Professor Phil Legg Phil.Legg@uwe.ac.uk
Professor in Cyber Security
Visual analytics of e-mail sociolinguistics for user behavioural analysis
Legg, Philip; Buckley, Oliver; Goldsmith, Michael; Creese, Sadie
Authors
Oliver Buckley
Michael Goldsmith
Sadie Creese
Abstract
The cyber-security threat that most organisations face is not one that only resides outside their perimeter attempting to get in, but emanates from the inside too. Insider threats encompass anyone or thing which exploits authorised access to company information and resources to steal, corrupt or disrupt assets. Threat actors could include not only employees, but also contractors, trusted partners and in some cases clients. The nature of their access is usually persistent, as it is valid and required to conduct their roles, and as such abuse of their privileges can pose a serious and real threat to the successful operation of the business. Whilst measures have been proposed for detecting previous attacks or those currently in progress, what would be much more desirable is to detect employees who are possibly becoming vulnerable to coercion or persuasion into conducting an attack of some form – enabling supportive or preventative action by the organisation to avoid escalation of an attack. Research into psychology and behaviour is indicating that it may be possible to detect such human vulnerability through analysis of language used – linguistics. In this paper we present a visual analytics tool for the assessment of sociolinguistic behaviours exhibited via e-mail communications, aimed at helping to identify people who are potentially at risk. We discuss the visual design choices made to provide both detail and overview for the analyst for studying communications within a large group of users, and demonstrate this using a large real-world dataset of over 600 employees. We also show how an analyst can use the tool to construct linguistic behavioural models to identify vulnerable employees. We expect this approach to support wider insider threat prevention and detection systems.
Journal Article Type | Article |
---|---|
Publication Date | Nov 1, 2014 |
Deposit Date | Jun 23, 2015 |
Journal | Journal of Internet Services and Information Security |
Print ISSN | 2182-2069 |
Peer Reviewed | Peer Reviewed |
Volume | 4 |
Issue | 4 |
Pages | 1-13 |
Keywords | visual analytics, e-mail, sociolinguistics |
Public URL | https://uwe-repository.worktribe.com/output/808376 |
Publisher URL | http://isyou.info/jisis/vol4/no4/1.htm |
Contract Date | Feb 9, 2016 |