Determinación de niveles intracelulares de NAD + y NADH

As it has been discussed in the data analysis, the components of the model have been well accepted receiving a rating above 70% by the participants. However, there is constructive feedback that has been forwarded by the participants, which will be used to further refine the model in the second iterations.

One of the parts of the motive component which has been severely criticized relates to the keyboard stroke analyser. Participants argue that the keyboard stroke analyser may result in false positives, as typing patterns may change due to factors like the passion of employees in different workplaces, the proficiency of the insiders in the language they use, the familiarity of the employees with the working environment and exceptional cases with professionals like coders.

As a solution to the problem related to false positives, some of the participants recommended a learning feature, which can be added to the component so that different scenarios will be considered, and the normal typing pattern will be learned. Similar criticisms related to false positives have raised issues with the resource usage analyser. Considering the suggestions by the experts, a learning feature has been proposed to be included in the model, namely a pattern recognition model, using the Bayesian Network and the Hidden Markov model (HMM) to learn the normal behaviour of insiders in their typing pattern and resource usage. It is also able to detect any change in their stress levels and their resource usage behaviour so as to predict any risk factors for insider abuse. The learning feature added to the model is very useful to learn the new behaviour of insiders. The research also suggests organizations to use continuous auditing to collect audit information in real-time using computerized tools so that they will detect any new fraudulent activities that deviate from normal behaviour in the model without delay. Continuous auditing has been studied by various researchers for its applicability to insider threat and found effective (Thomas & Marathe, 2012; Montelibano & Moore, 2012).

With regard to the opportunity component, it was suggested that the insiders’ level of expertise should also be considered as one opportunity factor. However, the model considers assessing users’ expertise as part of the capability component in user profiling since it is more related to the capability than the opportunity component of the model. It has also been suggested by some of the participants to learn the behaviours of a user in terms of his/her capability, such as the motive component. This suggestion has also been included in the model.

There is also a suggestion that social media interactions of employees should be monitored to check whether they will use an opportunity to commit a crime however this will be in conflict with one of the objectives of the study, namely to preserve the privacy of insiders. The researcher accepts the recommendation of some of the participants that there should be an annual audit of administrators to assess opportunity but such actions should be done with respect to balancing their privacy.

Some of the participants raised a legal issue with regard to implementing honeytokens to monitor employees, as it is illegal in some countries. The researcher has suggested that organizations confirm the legality of all the components in this model before implementing it in their organizations. Honeytokens have also been criticized for breaching the privacy of employees and the researcher has suggested to organizations that they inform their employees that the organization will monitor their resource usage activities without including the contents of their communication to preserve their privacy. Some respondents were concerned that honeytokens may turn honest users into perceived criminals, as insiders may interact with honeytokens without the intention of committing a crime. For this reason, the model considers other factors like motive and capability before labelling employees as at-risk insiders to reduce the chance of false positives. Nevertheless, the model is not punitive; it rather creates awareness about the

organizations’ information security policies.

Some of the participants have criticized the error and warning messages analyser of the capability component. They feel that it does not consider factors like the familiarity of the employee with specific versions of an application, frequency of errors in a short period of

time and a systems fault error. The researcher has accepted these suggestions and has modified the component to include a frequency of errors variable and to exclude system’s fault errors. The component should work on an application with which a user is familiar so as to avoid any false positives due to a change in different versions of the same application. This may cause a user to make many errors due to unfamiliarity with the specific application.

Some of the participants have suggested that it is important to consider the training and the certification programs employees attend as well as books and manuals they have read. However, the researcher believes that the skills factor should be assessed continuously, as employees’ skills change over time. The insiders’ profiles can be updated to include their qualifications; however, the user sophistication component of the model to assess the employees’ skills is done at run-time by assessing their current applications and other computer resources usage.

The importance of the capability component has been criticized as less important by one of the participants. He has justified his view by saying that committing a crime is easy and therefore does not require sophisticated IT skills. While the assertion may be true in some environments which do not have tight security systems, it still requires a certain amount of capability to abuse an information system equipped with a strong security system. Perhaps in some environments, the capability component could be disabled. Some of the participants also recommended information security awareness to be added to the model. The remove-excuse techniques of the situational crime prevention theory is included within the neutralization mitigation component however it also creates an awareness of information security policies as part of removing excuses for any breach of the organizational policy as demonstrated in the prototype.

One participant suggested an expansion of the model from individual insider threats to collusion threats. Collusion threats refer to threats which occur when two or more individuals (insiders and/or outsiders) collaborate to commit a crime (Sogbesan, Ibidapo, Zavarsky, Ruhl & Lindskog, 2012). The researcher believes that the idea of including collusion threats is relevant however the Fraud Diamond theory on which forms the

cornerstone of this model is proposed based on the assumption that fraud is committed by individuals. The researcher recommends that future research investigate the application of the Fraud Diamond for collision detection which is a major research endeavour in itself. The lack of a mechanism to counter collusion is a limitation of the model.