Visual Analytics of E-mail Sociolinguistics for User Behavioural Analysis

Philip Legg, Oliver Buckley, Michael Goldsmith, Sadie Creese

Research output: Contribution to journalArticlepeer-review


The cyber-security threat that most organisations face is not one that only resides outside their perimeter attempting to get in, but emanates from the inside too. Insider threats encompass anyone or thing which exploits authorised access to company information and resources to steal, corrupt or disrupt assets. Threat actors could include not only employees, but also contractors, trusted partners and in some cases clients. The nature of their access is usually persistent, as it is valid and required to conduct their roles, and as such, abuse of their privileges can pose a serious and real threat to the successful operation of the business. Whilst measures have been proposed for detecting previous
attacks or those currently in progress, what would be much more desirable is to detect employees who are possibly becoming vulnerable to coercion or persuasion into conducting an attack of some form – enabling supportive or preventative action by the organisation to avoid escalation of an attack.
Research into psychology and behaviour is indicating that it may be possible to detect such human vulnerability through analysis of language used – linguistics. In this paper we present a visual analytics tool for the assessment of sociolinguistic behaviours exhibited via e-mail communications, aimed
at helping to identify people who are potentially at risk. We discuss the visual designs choices made to provide both detail and overview for the analyst for studying communications within a large group of users, and demonstrate this for a large real-world dataset of over 600 employees. We show how an
analyst can use the tool to construct linguistic behavioural models to identify vulnerable employees. We propose that this approach could support wider insider threat prevention and detection systems.
Original languageEnglish
JournalJournal of Internet Services and Information Security
Issue number4
Publication statusPublished - Nov 2014


  • E-mail analysis
  • Behavioural analysis
  • Security visualisation

Cite this