Much of our insider threat research begins with the CERT insider threat database, which documents more than 700 insider threat cases. We use system dynamics modeling to characterize the nature of the insider threat problem, explore dynamic indicators of insider threat risk, and identify and experiment with administrative and technical controls for insider threat mitigation.
The CERT insider threat lab provides a foundation on which to identify, tune, and package technical controls as an extension of our modeling efforts. We developed an assessment framework based on our fraud, theft of intellectual property, and IT sabotage case data. We used this same data to help organizations identify their technical and nontechnical vulnerabilities to insider threats as well as executable countermeasures.
In 2007, Carnegie Mellon CyLab funded the CERT Division's work to update its library of insider threat cases. After collecting more than 100 additional cases and analyzing all the cases in the database, CERT researchers presented preliminary findings at the 2008 RSA Conference.