Data Loss Prevention

We are looking into providing DLP support for a partner to identify the following keywords related to external/internal corruption. 

Cover up
failed investment
Nobody will find out
Grey area
Gray area
They owe it to me
do not volunteer information
not ethical
Off the books
Pull earnings forward
Friendly payments

Obvious as you can see these keywords will create a high false positive rate when monitoring 3m emails per day.  Have others created any policies related to Anti-Corruption that would help to refine and augment 15 keywords identified?

hello A. de monaco

 this type of policy is what i used to call a "behaviour policy" and it is the most difficult one (i know you have already understand this point if you ask the question). Usually the way i proceed (dont know if it is the best), it is first to check policies in place in the company to define the "normal" behaviour when sharing information with business partners. Then you can define which type of corruption you want to cover because as usual you have to find the good mix between risk coverage and cost to do it.

 then after that if it is anormal behaviour, you can also imagine that email will be "anormal" with respect to other ones. I cant list here all this parameter as it is part of DLP policies for most of my customer but i think that for anormal behaviour you have to know the normal behaviour. you can contact me via MP or email to see if i can help you to go further.

 regards.

As you know there are more chances of false positive as people are not serious to use these words and they might be using in general but still there are chances that u will find something from this.

Thank you for the feedback.  I did not expect an easy solution.  We believe the key is to use the behavioral policy along with other correlated security logs to understand a profile.

I thought some one may have some fresh ideas on the subject but I will continue to build off what we have started.