Dr Deanna Caputo
Chief Scientist for Insider Threat Capabilities, MITRE
Evaluating skills-based training for employee risk recognition and reporting of malicious elicitations via email and text message.
Dr. Deanna D. Caputo is the Chief Scientist for Insider Threat Capabilities and a Senior Principal Behavioral Psychologist at The MITRE Corporation, applying her deep expertise in the behavioral sciences to insider threat efforts across a broad work program. Deanna is an internationally recognized expert in insider threat, and at the intersection of cybersecurity and behavioral sciences. She has 25 years of experience designing, conducting, and analyzing research with human participants using experimental, quantitative, and qualitative analyses. During her 15-year career at MITRE, she has built and led MITRE’s Human Behavior and Cybersecurity capability area and dedicated team, focusing on operational research and consultation on human behavior and cybersecurity, particularly usable security and technology adoption, cyber risk perceptions and awareness, and cybersecurity teams and exercise assessment.
Simultaneously, Dr. Caputo built and currently leads MITRE’s Insider Threat Capability and multi-disciplinary team. She created and pioneered the development of data-driven, cyber-physical, and psycho-social Insider Threat solutions as repeatable offerings for all government sponsors and critical infrastructure industry partners. These include 18 IP disclosures and the creation of an air-gapped, secure MITRE Insider Threat Lab. Dr. Caputo created MITRE’s Insider Threat Behavioral Risk Framework after years of working within insider threat programs and conducting applied research. She uses rigorous behavioral science methodologies and analytics to deter, detect, and mitigate insider risks and threats by collecting data from real employees. This real-life data is used to identify and analyze how human behavior manifests in cyber and non-cyber sensors and develop evidence-based solutions to identify and change employee attitudes, intentions, and/or behaviors. Dr. Caputo was the only researcher trusted to curate and analyze for four years all of the Project Slammer data from 45 convicted spies to develop the first psycho-social insider risk indicators.
There are numerous security domains and risk behaviors that could benefit from improving risk recognition and reporting through effective security training. This report describes a study conducted by MITRE behavioral scientists to empirically measure the extent to which the skills-based training model improves real employee performance in risk recognition and reporting behaviors for a specific security domain above the current awareness-based training model.
A total of 72 employees of The MITRE Corporation were recruited as participants for the 28-week study focused on improving risk recognition and reporting of malicious elicitation. Employees in the control and experimental groups were asked to review the same awareness-based security training materials. The 36 participants in the experimental group also completed skills-based security training. Unbeknown to all participants, the testing phase of the study continued for 26-weeks to allow researchers to evaluate differences in risk recognition (i.e., what to report) and reporting (i.e., how to report) over time. A key finding from the study indicated that random assignment to the skills-based training group (vs. awareness-based training group) significantly increased reporting of malicious elicitation messages in subsequent testing. Skills-based training model appears to improve information retention, risk recognition, and skill application compared to awareness-based model. Findings indicated that the skills-based training model is effective across employees.