CERT-SEI

Case Analysis

Since 2002, the Insider Threat Study team has collaborated with the U.S. Secret Service to identify, assess, and manage potential threats to, and vulnerabilities of, data and critical systems. This work augments security and protective practices by

  • finding ways to identify, assess, and mitigate cybersecurity threats to data and critical systems that impact physical security or threaten the mission of organizations
  • finding ways to identify, assess, and manage individuals who may pose a threat to those data or critical systems
  • developing information and tools that can help organizations and law enforcement identify cybersecurity issues

The team draws from the Secret Service's expertise in behavioral and incident analysis and the CERT Division's technical expertise in networked systems survivability and security to help private industry, government, and law enforcement better understand, detect, and possibly prevent harmful insider activity. A particular focus of case analysis is to identify behavioral and technical indicators that may have been discernible prior to the incident.

The Insider Threat Study is a central component of the multi-year collaboration between the Secret Service and the CERT Division. The study focuses on employees who use or exceed their authorized access to their organization's information systems to harm the organization by stealing intellectual property or other confidential or sensitive information, by committing fraud, or by sabotaging information technology within critical infrastructure sectors. The study was the first comprehensive analysis of the insider threat problem and has led to analyses of several different public and private sectors.

Financial and Banking Services Sector

Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector was published in July 2012 and funded by the Department of Homeland Security (DHS) Science and Technology (S&T) Directorate. This report examines patterns from internal and external fraud cases in the U.S. financial services sector and presents insights and risk indicators of malicious insider activity in this sector. A booklet summarizing the findings was also published.

Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector was published in August 2004. This paper examines 23 incidents of insider threat in the banking and finance sector.

Critical Infrastructure Sector

Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors was published in May 2005. This report examines 49 insider incidents across critical infrastructure sectors in which the insider's primary goal was to sabotage some aspect of the organization (e.g., business operations, information/data files, system/network, reputation) or to direct specific harm toward an individual.

Information Technology and Telecommunications Sector

Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector was published in January 2008. This report presents findings on 52 incidents in which the target organizations were in the information technology and telecommunications sector. An executive summary is also available.

Government Sector

Insider Threat Study: Illicit Cyber Activity in the Government Sector was published in January 2008. This report examines 36 incidents of illicit cyber insider activity in the government sector. An executive summary is also available.