The CERT Insider Threat Center
To enable effective insider threat programs
by performing research, modeling, analysis, and outreach to define socio-technical best practices
so that organizations are better able to deter, detect, and respond to evolving insider threats.
A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.
The CERT Insider Threat Center conducts empirical research and analysis to develop and transition socio-technical solutions to combat insider cyber threats. We have been doing research on this problem since 2001 in partnership with the Department of Defense, the Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community.
The foundation of our work is our database of more than 700 insider threat cases. We use system dynamics modeling to characterize the nature of the insider threat problem, explore dynamic indicators of insider threat risk, and identify and experiment with administrative and technical controls for insider threat mitigation. The CERT insider threat lab provides a foundation to identify, tune, and package technical controls as an extension of our modeling efforts. We have developed an assessment framework based on the fraud, theft of intellectual property, and IT sabotage case data that we have used to help organizations identify their technical and nontechnical vulnerabilities to insider threats as well as executable countermeasures.
The CERT Insider Threat Center is uniquely positioned as a trusted broker to assist the community in the short term and through our ongoing research.
Our work consists of the following:
- Case analysis and best practices
- Modeling and simulation
- Espionage research
- Mitigation controls, patterns, and pattern languages
- Identifying and detecting early-warning indicators
- Developing and conducting assessments and workshops
- Insider threat blog
- Insider threats in the software development lifecycle
- Annual eCrime Watch Survey
Download an information sheet about the CERT Insider Threat Center.
Learn more about our work.
Case Analysis and Best Practices
Modeling and Simulation
The CERT Program's insider threat modeling, referred to as MERIT (Management and Education of the Risk of Insider Threat), uses empirical data collected by CERT staff members to convey the "big picture" of the insider threat problem. The MERIT project, funded by Carnegie Mellon's CyLab, employs system dynamics modeling and simulation to convey the complexity of the problem. Learn more about modeling and simulation.
The CERT Program also conducts espionage research, those efforts began with the DoD Personnel Security Research Center (PERSEREC). PERSEREC funded a study to investigate similarities and differences between insider IT sabotage and espionage cases to assess the feasibility of the development of a single analytical framework based on system dynamics modeling.
U.S. State of Cybercrime Survey
The Insider Threat team has also teamed with the U.S. Secret Service and CSO magazine to conduct, analyze, and publish findings from an annual Cybercrime Survey from research that was conducted to attempt to identify electronic crime fighting trends and techniques, including best practices and emerging trends. Over the years, the name of the survey has changed from CyberSecurity Watch Survey and E-Crimes Watch Survey to U.S. State of Cybercrime Survey.
The latest post from the Insider Threat team:
Insider Threat Services
Unintentional Insider Threat
Theft of Intellectual Property
Insider IT Sabotage
Podcasts and Videos|
We welcome your feedback. Contact us at the following email address if
you have questions or comments, if you are interested in collaborating
with us, or if you would like more information: