CERT

 

The CERT Insider Threat Center

The CERT Insider Threat Center conducts empirical research and analysis to develop and transition socio-technical solutions to combat insider cyber threats. We have been doing research on this problem since 2001 in partnership with the Department of Defense, the Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community.

The foundation of our work is our database of more than 700 insider threat cases. We use system dynamics modeling to characterize the nature of the insider threat problem, explore dynamic indicators of insider threat risk, and identify and experiment with administrative and technical controls for insider threat mitigation. The CERT insider threat lab provides a foundation to identify, tune, and package technical controls as an extension of our modeling efforts. We have developed an assessment framework based on the fraud, theft of intellectual property, and IT sabotage case data that we have used to help organizations identify their technical and nontechnical vulnerabilities to insider threats as well as executable countermeasures.

The CERT Insider Threat Center is uniquely positioned as a trusted broker to assist the community in the short term and through our ongoing research.

Our work consists of the following:

  • Insider Threat Risk Assessments
  • Case Analysis and Best Practices
  • Modeling and Simulation
  • Training Materials
  • Virtual Interactive Simulation for Insider Threat Risk Management
  • Insider Threats in the Software Development Lifecycle
  • Annual eCrime Watch Survey
  • Espionage Research
Learn more about our work.

Case Analysis and Best Practices

In 2002, the Insider Threat Study team, composed of U.S. Secret Service (USSS) behavioral psychologists and CERT information security experts, collected approximately 150 insider threat cases that occurred in US critical infrastructure sectors between 1996 and 2002, and examined them from both a technical and a behavioral perspective. A series of four reports has been published as a result of this work: cases in the banking and finance sector, the IT sector, the government sector, and all critical infrastructure sectors.

Learn more about our case studies and best practices work.

Common Sense Guide to Prevention and Detection of Insider Threats (pdf). A CyLab-funded guide to best practices for the prevention and detection of insider threat.

Modeling and Simulation

The CERT Program's insider threat modeling, referred to as MERIT (Management and Education of the Risk of Insider Threat), uses empirical data collected by CERT staff members to convey the "big picture" of the insider threat problem. The MERIT project, funded by Carnegie Mellon's CyLab, employs system dynamics modeling and simulation to convey the complexity of the problem. Learn more about modeling and simulation.

 

The CERT Program also conducts espionage research. Those efforts began with the DoD Personnel Security Research Center (PERSEREC), which funded a study to investigate similarities and differences between insider IT sabotage and espionage cases, in order to assess the feasibility of developing a single analytical framework based on system dynamics modeling.

CyberSecurity Watch Survey

The Insider Threat team has also teamed with the U.S. Secret Service and CSO magazine to conduct an annual CyberSecurity Watch Survey and to analyze and publish its findings. The survey research attempts to identify electronic crime fighting trends and techniques, including best practices and emerging trends.


Resources

  • Insider Threat Services
  • Reports
  • Articles
  • Presentations
  • Podcasts and Videos

Contact Us

We welcome your feedback. Contact us at the following email address if you have questions or comments, if you are interested in collaborating with us, or if you would like more information:




Last updated March 4, 2011