Handwriting Analysis Based on Belief of Targeted Individual Supporting Insider Threat Detection ()
1. Introduction
“This article extends the research presented in the peer-reviewed article “A Survey of Unintentional Insider Threat Category,” available at (https://ijcsit.com/ijcsit-v14issue2.php) [1] , and further develops themes from “Emotion Analysis Based on Belief of Targeted Individual Supporting Insider Threat Detection,” accessible at (https://ijsra.net/content/emotion-analysis-based-belief-targeted-individual-supporting-insider-threat-detection) [2] .
The concept of Unintentional Insider Threat underscores that such threats might not always arise from malicious intent and can occur in various domains. This form of threat often involves individuals who, due to underlying medical or psychological issues, perceive themselves as being targeted, inadvertently heightening their risk of becoming insider threats.
Insights from these studies suggest that these perceptions are frequently associated with feelings of anger. Insider Threat programs must incorporate specialized expertise from medicine, psychology, and cybersecurity to mitigate these risks effectively.
This series’ concluding article proposes exploring handwriting analysis as a novel method for detecting potential insider threats, demonstrating the adaptive and interdisciplinary approach required in threat assessment across different sectors.
The background is individuals who believe they are being targeted and may become insider threats.
The focus is on individuals who may have medical problems over psychological problems or detecting actual real-world targeting occurring.
However, this study could consider either of those two cases.
To expand on the first author’s background and experience, it was initially thought to be hypervigilance-causing actions and reactions in their behavior.
For instance, the first author’s phone appeared to start scrolling to words on web pages that directly correlated with the first author’s knowledge and history. This became of significant concern when the correlations appeared to occur across networks that should not be touching and should not have the vectors for the information to flow.
The first author initially thought a R.A.T. (Remote Access Trojan) or similar malware was present.
To date, the correlations are approaching 100 in-context words and phrases. They have run through various people’s names known personally by the first author or that the first author knows of.
The correlations have covered events and locations. Many correlations focus on DoD/IC-related topics, leading the first author to believe a federal investigation or real-world targeting is occurring.
However, after further discussion and many medical tests and brain scans, it was determined to be a combination of two sleep disorders resulting in various known and documented symptoms. The life experience ultimately led the first author to perform this series of studies.
In the latest occurrence, a UTI was found to be present, and this was also found to be the case in each of the initial occurrences, which may play a part in the first author’s targeted belief.
In January 2024, the first author underwent additional psychological testing with Veterans Affairs and physical testing where the UTI was discovered and treated. The correlations decreased close to immediately after treatment of the UTI. The VA medical team stated that the first author has “illusions” where there is a natural stimulus/input, but it is misinterpreted. This is different from delusions or hallucinations; they stated that it is a real-world activity occurring with possibly a misinterpretation of what author one is seeing or hearing at the time.
To date, the correlations have continued. As of this writing, the most recent occurrence was an event on the first author’s front porch. He was speaking to his family about the events of Benghazi, and everyone was discussing how unhappy they were with how it was handled. The first author’s brother mentioned something about the Clintons, and then the conversation moved on to something else.
The next day, the first author was at a medical appointment at the VA in the waiting room with several other people watching the TV that kept going in and out and had various visual distortions. The first author heard the following in sequence correlation, “Monitor Slaughter Clinton”. It was not repeated.
Also of note were the caregivers’ cell phones in the VA sitting on their desks in phone holders beside their government-furnished laptops and being used to perform patient care. The first author experienced this firsthand as the primary care provider looked up medications on their cell phone.
Additionally, note that one computer stated it was still in a video conference and was the last remaining participant, meaning there was potentially still video in the room where the first author was sitting.
The last correlations were the word black and spoken word operators.
While the UTI appears to be a contributing factor, additional analysis should occur into the correlations or the first author’s perception of them.
1.1. Purpose of the Study
The study aims to expand the understanding of insider threat detection by introducing a new dimension where individuals with medical conditions are also considered potential insider threats. This approach contrasts with traditional methods that primarily focus on overt security risks, thus broadening the scope of threat analysis to include health-related vulnerabilities.
1.2. Theoretical Framework
This paper’s theoretical framework analyzes personality and behavior, a recognized approach for assessing individual reactions. The authors have utilized this model to construct profiles indicative of insider threats. Additionally, they have incorporated natural language processing techniques to scrutinize personal content, thereby identifying potential insider threats.
1.3. Nature of the Study
The study will employ the ALIAS machine learning system to analyze handwriting data from individuals who perceive themselves as potential targets and, thus, may pose insider threats.
1.4. Significance of the Study
This study advances research in the field of insider threat detection by concentrating on individuals with medical conditions who perceive themselves as targets, potentially posing as insider threats. While this research does not delve into psychological incidents or actual targeting occurrences, the methodologies applied here could be adapted and refined for further exploration.
Shown in Table 1 appears a sub-set of medical problems that may lead to unintentional insider threat scenarios. In many cases psychosis-like symptoms may occur that could lead the insider to believe events are occurring when they are not. Paranoia and anxiety may also occur increasing the distress of the employee.
2. Research Methodology
2.1. Population
The population for this study consists of two distinct groups. The control set will include samples of the first author’s handwriting collected during basic training, providing a baseline for normal handwriting patterns under non-stressful conditions. For the test set, handwriting samples will be gathered from various events
![]()
Table 1. Table of medical problems.
where different emotional or psychological states are likely to be exhibited. This approach allows for a comprehensive comparison between standard and potentially altered handwriting behavior, aiding in identifying deviations that could indicate insider threats.
2.2. Sample
The sample consists of the first author’s handwriting samples from several years and different parts of life. Specifically, handwriting was selected from a letter home from the U.S. Army Basic Training in 1999 and from handwriting in journals from 2020.
The Basic Training letter (non-diseased) was 1 page on standard notebook paper, A4 in size, and written using ink.
12 journal pages (diseased) were selected for the analysis. The pages were also written using an ink pen. The pages are standard A5 in size.
2.3. Materials/Instruments
The instrument will be ALIAS’s [3] machine learning library of capabilities that will be used to analyze and determine how the research questions will be answered. ALIAS [3] includes a list of machine learning capabilities to be leveraged during the research.
Custom Python code will also be written to clean and transform the dataset into individual letters to be analyzed based on density, height, width, slant, curvature, concavity, elliptical, and circular handwriting attributes selected for the study.
Each letter was individually analyzed using custom Python scripts and machine learning to extract the averages for each handwriting attribute noted in Figure 7.
2.4. Data Collection and Data Analysis
The following examples show data that was collected and analyzed for this research.
The non-diseased data set shown in Figure 1 contained 1732 letters extracted from the letter from U.S. Army Basic Training in 1999.
The diseased data set partially shown in Figure 2 contained 26323 letters extracted from various handwriting performed in 2020 during the initial feelings of being targeted incident.
In Figure 3, logging in to the ALIAS system is completed. From here, author one navigated to the main ALIAS functionality shown in Figure 4 [3] .
From the selections in Figure 4, the micro text selection was chosen due to the tweets being considered micro texts by the ALIAS system [3] .
In Figure 5, the upload tweets as JSON were selected due to the format of the tweets to be uploaded into ALIAS [3] .
In Figure 6, a check is performed to ensure the JSON keys match what ALIAS
![]()
Figure 1. Basic training letter from 1999.
expects for the data ingest. If the keys all match during this step, the filename length check can be performed, and then the upload can continue. However, if this doesn’t pass, the end user must update the JSON until it matches what ALIAS expects for the upload [3] .
In Figure 7, the final check is performed to determine if the filename length is short enough for the system. If the file name is too long, the file must be renamed until the size is correct for ALIAS to allow the upload to continue [3] .
In Figure 8, the user selects the JSON file that was previously validated to be uploaded into the system. Each darker yellow “Click” button is used to upload and process the incoming data. Once the final step is complete on this page, ALIAS navigates the user to the main ALIAS functionality shown in Figure 7 [3] .
Shown in Table 2 are the results of the handwriting analysis.
The research questions asked the following questions:
RQ1: What are the individuals’ handwriting characteristics when they feel targeted? The conclusion is described in the Diseased column of Table 2, which also defines the measurements used for the analysis.
![]()
Table 2. Handwriting analysis results.
RQ2: What are the individuals’ handwriting characteristics when they do not feel targeted? The non-diseased column of Table 2 describes this.
RQ3: Are there any significant differences between the results from RQ1 and RQ2? Differences are noted in the handwriting between the Diseased and Non-Diseased columns of Table 2. Slant offers the most significant deviation in the handwriting analysis performed.
3. Assumptions
The assumption is that all three RQs will be answered given the data samples available.
4. Limitations
The study faces potential limitations primarily related to the effectiveness of the coding and the machine-learning algorithms used for analyzing handwriting samples. The accuracy of the results is contingent upon the sophistication and calibration of these technological tools. Another significant constraint could be the disparity in the sample sizes between handwriting collected in 1999 and those from 2020. This temporal variation might introduce biases or affect the generalizability of the findings, as handwriting styles and the conditions under which they were collected may have evolved. These factors combined could influence the robustness and applicability of the study’s outcomes in real-world settings.
5. Ethical Assurances
The data collection process for this study was meticulously designed to avoid gathering any personally identifying information about the participants, ensuring that privacy and confidentiality were maintained throughout. As such, this article does not contain or generate any publicly identifiable information (PII) about the respondents, except the names listed in the acknowledgments section. This approach reinforces the commitment to ethical research practices by safeguarding participant anonymity and minimizing the risk of privacy breaches.
6. Conclusions
This article delves into the complex relationship between individuals who perceive themselves as targeted and their subsequent potential to become unintentional insider threats. It builds upon a foundation of previous research that has identified both medical and psychological issues as contributing factors that may lead individuals to feel targeted. Such perceptions can significantly alter behavior in ways that are pertinent to the detection of insider threats.
The study underscores the critical need for insider threat programs to integrate medical and psychological expertise. By incorporating insights from these fields, the article highlights how certain conditions, such as urinary tract infections (UTIs) and sleep disorders, may skew an individual’s perceptions, making them feel threatened.
Furthermore, the research aims to broaden the scope of current insider threat detection methods by including medical conditions as a critical variable. It proposes using handwriting analysis as a novel diagnostic tool to identify subtle behavioral shifts that might indicate an insider threat. This innovative approach seeks to enhance detection capabilities and foster a more holistic understanding of the factors influencing insider threats, thus contributing to more effective and nuanced security measures.
The study underscores the potential of integrating medical diagnostics into security protocols, providing a novel approach to understanding and mitigating insider threats.
Overall, the study advocates for a broader, interdisciplinary approach to insider threat detection, integrating medical, psychological, and cybersecurity measures to understand better and mitigate risks posed by individuals who feel unjustly targeted.
Declaration
The author’s affiliation with The MITRE Corporation is provided for identification purposes only and is not intended to convey or imply MITRE’s concurrence with or support for the positions, opinions, or viewpoints expressed by the author.