Behavioral anomaly detection: A socio-technical study of trustworthiness in virtual organizations

Shuyuan Mary Ho, Syracuse University


This study examines perceptions of human trustworthiness as a key component in countering insider threats. The term insider threat refers to situations where a critical member of an organization behaves against the interests of the organization, in an illegal and/or unethical manner. Identifying and detecting how an individual's behavior varies over time - and how anomalous behavior can be detected - are important elements in the preventive control of insider threat behaviors. The research focuses on understanding how anomalous behavior is detected by observers. While human observations are fallible, this study adopts the concept of human-observed changes in behavior as analogous to a group of "sensors" on a computer network. Using online team-based game-playing, this study seeks to re-create realistic insider threat situations in which human sensors have the opportunity to observe changes in the behavior of a focal individual. A full-scale experiment was designed and conducted for data collection and analysis. Transcripts of communications, and participants' emic and etic observations during the game-playing situation are analyzed extensively in order to understand how human sensors attribute meaning to an individual's potentially suspicious behavior. Results of this study show that observed changes in behavior can identify a downward shift in the trustworthiness of a critical member in a virtual organization. The intellectual merit of this socio-technical study lies in its capability to tackle complex insider threat problems by adopting a social psychological theory on predicting human trustworthiness in a virtual collaborative environment. The study contributes to a theoretical framework of trustworthiness attribution; and findings may contribute to research in geographic dispersed virtual teams, online communities, virtual organizations, and virtual worlds. The broader impact of this study may lead to the development of semi-automated socio-technical system: an intelligence-based sensor system that analyzes trustworthiness based on human virtual interactions and conversations, in an attempt to predict the potential for malfeasance.