Our Research
Insider Threat
Insider threat research aims to understand how different types of insider incidents evolve over time, what vulnerabilities exist within organizations that enable insiders to carry out their attacks, and how to most effectively prevent, detect, and respond to insider threats.
The SEI adopts a holistic approach to insider threat research to understand not only the “how” of insider incidents, but also the “why.” In most cases, employees don’t join their organizations with the intent to do harm. Rather, employees can become motivated to carry out attacks against their employers when they experience a series of stressors, when they exhibit concerning behaviors, and when employers address those behaviors in some maladaptive way. When that happens, employees can become easy and willing targets of pressure from criminals and foreign agents, or they might become disgruntled and careless on the job. A major goal of insider threat research, therefore, is to understand root causes of stressors and concerning behaviors to detect them early and offer employees better help before they commit a harmful act.
All insider incidents involve misuse of authorized access to an organization’s critical assets, which presents unique security challenges. Perimeter-based security strategies aren’t effective at identifying stressors and concerning behaviors from insiders. Moreover, insiders know which assets are most critical and how their organization protects them. Static and traditional security models focused on threats from external threat actors, therefore, are ineffective against insider threats.
The insider risk landscape is constantly evolving and expanding. Organizations increasingly rely on expanding their business through technology, which opens more opportunities for threat. To meet the challenges of managing insider risk, organizations need forward-facing techniques that can continuously evaluate those risks, and practical methods for measuring the effectiveness of their insider threat controls. Increasingly, we must find ways of expanding our current understanding of security controls to include a well-balanced approach between positive deterrence and traditional security.
Insider Threat [is] the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.
Daniel Costa SEI Technical Manager, Enterprise Threat and Vulnerability Management
Rethinking Security Strategies
At the SEI, we help organizations use their data and their resources to get a clearer picture of possible threats in their workforce and in the supply chains and contractors they work with. Our goal is to advance the state of insider threat research through the development of capabilities for preventing, detecting, and responding to evolving cyber and physical threats.
We focus on building repeatable, verified, and context-aware processes and preventative controls based on careful research and empirical evidence. We develop techniques that improve detection through tools that quickly detect patterns and anomalies; that automate prediction of risk and prevention controls; and that quickly and accurately identify indicators of various insider attack types.
The SEI is leading this effort thanks to our unique combination of experience and expertise. Since 2001, we have partnered with government agencies—such as the Department of Defense, the Department of Homeland Security, Secret Service, and many federal agencies—as well as with private industry, academia, and the vendor community. We are also leaders in modeling and simulation, software engineering, cybersecurity, and data science, and we engage in collaborative research relationships with a cadre of multidisciplinary experts in the social and behavioral sciences. As a result, we are the only source for a data-driven, risk-based, socio-technical approach to insider threats.
We have a database of over 3,000 insider incidents that we use to characterize the nature of the evolving insider threat problem, develop indicators of insider risk, and prototype and transition technical and administrative controls for insider threat mitigation. In our insider threat lab, we measure the effectiveness of new tools, indicators, and analytic techniques. We’ve developed assessments to help organizations identify their vulnerabilities to insider threats, and several training courses on establishing and operating an insider threat program.
Our solutions have been adopted as best practices by numerous government and industry organizations, many government agencies have adopted our state-of-the-art threat detection strategies. We help organizations protect themselves and we provide evidence that measures what really works.
We can help you benefit from our experience. Our assessments, evaluations, courses, workshops, and certificates help you learn about insider threats, how well your insider threat program is working, and how to establish an effective insider threat program.
What We Offer
The Latest from the SEI Blog

The 13 Key Elements of an Insider Threat Program
October 23, 2023 • Blog Post
Daniel L. Costa, Randall F. Trzeciak
COVID-19 changed the nature of the workplace. In this evolving climate, organizations need to be increasingly vigilant against insider incidents. In this post, we present the 13 key elements of an insider threat...
read
How to Mitigate Insider Threats by Learning from Past Incidents
October 31, 2022 • Blog Post
Daniel L. Costa
This post summarizes a new best practice added to the new 7th edition of the Common Sense Guide to Mitigating Insider Threats, "Learn from Past Insider Threat...
readExplore Our Insider Threat Projects
Our Vision for the Future of Insider Threat
The future of the SEI’s insider threat research focuses on two key areas:
- Producing evidence that suggests the most effective combinations of data sources, analytic techniques, and response options for measuring different types of insider risk in various organizational contexts.
- Proving the efficacy of using positive incentives to reduce insider risk, and devising strategies and tools that enable organizations to deploy a balanced and dynamic set of controls that use both positive and negative incentives.
To learn more about the future of insider threat research, contact us.