoding Bad"},"content":{"rendered":"<p><strong>HOW DO YOU SPOT THE GOVERNMENT EMPLOYEE WHO<\/strong> is about to sell state secrets, the worker who plans to loot his company or the employee plotting to harm his co-workers?<\/p>\n<p>One answer may be cyber surveillance, widely used by corporations and the federal government. Such efforts monitor vast quantities of cyber data, looking for evidence of crime. But Frank Greitzer, who did research on decision making and intelligence\/counterintelligence analysis at the Department of Energy\u2019s Pacific Northwest National Laboratory, doubts that cyber surveillance by itself will work.<\/p>\n<p>\u201cIf you focused on cyber data alone, you soon would be overloaded with information,\u201d says Greitzer \u201968, a mathematics alumnus whose undergraduate preparation included a fair dose of courses in psychology. His passion for the topic led him to combine the mathematical and physical sciences with the behavioral through the mathematical psychology program at UCLA, where he received his PhD. His applied research on human behavior, information processing and decision making spans more than 40 years. 
His peer-reviewed publications include about 20 papers in scientific journals and books and over 64 papers for technical conferences.<\/p>\n<p>\u201cUsing traditional cyber monitoring methods, by the time you find evidence of an insider threat, the attack would most likely already have occurred,\u201d Greitzer says.<\/p>\n<p>He favors a more comprehensive approach that would also identify unusual patterns of employee behavior that might indicate wrongdoing is in the works. Greitzer has long been interested in the interplay between psychology and online behavior. In 2010, while researching behavioral factors in insider threat, he came across a series of papers by researchers in the fields of personality and social psychology. These papers examined the intersection of language, personality and behavior. The researchers studied samples of informal writing in social media and found that subtle but meaningful differences in the use of common words provide clues to an individual\u2019s psychological state. \u201cThis research suggested to me that a statistical analysis\u00a0of certain word categories\u2014such as negative, angry or profane words\u2014may reveal attitudes or personality traits that might indicate a higher risk of committing insider crimes,\u201d Greitzer says.<\/p>\n<blockquote><p>Behind cyber attacks, terrorism or espionage, there is a human being. I try to characterize that behavior so that we have a chance of identifying suspicious activity before something happens.<\/p>\n<p><cite>\u2013 Frank Greitzer &#8217;68<\/cite><\/p><\/blockquote>\n<p>He has theorized that companies or government agencies might be able to spot potential troublemakers by analyzing word use in employee emails. Importantly, such scans wouldn\u2019t examine the content of the emails, but rather only word frequencies. 
The appeal of including this \u201cpsycholinguistic approach\u201d to threat detection is that it is less intrusive because it maintains privacy of semantic content. Also, it has a stronger legal standing because organizations own employee emails generated through corporate email systems, says Greitzer.<\/p>\n<p>Nevertheless, he warns that there may be innocent explanations for seemingly odd behavior.<\/p>\n<p>\u201cIf someone starts working odd hours, begins accessing parts of the network he or she doesn\u2019t normally access and exhibits concerning behaviors or possible personality issues, this doesn\u2019t tell you that he or she is doing something wrong,\u201d he says. \u201cIt might turn out that an employee is working odd hours to meet a deadline.\u201d And behavioral or personality issues might be explained by things going on outside the job\u2014serious health problems, for example. But these risk indicators do suggest that there are things to be concerned about that ought to be looked at more closely.<\/p>\n<p>He has outlined his ideas in a series of scientific journal articles. Anticipating questions about privacy issues surrounding this form of monitoring, Greitzer was among the first to address ethical and privacy concerns as part of a comprehensive approach that included both cyber and behavioral monitoring.<\/p>\n<p>Greitzer, who spent most of his career doing research for the federal government, continues to perform human factors research in cyber security\u00a0through his consulting firm, PsyberAnalytix. His most recent consulting work supported government-funded research on insider threat and cybersecurity job performance. He also has consulted informally with financial institutions that expressed interest in his work.<\/p>\n<p>Efforts to head off catastrophic crimes took a quantum leap forward as a result of the attacks of 9\/11. 
Some officials said there had been a failure to connect the dots that could have spotted the terrorists before they crashed airliners into the World Trade Center and the Pentagon and into a field in Pennsylvania. For instance, several of the terrorists took flight-simulation lessons but never showed any interest in learning how to land an airliner. After the attacks, it became obvious why.<\/p>\n<p>Greitzer believes the job of spotting terrorists or cyber criminals before they act is a far more complex matter than just \u201cconnecting the dots.\u201d He says that this task is more like reassembling several jigsaw puzzles that have been randomly thrown together with pieces shredded. Moreover, the puzzle boxes have been thrown away, so there aren\u2019t any guiding pictures.<\/p>\n<p>\u201cYou literally don\u2019t know what you\u2019re looking for,\u201d he says. \u201cYou\u2019re reconstructing the puzzle, looking for some kind of pattern that\u2019s indicative of something wrong.\u201d For that reason, a variety of tools are needed to solve the puzzle.<\/p>\n<p>\u201cBehind cyber attacks, terrorism or espionage, there is a human being,\u201d he says. \u201cI try to characterize that behavior so that we have a chance of identifying suspicious activity before something happens.\u201d But, he says, he would never propose using his tools in isolation, as a stand-alone method of spotting potential perpetrators.<\/p>\n<p>Criminals aren\u2019t the only focus of his work. It\u2019s long been known that employees who are stressed, pre-occupied or sick can make mistakes\u2014potentially disastrous ones if they work in critical functions, such as an operator at a nuclear power plant. Greitzer argues that these behavioral analytic methods could be used to spot at-risk employees and get them help before they make a costly mistake.<\/p>\n<p>Greitzer emphasizes that his ideas need formal testing before they can be implemented. 
And any combination of cyber and behavioral monitoring should be accompanied by appropriate privacy safeguards, he says, lest we take a step toward the nightmarish society portrayed in 1984, George Orwell\u2019s novel of a totalitarian surveillance state.<\/p>\n<p>\u201cYou don\u2019t want somebody committing an attack,\u201d he says. \u201cBut you don\u2019t want to live in Orwell\u2019s world either.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>HOW DO YOU SPOT THE GOVERNMENT EMPLOYEE WHO is about to sell state secrets, the worker who plans to loot [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":445,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2],"tags":[],"class_list":["post-22","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-features"],"acf":[],"_links":{"self":[{"href":"https:\/\/magazine.hmc.edu\/spring-2015\/wp-json\/wp\/v2\/posts\/22","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/magazine.hmc.edu\/spring-2015\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/magazine.hmc.edu\/spring-2015\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/magazine.hmc.edu\/spring-2015\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/magazine.hmc.edu\/spring-2015\/wp-json\/wp\/v2\/comments?post=22"}],"version-history":[{"count":0,"href":"https:\/\/magazine.hmc.edu\/spring-2015\/wp-json\/wp\/v2\/posts\/22\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/magazine.hmc.edu\/spring-2015\/wp-json\/wp\/v2\/media\/445"}],"wp:attachment":[{"href":"https:\/\/magazine.hmc.edu\/spring-2015\/wp-json\/wp\/v2\/media?parent=22"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/magazine.hmc.edu\/spring-2015\/wp-json\/wp\/v2\/categories?post=22"},{"taxonomy":"post_tag","embeddable":tru
e,"href":"https:\/\/magazine.hmc.edu\/spring-2015\/wp-json\/wp\/v2\/tags?post=22"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}