Insider Threat Study
Since 2001, the U.S. Secret Service and CERT have collaborated in an array of efforts to identify, assess, and manage potential threats to, and vulnerabilities of, data and critical systems. This collaboration is an effort to augment security and protective practices by
- finding ways to identify, assess, and mitigate cyber security threats to data and critical systems that impact physical security or threaten the mission of the organization
- finding ways to identify, assess, and manage individuals who may pose a threat to those data or critical systems
- developing information and tools that can help private industry, government, and law enforcement identify cyber security issues that affect physical or operational security and assess potential threats to, and vulnerabilities in, data and critical systems
The Insider Threat Study (ITS) is a central component of this Secret Service/CERT multi-year collaboration. The ITS focuses in particular on the people who use or exceed their authorized access to information systems to perpetrate harm to organizations. The project draws from the Secret Service's expertise in behavioral and incident analysis and CERT's technical expertise in network systems survivability and security.
In 2007, Carnegie Mellon CyLab funded us to update our case library with more recent cases. We have now collected over 100 additional cases, bringing the total count of cases in our insider threat database to more than 250. We recently began analyzing all of the cases; preliminary findings were presented at the RSA Conference in April 2008.
The Insider Threat Study explores employees who have perpetrated acts of harm against an organization via computer systems or networks, including theft of intellectual property or other confidential or sensitive information, fraud, and acts of IT sabotage within critical infrastructure sectors. The overall objective of the ITS is to help private industry, government, and law enforcement better understand, detect, and possibly prevent harmful insider activity. A particular focus of the study is to identify information that may have been discernible prior to the incident from both a behavioral and a technical perspective.
Reports from this study are written for a diverse audience that includes
- business executives
- human resources personnel
- technical professionals
- security professionals
- law enforcement professionals
- legislators
- prosecutors
The study has resulted in a series of four case study reports:
- Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector (pdf), published in August 2004, examined 23 incidents of insider threat in the banking and finance sector.
- Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors (pdf), published in May 2005, examined 49 insider incidents across critical infrastructure sectors in which the insider's primary goal was to sabotage some aspect of the organization (for example, business operations, information/data files, system/network, and/or reputation) or direct specific harm toward an individual. Executive Summary.
- Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector (pdf) presents findings on 52 incidents in which the target organizations were in the Information Technology and Telecommunications Sector. Executive Summary (pdf).
- Insider Threat Study: Illicit Cyber Activity in the Government Sector (pdf), examines 36 incidents of illicit cyber insider activity that fall within the government sector. Executive Summary (pdf).