CERT-SEI

Insider Threat

Insider Threat Program Manager Certificate

Registration is now open for the CERT Insider Threat Program Manager (ITPM) Certificate training and exam.

Common Sense Guide to Mitigating Insider Threats

The 4th edition provides the most current recommendations of the CERT Division, based on research and analysis of an expanded database of more than 700 insider threat cases.

The CERT Guide to Insider Threats

Our book, the CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, is available at book stores and online.

Custom Onsite Workshops

Learn how to develop an effective, comprehensive strategy that helps you to monitor for insider activity.

Assessment Services

Our vulnerability assessments help you safeguard your critical infrastructure by using our technical and behavioral expertise to assess your organization's vulnerability to insider threat.

Insider Threat Database

Our work is based on analyses of information in the CERT insider threat database, which documents more than 700 insider threat cases.

Our Mission: We enable effective insider threat programs by performing research, modeling, analysis, and outreach to define socio-technical best practices so that organizations are better able to deter, detect, and respond to evolving insider threats.

A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.

Since 2001, the CERT Insider Threat Center has conducted empirical research and analysis to develop and transition socio-technical solutions to combat insider cyber threats. We partner with the U.S. Department of Defense, the U.S. Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community.

The CERT Insider Threat Center is uniquely positioned as a trusted broker that can provide short-term assistance to organizations and conduct ongoing research. Learn about the history of our work.

We create technical controls and indicators.

Using our wealth of socio-technical information on insider crimes, our CERT insider threat lab creates controls and indicators for preventing, detecting, and responding to insider attacks.

We conduct case analyses and develop best practices.

In 2002, we collected approximately 150 insider threat cases in the U.S. critical infrastructure sectors and examined them from technical and behavioral perspectives. Today, the scope and body of our case analyses and best practices continue to grow.

We model and simulate insider threat.

Our MERIT project combines empirical data and system dynamics modeling and simulation to illustrate the big picture and complexity of the insider threat problem. We also collaborate with the U.S. Department of Defense on espionage research.

We assess your insider threat vulnerabilities.

Our insider threat vulnerability assessment explores your entire organization to find problems, including technical vulnerabilities, business process gaps, management issues, and the inability to deal effectively with behavioral issues.

Combat Insider Threats

Insider threats involve real people, so our research and solutions depend on engagements with the real world. Work with us to combat insider threats.

Publications & Media

Fraud

Common Sense Guide to Mitigating Insider Threats, 4th Edition
In this report, the authors define insider threats and outline current insider threat patterns and trends.

Insider Fraud in Financial Services
In this brochure, the authors present the findings of a study that analyzed computer criminal activity in the financial services sector.

Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Service Sector
In this report, the authors describe insights and risk indicators of malicious insider activity in the banking and finance sector.

Insider Threats in the SDLC: Lessons Learned from Actual Incidents of Fraud, Theft of Sensitive Information and IT Sabotage
In this 2006 presentation, the authors describe the lessons they learned from analyzing real-life fraud, theft, and sabotage incidents.

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)
In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.

Theft of Intellectual Property

A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders
In this report, the authors present techniques for helping organizations plan, prepare, and implement means to mitigate insider theft of intellectual property.

A Preliminary Model of Insider Theft of Intellectual Property
In this report, the authors describe general observations about and a preliminary system dynamics model of insider crime based on our empirical data.

An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases
In this report, the authors provide an overview of techniques used by malicious insiders to steal intellectual property.

Common Sense Guide to Mitigating Insider Threats, 4th Edition
In this report, the authors define insider threats and outline current insider threat patterns and trends.

Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model
In this paper, the authors describe general observations about, and a preliminary system dynamics model of, insider crime based on our empirical data.

Intellectual Property Protection For Software
In this curriculum module, the authors provide an overview of the U.S. intellectual property laws that govern software creation, allocation, and enforcement.

Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders
In this report, the authors justify applying the pattern "Increased Review for Intellectual Property (IP) Theft by Departing Insiders."

Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments or Organizations
In this report, the authors provide a snapshot of individuals involved in insider threat cases and recommend how to mitigate the risk of similar incidents.

Sabotage

A Risk Mitigation Model: Lessons Learned From Actual Insider Sabotage
In this presentation, the authors describe an interactive case example of insider threat, discuss key sabotage observations, and provide an overview of MERIT.

Chronological Examination of Insider Threat Sabotage: Preliminary Observations
In this paper, the authors examine 15 cases of insider threat sabotage of IT systems to identify points in the attack timeline.

Combat IT Sabotage: Technical Solutions From The CERT Insider Threat Lab
In this presentation, the authors discuss crime profiles and countermeasures related to insider IT sabotage.

Common Sense Guide to Mitigating Insider Threats, 4th Edition
In this report, the authors define insider threats and outline current insider threat patterns and trends.

Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis
In this report, the authors examine the psychological, technical, organizational, and contextual factors that contribute to espionage and insider sabotage.

Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors
In this report, the authors seek to close the gaps in the literature that make it difficult for organizations to fully understand the insider threat.

Insider Threats in the SDLC: Lessons Learned from Actual Incidents of Fraud, Theft of Sensitive Information and IT Sabotage
In this 2006 presentation, the authors describe the lessons they learned from real-world fraud, theft, and sabotage incidents.

Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers Information, Systems, or Networks
In this 2006 report, the authors describe the MERIT insider threat model and simulation results.

Preventing Insider Sabotage: Lessons Learned From Actual Attacks
In this 2005 presentation, Dawn Cappelli discusses preventing insider threat sabotage.

Secret Service and CERT Release Report Analyzing Acts of Insider Sabotage via Computer Systems in Critical Infrastructure Sectors
This press release describes the second in a series of reports focusing on insider threats to information systems and data in critical infrastructure sectors.

The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures
In this report, the authors describe seven observations about insider IT sabotage based on their empirical data and study findings.

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)
In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.

Espionage

Common Sense Guide to Mitigating Insider Threats, 4th Edition
In this report, the authors define insider threats and outline current insider threat patterns and trends.

Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis
In this report, the authors examine the psychological, technical, organizational, and contextual factors that contribute to espionage and insider sabotage.
