MIIRA-framework


This chart depicts the MIIRA framework for a government agency. MIIRA stands for Malicious Insider Iterative Risk Assessment.

The Alternate Construct

MIIRA

Description: MIIRA uses well-established forensic techniques to travel back in time through the host computer's operating system (stored and volatile memory) and collect time-stamped data elements, which are aggregated into a timeline. The timeline is augmented with network logs, other available time-stamped digital data, and secondary/tertiary observables. No host or network agent is necessary. Using current best practices in forensic techniques, the following determinations can be made:

What: the behavior, or projected behavior based on an observed trend, that is of concern because it raises (or is projected to raise) the malicious insider risk beyond the accepted residual risk level.

Who: users who exceed the mean for peers performing similar tasks, users associated with outliers or a series of suspicious actions, and users associated with an event, whether time-based, network-based, or file/document-based.

When: all activity clustered around a particular time or span of time.

Where: disposition/exfiltration points, transition/pivot points, and network/host/file locations involved in suspicious events.

How: enumeration of the steps taken in the suspicious event, or around the target time, for the purpose of developing triggers or scans.

Why: the reason for the appearance of an outlier or an anomaly may be constructed from analysis of an expanded timeline with other analog observables added for context.
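The following is an added example (written for this page, not MIIRA's own tooling or any agency code) showing the aggregation step and three of the determinations above in working form: host time-stamps and network log lines are merged into one ordered timeline, "Who" is derived by comparing each user's activity count against the mean of their peers, "When/How" by pulling every event clustered around a time of interest, and "Where" by listing disposition points (removable-media writes and large outbound transfers). The host events, the users, the log line format and the thresholds are all constructed for the example.

```python
"""Added example (not from the MIIRA page): aggregate host and network
time-stamps into one timeline and derive Who / When / Where from it."""
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

Event = namedtuple("Event", "ts user source action obj nbytes")


def parse_ts(s):
    """Parse an ISO-8601 UTC time-stamp such as 2024-03-04T22:12:40Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# --- constructed sample data (not real forensic output) ---------------------
def constructed_host_events():
    """Simulated file-system time-stamps recovered from a host image."""
    base = parse_ts("2024-03-04T09:00:00Z")
    per_user = {"alice": 12, "carol": 10, "dave": 11, "bob": 60}  # file opens per user
    events = []
    for user, n in per_user.items():
        for i in range(n):
            events.append(Event(base + timedelta(minutes=5 * i), user, "host",
                                "file_open", f"/share/proj/doc{i}.docx", 0))
    # one late-night write to removable media, recovered from the same image
    events.append(Event(parse_ts("2024-03-04T22:10:00Z"), "bob", "host",
                        "usb_write", "E:\\archive.zip", 0))
    return events


# Hypothetical proxy/firewall log format; the addresses are documentation ranges.
CONSTRUCTED_NET_LOG = """\
2024-03-04T10:03:11Z src=10.0.0.9 user=alice dst=198.51.100.2 proto=https bytes=120000
2024-03-04T22:12:40Z src=10.0.0.5 user=bob dst=203.0.113.7 proto=https bytes=48000000
2024-03-04T22:15:03Z src=10.0.0.5 user=bob dst=203.0.113.7 proto=https bytes=52000000
"""

NET_RE = re.compile(r"^(\S+) src=\S+ user=(\S+) dst=(\S+) proto=\S+ bytes=(\d+)$")


def parse_net_log(text):
    """Turn log lines in the hypothetical format above into Events; skip unknown lines."""
    events = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue  # a line we cannot parse must not silently corrupt the timeline
        events.append(Event(parse_ts(m.group(1)), m.group(2), "network",
                            "outbound", m.group(3), int(m.group(4))))
    return events


def build_timeline(host_events, net_log_text):
    """Merge every time-stamped element into one chronologically ordered timeline."""
    return sorted(host_events + parse_net_log(net_log_text), key=lambda e: e.ts)


def peer_outliers(timeline, action="file_open", k=2.0):
    """Who: users whose count of `action` exceeds their peers' mean by k std devs."""
    counts = {}
    for e in timeline:
        if e.action == action:
            counts[e.user] = counts.get(e.user, 0) + 1
    flagged = []
    for user, n in counts.items():
        peers = [c for u, c in counts.items() if u != user]  # baseline excludes the subject
        if len(peers) < 2:
            continue  # too few peers to form a baseline
        if n > mean(peers) + k * pstdev(peers):
            flagged.append(user)
    return sorted(flagged)


def events_around(timeline, center, window=timedelta(minutes=15)):
    """When/How: every event clustered within +/- window of a time of interest."""
    return [e for e in timeline if abs(e.ts - center) <= window]


def disposition_points(timeline, min_bytes=10_000_000):
    """Where: removable-media writes and large outbound transfers, per user."""
    points = set()
    for e in timeline:
        if e.action == "usb_write" or (e.action == "outbound" and e.nbytes >= min_bytes):
            points.add((e.user, e.obj))
    return sorted(points)


if __name__ == "__main__":
    tl = build_timeline(constructed_host_events(), CONSTRUCTED_NET_LOG)
    print("who:", peer_outliers(tl))
    for e in events_around(tl, parse_ts("2024-03-04T22:12:40Z")):
        print("when/how:", e.ts.isoformat(), e.user, e.action, e.obj)
    print("where:", disposition_points(tl))
```

The peer baseline deliberately excludes the user being scored, otherwise a single heavy user drags the mean toward themselves and hides in it; with a real peer group of more than a few users a median/MAD threshold is more robust than mean plus standard deviations. The ordered output of `events_around` is the "How" enumeration the page describes: the sequence of steps that can then be turned into a trigger or scan.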