{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:33:07Z","timestamp":1759091587111,"version":"3.41.2"},"reference-count":34,"publisher":"Emerald","issue":"4","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2006,8,1]]},"abstract":"<jats:sec>\n                  <jats:title>Purpose<\/jats:title>\n                  <jats:p>This paper presents the process of constructing a language tailored to describing insider threat incidents, for the purposes of mitigating threats originating from legitimate users in an IT infrastructure.<\/jats:p>\n               <\/jats:sec>\n               <jats:sec>\n                  <jats:title>Design\/methodology\/approach<\/jats:title>\n                  <jats:p>Various information security surveys indicate that misuse by legitimate (insider) users has serious implications for the health of IT environments. A brief discussion of survey data and insider threat concepts is followed by an overview of existing research efforts to mitigate this particular problem. None of the existing insider threat mitigation frameworks provide facilities for systematically describing the elements of misuse incidents, and thus all threat mitigation frameworks could benefit from the existence of a domain specific language for describing legitimate user actions.<\/jats:p>\n               <\/jats:sec>\n               <jats:sec>\n                  <jats:title>Findings<\/jats:title>\n                  <jats:p>The paper presents a language development methodology which centres upon ways to abstract the insider threat domain and approaches to encode the abstracted information into language semantics. The language construction methodology is based upon observed information security survey trends and the study of existing insider threat and intrusion specification frameworks.<\/jats:p>\n               <\/jats:sec>\n               <jats:sec>\n                  <jats:title>Originality\/value<\/jats:title>\n                  <jats:p>This paper summarizes the picture of the insider threat in IT infrastructures and provides a useful reference for insider threat modeling researchers by indicating ways to abstract insider threats.<\/jats:p>\n               <\/jats:sec>","DOI":"10.1108\/09685220610690826","type":"journal-article","created":{"date-parts":[[2006,9,26]],"date-time":"2006-09-26T05:17:18Z","timestamp":1159247838000},"page":"361-381","source":"Crossref","is-referenced-by-count":20,"title":["Towards an insider threat prediction specification language"],"prefix":"10.1108","volume":"14","author":[{"given":"G.B.","family":"Magklaras","sequence":"first","affiliation":[{"name":"Network Research Group, School of Computing, Communications and Electronics, University of Plymouth, Plymouth, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"S.M.","family":"Furnell","sequence":"additional","affiliation":[{"name":"Network Research Group, School of Computing, Communications and Electronics, University of Plymouth, Plymouth, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"P.J.","family":"Brooke","sequence":"additional","affiliation":[{"name":"School of Computing, University of Teesside, Middlesbrough, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"unstructured":"Aslam, T.\n          , Krsul, I. and Spafford, E. (1996), \u201cUse of a taxonomy of security faults\u201d, Technical Report TR-96-051, COAST Laboratory, Department of Computer Sciences, Purdue University, IN.","key":"2025072819444803900_b1"},{"unstructured":"Bach, M.\n           (1986), The Design of the UNIX Operating System, Prentice-Hall, Englewood Cliffs, NJ.","key":"2025072819444803900_b3"},{"doi-asserted-by":"crossref","unstructured":"Beale, J.\n          , Foster, J.C. and Posluns, J. (2003), Snort 2.0 Intrusion Detection, Syngress Publishing, Rockland, MA.","key":"2025072819444803900_b2","DOI":"10.1016\/B978-193183674-6\/50006-3"},{"doi-asserted-by":"crossref","unstructured":"Caelli, W.\n          , Longley, D. and Shain, M. (1991), Information Security Handbook, Stockton Press, New York, NY.","key":"2025072819444803900_b4","DOI":"10.1007\/978-1-349-12209-7_23"},{"unstructured":"CNN.com\n           (2002), \u201cThe case against Robert Hanssen\u201d, available at: http:\/\/edition.cnn.com\/SPECIALS\/2001\/hanssen\/.","key":"2025072819444803900_b5"},{"doi-asserted-by":"crossref","unstructured":"Consel, C.\n           (2004), \u201cFrom a program family to a domain-specific language\u201d, in Lengauer, C., Batory, D., Consel, C. and Odersky, M. (Eds), Domain-Specific Program Generation, Lecture Notes in Computer Science 3016, Springer-Verlag, New York, NY, pp. 19-29.","key":"2025072819444803900_b6","DOI":"10.1007\/978-3-540-25935-0_2"},{"unstructured":"Curry, D.\n          , Debar, H. and Feinstein, B. (2004), \u201cThe intrusion detection message exchange format\u201d, internet draft, Intrusion Detection Exchange Format Working Group, Internet Engineering Task Force, 8 July.","key":"2025072819444803900_b7"},{"unstructured":"Doyle, J.\n           (1999), Some Representational Limitations of the Common Intrusion Specification Language, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, MA, November.","key":"2025072819444803900_b8"},{"unstructured":"Endorf, C.\n          , Schultz, E. and Mellander, J. (2003), Intrusion Detection and Prevention: The Authorative Guide to Detecting Malicious Activity, McGraw Hill, New York, NY.","key":"2025072819444803900_b9"},{"unstructured":"Feiertag, R.\n          , Kahn, C., Porras, P., Schnackenberg, D., Staniford-Chen, S. and Tung, B. (1999), \u201cA common intrusion specification language (CISL)\u201d, available at: www.isi.edu\/ \u223c\u2009brian\/cidf\/drafts\/language.txt, 11 June.","key":"2025072819444803900_b10"},{"unstructured":"Feinstein, B.\n          , Matthews, G. and White, J. (2002), \u201cThe intrusion detection exchange protocol (IDXP)\u201d, Internet Draft, Intrusion Detection Exchange Format Working Group, Internet Engineering Task Force, 22 April 2003, available at: www.ietf.org\/internet-drafts\/draft-ietf-idwg-beep-idxp-07.txt.","key":"2025072819444803900_b11"},{"unstructured":"Frykholm, N.\n           (2000), \u201cCountermeasures against buffer overflow attacks\u201d, White Paper, RSA Laboratories.","key":"2025072819444803900_b12"},{"unstructured":"Furnell, S.\n          , Magklaras, G., Papadaki, M. and Dowland, P. (2001), \u201cA generic taxonomy for intrusion specification and response\u201d, Proceedings of Euromedia 2001, Valencia, Spain, 18-20 April 2001, pp. 125-31.","key":"2025072819444803900_b13"},{"unstructured":"Gibbons, R.\n           (1992), A Primer in Game Theory, Prentice-Hall, Englewood Cliffs, NJ.","key":"2025072819444803900_b14"},{"unstructured":"Helbig, K.\n           (1993) Modelling the Earth for Oil Exploration: Final Report of the CEC's Geoscience I Program 1990-1993, Pergamon Publishing, Oxford.","key":"2025072819444803900_b15"},{"unstructured":"Magklaras, G.\n           (2005), \u201cAn architecture for insider misuse threat prediction in IT systems\u201d, MPhil Thesis, School of Computing, Communications and Electronics, University of Plymouth, Plymouth.","key":"2025072819444803900_b16"},{"issue":"1","key":"2025072819444803900_b17","doi-asserted-by":"crossref","first-page":"62","DOI":"10.1016\/S0167-4048(02)00109-8","article-title":"Insider threat prediction tool: evaluating the probability of IT misuse","volume":"21","author":"Magklaras","year":"2002","journal-title":"Computers & Security"},{"unstructured":"Magklaras, G.\n           and Furnell, S. (2004), \u201cThe insider misuse threat survey: investigating IT misuse from legitimate users\u201d, Proceedings of the 5th Australian Information Warfare & Security Conference, Perth Western Australia, 25-26 November 2004, pp. 42-51.","key":"2025072819444803900_b18"},{"doi-asserted-by":"crossref","unstructured":"Moore, D.\n          , Voelker, G. and Savage, S. (2001), \u201cInferring internet denial of service activity\u201d, Proceedings of the 10th USENIX Security Symposium, Washington DC, August 2001, pp. 9-22.","key":"2025072819444803900_b19","DOI":"10.21236\/ADA400003"},{"unstructured":"NSTISSAM\n           (1999), The Insider Threat To US Government Information Systems, NSTISSAM INFOSEC \/1-99, US National Security Telecommunications And Information Systems Security Committee, available at: www.cnss.gov\/Assets\/pdf\/nstissam_infosec_1-99.pdf.","key":"2025072819444803900_b20"},{"unstructured":"Pfleeger, C.\n           and Pfleeger, S. (2003), Security in Computing, 3rd ed., Prentice-Hall, Englewood Cliffs, NJ.","key":"2025072819444803900_b21"},{"doi-asserted-by":"crossref","unstructured":"Postel, J.\n           and Reynolds, J. (1983), \u201cTELNET protocol specification\u201d, Request For Comments (RFC) 854, IETF Network Working Group, May.","key":"2025072819444803900_b22","DOI":"10.17487\/rfc0854"},{"unstructured":"PWC\n           (2004) Information Security Breaches Survey 2004 \u2013 Technical Report, available at: www.pwc.com\/images\/gx\/eng\/about\/svcs\/grms\/2004Technical_Report.pdf.","key":"2025072819444803900_b23"},{"doi-asserted-by":"crossref","unstructured":"Richardson, R.\n           (2003), \u201c2003 CSI\/FBI computer crime and security survey\u201d, Computer Security Institute. Spring.","key":"2025072819444803900_b24","DOI":"10.1016\/S1361-3723(03)00208-2"},{"unstructured":"Richter, J.\n           (1997), Advanced Windows, Microsoft Press, Redmond, DC.","key":"2025072819444803900_b25"},{"issue":"6","key":"2025072819444803900_b26","doi-asserted-by":"crossref","first-page":"526","DOI":"10.1016\/S0167-4048(02)01009-X","article-title":"A framework for understanding and predicting insider attacks","volume":"21","author":"Schultz","year":"2002","journal-title":"Computers & Security"},{"unstructured":"Sharda, N.\n           (1999), Multimedia Information Networking, Chapter 12, Prentice-Hall, Englewood Cliffs, NJ.","key":"2025072819444803900_b27"},{"unstructured":"Slashdot\n           (2001), \u201cSpying and technology: Robert Philip Hanssen\u201d, posting on Slashdot.org, 22 February 2001, available at: http:\/\/slashdot.org\/articles\/01\/02\/22\/0622249.shtml.","key":"2025072819444803900_b28"},{"unstructured":"Tuglular, T.\n           (2000), \u201cA preliminary structural approach to insider computer misuse incidents\u201d, EICAR 2000 Best Paper Proceedings, pp. 105-25.","key":"2025072819444803900_b29"},{"unstructured":"W3C\n           (2006), \u201cExtensible markup language, architecture domain, world wide web consortium (W3C)\u201d, available at: www.w3.org\/XML\/.","key":"2025072819444803900_b30"},{"unstructured":"Wood, B.\n           (2000), \u201cAn insider threat model for adversary simulation\u201d, SRI International, Research on Mitigating the Insider Threat to Information Systems \u2013 #2 Proceedings of a Workshop Held by RAND, August 2000.","key":"2025072819444803900_b31"},{"unstructured":"Ylonen, T.\n           (1995), \u201cThe SSH (secure shell) remote login protocol\u201d, Internet Draft, IETF Network Working Group, 15 November 1995, available at: www.free.lp.se\/fish\/rfc.txt.","key":"2025072819444803900_b32"},{"unstructured":"Ziegler, R.\n           (2002), LINUX Firewalls, 2nd ed., Chapter 2, New Riders Publishing, Indianapolis, IN, pp. 48-50.","key":"2025072819444803900_b33"},{"unstructured":"Zwicky, E.D.\n          , Cooper, S. and Chapman, D.B. (2000), \u201cBuilding Internet Firewalls\u201d, 2nd ed., O'Reilly & Associates, Sebastopol, CA.","key":"2025072819444803900_b34"}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220610690826","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/ics\/article-pdf\/14\/4\/361\/1203912\/09685220610690826.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/www.emerald.com\/ics\/article-pdf\/14\/4\/361\/1203912\/09685220610690826.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,28]],"date-time":"2025-07-28T23:44:59Z","timestamp":1753746299000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.emerald.com\/ics\/article\/14\/4\/361\/176982\/Towards-an-insider-threat-prediction-specification"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2006,8,1]]},"references-count":34,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2006,8,1]]}},"URL":"https:\/\/doi.org\/10.1108\/09685220610690826","relation":{},"ISSN":["0968-5227","1758-5805"],"issn-type":[{"type":"print","value":"0968-5227"},{"type":"electronic","value":"1758-5805"}],"subject":[],"published":{"date-parts":[[2006,8,1]]}}}