Insider Threat Study
Since 2001, the U.S. Secret Service and the CERT Program have collaborated to identify, assess, and manage potential threats to, and vulnerabilities of, data and critical systems. This collaboration represents an effort to augment security and protective practices by
- finding ways to identify, assess, and mitigate cybersecurity threats to data and critical systems that impact physical security or threaten the mission of organizations
- finding ways to identify, assess, and manage individuals who may pose a threat to those data or critical systems
- developing information and tools that can help private industry, government, and law enforcement identify cybersecurity issues that affect physical or operational security and assess potential threats to, and vulnerabilities in, data and critical systems
The Insider Threat Study (ITS) is a central component of this multiyear collaboration between the Secret Service and the CERT Program. The ITS focuses on employees who use or exceed their authorized access to their organization's information systems to harm to the organization, by stealing intellectual property or other confidential or sensitive information, committing fraud, or sabotaging information technology within critical infrastructure sectors. The project draws from the Secret Service's expertise in behavioral and incident analysis and the CERT Program's technical expertise in networked systems survivability and security.
The overall objective of the ITS is to help private industry, government, and law enforcement better understand, detect, and possibly prevent harmful insider activity. A particular focus of the study is to identify information that may have been discernable prior to the incident from both a behavioral and technical perspective.
The ITS has resulted in a series of case study reports:
These reports are written for a diverse audience that includes
In 2007, Carnegie Mellon CyLab funded the CERT Program to update our library of insider threat cases. After collecting more than 100 additional cases and analyzing all the cases in our database, we presented preliminary findings (pdf) at the
RSA Conference in April 2008.
Since then, our database has grown to more than 700 insider threat cases.
- business executives
- human resources personnel
- technical professionals
- security professionals
- law enforcement professionals