Please paraphrase the below
Detection and Mitigation
Forensics appears to be highly undeveloped when addressing insider threats. Insider behaviour may be close to the expected behaviour, and the still often used audit trail is generally inadequate (redundant, misleading, missing data), and often lacks time correlation. The number of appropriate characteristics to observe may be large, resulting in overwhelming amounts of data. While we have decent tools as the result of a large body of work on intrusion detection, it is unclear how these tools help with insider threats. Current forensics tools often require assumptions such as "only one person had access" or "the owner of the machine is in complete control". Therefore, forensics remains an art, and as an art questions such as what to log or determining the relevance of log data elude clear answers. Detection, forensics, and response must also wrestle with how to distinguish mo- tive and intent. Malicious acts may be equivalent to acts due to accidents or na ¨ivete ´. Insiders may legitimately use domains in unexpected ways that might trigger false alarms. Outsiders, insiders acting with malicious intent, insiders acting without ma- licious intent, and accidental behaviour may all result in similar effects on the or- ganization. Hence there are always going to be gray areas in how security policies define both insider misuse and proper behaviour. Furthermore, actions are context bound, but most security polices only inadequately capture the nuances of context. Monitoring. While monitoring can help with technical aspects, it does potentially worsen behavioural aspects. The deciding factor is how much monitoring is accept- able (both ethically and legally), and whether it is at all beneficial. The noteworthy
point here is that this question arises at all levels in an organization, from individual actors, to groups, to companies, to the society as a whole. The problem is that not only may the same actor have different opinions depending on at which level he is asked, but also that different answers for different individuals may exist at the same level.
An interesting observation is that in certain settings with significantly enhanced monitoring, the number of identified incidents has stayed almost constant. At the same time, and even more worrying, cases such as Kerviel and the Liechtenstein case [8, 15] had in common that the attacker intimately knew the monitoring system and knew how to play it. It is often hypothesized that malicious insiders seek to avoid setting off monitoring alarms by slowly adjusting their profiles, but it seems unclear how easy current behavioural systems can be tricked.
In summary, trust in insiders is a behavioural expectation that still needs to be controlled. While the easy solution to reducing the number of insider cases would be to remove all restrictions (making the illegal actions legal by changing the semantics of the term "legal"), we aim for making the monitoring as efficient as possible, where in different situations the term "efficient" may have different interpretations. An important aspect that can not be underestimated are legal restrictions and privacy aspects of data collection, which may be even harder to follow in multi-national settings.
The goal of monitoring (or observing in general) should be to only monitor what is needed to identify the threat in question. Since currently trust can often be trans- ferred, for example by handing over a code card, it is important to isolate transferred trust as much as possible, not least to allow the result of monitoring to be used to bind actions to actors.