Insider Threat

Created December 2017

Insiders can pose a considerable threat to your organization. They can bypass many of your security measures using their knowledge of and access to your proprietary systems. CERT researchers devise strategies to help you prevent and detect insider threats and respond should an insider intentionally or unintentionally cause harm to your critical assets.

The Challenges of Insider Threats

The threat of attack from insiders, or of an insider causing harm without malicious intent, is real and substantial. Historically, organizations protected their assets by focusing on external-facing security mechanisms, such as firewalls, intrusion detection systems, and electronic building access systems. To stay secure, however, organizations must expand their defenses to treat insiders as potential threats as well.

Insiders have a significant advantage over external attackers. They are not only aware of their organization’s policies, procedures, and technology; they are also aware of its vulnerabilities (for example, loosely enforced policies or exploitable flaws in networks). A malicious insider can even be the one who configured the organization’s security measures.

The 2016 U.S. State of Cybercrime Survey found that 27% of electronic crimes were suspected or known to be caused by insiders. The survey also revealed that 30% of the respondents thought that damage caused by insider attacks was more severe than damage caused by outsider attacks.

Insider incidents occur in all organizational sectors, often causing significant damage. These incidents include national security espionage; modifying or stealing confidential or sensitive information for personal gain; stealing trade secrets or customer information to be used for business advantage or to give to a foreign government or organization; sabotaging the organization’s data, systems, or networks; unintentionally exposing organizational critical assets to external adversaries; or causing physical harm in a workplace violence incident.

Cyber or physical attacks from employees and other insiders are a common problem that you should plan for and work to prevent. If you are a federal agency or defense contractor that operates or accesses classified computer networks, you must comply with Executive Order 13587 (NISPOM Conforming Change 2) by creating a formal insider threat program and developing and implementing insider threat anomaly detection capabilities. We can help.

A Strategy to Prevent, Detect, and Respond to Insider Threat

Dealing with insider threats requires a different strategy from other cybersecurity challenges because the threat itself is different in nature. CERT researchers are devoted to combating all types of cybersecurity issues, including insider threats. The approaches our experts developed help you identify potential and realized insider threats in your organization, institute ways to prevent and detect them, and establish processes to deal with them if they do happen.

Studying more than 1,300 cases of fraud, theft of intellectual property, espionage, workplace violence, IT sabotage, and non-malicious insider incidents, we’ve learned a lot about insider threats and how they tend to evolve over time. We transformed what we’ve learned into an array of offerings to help you defend against insider threats.

Our Insider Threat Vulnerability Assessment helps you identify technical vulnerabilities, business process gaps, management issues, and your organization’s ability to integrate behavior analytics into its threat assessment process. Our Program Development Workshop helps you develop an insider threat program in your organization. If you already have a program, our Insider Threat Program Evaluation helps you determine its effectiveness and identify a roadmap to move beyond minimum standards.

We’ve also developed courses that help you understand the nature of insider threats and what to do about them. Our certificate programs enable you to become an expert in preventing, detecting, and responding to insider threats.

Benefit from our experience. Our assessments, evaluations, courses, workshops, and certificates help you learn about insider threats, how well your insider threat program is working, and how to establish an effective insider threat program.

Read our Insider Threat blog or learn how you can earn an Insider Threat certificate.

Looking Ahead

We are transforming the Anomaly Detection at Multiple Scales (ADAMS) program at DARPA into a National Insider Threat Center, creating a capability across the DoD, U.S. government, law enforcement, industry, and academia to perform research, develop potential insider anomaly detection capabilities, evaluate insider threat solutions, and provide training for all members of an insider threat program team.

Managed by expert researchers at the Software Engineering Institute, this national center will combine subject-matter expertise, scientific rigor, and a wide range of partners and stakeholders to significantly advance the state of the art in insider threat prevention, detection, response, and training.

Learn More

Common Sense Guide to Mitigating Insider Threats, Sixth Edition

February 27, 2019 Technical Report
Michael C. Theis, Randall F. Trzeciak, Daniel L. Costa

The guide presents recommendations for mitigating insider threat based on the CERT Division's continued research and analysis of more than 1,500 insider threat cases.

CERT Insider Threat Center

November 22, 2017 Brochure
CERT Insider Threat Center

This booklet describes the CERT Insider Threat Center's purpose, products, and services, including assessments, workshops, courses, and certificate programs.

How to Build an Effective Insider Threat Program to Comply With the New NISPOM Mandate

July 15, 2016 Webinar
Randall F. Trzeciak

In this webinar, Randy Trzeciak, Technical Manager of the CERT Insider Threat Center, summarized the new requirements mandated by NISPOM Change 2 and the impact they will have on DoD contracting organizations.

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)

January 24, 2012 Book
Dawn M. Cappelli, Andrew P. Moore, Randall F. Trzeciak

In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.