MERIT Interactive: Insider Threat Cyber Training

10 09 2012

On hearing that it’s time for another information security training session, the common response from employees in many organizations is less than enthusiastic.  Perhaps there is a rolling of the eyes, a comment about what a waste of time the stupid videos are, and then a defeated shrug of the shoulders in recognition of the fact that the session is not optional.  From the get-go, this training session has little chance of success in delivering any sort of learning outcome.  But what if the reaction was positive?  What if the training session was viewed as an interesting activity that was provided by the organization and gladly attended to while on the clock?  By making the training session into something that is perceived as being enjoyable and worthwhile, organizations have a much better chance of getting employees engaged in the sessions in a way where those employees will best absorb the learning objectives.  This sort of alignment of interests between the trainer and trainee is the aim of the MERIT Interactive training system that is currently being developed by the folks at CERT.

Cappelli, Moore, and Trzeciak explain that MERIT (Management and Education of the Risks of Insider Threat) is a model which “describes the profile of an insider IT sabotage attack by identifying common patterns in the evolution of the incidents over time” (p. 27)[1].  CERT has been collecting information on cases of insider threat for roughly a decade, and the number of cases in their database is currently over 700 (p. 7)[2].  The MERIT Interactive project fuses the core principles of MERIT with an attempt to create a training system that is based on playing a video game.  Greitzer explains that this gaming platform “immerses players in a realistic business setting from which they make decisions about how to prevent, detect, and respond to insider actions, and see how their decisions impact key decision metrics”[3].  Greitzer goes on to state that “team orientation is critical because organizations typically identify these problems at an organizational enterprise level rather than at an individual manager or department level”[4].

It follows that another important feature of MERIT Interactive is that participants take part in a variety of roles in any given scenario in the session.  This helps to create a better sense of the bigger information security picture, and of the larger structure of an organization and its variety of roles and functions.  Cappelli, Moore, and Trzeciak explain that for this very reason, they “created system dynamics models representing the patterns, trends, and evolution of insider incidents, to provide a fuller understanding of indicators, precursors, and effective proactive and reactive countermeasures in the face of a possible attack” (p. 334)[5].  The MERIT Interactive prototype was built on this foundation of system dynamics modeling, and while it is focused on insider IT sabotage, there is also the option of expanding and adapting it to include additional topics.  In fact, this flexibility has been intentionally built into the system from the beginning.  Cappelli, Moore, and Trzeciak explain that “while the focus so far has been on insider IT sabotage, the design is, to some extent, data-driven allowing the implementation of additional scenarios without necessitating changes to the code” (p. 343)[6].  This being the case, MERIT Interactive appears to have a great deal of potential as an effective training tool that may be adapted to a variety of implementations.

If MERIT Interactive wasn’t enough, the folks at CERT have also created a scenario-based training environment called XNET, where “interactive, team-based exercises re-create complex actual insider threat scenarios and challenge participants to prepare for and respond to insider threat incidents” (p. 304)[7].  While an explanation of XNET is beyond the scope of this post, suffice it to say that there’s quite a bit of research and development in cyber training going on at CERT.  The MERIT Interactive training system appears to be a sensible solution that is long overdue.  The video game design gives it a greater likelihood of actively engaging users in training sessions, and the background in real insider threat case data and system dynamics modeling makes it a serious tool for trainers to effectively convey real-world learning objectives.  It will be interesting to see what MERIT Interactive will look like once it emerges as a finished product, and what other aspects of cyber training it will ultimately implement.

[1] D.M. Cappelli, A.P. Moore, and R. F. Trzeciak, The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Addison Wesley, Upper Saddle River, NJ (2012).

[2] Ibid.

[3] F.L. Greitzer, et al., “Combating the Insider Cyber Threat,” Security & Privacy, IEEE, vol. 6, no. 1, Jan-Feb 2008, (p. 61-64).

[4] Ibid.

[5] D.M. Cappelli, A.P. Moore, and R. F. Trzeciak, The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Addison Wesley, Upper Saddle River, NJ (2012).

[6] Ibid.

[7] Ibid.



