{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T10:03:38Z","timestamp":1767261818773,"version":"3.41.2"},"reference-count":39,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2020,6,4]],"date-time":"2020-06-04T00:00:00Z","timestamp":1591228800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2020,6,4]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>Malicious activities conducted by disgruntled employees via an email platform can cause profound damage to an organization such as financial and reputational losses. This threat is known as an \u201cInsider IT Sabotage\u201d threat. This involves employees misusing their access rights to harm the organization. Events leading up to the attack are not technical but rather behavioural. The problem is that owing to the high volume and complexity of emails, the risk of insider IT sabotage cannot be diminished with rule-based approaches.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>Malicious human behaviours that insiders within the insider IT sabotage category would possess are studied and mapped to phrases that would appear in email communications. A large email data set is classified according to behavioural characteristics of these employees. Machine learning algorithms are used to identify occurrences of this insider threat type. The accuracy of these approaches is measured.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>It is shown in this paper that suspicious behaviour of disgruntled employees can be discovered, by means of machine intelligence techniques. The output of the machine learning classifier depends mainly on the depth and quality of the phrases and behaviour analysis, cleansing and number of email attributes examined. This process of labelling content in isolation could be improved if other attributes of the email data are included, such that a confidence score can be computed for each user.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This research presents a novel approach to show that the creation of a prototype that can automate the detection of insider IT sabotage within email systems to mitigate the risk within organizations.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-12-2019-0141","type":"journal-article","created":{"date-parts":[[2020,6,4]],"date-time":"2020-06-04T07:22:36Z","timestamp":1591255356000},"page":"575-589","source":"Crossref","is-referenced-by-count":4,"title":["Discovering \u201cInsider IT Sabotage\u201d based on human behaviour"],"prefix":"10.1108","volume":"28","author":[{"given":"Antonia","family":"Michael","sequence":"first","affiliation":[]},{"given":"Jan","family":"Eloff","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"article-title":"Detection of malicious emails through regular expressions and databases","volume-title":"2019 International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT)","year":"2019","key":"key2020100112345282500_ref001"},{"issue":"1","key":"key2020100112345282500_ref002","doi-asserted-by":"crossref","first-page":"46","DOI":"10.1016\/j.jksuci.2014.03.014","article-title":"Clustering and classification of email contents","volume":"27","year":"2015","journal-title":"Journal of King Saud University - Computer and Information Sciences"},{"key":"key2020100112345282500_ref003","first-page":"1849","article-title":"Predicting insider threat risks through linguistic analysis of electronic communication","volume-title":"46th HI Int. Conf. Syst. Sci","year":"2013"},{"key":"key2020100112345282500_ref004","first-page":"881","article-title":"IP geolocation suspicious email messages","volume-title":"21st Telecommunications forum TELFOR 2013","year":"2013"},{"volume-title":"The CERT Guide to Insider Threats","year":"2012","key":"key2020100112345282500_ref005"},{"key":"key2020100112345282500_ref006","first-page":"985","article-title":"Determining predisposition to insider threat activities by using text analysis","volume-title":"Future Technologies Conference","year":"2016"},{"key":"key2020100112345282500_ref007","doi-asserted-by":"crossref","first-page":"414","DOI":"10.1109\/ARES.2016.78","article-title":"Threat from within: case studies of insiders who committed information technology sabotage","volume-title":"2016 11th International Conference on Availability, Reliability and Security (ARES)","year":"2016"},{"key":"key2020100112345282500_ref008","first-page":"1","article-title":"Identifying indicators of insider threats: insider it sabotage","volume-title":"2013 47th International Carnahan Conference on Security Technology (ICCST)","year":"2013"},{"key":"key2020100112345282500_ref009","unstructured":"Cukierski, W. (2015), \u201cThe Enron email dataset\u201d, available at: www.kaggle.com\/wcukierski\/enron-email-dataset (accessed 18 January 2018)."},{"key":"key2020100112345282500_ref010","first-page":"4","article-title":"Insiders and insider threat and overview of definitions and mitigation techniques","year":"2011","journal-title":"Journal of Wireless Mobile Networks, Ubiquitous Computing and Dependable Applications"},{"key":"key2020100112345282500_ref011","first-page":"76","article-title":"An approach to detect spam emails by using majority voting","volume-title":"International Conference on Data Mining, Internet Computing and Big Data (BigData2014)","year":"2014"},{"volume-title":"Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors","year":"2005","key":"key2020100112345282500_ref012"},{"volume-title":"US Secret Service and CERT\/SEI Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector","year":"2008","key":"key2020100112345282500_ref013"},{"key":"key2020100112345282500_ref014","unstructured":"Lepinsky, R. (2013), \u201cAnalyzing keywords in Enron\u2019s email\u201d, available at: https:\/\/rodgersnotes.wordpress.com\/2013\/11\/24\/analyzing-keywords-in-enrons-email\/ (accessed 18 January 2019)."},{"key":"key2020100112345282500_ref015","first-page":"915","article-title":"Use of machine learning in big data analytics for insider threat detection","year":"2015","journal-title":"Milcom 2015 Track 3 \u2013 Cyber Security and Trusted Computing"},{"first-page":"34","volume-title":"A Machine Learning Approach to Detect Insider Threats in Emails Caused by Human Behaviours","year":"2019","key":"key2020100112345282500_ref016"},{"key":"key2020100112345282500_ref017","doi-asserted-by":"crossref","first-page":"9044","DOI":"10.1109\/ACCESS.2017.2702187","article-title":"Email classification research trends","volume":"5","year":"2017","journal-title":"IEEE Access"},{"key":"key2020100112345282500_ref018","first-page":"2401","article-title":"Insider threat behavior factors: a comparison of theory with reported incidents","volume-title":"2012 45th HI International Conference on System Sciences","year":"2012"},{"journal-title":"Computing Research Repository","article-title":"Classifier suites for insider threat detection","year":"2019","key":"key2020100112345282500_ref019"},{"issue":"3\/4","key":"key2020100112345282500_ref020","first-page":"158","article-title":"Using author topic to detect insider threats from email traffic","volume":"4","year":"2007","journal-title":"Digital Investigation"},{"key":"key2020100112345282500_ref021","unstructured":"Pandas (2019), \u201cPython data analysis library\u201d, available at: https:\/\/pandas.pydata.org\/ (accessed 12 March 2019)."},{"key":"key2020100112345282500_ref022","unstructured":"Python (2019), \u201cPython\u201d, available at: www.python.org\/ (accessed 13 March 2019)."},{"article-title":"The author-topic model for authors and documents","volume-title":"Proceedings of the 20th Conference on Uncertainty in Artificial Intelligence","year":"2004","key":"key2020100112345282500_ref023"},{"key":"key2020100112345282500_ref024","unstructured":"Sashikanth, D. (2015), \u201cAnalysis of communication patterns with scammers in Enron corpus\u201d, available at: https:\/\/arxiv.org\/abs\/1509.00705 (accessed 18 January 2018)."},{"key":"key2020100112345282500_ref025","unstructured":"Schwartz, M. (2018), \u201cTesla accuses insider of stealing gigabytes of data\u201d, available at: www.bankinfosecurity.com\/tesla-lawsuit-alleges-insider-stole-gigabytes-data-a-11118 (accessed 01 October 2019)."},{"key":"key2020100112345282500_ref026","first-page":"247","article-title":"Navigating the insider threat tool landscape: low cost technical solutions to jump start an insider threat program","volume-title":"2018 IEEE Symposium on Security and Privacy Workshops","year":"2018"},{"first-page":"56","volume-title":"Are Attributes on Social Media Platforms Usable for Assisting in the Automatic Detection of Identity Deception?","year":"2018","key":"key2020100112345282500_ref027"},{"key":"key2020100112345282500_ref028","doi-asserted-by":"crossref","unstructured":"Verizon (2019), Verizon 2019 Data Breach Investigations Report, available at: https:\/\/enterprise.verizon.com\/resources\/reports\/dbir\/ (accessed 24 October 2019).","DOI":"10.1016\/S1361-3723(19)30060-0"},{"first-page":"233","volume-title":"Implementing PII Honeytokens to Mitigate Against the Threat of Malicous Insiders","year":"2009","key":"key2020100112345282500_ref029"},{"key":"key2020100112345282500_ref030","unstructured":"Whitman, E. (2016), \u201cGoldman sachs employee email surveillance: which terms trigger review amid concerns over losses and insider trading?\u201d, available at: www.ibtimes.com\/goldman-sachs-employee-email-surveillance-which-terms-trigger-review-amid-concerns-2383065 (accessed 16 February 2018)."},{"key":"key2020100112345282500_ref031","first-page":"277","article-title":"Detecting unknown insider threat scenarios","year":"2014","journal-title":"IEEE Security and Privacy Workshops"},{"key":"key2020100112345282500_ref032","unstructured":"Ali, Z. (2018), \u201cInsider threats \u2013 2018 statistics\u201d, available at: www.uscybersecurity.net\/insider-threats-2018-statistics\/ (accessed 14 March 2019)."},{"issue":"2","key":"key2020100112345282500_ref033","first-page":"145","article-title":"Proposed efficient algorithm to filter spam using machine learning techniques","volume":"18","year":"2016","journal-title":"Pacific Science Review A: Natural Science and Engineering"},{"key":"key2020100112345282500_ref034","unstructured":"Cluley, G. (2016), \u201cCitibank IT guy deliberately wiped routers, shut down 90% of firm\u2019s networks across America\u201d, available at: www.tripwire.com\/state-of-security\/featured\/citibank-it-guy-deliberately-wiped-routers-shut-down-90-of-firms-networks-across-america (accessed 14 February 2019)."},{"key":"key2020100112345282500_ref035","unstructured":"IBM (2019), \u201cIBM\u201d, available at: www.ibm.com\/za-en\/ (accessed 14 March 2019)."},{"key":"key2020100112345282500_ref036","unstructured":"Leber, J. (2018), \u201cThe immortal life of the Enron emails\u201d, available at: www.technologyreview.com\/s\/515801\/the-immortal-life-of-the-enron-e-mails\/ (accessed 7 February 2018)."},{"issue":"3","key":"key2020100112345282500_ref037","doi-asserted-by":"crossref","first-page":"169","DOI":"10.1016\/j.eij.2014.07.002","article-title":"Detection of fraudulent emails by employing advanced feature abundance","volume":"15","year":"2014","journal-title":"Egyptian Informatics Journal"},{"key":"key2020100112345282500_ref038","unstructured":"NLTK (2019), \u201cNLTK 3.4 documentation\u201d, available at: www.nltk.org\/ (accessed 13 March 2019)."},{"key":"key2020100112345282500_ref039","unstructured":"Tribolet, M. (2016), \u201cInvestigating Enron\\u2019s email corpus: the trail of Tim Belden\u201d, available at: https:\/\/linkurio.us\/blog\/investigating-the-enron-email-dataset\/ (accessed 18 January 2018)."}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2019-0141\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2019-0141\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:27Z","timestamp":1753406607000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/4\/575-589\/112451"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,6,4]]},"references-count":39,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,6,4]]}},"alternative-id":["10.1108\/ICS-12-2019-0141"],"URL":"https:\/\/doi.org\/10.1108\/ics-12-2019-0141","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"},{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2020,6,4]]}}}