In 2002, the Insider Threat Study team, comprised of U.S. Secret Service (USSS) behavioral psychologists and CERT information security experts, collected approximately 150 actual insider threat cases that occurred in US critical infrastructure sectors between 1996 and 2002, and examined them from both a technical and a behavioral perspective. A series of four reports has been published as a result of this work: a report of cases in the banking and finance sector, the IT sector, the government sector, and all critical infrastructure sectors.

Learn more about our case studies and best practices work.

Common Sense Guide to Prevention and Detection of Insider Threats (pdf). A CyLab funded guide to best practices for the prevention and detection of insider threat.

CERT's insider threat modeling, referred to as MERIT (Management and Education of the Risk of Insider Threat), uses empirical data collected by CERT to convey the "big picture" of the insider threat problem. The MERIT project, funded by Carnegie Mellon's CyLab, employs system dyanmics modeling and simulation to convey the complexity of the problem. Learn more about modeling and simulation.

• The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures (pdf)
  Technical Report, May 2008
• Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage (pdf)
  
• The MERIT Project
  

 

CERT also conducts espionage research, those efforts began with the DoD Personnel Security Research Center (PERSEREC). PERSEREC funded a study to investigate similarities and differences between insider IT sabotage and espionage cases to assess the feasibility of the development a single analytical framework based on system dynamics modeling.

The Insider Threat Team has also teamed with the U.S. Secret Service and CSO magazine to conduct, analyze, and publish findings from an annual E-Crime Watch survey from research that was conducted to attempt to identify electronic crime fighting trends and techniques, including best practices and emerging trends.

• 2007 Summary (pdf)
• 2006 Summary (pdf)
• 2005 Detailed Findings (pdf) | Summary of Findings (pdf) | Press Release (pdf)
• 2004 Summary (pdf)

• The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures (pdf)
  Technical Report, May 2008
• Combating the Insider Cyber Threat (pdf)
  Published in IEEE Security & Privacy
• Risk Mitigation Strategies: Lessons Learned from Actual Attacks (pdf)
  RSA Conference April 8, 2008

Presentations

• Risk Mitigation Strategies: Lessons Learned from Actual Attacks (pdf)
  RSA Conference April 8, 2008
• Insider Threats in the SDLC: Lessons Learned From Actual Incidents of Fraud, Theft of Sensitive Information, and IT Sabotage (pdf)
  Presentation at the SEPG Conference in Austin, TX - March 27, 2007

All Presentations

Reports

• Combating the Insider Cyber Threat (pdf)
  Published in IEEE Security & Privacy
• Protecting Against Insider Threat
• Common Sense Guide to Prevention and Detection of Insider Threats, Version 2.1 (pdf)
  
• Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis (pdf)
  

Podcasts

• Insider Threat and the Software Development Life Cycle
  
• Protecting Against Insider Threat
  
• CERT Execs on the 2006 E-Crime Watch Survey
  

We welcome your feedback. Contact us at the following email address if you have questions or comments, if you are interested in collaborating with us, or if you would like more information: