{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,22]],"date-time":"2026-04-22T19:11:27Z","timestamp":1776885087702,"version":"3.51.2"},"reference-count":180,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2019,4,2]],"date-time":"2019-04-02T00:00:00Z","timestamp":1554163200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2020,3,31]]},"abstract":"<jats:p>Insider threats are one of today\u2019s most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. In this work, we propose structural taxonomy and novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research while using an existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories that include incidents and datasets, analysis of incidents, simulations, and defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents that is based on existing taxonomies and the 5W1H questions of the information gathering problem. 
Our survey will enhance researchers\u2019 efforts in the domain of insider threat because it provides (1) a novel structural taxonomy that contributes to orthogonal classification of incidents and defining the scope of defense solutions employed against them, (2) an overview on publicly available datasets that can be used to test new detection solutions against other works, (3) references of existing case studies and frameworks modeling insiders\u2019 behaviors for the purpose of reviewing defense solutions or extending their coverage, and (4) a discussion of existing trends and further research directions that can be used for reasoning in the insider threat domain.<\/jats:p>","DOI":"10.1145\/3303771","type":"journal-article","created":{"date-parts":[[2019,4,4]],"date-time":"2019-04-04T18:38:37Z","timestamp":1554403117000},"page":"1-40","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":206,"title":["Insight Into Insiders and IT"],"prefix":"10.1145","volume":"52","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0790-0875","authenticated-orcid":false,"given":"Ivan","family":"Homoliak","sequence":"first","affiliation":[{"name":"STE-SUTD Cyber Security Laboratory and Brno University of Technology, Czech Republic"}]},{"given":"Flavio","family":"Toffalini","sequence":"additional","affiliation":[{"name":"STE-SUTD Cyber Security Laboratory, Singapore"}]},{"given":"Juan","family":"Guarnizo","sequence":"additional","affiliation":[{"name":"STE-SUTD Cyber Security Laboratory, Singapore"}]},{"given":"Yuval","family":"Elovici","sequence":"additional","affiliation":[{"name":"Ben-Gurion University of the Negev"}]},{"given":"Mart\u00edn","family":"Ochoa","sequence":"additional","affiliation":[{"name":"STE-SUTD Cyber Security Laboratory and Cyxtera 
Technologies"}]}],"member":"320","published-online":{"date-parts":[[2019,4,2]]},"reference":[{"key":"e_1_2_2_1_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2016.04.007"},{"key":"e_1_2_2_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/2995959.2995962"},{"key":"e_1_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2995959.2995971"},{"key":"e_1_2_2_4_1","doi-asserted-by":"publisher","DOI":"10.1007\/11427995_47"},{"key":"e_1_2_2_5_1","volume-title":"Proceedings of the International Command and Control Research and Technology Symposium.","author":"AlGhamdi G.","unstructured":"G. AlGhamdi , K. B. Laskey , E. J. Wright , D. Barbar\u00e1 , and K. Chang . 2006. Modeling insider behavior using multi-entity Bayesian networks . In Proceedings of the International Command and Control Research and Technology Symposium. G. AlGhamdi, K. B. Laskey, E. J. Wright, D. Barbar\u00e1, and K. Chang. 2006. Modeling insider behavior using multi-entity Bayesian networks. In Proceedings of the International Command and Control Research and Technology Symposium."},{"key":"e_1_2_2_6_1","volume-title":"Proceedings of the International Symposium on Biometrics and Security Technologies. IEEE","author":"Ali G.","unstructured":"G. Ali , N. A. Shaikh , and Z. A. Shaikh . 2008. Towards an automated multiagent system to monitor user activities against insider threat . In Proceedings of the International Symposium on Biometrics and Security Technologies. IEEE , Los Alamitos, CA, 1--5. G. Ali, N. A. Shaikh, and Z. A. Shaikh. 2008. Towards an automated multiagent system to monitor user activities against insider threat. In Proceedings of the International Symposium on Biometrics and Security Technologies. IEEE, Los Alamitos, CA, 1--5."},{"key":"e_1_2_2_7_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2016.01.008"},{"key":"e_1_2_2_8_1","volume-title":"Proceedings of the Information Assurance and Security Workshop (IAW\u201907)","author":"Althebyan Q.","unstructured":"Q. 
Althebyan and B. Panda . 2007. A knowledge-base model for insider threat prediction . In Proceedings of the Information Assurance and Security Workshop (IAW\u201907) . IEEE, Los Alamitos, CA, 239--246. Q. Althebyan and B. Panda. 2007. A knowledge-base model for insider threat prediction. In Proceedings of the Information Assurance and Security Workshop (IAW\u201907). IEEE, Los Alamitos, CA, 239--246."},{"key":"e_1_2_2_9_1","volume-title":"Proceedings of the International Conference on Digital Information Management. IEEE","author":"Althebyan Q.","unstructured":"Q. Althebyan and B. Panda . 2008. Performance analysis of an insider threat mitigation model . In Proceedings of the International Conference on Digital Information Management. IEEE , Los Alamitos, CA, 703--709. Q. Althebyan and B. Panda. 2008. Performance analysis of an insider threat mitigation model. In Proceedings of the International Conference on Digital Information Management. IEEE, Los Alamitos, CA, 703--709."},{"key":"e_1_2_2_10_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0749-5978(02)00037-7"},{"key":"e_1_2_2_11_1","volume-title":"Proceedings of the International Conference of the System Dynamics Society. 25--29","author":"Andersen D. F.","year":"2004","unstructured":"D. F. Andersen , D. Cappelli , J. J. Gonzalez , M. Mojtahedzadeh , A. Moore , E. Rich , 2004 . Preliminary system dynamics maps of the insider cyber-threat problem . In Proceedings of the International Conference of the System Dynamics Society. 25--29 . D. F. Andersen, D. Cappelli, J. J. Gonzalez, M. Mojtahedzadeh, A. Moore, E. Rich, et al. 2004. Preliminary system dynamics maps of the insider cyber-threat problem. In Proceedings of the International Conference of the System Dynamics Society. 25--29."},{"key":"e_1_2_2_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2013.35"},{"key":"e_1_2_2_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/TCSS.2014.2377811"},{"key":"e_1_2_2_15_1","unstructured":"S. R. Band D. M. 
Cappelli L. F. Fischer A. P. Moore E. D. Shaw and R. F. Trzeciak. 2006. Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis. Technical Report. DTIC Document.  S. R. Band D. M. Cappelli L. F. Fischer A. P. Moore E. D. Shaw and R. F. Trzeciak. 2006. Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis. Technical Report. DTIC Document."},{"key":"e_1_2_2_16_1","volume-title":"Methodology, Advances, Applications, and Practice","author":"Banks J.","unstructured":"J. Banks . 1998. Handbook of Simulation: Principles , Methodology, Advances, Applications, and Practice . John Wiley & Sons. J. Banks. 1998. Handbook of Simulation: Principles, Methodology, Advances, Applications, and Practice. John Wiley & Sons."},{"key":"e_1_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2295136.2295168"},{"key":"e_1_2_2_18_1","volume-title":"Insider Attack and Cyber Security. Advances in Information Security","author":"Bellovin S. M.","unstructured":"S. M. Bellovin . 2008. The insider attack problem nature and scope . In Insider Attack and Cyber Security. Advances in Information Security , Vol. 39 . Springer , 1--4. S. M. Bellovin. 2008. The insider attack problem nature and scope. In Insider Attack and Cyber Security. Advances in Information Security, Vol. 39. Springer, 1--4."},{"key":"e_1_2_2_19_1","unstructured":"M. Bertacchini and P. Fierens. 2008. A survey on masquerader detection approaches. In Congreso Iberoamericano de Seguridad Inform\u00e1tica Universidad de la Rep\u00fablica de Uruguay. 46--60.  M. Bertacchini and P. Fierens. 2008. A survey on masquerader detection approaches. In Congreso Iberoamericano de Seguridad Inform\u00e1tica Universidad de la Rep\u00fablica de Uruguay. 
46--60."},{"key":"e_1_2_2_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966916"},{"key":"e_1_2_2_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1629501.1629520"},{"key":"e_1_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1146269.1146288"},{"key":"e_1_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2014.40"},{"key":"e_1_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1595676.1595678"},{"key":"e_1_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2009.104"},{"key":"e_1_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/1413140.1413158"},{"key":"e_1_2_2_27_1","volume-title":"Workshop on Understanding the Insider Threat. Technical Report. RAND Corporation.","author":"Brackney R. C.","unstructured":"R. C. Brackney and R. H. Anderson . 2004 . Workshop on Understanding the Insider Threat. Technical Report. RAND Corporation. R. C. Brackney and R. H. Anderson. 2004. Workshop on Understanding the Insider Threat. Technical Report. RAND Corporation."},{"key":"e_1_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2012.29"},{"key":"e_1_2_2_29_1","volume-title":"Proceedings of the International Conference on Information Fusion. IEEE","author":"Buford J. F.","unstructured":"J. F. Buford , L. Lewis , and G. Jakobson . 2008. Insider threat detection using situation-aware MAS . In Proceedings of the International Conference on Information Fusion. IEEE , Los Alamitos, CA, 1--8. J. F. Buford, L. Lewis, and G. Jakobson. 2008. Insider threat detection using situation-aware MAS. In Proceedings of the International Conference on Information Fusion. IEEE, Los Alamitos, CA, 1--8."},{"key":"e_1_2_2_30_1","volume-title":"Enron Email Dataset. Retrieved","author":"Project CALO","year":"2019","unstructured":"CALO Project . 2015. Enron Email Dataset. Retrieved February 7, 2019 from http:\/\/www.cs.cmu.edu\/~enron\/. CALO Project. 2015. Enron Email Dataset. 
Retrieved February 7, 2019 from http:\/\/www.cs.cmu.edu\/~enron\/."},{"key":"e_1_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2013.08.022"},{"key":"e_1_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2016.2571679"},{"key":"e_1_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-25324-9_15"},{"key":"e_1_2_2_34_1","volume-title":"Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)","author":"Cappelli D. M.","year":"2012","unstructured":"D. M. Cappelli , A. P. Moore , and R. F. Trzeciak . 2012 . The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) . Addison-Wesley . D. M. Cappelli, A. P. Moore, and R. F. Trzeciak. 2012. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Addison-Wesley."},{"key":"e_1_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/ITNG.2009.67"},{"key":"e_1_2_2_36_1","volume-title":"Proceedings of the Conference on Human Aspects of Information Security, Privacy, and Trust. 178--189","author":"Chen T.","unstructured":"T. Chen , F. Kamm\u00fcller , I. Nemli , and C. W. Probst . 2015. A probabilistic analysis framework for malicious insider threats . In Proceedings of the Conference on Human Aspects of Information Security, Privacy, and Trust. 178--189 . T. Chen, F. Kamm\u00fcller, I. Nemli, and C. W. Probst. 2015. A probabilistic analysis framework for malicious insider threats. In Proceedings of the Conference on Human Aspects of Information Security, Privacy, and Trust. 178--189."},{"key":"e_1_2_2_37_1","doi-asserted-by":"crossref","unstructured":"R. Chinchani D. Ha A. Iyer H. Q. Ngo and S. Upadhyaya. 2010. Insider threat assessment: Model analysis and tool. In Network Security. Springer 143--174.  R. Chinchani D. Ha A. Iyer H. Q. Ngo and S. Upadhyaya. 2010. 
Insider threat assessment: Model analysis and tool. In Network Security. Springer 143--174.","DOI":"10.1007\/978-0-387-73821-5_7"},{"key":"e_1_2_2_38_1","first-page":"4","article-title":"Chronological examination of insider threat sabotage: Preliminary observations","volume":"3","author":"Claycomb W. R.","year":"2012","unstructured":"W. R. Claycomb , C. L. Huth , L. Flynn , D. M. McIntire , and T. B. Lewellen . 2012 . Chronological examination of insider threat sabotage: Preliminary observations . Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 3 , 4 (2012), 4 -- 20 . W. R. Claycomb, C. L. Huth, L. Flynn, D. M. McIntire, and T. B. Lewellen. 2012. Chronological examination of insider threat sabotage: Preliminary observations. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 3, 4 (2012), 4--20.","journal-title":"Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications"},{"key":"e_1_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC.2012.113"},{"key":"e_1_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866886.1866894"},{"key":"e_1_2_2_41_1","volume-title":"Insider Threat: Protecting the Enterprise From Sabotage, Spying, and Theft. Syngress.","author":"Cole E.","year":"2005","unstructured":"E. Cole and S. Ring . 2005 . Insider Threat: Protecting the Enterprise From Sabotage, Spying, and Theft. Syngress. E. Cole and S. Ring. 2005. Insider Threat: Protecting the Enterprise From Sabotage, Spying, and Theft. Syngress."},{"key":"e_1_2_2_42_1","unstructured":"M. L. Collins M. C. Theis R. F. Trzeciak J. R. Strozer J. W. Clark D. L. Costa etal 2016. Common Sense Guide to Prevention and Detection of Insider Threats (5th ed.). CERT Software Engineering Institute Carnegie Mellon University Pittsburgh PA.  M. L. Collins M. C. Theis R. F. Trzeciak J. R. Strozer J. W. Clark D. L. Costa et al. 2016. 
Common Sense Guide to Prevention and Detection of Insider Threats (5th ed.). CERT Software Engineering Institute Carnegie Mellon University Pittsburgh PA."},{"key":"e_1_2_2_43_1","volume-title":"Insider Threats in Cyber Security. Advances in Information Security","volume":"49","author":"Crampton J.","unstructured":"J. Crampton and M. Huth . 2010. Towards an access-control framework for countering insider threats . In Insider Threats in Cyber Security. Advances in Information Security , Vol. 49 . Springer, 173--195. J. Crampton and M. Huth. 2010. Towards an access-control framework for countering insider threats. In Insider Threats in Cyber Security. Advances in Information Security, Vol. 49. Springer, 173--195."},{"key":"e_1_2_2_44_1","doi-asserted-by":"crossref","unstructured":"A. Cummings T. Lewellen D. McIntire A. P. Moore and R. Trzeciak. 2012. Insider Threat Study: Illicit Cyber Activity Involving Fraud in the US Financial Services Sector. Technical Report. CERT.  A. Cummings T. Lewellen D. McIntire A. P. Moore and R. Trzeciak. 2012. Insider Threat Study: Illicit Cyber Activity Involving Fraud in the US Financial Services Sector. Technical Report. CERT.","DOI":"10.21236\/ADA610430"},{"key":"e_1_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/2995959.2995974"},{"key":"e_1_2_2_46_1","volume-title":"Proceedings of the Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security. 112--129","author":"Dimkov T.","unstructured":"T. Dimkov , W. Pieters , and P. Hartel . 2010. Portunes: Representing attack scenarios spanning through the physical, digital and social domain . In Proceedings of the Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security. 112--129 . T. Dimkov, W. Pieters, and P. Hartel. 2010. Portunes: Representing attack scenarios spanning through the physical, digital and social domain. 
In Proceedings of the Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security. 112--129."},{"key":"e_1_2_2_47_1","doi-asserted-by":"publisher","DOI":"10.1080\/19361610.2011.529413"},{"key":"e_1_2_2_48_1","volume-title":"Proceedings of the IEEE Symposium on Computational Intelligence and Data Mining (CIDM\u201909)","author":"Eberle W.","unstructured":"W. Eberle and L. Holder . 2009. Mining for insider threats in business transactions and processes . In Proceedings of the IEEE Symposium on Computational Intelligence and Data Mining (CIDM\u201909) . IEEE, Los Alamitos, CA, 163--170. W. Eberle and L. Holder. 2009. Mining for insider threats in business transactions and processes. In Proceedings of the IEEE Symposium on Computational Intelligence and Data Mining (CIDM\u201909). IEEE, Los Alamitos, CA, 163--170."},{"key":"e_1_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2009.02.001"},{"key":"e_1_2_2_50_1","volume-title":"Preventing and Detecting Insider Attacks Using IDS. Retrieved","author":"Einwechter N.","year":"2019","unstructured":"N. Einwechter . 2010. Preventing and Detecting Insider Attacks Using IDS. Retrieved February 7, 2019 from https:\/\/www.symantec.com\/connect\/articles\/preventing-and-detecting-insider-attacks-using-ids. N. Einwechter. 2010. Preventing and Detecting Insider Attacks Using IDS. Retrieved February 7, 2019 from https:\/\/www.symantec.com\/connect\/articles\/preventing-and-detecting-insider-attacks-using-ids."},{"key":"e_1_2_2_51_1","volume-title":"Proceedings of the International Conference on Privacy, Security, and Trust. IEEE","author":"Masri A. El","unstructured":"A. El Masri , H. Wechsler , P. Likarish , and B. B. Kang . 2014. Identifying users with application-specific command streams . In Proceedings of the International Conference on Privacy, Security, and Trust. IEEE , Los Alamitos, CA, 232--238. A. El Masri, H. Wechsler, P. Likarish, and B. B. Kang. 2014. 
Identifying users with application-specific command streams. In Proceedings of the International Conference on Privacy, Security, and Trust. IEEE, Los Alamitos, CA, 232--238."},{"key":"e_1_2_2_52_1","volume-title":"Proceedings of the International Conference on Advanced Communication Technology. IEEE","author":"Eom J.","unstructured":"J. Eom , M. Park , S. Park , and T. Chung . 2011. A framework of defense system for prevention of insider\u2019s malicious behaviors . In Proceedings of the International Conference on Advanced Communication Technology. IEEE , Los Alamitos, CA, 982--987. J. Eom, M. Park, S. Park, and T. Chung. 2011. A framework of defense system for prevention of insider\u2019s malicious behaviors. In Proceedings of the International Conference on Advanced Communication Technology. IEEE, Los Alamitos, CA, 982--987."},{"key":"e_1_2_2_53_1","volume-title":"Proceedings of the International Workshop on Managing Insider Security Threats. 22","author":"Farahmand F.","unstructured":"F. Farahmand and E. H. Spafford . 2009. Insider behavior: An analysis of decision under risk . In Proceedings of the International Workshop on Managing Insider Security Threats. 22 . F. Farahmand and E. H. Spafford. 2009. Insider behavior: An analysis of decision under risk. In Proceedings of the International Workshop on Managing Insider Security Threats. 22."},{"key":"e_1_2_2_54_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10796-010-9265-x"},{"key":"e_1_2_2_55_1","volume-title":"Proceedings of the Conference of the International Military Testing Association.","author":"Fischer L. F.","year":"2003","unstructured":"L. F. Fischer . 2003 . Characterizing information systems insider offenders . In Proceedings of the Conference of the International Military Testing Association. L. F. Fischer. 2003. Characterizing information systems insider offenders. 
In Proceedings of the Conference of the International Military Testing Association."},{"key":"e_1_2_2_56_1","volume-title":"Proceedings of the International Conference on Availability, Reliability, and Security. 446--453","author":"Franqueira V. N.","unstructured":"V. N. Franqueira , A. van Cleeff , P. van Eck , and R. Wieringa . 2010. External insider threat: A real security challenge in enterprise value webs . In Proceedings of the International Conference on Availability, Reliability, and Security. 446--453 . V. N. Franqueira, A. van Cleeff, P. van Eck, and R. Wieringa. 2010. External insider threat: A real security challenge in enterprise value webs. In Proceedings of the International Conference on Availability, Reliability, and Security. 446--453."},{"key":"e_1_2_2_57_1","doi-asserted-by":"publisher","DOI":"10.5555\/2896454.2896458"},{"key":"e_1_2_2_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2006.359"},{"key":"e_1_2_2_59_1","volume-title":"Proceedings of the 2006 IEEE Information Assurance Workshop. IEEE","author":"Garg A.","unstructured":"A. Garg , R. Rahalkar , S. Upadhyaya , and K. Kwiat . 2006. Profiling users in GUI based systems for masquerade detection . In Proceedings of the 2006 IEEE Information Assurance Workshop. IEEE , Los Alamitos, CA, 48--54. A. Garg, R. Rahalkar, S. Upadhyaya, and K. Kwiat. 2006. Profiling users in GUI based systems for masquerade detection. In Proceedings of the 2006 IEEE Information Assurance Workshop. IEEE, Los Alamitos, CA, 48--54."},{"key":"e_1_2_2_60_1","doi-asserted-by":"publisher","DOI":"10.1186\/s41044-016-0006-0"},{"key":"e_1_2_2_61_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2013.37"},{"key":"e_1_2_2_62_1","volume-title":"Proceedings of the Conference on Advances in Neural Information Processing Systems. 2672--2680","author":"Goodfellow I.","year":"2014","unstructured":"I. Goodfellow , J. Pouget-Abadie , M. Mirza , B. Xu , D. Warde-Farley , S. Ozair , 2014 . Generative adversarial nets . 
In Proceedings of the Conference on Advances in Neural Information Processing Systems. 2672--2680 . I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, et al. 2014. Generative adversarial nets. In Proceedings of the Conference on Advances in Neural Information Processing Systems. 2672--2680."},{"key":"e_1_2_2_63_1","doi-asserted-by":"publisher","DOI":"10.1287\/opre.50.3.501.7745"},{"key":"e_1_2_2_64_1","volume-title":"Using Unix: Collected Traces of 168 Users. Technical Report. Department of Computer Science","author":"Greenberg S.","year":"1988","unstructured":"S. Greenberg . 1988 . Using Unix: Collected Traces of 168 Users. Technical Report. Department of Computer Science , University of Calgary , Calgary, Canada . S. Greenberg. 1988. Using Unix: Collected Traces of 168 Users. Technical Report. Department of Computer Science, University of Calgary, Calgary, Canada."},{"key":"e_1_2_2_65_1","volume-title":"Insider Threats in Cyber Security. Advances in Information Security","volume":"49","author":"Greitzer F. L.","unstructured":"F. L. Greitzer and D. A. Frincke . 2010. Combining traditional cyber security audit data with psychosocial data: Towards predictive modeling for insider threat mitigation . In Insider Threats in Cyber Security. Advances in Information Security , Vol. 49 . Springer, 85--113. F. L. Greitzer and D. A. Frincke. 2010. Combining traditional cyber security audit data with psychosocial data: Towards predictive modeling for insider threat mitigation. In Insider Threats in Cyber Security. Advances in Information Security, Vol. 49. Springer, 85--113."},{"key":"e_1_2_2_66_1","volume-title":"Complex Systems: Interdisciplinary Perspectives. IGI Global","author":"Greitzer F. L.","year":"2010","unstructured":"F. L. Greitzer , D. A. Frincke , and M. Zabriskie . 2010 . Social\/ethical issues in predictive insider threat monitoring. In Information Assurance and Security Ethics in Complex Systems: Interdisciplinary Perspectives. 
IGI Global , Hershey, PA , 132--161. F. L. Greitzer, D. A. Frincke, and M. Zabriskie. 2010. Social\/ethical issues in predictive insider threat monitoring. In Information Assurance and Security Ethics in Complex Systems: Interdisciplinary Perspectives. IGI Global, Hershey, PA, 132--161."},{"key":"e_1_2_2_67_1","doi-asserted-by":"crossref","unstructured":"F. L. Greitzer L. J. Kangas C. F. Noonan C. R. Brown and T. Ferryman. 2013. Psychosocial modeling of insider threat risk based on behavioral and word use analysis. e-Service Journal 9 1 (2013) 106--138.  F. L. Greitzer L. J. Kangas C. F. Noonan C. R. Brown and T. Ferryman. 2013. Psychosocial modeling of insider threat risk based on behavioral and word use analysis. e-Service Journal 9 1 (2013) 106--138.","DOI":"10.2979\/eservicej.9.1.106"},{"key":"e_1_2_2_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2014.256"},{"key":"e_1_2_2_69_1","volume-title":"Proceedings of the International Conference on New Technologies, Mobility, and Security. IEEE","author":"Gritzalis D.","unstructured":"D. Gritzalis , V. Stavrou , M. Kandias , and G. Stergiopoulos . 2014. Insider threat: Enhancing BPM through social media . In Proceedings of the International Conference on New Technologies, Mobility, and Security. IEEE , Los Alamitos, CA, 1--6. D. Gritzalis, V. Stavrou, M. Kandias, and G. Stergiopoulos. 2014. Insider threat: Enhancing BPM through social media. In Proceedings of the International Conference on New Technologies, Mobility, and Security. IEEE, Los Alamitos, CA, 1--6."},{"key":"e_1_2_2_70_1","doi-asserted-by":"crossref","unstructured":"M. Hanley and J. Montelibano. 2011. Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination. Technical Report. DTIC Document.  M. Hanley and J. Montelibano. 2011. Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination. Technical Report. 
DTIC Document.","DOI":"10.21236\/ADA610463"},{"key":"e_1_2_2_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/3139923.3139929"},{"key":"e_1_2_2_72_1","first-page":"1","article-title":"The wolf of SUTD (TWOS): A dataset of malicious insider threat behavior based on a gamified competition","volume":"9","author":"Harilal Athul","year":"2018","unstructured":"Athul Harilal , Flavio Toffalini , Ivan Homoliak , John Castellanos , Juan Guarnizo , Soumik Mondal , 2018 . The wolf of SUTD (TWOS): A dataset of malicious insider threat behavior based on a gamified competition . Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 9 , 1 (March 2018), 54--85. Athul Harilal, Flavio Toffalini, Ivan Homoliak, John Castellanos, Juan Guarnizo, Soumik Mondal, et al. 2018. The wolf of SUTD (TWOS): A dataset of malicious insider threat behavior based on a gamified competition. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 9, 1 (March 2018), 54--85.","journal-title":"Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications"},{"key":"e_1_2_2_74_1","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2016.343"},{"key":"e_1_2_2_75_1","volume-title":"Social Computing, Behavioral Modeling, and Prediction","author":"S. M. Ho.","unstructured":"S. M. Ho. 2008. Attribution-based anomaly detection: Trustworthiness in an online community . In Social Computing, Behavioral Modeling, and Prediction . Springer , 129--140. S. M. Ho. 2008. Attribution-based anomaly detection: Trustworthiness in an online community. In Social Computing, Behavioral Modeling, and Prediction. Springer, 129--140."},{"key":"e_1_2_2_76_1","first-page":"4","article-title":"Insiders and insider threats: An overview of definitions and mitigation techniques","volume":"2","author":"Hunker J.","year":"2011","unstructured":"J. Hunker and C. W. Probst . 2011 . 
Insiders and insider threats: An overview of definitions and mitigation techniques . Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 2 , 1 (2011), 4 -- 27 . J. Hunker and C. W. Probst. 2011. Insiders and insider threats: An overview of definitions and mitigation techniques. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 2, 1 (2011), 4--27.","journal-title":"Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications"},{"key":"e_1_2_2_77_1","volume-title":"Proceedings of the International Conference of Information Security and Privacy.","author":"Jabbour G.","unstructured":"G. Jabbour and D. Menasc\u00e9 . 2009a. Stopping the insider threat: The case for implementing autonomic defense mechanisms in computing systems . In Proceedings of the International Conference of Information Security and Privacy. G. Jabbour and D. Menasc\u00e9. 2009a. Stopping the insider threat: The case for implementing autonomic defense mechanisms in computing systems. In Proceedings of the International Conference of Information Security and Privacy."},{"key":"e_1_2_2_78_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSE.2009.278"},{"key":"e_1_2_2_79_1","doi-asserted-by":"publisher","DOI":"10.1145\/2995959.2995960"},{"key":"e_1_2_2_80_1","volume-title":"Proceedings of the International Conference on Human Aspects of Information Security, Privacy, and Trust. 234--246","author":"Kamm\u00fcller F.","unstructured":"F. Kamm\u00fcller , J. R. C. Nurse , and C. W. Probst . 2016. Attack tree analysis for insider threats on the IoT using Isabelle . In Proceedings of the International Conference on Human Aspects of Information Security, Privacy, and Trust. 234--246 . F. Kamm\u00fcller, J. R. C. Nurse, and C. W. Probst. 2016. Attack tree analysis for insider threats on the IoT using Isabelle. 
In Proceedings of the International Conference on Human Aspects of Information Security, Privacy, and Trust. 234--246."},{"key":"e_1_2_2_81_1","volume-title":"Proceedings of the International Conference on Network and System Security. 220--235","author":"Kandias M.","unstructured":"M. Kandias , K. Galbogini , L. Mitrou , and D. Gritzalis . 2013a. Insiders trapped in the mirror reveal themselves in social media . In Proceedings of the International Conference on Network and System Security. 220--235 . M. Kandias, K. Galbogini, L. Mitrou, and D. Gritzalis. 2013a. Insiders trapped in the mirror reveal themselves in social media. In Proceedings of the International Conference on Network and System Security. 220--235."},{"key":"e_1_2_2_82_1","volume-title":"Lecture Notes in Computer Science","volume":"6264","author":"Kandias M.","unstructured":"M. Kandias , A. Mylonas , N. Virvilis , M. Theoharidou , and D. Gritzalis . 2010. An insider threat prediction model. In Trust, Privacy, and Security in Digital Business . Lecture Notes in Computer Science , Vol. 6264 . Springer, 26--37. M. Kandias, A. Mylonas, N. Virvilis, M. Theoharidou, and D. Gritzalis. 2010. An insider threat prediction model. In Trust, Privacy, and Security in Digital Business. Lecture Notes in Computer Science, Vol. 6264. Springer, 26--37."},{"key":"e_1_2_2_83_1","doi-asserted-by":"publisher","DOI":"10.1109\/UIC-ATC.2013.12"},{"key":"e_1_2_2_84_1","volume-title":"Proceedings of the International Workshop on Critical Information Infrastructures Security. 93--103","author":"Kandias M.","unstructured":"M. Kandias , N. Virvilis , and D. Gritzalis . 2011. The insider threat in cloud computing . In Proceedings of the International Workshop on Critical Information Infrastructures Security. 93--103 . M. Kandias, N. Virvilis, and D. Gritzalis. 2011. The insider threat in cloud computing. In Proceedings of the International Workshop on Critical Information Infrastructures Security. 
93--103."},{"key":"e_1_2_2_85_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2010.06.002"},{"key":"e_1_2_2_86_1","unstructured":"M. Keeney E. Kowalski D. Cappelli A. Moore T. Shimeall S. Rogers etal 2005. Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. Technical Report. National Threat Assessment Center Washington DC.  M. Keeney E. Kowalski D. Cappelli A. Moore T. Shimeall S. Rogers et al. 2005. Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. Technical Report. National Threat Assessment Center Washington DC."},{"key":"e_1_2_2_88_1","unstructured":"E. Kowalski T. Conway S. Keverline M. Williams D. Cappelli B. Willke etal 2008. Insider Threat Study: Illicit Cyber Activity in the Government Sector. U.S. Secret Service SEI CMU.  E. Kowalski T. Conway S. Keverline M. Williams D. Cappelli B. Willke et al. 2008. Insider Threat Study: Illicit Cyber Activity in the Government Sector. U.S. Secret Service SEI CMU."},{"key":"e_1_2_2_89_1","volume-title":"Proceedings of the National Information Systems Security Conference","volume":"377","author":"Lane T.","unstructured":"T. Lane and C. E. Brodley . 1997. An application of machine learning to anomaly detection . In Proceedings of the National Information Systems Security Conference , Vol. 377 . 366--380. T. Lane and C. E. Brodley. 1997. An application of machine learning to anomaly detection. In Proceedings of the National Information Systems Security Conference, Vol. 377. 366--380."},{"key":"e_1_2_2_90_1","volume-title":"Proceedings of the 4th International Conference on Knowledge Discovery and Data Mining (KDD\u201998)","author":"Lane T.","unstructured":"T. Lane and C. E. Brodley . 1998. Approaches to online learning and concept drift for user identification in computer security . In Proceedings of the 4th International Conference on Knowledge Discovery and Data Mining (KDD\u201998) . 259--263. T. Lane and C. E. Brodley. 1998. 
Approaches to online learning and concept drift for user identification in computer security. In Proceedings of the 4th International Conference on Knowledge Discovery and Data Mining (KDD\u201998). 259--263."},{"key":"e_1_2_2_91_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cosrev.2010.02.002"},{"key":"e_1_2_2_92_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0167-4048(03)00007-5"},{"key":"e_1_2_2_93_1","doi-asserted-by":"publisher","DOI":"10.1108\/09685220210424104"},{"key":"e_1_2_2_94_1","first-page":"20","article-title":"Towards a conceptual model and reasoning structure for insider threat detection","volume":"4","author":"Legg P.","year":"2013","unstructured":"P. Legg , N. Moffat , J. R. C. Nurse , J. Happa , I. Agrafiotis , M. Goldsmith , 2013 . Towards a conceptual model and reasoning structure for insider threat detection . Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 4 (2013), 20 -- 37 . P. Legg, N. Moffat, J. R. C. Nurse, J. Happa, I. Agrafiotis, M. Goldsmith, et al. 2013. Towards a conceptual model and reasoning structure for insider threat detection. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 4 (2013), 20--37.","journal-title":"Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications"},{"key":"e_1_2_2_95_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSYST.2015.2438442"},{"key":"e_1_2_2_96_1","first-page":"62","article-title":"OWL: A recommender system for organization-wide learning","volume":"3","author":"Linton F.","year":"2000","unstructured":"F. Linton , D. Joy , H. Schaefer , and A. Charron . 2000 . OWL: A recommender system for organization-wide learning . Educational Technology and Society 3 , 1 (2000), 62 -- 76 . F. Linton, D. Joy, H. Schaefer, and A. Charron. 2000. OWL: A recommender system for organization-wide learning. 
Educational Technology and Society 3, 1 (2000), 62--76.","journal-title":"Educational Technology and Society"},{"key":"e_1_2_2_97_1","volume-title":"Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX\u201900)","volume":"2","author":"Lippman R. P.","year":"2000","unstructured":"R. P. Lippman , D. J. Fried , I. Graf , J. W. Haines , K. R. Kendall , D. McClung , 2000 . Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation . In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX\u201900) , Vol. 2 . IEEE, Los Alamitos, CA, 12--26. R. P. Lippman, D. J. Fried, I. Graf, J. W. Haines, K. R. Kendall, D. McClung, et al. 2000. Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation. In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX\u201900), Vol. 2. IEEE, Los Alamitos, CA, 12--26."},{"key":"e_1_2_2_98_1","volume-title":"Proceedings of the 6th Annual IEEE Systems, Man and Cybernetics, Information Assurance Workshop. 341--347","author":"Liu A.","unstructured":"A. Liu , C. Martin , T. Hetherington , and S. Matzner . 2005. A comparison of system call feature for insider threat detection . In Proceedings of the 6th Annual IEEE Systems, Man and Cybernetics, Information Assurance Workshop. 341--347 . A. Liu, C. Martin, T. Hetherington, and S. Matzner. 2005. A comparison of system call feature for insider threat detection. In Proceedings of the 6th Annual IEEE Systems, Man and Cybernetics, Information Assurance Workshop. 
341--347."},{"key":"e_1_2_2_99_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijcip.2008.08.001"},{"key":"e_1_2_2_100_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-03549-4_1"},{"key":"e_1_2_2_101_1","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2009.390"},{"key":"e_1_2_2_102_1","doi-asserted-by":"publisher","DOI":"10.2307\/249574"},{"key":"e_1_2_2_103_1","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2015.423"},{"key":"e_1_2_2_104_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0167-4048(02)00109-8"},{"key":"e_1_2_2_105_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2004.10.003"},{"key":"e_1_2_2_106_1","volume-title":"Proceedings of the 9th International Network Conference (INC\u201912)","author":"Magklaras G.","unstructured":"G. Magklaras and S. Furnell . 2012. The insider threat prediction and specification language . In Proceedings of the 9th International Network Conference (INC\u201912) . 51--61. G. Magklaras and S. Furnell. 2012. The insider threat prediction and specification language. In Proceedings of the 9th International Network Conference (INC\u201912). 51--61."},{"key":"e_1_2_2_107_1","volume-title":"Proceedings of the International Workshop on Recent Advances in Intrusion Detection. 146--166","author":"Maloof M. A.","unstructured":"M. A. Maloof and G. D. Stephens . 2007. Elicit: A system for detecting insiders who violate need-to-know . In Proceedings of the International Workshop on Recent Advances in Intrusion Detection. 146--166 . M. A. Maloof and G. D. Stephens. 2007. Elicit: A system for detecting insiders who violate need-to-know. In Proceedings of the International Workshop on Recent Advances in Intrusion Detection. 146--166."},{"key":"e_1_2_2_108_1","volume-title":"Proceedings of the DARPA Information Survivability Conference and Exposition","volume":"1","author":"Markham T.","unstructured":"T. Markham and C. Payne . 2001. Security at the network edge: A distributed firewall architecture . 
In Proceedings of the DARPA Information Survivability Conference and Exposition , Vol. 1 . IEEE, Los Alamitos, CA, 279--286. T. Markham and C. Payne. 2001. Security at the network edge: A distributed firewall architecture. In Proceedings of the DARPA Information Survivability Conference and Exposition, Vol. 1. IEEE, Los Alamitos, CA, 279--286."},{"key":"e_1_2_2_109_1","doi-asserted-by":"publisher","DOI":"10.1145\/1346325.1346328"},{"key":"e_1_2_2_110_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2011.03.001"},{"key":"e_1_2_2_111_1","volume-title":"Proceedings of the 13th International Conference on Recent Advances in Intrusion Detection (RAID\u201910)","author":"Mathew S.","unstructured":"S. Mathew , M. Petropoulos , H. Q. Ngo , and S. J. Upadhyaya . 2010. A data-centric approach to insider attack detection in database systems . In Proceedings of the 13th International Conference on Recent Advances in Intrusion Detection (RAID\u201910) . 382--401. S. Mathew, M. Petropoulos, H. Q. Ngo, and S. J. Upadhyaya. 2010. A data-centric approach to insider attack detection in database systems. In Proceedings of the 13th International Conference on Recent Advances in Intrusion Detection (RAID\u201910). 382--401."},{"key":"e_1_2_2_112_1","volume-title":"Proceedings of the International Conference on Information Fusion. IEEE","author":"Mathew S.","unstructured":"S. Mathew , S. Upadhyaya , D. Ha , and H. Q. Ngo . 2008. Insider abuse comprehension through capability acquisition graphs . In Proceedings of the International Conference on Information Fusion. IEEE , Los Alamitos, CA, 1--8. S. Mathew, S. Upadhyaya, D. Ha, and H. Q. Ngo. 2008. Insider abuse comprehension through capability acquisition graphs. In Proceedings of the International Conference on Information Fusion. IEEE, Los Alamitos, CA, 1--8."},{"key":"e_1_2_2_113_1","volume-title":"Proceedings of the International Conference on Dependable Systems and Networks. IEEE","author":"Maxion R. A.","unstructured":"R. A. 
Maxion and T. N. Townsend . 2002. Masquerade detection using truncated command lines . In Proceedings of the International Conference on Dependable Systems and Networks. IEEE , Los Alamitos, CA, 219--228. R. A. Maxion and T. N. Townsend. 2002. Masquerade detection using truncated command lines. In Proceedings of the International Conference on Dependable Systems and Networks. IEEE, Los Alamitos, CA, 219--228."},{"key":"e_1_2_2_114_1","unstructured":"M. Maybury P. Chase B. Cheikes D. Brackney S. Matzner T. Hetherington etal 2005. Analysis and Detection of Malicious Insiders. Technical Report. DTIC Document.  M. Maybury P. Chase B. Cheikes D. Brackney S. Matzner T. Hetherington et al. 2005. Analysis and Detection of Malicious Insiders. Technical Report. DTIC Document."},{"key":"e_1_2_2_115_1","volume-title":"Proceedings of the 2015 IEEE Military Communications Conference (MILCOM\u201915)","author":"Mayhew M.","unstructured":"M. Mayhew , M. Atighetchi , A. Adler , and R. Greenstadt . 2015. Use of machine learning in big data analytics for insider threat detection . In Proceedings of the 2015 IEEE Military Communications Conference (MILCOM\u201915) . IEEE, Los Alamitos, CA, 915--922. M. Mayhew, M. Atighetchi, A. Adler, and R. Greenstadt. 2015. Use of machine learning in big data analytics for insider threat detection. In Proceedings of the 2015 IEEE Military Communications Conference (MILCOM\u201915). IEEE, Los Alamitos, CA, 915--922."},{"key":"e_1_2_2_116_1","doi-asserted-by":"publisher","DOI":"10.1145\/382912.382923"},{"key":"e_1_2_2_117_1","volume-title":"Proceedings of the International Conference of the System Dynamics Society. 20--24","author":"Melara C.","unstructured":"C. Melara , J. M. Sarriegui , J. J. Gonzalez , A. Sawicka , and D. L. Cooke . 2003. A system dynamics model of an insider attack on an information system . In Proceedings of the International Conference of the System Dynamics Society. 20--24 . C. Melara, J. M. Sarriegui, J. J. Gonzalez, A. 
Sawicka, and D. L. Cooke. 2003. A system dynamics model of an insider attack on an information system. In Proceedings of the International Conference of the System Dynamics Society. 20--24."},{"key":"e_1_2_2_118_1","doi-asserted-by":"publisher","DOI":"10.7326\/0003-4819-151-4-200908180-00135"},{"key":"e_1_2_2_119_1","doi-asserted-by":"crossref","unstructured":"A. P. Moore D. M. Cappelli T. C. Caron E. Shaw D. Spooner and R. F. Trzeciak. 2011. A Preliminary Model of Insider Theft of Intellectual Property. Technical Report. CERT.  A. P. Moore D. M. Cappelli T. C. Caron E. Shaw D. Spooner and R. F. Trzeciak. 2011. A Preliminary Model of Insider Theft of Intellectual Property. Technical Report. CERT.","DOI":"10.21236\/ADA589594"},{"key":"e_1_2_2_120_1","doi-asserted-by":"crossref","unstructured":"A. P. Moore D. M. Cappelli and R. F. Trzeciak. 2008. The \u201cBig Picture\u201d of Insider IT Sabotage Across US Critical Infrastructures. Technical Report. Carnegie Mellon University Pittsburgh PA.  A. P. Moore D. M. Cappelli and R. F. Trzeciak. 2008. The \u201cBig Picture\u201d of Insider IT Sabotage Across US Critical Infrastructures. Technical Report. Carnegie Mellon University Pittsburgh PA.","DOI":"10.21236\/ADA482452"},{"key":"e_1_2_2_121_1","volume-title":"Cybersecurity Breaches and Issues Surrounding Online Threat Protection. IGI Global","author":"Moore M.","unstructured":"M. Moore . 2016. Cybersecurity Breaches and Issues Surrounding Online Threat Protection. IGI Global , Hershey, PA . M. Moore. 2016. Cybersecurity Breaches and Issues Surrounding Online Threat Protection. IGI Global, Hershey, PA."},{"key":"e_1_2_2_122_1","doi-asserted-by":"publisher","DOI":"10.1145\/1558607.1558670"},{"key":"e_1_2_2_123_1","volume-title":"Game Theory","author":"Myerson R. B.","unstructured":"R. B. Myerson . 1997. Game Theory . Harvard University Press , Cambridge, MA . R. B. Myerson. 1997. Game Theory. 
Harvard University Press, Cambridge, MA."},{"key":"e_1_2_2_124_1","volume-title":"Proceedings of the 2014 Smart Grid Conference (SGC\u201914)","author":"Nasr P. M.","unstructured":"P. M. Nasr and A. Y. Varjani . 2014. Alarm based anomaly detection of insider attacks in SCADA system . In Proceedings of the 2014 Smart Grid Conference (SGC\u201914) . IEEE, Los Alamitos, CA, 1--6. P. M. Nasr and A. Y. Varjani. 2014. Alarm based anomaly detection of insider attacks in SCADA system. In Proceedings of the 2014 Smart Grid Conference (SGC\u201914). IEEE, Los Alamitos, CA, 1--6."},{"key":"e_1_2_2_125_1","volume-title":"Insider Threats in Cyber Security. Advances in Information Security","author":"Neumann P. G.","unstructured":"P. G. Neumann . 2010. Combatting insider threats . In Insider Threats in Cyber Security. Advances in Information Security , Vol. 49 . Springer , 17--44. P. G. Neumann. 2010. Combatting insider threats. In Insider Threats in Cyber Security. Advances in Information Security, Vol. 49. Springer, 17--44."},{"key":"e_1_2_2_126_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2014.38"},{"key":"e_1_2_2_127_1","doi-asserted-by":"publisher","DOI":"10.5555\/1359018.1359022"},{"key":"e_1_2_2_128_1","doi-asserted-by":"crossref","unstructured":"J. Ophoff A. Jensen J. Sanderson-Smith M. Porter and K. Johnston. 2014. A Descriptive Literature Review and Classification of Insider Threat Research. Technical Report. Department of Information Systems University of Cape Town Cape Town South Africa.  J. Ophoff A. Jensen J. Sanderson-Smith M. Porter and K. Johnston. 2014. A Descriptive Literature Review and Classification of Insider Threat Research. Technical Report. Department of Information Systems University of Cape Town Cape Town South Africa.","DOI":"10.28945\/2010"},{"key":"e_1_2_2_129_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10796-010-9252-2"},{"key":"e_1_2_2_130_1","doi-asserted-by":"crossref","unstructured":"J. S. Park and S. M. Ho. 2004. 
Composite Role-Based Monitoring (CRBM) for Countering Insider Threats. Springer 201--213.  J. S. Park and S. M. Ho. 2004. Composite Role-Based Monitoring (CRBM) for Countering Insider Threats. Springer 201--213.","DOI":"10.1007\/978-3-540-25952-7_15"},{"key":"e_1_2_2_131_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICTAI.2011.176"},{"key":"e_1_2_2_132_1","doi-asserted-by":"publisher","DOI":"10.5555\/1771881.1771896"},{"key":"e_1_2_2_133_1","volume-title":"Proceedings of the 3rd Security Conference.","author":"Phyo A. H.","unstructured":"A. H. Phyo and S. M. Furnell . 2004. A detection-oriented classification of insider IT misuse . In Proceedings of the 3rd Security Conference. A. H. Phyo and S. M. Furnell. 2004. A detection-oriented classification of insider IT misuse. In Proceedings of the 3rd Security Conference."},{"key":"e_1_2_2_134_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2011.05.002"},{"key":"e_1_2_2_135_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2004.35"},{"key":"e_1_2_2_136_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2008.87"},{"key":"e_1_2_2_137_1","volume-title":"Proceedings of the International Workshop on Formal Aspects in Security and Trust. 127--142","author":"Probst C. W.","unstructured":"C. W. Probst , R. R. Hansen , and F. Nielson . 2006. Where can an insider attack? In Proceedings of the International Workshop on Formal Aspects in Security and Trust. 127--142 . C. W. Probst, R. R. Hansen, and F. Nielson. 2006. Where can an insider attack? In Proceedings of the International Workshop on Formal Aspects in Security and Trust. 127--142."},{"key":"e_1_2_2_138_1","doi-asserted-by":"crossref","unstructured":"C. W. Probst and J. Hunker. 2010. The risk of risk analysis and its relation to the economics of insider threats. In Economics of Information Security and Privacy. Springer 279--299.  C. W. Probst and J. Hunker. 2010. The risk of risk analysis and its relation to the economics of insider threats. 
In Economics of Information Security and Privacy. Springer 279--299.","DOI":"10.1007\/978-1-4419-6967-5_14"},{"key":"e_1_2_2_139_1","unstructured":"C. W. Probst J. Hunker M. Bishop and D. Gollmann. 2008. Summary\u2014Countering insider threats. In Countering Insider Threats (Dagstuhl Seminar). Leibniz-Zentrum fuer Informatik Germany.  C. W. Probst J. Hunker M. Bishop and D. Gollmann. 2008. Summary\u2014Countering insider threats. In Countering Insider Threats (Dagstuhl Seminar). Leibniz-Zentrum fuer Informatik Germany."},{"key":"e_1_2_2_140_1","volume-title":"Insider Threats in Cyber Security. Advances in Information Security","volume":"49","author":"Probst C. W.","unstructured":"C. W. Probst , J. Hunker , D. Gollmann , and M. Bishop . 2010. Aspects of insider threats . In Insider Threats in Cyber Security. Advances in Information Security , Vol. 49 . Springer, 1--15. C. W. Probst, J. Hunker, D. Gollmann, and M. Bishop. 2010. Aspects of insider threats. In Insider Threats in Cyber Security. Advances in Information Security, Vol. 49. Springer, 1--15."},{"key":"e_1_2_2_141_1","volume-title":"Global Economic Crime Survey 2016: US Results. Retrieved","author":"PWC.","year":"2019","unstructured":"PWC. 2017. Global Economic Crime Survey 2016: US Results. Retrieved February 7, 2019 from https:\/\/www.pwc.com\/us\/en\/forensic-services\/economic-crime-survey-us-supplement.html. PWC. 2017. Global Economic Crime Survey 2016: US Results. Retrieved February 7, 2019 from https:\/\/www.pwc.com\/us\/en\/forensic-services\/economic-crime-survey-us-supplement.html."},{"key":"e_1_2_2_142_1","unstructured":"M. R. Randazzo M. Keeney E. Kowalski D. Cappelli and A. Moore. 2005. Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector. Technical Report. CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA.  M. R. Randazzo M. Keeney E. Kowalski D. Cappelli and A. Moore. 2005. 
Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector. Technical Report. CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA."},{"key":"e_1_2_2_143_1","doi-asserted-by":"publisher","DOI":"10.1145\/1900546.1900563"},{"key":"e_1_2_2_144_1","doi-asserted-by":"publisher","DOI":"10.1007\/11555827_14"},{"key":"e_1_2_2_145_1","doi-asserted-by":"crossref","unstructured":"J. Reason. 1990. Human Error. Cambridge University Press.  J. Reason. 1990. Human Error. Cambridge University Press.","DOI":"10.1017\/CBO9781139062367"},{"key":"e_1_2_2_146_1","volume-title":"Proceedings of the International Conference of the System Dynamics Society. 17--21","author":"Rich E.","year":"2005","unstructured":"E. Rich , I. J. Martinez-Moyano , S. Conrad , D. M. Cappelli , 2005 . Simulating insider cyber-threat risks: A model-based case and a case-based model . In Proceedings of the International Conference of the System Dynamics Society. 17--21 . E. Rich, I. J. Martinez-Moyano, S. Conrad, D. M. Cappelli, et al. 2005. Simulating insider cyber-threat risks: A model-based case and a case-based model. In Proceedings of the International Conference of the System Dynamics Society. 17--21."},{"key":"e_1_2_2_147_1","volume-title":"System dynamics. Encyclopedia of Operations Research and Management Science","author":"Richardson G. P.","unstructured":"G. P. Richardson . 2001. System dynamics. Encyclopedia of Operations Research and Management Science . Springer US , 807\u2013810. G. P. Richardson. 2001. System dynamics. Encyclopedia of Operations Research and Management Science. Springer US, 807\u2013810."},{"key":"e_1_2_2_148_1","doi-asserted-by":"publisher","DOI":"10.1111\/1468-2389.00189"},{"key":"e_1_2_2_149_1","volume-title":"Insider Attack and Cyber Security. Advances in Information Security","volume":"39","author":"Salem M. B.","unstructured":"M. B. Salem , S. Hershkop , and S. J. Stolfo . 2008. 
A survey of insider attack detection research . In Insider Attack and Cyber Security. Advances in Information Security , Vol. 39 . Springer, 69--90. M. B. Salem, S. Hershkop, and S. J. Stolfo. 2008. A survey of insider attack detection research. In Insider Attack and Cyber Security. Advances in Information Security, Vol. 39. Springer, 69--90."},{"key":"e_1_2_2_150_1","volume-title":"Technical Report CUCS-027-09. Computer Science Department","author":"Salem M. B.","year":"2009","unstructured":"M. B. Salem and S. J. Stolfo . 2009 . Masquerade Attack Detection Using a Search-Behavior Modeling Approach . Technical Report CUCS-027-09. Computer Science Department , Columbia University, New York , NY. M. B. Salem and S. J. Stolfo. 2009. Masquerade Attack Detection Using a Search-Behavior Modeling Approach. Technical Report CUCS-027-09. Computer Science Department, Columbia University, New York, NY."},{"key":"e_1_2_2_151_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23644-0_10"},{"key":"e_1_2_2_152_1","volume-title":"Proceedings of the International Conference on Communications","volume":"5","author":"Sankaranarayanan V.","unstructured":"V. Sankaranarayanan , S. Pramanik , and S. Upadhyaya . 2006. Detecting masquerading users in a document management system . In Proceedings of the International Conference on Communications , Vol. 5 . IEEE, Los Alamitos, CA, 2296--2301. V. Sankaranarayanan, S. Pramanik, and S. Upadhyaya. 2006. Detecting masquerading users in a document management system. In Proceedings of the International Conference on Communications, Vol. 5. 
IEEE, Los Alamitos, CA, 2296--2301."},{"key":"e_1_2_2_153_1","doi-asserted-by":"publisher","DOI":"10.1109\/WIIAT.2008.376"},{"key":"e_1_2_2_154_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897795.2897799"},{"key":"e_1_2_2_155_1","doi-asserted-by":"publisher","DOI":"10.1214\/ss\/998929476"},{"key":"e_1_2_2_156_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0167-4048(02)01009-X"},{"key":"e_1_2_2_157_1","volume-title":"Incident Response: A Strategic Guide to Handling System and Network Security Breaches. SAMS.","author":"Schultz E.","year":"2001","unstructured":"E. Schultz and R. Shumway . 2001 . Incident Response: A Strategic Guide to Handling System and Network Security Breaches. SAMS. E. Schultz and R. Shumway. 2001. Incident Response: A Strategic Guide to Handling System and Network Security Breaches. SAMS."},{"key":"e_1_2_2_158_1","doi-asserted-by":"publisher","DOI":"10.1145\/2487575.2488213"},{"key":"e_1_2_2_159_1","doi-asserted-by":"publisher","DOI":"10.1145\/3007204"},{"key":"e_1_2_2_160_1","doi-asserted-by":"crossref","unstructured":"A. Shabtai Y. Elovici and L. Rokach. 2012. A Survey of Data Leakage Detection and Prevention Solutions. Springer Science & Business Media.   A. Shabtai Y. Elovici and L. Rokach. 2012. A Survey of Data Leakage Detection and Prevention Solutions. Springer Science & Business Media.","DOI":"10.1007\/978-1-4614-2053-8"},{"key":"e_1_2_2_161_1","doi-asserted-by":"publisher","DOI":"10.1145\/2995959.2995968"},{"key":"e_1_2_2_162_1","first-page":"1","article-title":"The insider threat to information systems: The psychology of the dangerous insider","volume":"2","author":"Shaw E.","year":"1998","unstructured":"E. Shaw , K. Ruby , and J. Post . 1998 . The insider threat to information systems: The psychology of the dangerous insider . Security Awareness Bulletin 2 , 98 (1998), 1 -- 10 . E. Shaw, K. Ruby, and J. Post. 1998. The insider threat to information systems: The psychology of the dangerous insider. 
Security Awareness Bulletin 2, 98 (1998), 1--10.","journal-title":"Security Awareness Bulletin"},{"key":"e_1_2_2_163_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2006.01.006"},{"key":"e_1_2_2_164_1","doi-asserted-by":"crossref","unstructured":"E. D. Shaw and L. F. Fischer. 2005. Ten Tales of Betrayal: The Threat to Corporate Infrastructure by Information Technology Insiders Analysis and Observations. Technical Report. DTIC Document.  E. D. Shaw and L. F. Fischer. 2005. Ten Tales of Betrayal: The Threat to Corporate Infrastructure by Information Technology Insiders Analysis and Observations. Technical Report. DTIC Document.","DOI":"10.21236\/ADA441293"},{"key":"e_1_2_2_165_1","volume-title":"Proceedings of the International Conference on Communication Systems and Networks. IEEE","author":"Sibai F. M.","unstructured":"F. M. Sibai and D. A. Menasc\u00e9 . 2011. Defeating the insider threat via autonomic network capabilities . In Proceedings of the International Conference on Communication Systems and Networks. IEEE , Los Alamitos, CA, 1--10. F. M. Sibai and D. A. Menasc\u00e9. 2011. Defeating the insider threat via autonomic network capabilities. In Proceedings of the International Conference on Communication Systems and Networks. IEEE, Los Alamitos, CA, 1--10."},{"key":"e_1_2_2_166_1","volume-title":"Insider Attack and Cyber Security. Advances in Information Security","volume":"39","author":"Sinclair S.","unstructured":"S. Sinclair and S. W. Smith . 2008. Preventative directions for insider threat mitigation via access control . In Insider Attack and Cyber Security. Advances in Information Security , Vol. 39 . Springer, 165--194. S. Sinclair and S. W. Smith. 2008. Preventative directions for insider threat mitigation via access control. In Insider Attack and Cyber Security. Advances in Information Security, Vol. 39. 
Springer, 165--194."},{"key":"e_1_2_2_167_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2012.19"},{"key":"e_1_2_2_168_1","doi-asserted-by":"publisher","DOI":"10.2307\/249551"},{"key":"e_1_2_2_169_1","first-page":"529","article-title":"Cyber insider threats situation awareness using game theory and information fusion-based user behavior predicting algorithm","volume":"8","author":"Tang K.","year":"2011","unstructured":"K. Tang , M. Zhao , and M. Zhou . 2011 . Cyber insider threats situation awareness using game theory and information fusion-based user behavior predicting algorithm . Journal of Information and Computational Science 8 , 3 (2011), 529 -- 545 . K. Tang, M. Zhao, and M. Zhou. 2011. Cyber insider threats situation awareness using game theory and information fusion-based user behavior predicting algorithm. Journal of Information and Computational Science 8, 3 (2011), 529--545.","journal-title":"Journal of Information and Computational Science"},{"key":"e_1_2_2_170_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2005.05.002"},{"key":"e_1_2_2_171_1","volume-title":"Proceedings of the Security and Privacy Workshops. IEEE","author":"Toffalini F.","unstructured":"F. Toffalini , I. Homoliak , A. Harilal , A. Binder , and M. Ochoa . 2018. Detection of masqueraders based on graph partitioning of file system access events . In Proceedings of the Security and Privacy Workshops. IEEE , Los Alamitos, CA, 217--227. F. Toffalini, I. Homoliak, A. Harilal, A. Binder, and M. Ochoa. 2018. Detection of masqueraders based on graph partitioning of file system access events. In Proceedings of the Security and Privacy Workshops. IEEE, Los Alamitos, CA, 217--227."},{"key":"e_1_2_2_172_1","volume-title":"SEI Cyber Minute: Insider Threats. Retrieved","author":"Trzeciak R. F.","year":"2019","unstructured":"R. F. Trzeciak . 2017. SEI Cyber Minute: Insider Threats. 
Retrieved February 7, 2019 from http:\/\/resources.sei.cmu.edu\/library\/asset-view.cfm?assetid=496626. R. F. Trzeciak. 2017. SEI Cyber Minute: Insider Threats. Retrieved February 7, 2019 from http:\/\/resources.sei.cmu.edu\/library\/asset-view.cfm?assetid=496626."},{"key":"e_1_2_2_173_1","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2012.499"},{"key":"e_1_2_2_174_1","doi-asserted-by":"publisher","DOI":"10.1057\/sj.2012.1"},{"key":"e_1_2_2_175_1","doi-asserted-by":"publisher","DOI":"10.1145\/1562164.1562198"},{"key":"e_1_2_2_176_1","volume-title":"Proceedings of the International Workshop on Information Systems Security Research. 127--144","author":"Willison R.","unstructured":"R. Willison and M. Warkentin . 2009. Motivations for employee computer crime: Understanding and addressing workplace disgruntlement through the application of organisational justice . In Proceedings of the International Workshop on Information Systems Security Research. 127--144 . R. Willison and M. Warkentin. 2009. Motivations for employee computer crime: Understanding and addressing workplace disgruntlement through the application of organisational justice. In Proceedings of the International Workshop on Information Systems Security Research. 127--144."},{"key":"e_1_2_2_177_1","doi-asserted-by":"publisher","DOI":"10.25300\/MISQ\/2013\/37.1.01"},{"key":"e_1_2_2_178_1","doi-asserted-by":"publisher","DOI":"10.1057\/ejis.2011.51"},{"key":"e_1_2_2_179_1","volume-title":"Research on Mitigating the Insider Threat to Information Systems 2","author":"Wood B.","year":"2000","unstructured":"B. Wood . 2000. An insider threat model for adversary simulation. SRI International , Research on Mitigating the Insider Threat to Information Systems 2 ( 2000 ), 1--3. B. Wood. 2000. An insider threat model for adversary simulation. 
SRI International, Research on Mitigating the Insider Threat to Information Systems 2 (2000), 1--3."},{"key":"e_1_2_2_180_1","doi-asserted-by":"publisher","DOI":"10.1109\/IPTC.2011.17"},{"key":"e_1_2_2_181_1","doi-asserted-by":"publisher","DOI":"10.1109\/SKG.2011.31"},{"key":"e_1_2_2_182_1","volume-title":"Proceedings of the International Conference on Distributed Computing and Internet Technology. 267--277","author":"Yaseen Q.","unstructured":"Q. Yaseen and B. Panda . 2011. Enhanced insider threat detection model that increases data availability . In Proceedings of the International Conference on Distributed Computing and Internet Technology. 267--277 . Q. Yaseen and B. Panda. 2011. Enhanced insider threat detection model that increases data availability. In Proceedings of the International Conference on Distributed Computing and Internet Technology. 267--277."},{"key":"e_1_2_2_183_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSMCB.2009.2033564"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3303771","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3303771","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:53:39Z","timestamp":1750204419000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3303771"}},"subtitle":["A Survey of Insider Threat Taxonomies, Analysis, Modeling, and 
Countermeasures"],"short-title":[],"issued":{"date-parts":[[2019,4,2]]},"references-count":180,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2020,3,31]]}},"alternative-id":["10.1145\/3303771"],"URL":"https:\/\/doi.org\/10.1145\/3303771","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,4,2]]},"assertion":[{"value":"2018-01-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-01-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-04-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}