Percolation Model of Insider Threats to Assess the Optimum Number of Rules
Rules, regulations, and policies are the basis of civilized society and are used to coordinate the activities of individuals who have a variety of goals and purposes. History has taught that over-regulation (too many rules) makes it difficult to compete and under-regulation (too few rules) can lead to crisis. This implies an optimal number of rules that avoids these two extremes. Rules create boundaries that define the latitude an individual has to perform their activities. This paper creates a Toy Model of a work environment and examines it with respect to the latitude provided to a normal individual and the latitude provided to an insider threat. Simulations with the Toy Model illustrate four regimes with respect to an insider threat: under-regulated, possibly optimal, tipping-point, and over-regulated. These regimes depend upon the number of rules (N) and the minimum latitude (Lmin) required by a normal individual to carry out their activities. The Toy Model is then mapped onto the standard 1D Percolation Model from theoretical physics and the same behavior is observed. This allows the Toy Model to be generalized to a wide array of more complex models that have been well studied by the theoretical physics community and also show the same behavior. Finally, by estimating N and Lmin it should be possible to determine the regime of any particular environment.
💡 Research Summary
The paper tackles a fundamental managerial dilemma: how many rules should an organization maintain to balance operational efficiency with security against insider threats? The authors begin by observing that both over‑regulation (too many rules) and under‑regulation (too few rules) have historically led to failure—over‑regulation stifles competition and productivity, while under‑regulation creates opportunities for crises and malicious behavior. From this premise they introduce a “Toy Model” of a work environment that abstracts the essential geometry of rule placement and individual latitude.
In the Toy Model the work space is represented as a one‑dimensional line of total length $L_{\text{total}}$. A set of $N$ rules is placed uniformly along this line, each rule acting as a boundary that partitions the line into intervals. The distance between two adjacent boundaries is defined as the “latitude” available to an individual for performing tasks. A normal employee requires a minimum latitude $L_{\min}$ to complete routine work; if the interval is smaller than $L_{\min}$, the employee’s activity is blocked. An insider threat, by contrast, seeks intervals that are large enough to hide malicious actions while remaining indistinguishable from normal activity.
The key insight is that this simple construction maps directly onto the classic one‑dimensional percolation model from statistical physics. In percolation theory, sites (or bonds) are occupied with probability $p$; as $p$ increases, clusters of occupied sites grow, and at a critical probability $p_c$ an infinite cluster appears, marking a phase transition. In the authors’ mapping, the occupation probability corresponds to the density of rules, $p = N a / L_{\text{total}}$, where $a$ is the average “size” of a rule. By running Monte‑Carlo simulations across a wide range of $N$ and $L_{\min}$ values, the authors observe four distinct regimes for insider threat dynamics:
- Under‑regulated regime – $N$ is so low that most intervals exceed $L_{\min}$. Normal employees operate unhindered, but the large free space also gives insider threats ample room to act unnoticed.
- Possibly optimal regime – $N$ is close to the ratio $L_{\text{total}}/L_{\min}$ but still below the percolation threshold. Normal latitude is sufficient, while the distribution of interval sizes keeps insider‑friendly zones limited.
- Tipping‑point regime – $N$ approaches the critical density $p_c L_{\text{total}}$. Small changes in rule count cause a dramatic shift in the size and frequency of intervals that meet both normal and malicious requirements, indicating a fragile balance.
- Over‑regulated regime – $N$ far exceeds the critical density. Intervals shrink below $L_{\min}$ for most employees, crippling legitimate work. Insider threat latitude also drops, but the organization suffers from severe inefficiency and high compliance costs.
These regimes are quantified by measuring the percolation probability (the likelihood that a randomly chosen interval is large enough for a given activity) and the average cluster size of “usable” intervals. The transition from regime 2 to 3 mirrors the classic percolation phase transition: the system’s susceptibility to rule changes spikes, and the variance of interval sizes diverges.
To make the model actionable, the authors propose a three‑step empirical procedure for any real organization:
- Count the rules – Catalog policies, procedures, and regulatory constraints to obtain an estimate of $N$.
- Estimate $L_{\min}$ – Use task‑analysis, time‑motion studies, or employee surveys to determine the smallest continuous stretch of freedom required for routine work.
- Determine $L_{\text{total}}$ – Define the total operational “space” (e.g., total work‑hours per week, total physical floor area, or total process steps).
With these quantities, one computes the effective rule density $p$ and compares it to the known percolation threshold for the chosen dimensionality (for 1‑D, $p_c = 1$). If $p$ lies near $p_c$, the organization is in the tipping‑point regime and should prioritize fine‑tuning its rule set. If $p$ is well below the threshold, the organization may be under‑regulated and should consider adding targeted constraints. If $p$ is far above, it is over‑regulated and should look to streamline policies.
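The following is an added illustration of the Toy Model and the three‑step diagnostic just described; it is example code written for this summary, not the authors' simulation. It places $N$ rules at uniformly random positions on a line of length $L_{\text{total}}$, measures what fraction of the resulting intervals still offer a normal employee at least $L_{\min}$ of latitude, and does the same for a hypothetical insider latitude `l_insider` (an assumed parameter, not defined in the paper). It then computes the rule density $p = N a / L_{\text{total}}$ and labels the regime against $p_c = 1$; the numeric boundaries between the four regimes are assumptions chosen for the example, since the summary only says "near", "well below" and "far above".

```python
import random
from statistics import mean


def interval_lengths(rule_positions, l_total):
    """Cut the line [0, l_total] at every rule position and return the gap lengths.

    Each gap is the latitude available between two adjacent boundaries.
    """
    cuts = [0.0] + sorted(rule_positions) + [float(l_total)]
    return [right - left for left, right in zip(cuts, cuts[1:])]


def simulate_latitude(n_rules, l_total, l_min, l_insider, trials=2000, seed=1):
    """Monte Carlo estimate of the Toy Model's latitude statistics.

    Returns the mean fraction of intervals that are at least l_min long (usable
    by a normal employee) and at least l_insider long (usable by an insider to
    hide activity). l_insider is an assumed parameter for this example.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    normal_ok, insider_ok = [], []
    for _ in range(trials):
        # Assumption: rules land at uniformly random points along the line.
        positions = [rng.uniform(0.0, l_total) for _ in range(n_rules)]
        gaps = interval_lengths(positions, l_total)
        normal_ok.append(sum(g >= l_min for g in gaps) / len(gaps))
        insider_ok.append(sum(g >= l_insider for g in gaps) / len(gaps))
    return {"normal_fraction": mean(normal_ok), "insider_fraction": mean(insider_ok)}


def rule_density(n_rules, rule_size, l_total):
    """Effective occupation probability p = N * a / L_total from the percolation mapping."""
    return n_rules * rule_size / l_total


def classify_regime(p, p_c=1.0, band=0.1, under=0.5):
    """Map a rule density onto the paper's four regimes.

    The cut points (below 50% of p_c is under-regulated, within +/-10% of p_c is
    the tipping point) are assumptions made for this example, not values from
    the paper.
    """
    if p < under * p_c:
        return "under-regulated"
    if p < (1.0 - band) * p_c:
        return "possibly optimal"
    if p <= (1.0 + band) * p_c:
        return "tipping-point"
    return "over-regulated"


def sweep(l_total, l_min, l_insider, rule_size, rule_counts, trials=1000):
    """Run the simulation for several rule counts and attach the regime label."""
    rows = []
    for n in rule_counts:
        stats = simulate_latitude(n, l_total, l_min, l_insider, trials=trials)
        p = rule_density(n, rule_size, l_total)
        rows.append((n, round(p, 3), classify_regime(p),
                     round(stats["normal_fraction"], 3),
                     round(stats["insider_fraction"], 3)))
    return rows


if __name__ == "__main__":
    # Constructed inputs: a 100-unit work space, employees need 5 units of
    # latitude, an insider (assumed) needs 15, and each rule "occupies" 1 unit.
    print("N  p      regime            normal  insider")
    for row in sweep(100.0, 5.0, 15.0, 1.0, [5, 20, 60, 95, 150]):
        print("{:<3}{:<7}{:<18}{:<8}{}".format(*row))
```

Sweeping $N$ upward reproduces the qualitative picture of the four regimes: the normal fraction stays near 1 while the insider fraction is also high, then both fall, and past the tipping point almost no interval is usable by anyone, which is the inefficiency the over‑regulated regime describes.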
The authors also discuss extensions beyond the 1‑D case. By embedding the model in higher‑dimensional lattices or complex networks (e.g., organizational charts, information flow graphs), one can capture more realistic interdependencies among rules and tasks. Existing results from percolation on scale‑free networks, bootstrap percolation, and dynamical percolation can then be leveraged to predict how rule changes propagate through an organization over time.
In summary, the paper provides a rigorous, physics‑inspired framework for quantifying the trade‑off between regulatory burden and insider‑threat risk. By translating abstract policy counts into a measurable percolation parameter, it offers a practical diagnostic tool that can guide managers in locating the “sweet spot” of rule density, avoiding both the paralysis of over‑regulation and the vulnerability of under‑regulation.