In 2007, Carnegie Mellon University's CyLab funded us to update our case library with more recent cases. We have now collected over 100 additional cases, bringing the total count of cases in our insider threat database to more than 250. We recently began analyzing all of the cases; preliminary findings were presented at the RSA Conference in April 2008.

Carnegie Mellon University's Cylab also funded development of a guide to best practices for prevention and detection of insider threat. An updated version, which will include findings from all 250 cases, is slated for publication in 2008.

Modeling and Simulation

CERT also uses methods to convey the "big picture" of the insider threat problem - the complex interactions, relative degree of risk, and unintended consequences of policies, practices, technology, insider psychological issues, and organizational culture over time. CERT's MERIT (Management and Education of Risks of Insider Threat) project, funded by Carnegie Mellon's CyLab, employs system dynamics modeling and simulation to convey the complexity of the problem.

The MERIT team, composed of CERT's technical experts, and psychologists, uses system dynamics to

• model and analyze the dynamic nature of the insider threat problem
• simulate and graph behavior over time
• produce educational materials based upon the models developed

The team focused initial modeling efforts on insider IT sabotage. CyLab has funded the team to produce two new models: one for insider theft of confidential information and one for insider fraud.

The MERIT project led to two additional areas of work

• DOD PERSEREC funded the MERIT team to use system dynamics modeling to compare IT sabotage and espionage
• CyLab funded development of an innovative training mechanism for insider threat: a virtual interactive simulation of the MERIT model: MERIT-Interactive

MERIT-Interactive

The CERT Insider Threat Team worked jointly with a team at Carnegie Mellon University’s Entertainment Technology Center (ETC) to develop a stand-alone tool that can be used for widespread training for managers on insider threat risk mitigation. We used state of the art multi-media technologies to develop a training simulator, which we call MERIT-Interactive, that immerses users in a realistic business setting from which they make decisions regarding how to prevent, detect, and respond to insider actions and see the impacts of their decisions in terms of key performance metrics.  Refer to the Executive Overview for a more detailed description of this project.

Insider Threats in the Software/System Development Life Cycle (SDLC)

Current and former employees and contractors have exploited vulnerabilities in the software/system development life cycle (SDLC) to commit fraud, theft of sensitive information, and IT sabotage. A recent presentation, Insider Threats in the SDLC, presented at the SEPG 2007 conference, presented numerous cases involving malicious code inserted into production applications, violations of automated critical business processes, sabotage of source code and/or backups, crimes facilitated by ineffective role-based-access controls, unauthorized modification of production data by system developers, and much more. You can also learn more by listening to the podcast, Insider Threat and the Software Development Life Cycle. 

E-Crime Watch Survey

The Insider Threat Team has also teamed with the U.S. Secret Service and CSO magazine to conduct, analyze, and publish findings from an annual E-Crime Watch survey. In 2004, 2005, and 2006, research was conducted to attempt to identify electronic crime fighting trends and techniques, including best practices and emerging trends.