Workshop on Research for Insider Threat (WRIT)

horse-WRIT WRIT 2013

The Westin Hotel  |  San Francisco, CA USA  |  Friday, May 24, 2013

Overview  |  Topics  |  Program  |  Submission & Registration  |  Important Dates
Organizing Committee  |  Contact Information  |  Sponsors

The Workshop on Research for Insider Threat (WRIT) will highlight the challenges and trends specific to the insider threat problem from multiple viewpoints, such as information technology, behavioral sciences, and criminology. Furthermore, the workshop will review existing promising approaches and explore experimental possibilities for evaluation of technical, non-technical, and combined solution approaches. The workshop will be accessible to both non-experts interested in learning about the insider threat problem as well as experts interested in learning about new research and approaches.

WRIT 2013 is part of the IEEE CS Security and Privacy Workshops (SPW) and is co-located with SP 2013, the IEEE Symposium on Security and Privacy.


The threat of malicious insider attacks to organizational security has historically been one of the most difficult challenges to address. Insiders often attack using authorized access and with behavior very difficult to distinguish from normal activities.  Modern insiders are further enabled by immense data storage capabilities, advanced searching algorithms, and the difficulty of comprehensive monitoring of networked systems.  Furthermore, several recent high-profile attacks have been enabled by non-malicious, or unintentional, insiders fooled by exploits from external attackers.

The threat of attack from insiders is real and substantial.  An insider can be defined as a current or former employee, contractor, or other business partner who has authorized access to an organization's network, system, or data.  Malicious insiders are those who intentionally exceed or misuse that access in a manner that negatively affects the confidentiality, integrity, or availability of the organization's information or information systems.  The problem of insider threats has recently received increased attention in academic, commercial, and government research communities.  While many cases of insider threat are high-profile and receive considerable attention, untold scores of low-level insider attacks occur across organizations on a daily basis.  Malicious insiders are dangerous and difficult to identify because they typically use authorized access and regular business processes to commit crimes such as fraud, theft, sabotage, or espionage.

Therefore, it is imperative that academia and industry work together to find solutions and measures to protect organizations from their own current and/or former employees.  Technical solutions to this problem are emerging, but studies show little significant progress has been made in reducing the numbers or impacts of insider attacks.  There are two main reasons for the relative lack of success in identifying insider threats:

  • The problem is not well understood.  In addition to the complex challenges surrounding collection, correlation, and detection of technical indicators, researchers must also understand underlying human motivations and behaviors.  This is not a traditional area of study for IT security researchers; configuring technical solutions to monitor for human deception is challenging.
  • Data on insider attacks is difficult to obtain.
    • Ground truth data: Organizations suffering insider attacks are often reluctant to share data about those attacks publicly.  Studies show over 70% of attacks are not reported externally, including many of the most common, low-level attacks.  This leads to uncertainty that available data accurately represents the true nature of the problem.
    • Baseline data: The rate of insider attacks is relatively unknown; furthermore, the behaviors of non-malicious users are also not available in large data sets. 


Topics of interest include but are not limited to:

  • Insider threat indicator development
  • Data collection, aggregation, and correlation for threat indicators
  • Anomaly analysis for insider threat detection
  • Machine-learning approaches to insider detection
  • Data collection of baseline user data and behaviors
  • Insider threat case studies
  • Unique aspects of the insider threat problem
  • Novel techniques and new technologies for preventing, detecting, and responding to insider attacks
  • Predictive analytics for identifying potential indicators of insider threat
  • Linguistic approaches to identifying potential behavior of concern
  • Insider attacker behavioral models and analysis
  • Adversarial and game theoretic models of insider threats and attacks
  • Evaluation, experimentation and risk assessment of insider threat detection approaches
  • Cloud computing and insider threats
  • Computer forensics considerations for dealing with insider threats
  • Mobile devices and insider threats
  • Social networking and insider threats
  • Identifying unknown insider attack patterns
  • Sociotechnical approaches to protecting against insider threat attacks
  • Biometric approaches for identifying potential insider threat behavior


View the preliminary program, and contact us if you have questions or comments.

Submission and Registration

Submit Papers: Authors are invited to submit Regular Papers (maximum 8 pages) or Short Papers (maximum 4 pages). Papers accepted by the workshop will be published in the Conference Proceedings published by IEEE Computer Society Press. The Workshop uses EasyChair for all submissions.

Register: Register for WRIT2013 at

Important Dates

February 4, 2013
February 11, 2013
Extended Deadline for Paper Submission

March 12, 2013
Acceptance Notification

April 1, 2013
Camera-Ready Version Due

May 24, 2012

Organizing Committee

Dr. William (Bill) Claycomb, Carnegie Mellon University
Frank Stajano, University of Cambridge

Program Committee

Matt Bishop, University of California at Davis
Deanna C. Caputo, The MITRE Corporation
Anni Coden, IBM
George Cybenko, Dartmouth College
Zheng Dong, Indiana University
Bill Fitzgerald, University of Cambridge
Dieter Gollman, Hamburg University of Technology
Frank Greitzer, PsyberAnalytix
Sam Liles, Purdue University
Debin Liu, PayPal
Roy Maxion, Carnegie Mellon University
Joshua Neil, Los Alamos National Laboratory
Shari Pfleeger, I3P Dartmouth College
Daniel Quist, MIT Lincoln Laboratories
Angela Sasse, University College London
Ted Senator, SAIC
Dongwan Shin, New Mexico Tech
Craig Shue, Worcester Polytechnic Institute
Sean Smith, Dartmouth College
David Stein, Raytheon
Sal Stolfo, Columbia University
Rhys Williams, Ministry of Defence
Jeong Hyun Yi, Soongsil University
Ilsun You, Korean Bible University


IBM           Microsoft Research          Raytheon

Microsoft        Cisco

Indiana University Logo

Site hosting by the SEI