
Insider Threat

Insider threat research aims to understand how different types of insider incidents evolve over time, what vulnerabilities exist within organizations that enable insiders to carry out their attacks, and how to most effectively prevent, detect, and respond to insider threats.

The SEI adopts a holistic approach to insider threat research to understand not only the “how” of insider incidents, but also the “why.” In most cases, employees don’t join their organizations with the intent to do harm. Rather, employees can become motivated to carry out attacks against their employers when they experience a series of stressors, when they exhibit concerning behaviors, and when employers address those behaviors in some maladaptive way. When that happens, employees can become easy and willing targets of pressure from criminals and foreign agents, or they might become disgruntled and careless on the job. A major goal of insider threat research, therefore, is to understand root causes of stressors and concerning behaviors to detect them early and offer employees better help before they commit a harmful act.

All insider incidents involve misuse of authorized access to an organization’s critical assets, which presents unique security challenges. Perimeter-based security strategies aren’t effective at identifying stressors and concerning behaviors from insiders. Moreover, insiders know which assets are most critical and how their organization protects them. Static and traditional security models focused on threats from external threat actors, therefore, are ineffective against insider threats.

The insider risk landscape is constantly evolving and expanding. Organizations increasingly rely on expanding their business through technology, which opens more opportunities for threat. To meet the challenges of managing insider risk, organizations need forward-facing techniques that can continuously evaluate those risks, and practical methods for measuring the effectiveness of their insider threat controls. Increasingly, we must find ways of expanding our current understanding of security controls to include a well-balanced approach between positive deterrence and traditional security.


Insider Threat [is] the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.

Daniel Costa, SEI Technical Manager, Enterprise Threat and Vulnerability Management

Rethinking Security Strategies

At the SEI, we help organizations use their data and their resources to get a clearer picture of possible threats in their workforce and in the supply chains and contractors they work with. Our goal is to advance the state of insider threat research through the development of capabilities for preventing, detecting, and responding to evolving cyber and physical threats.

We focus on building repeatable, verified, and context-aware processes and preventative controls based on careful research and empirical evidence. We develop techniques that improve detection through tools that quickly detect patterns and anomalies; that automate prediction of risk and prevention controls; and that quickly and accurately identify indicators of various insider attack types.

The SEI is leading this effort thanks to our unique combination of experience and expertise. Since 2001, we have partnered with government agencies—such as the Department of Defense, the Department of Homeland Security, Secret Service, and many federal agencies—as well as with private industry, academia, and the vendor community. We are also leaders in modeling and simulation, software engineering, cybersecurity, and data science, and we engage in collaborative research relationships with a cadre of multidisciplinary experts in the social and behavioral sciences. As a result, we are the only source for a data-driven, risk-based, socio-technical approach to insider threats.

We have a database of over 3,000 insider incidents that we use to characterize the nature of the evolving insider threat problem, develop indicators of insider risk, and prototype and transition technical and administrative controls for insider threat mitigation. In our insider threat lab, we measure the effectiveness of new tools, indicators, and analytic techniques. We’ve developed assessments to help organizations identify their vulnerabilities to insider threats, and several training courses on establishing and operating an insider threat program.

Our solutions have been adopted as best practices by numerous government and industry organizations, and many government agencies have adopted our state-of-the-art threat detection strategies. We help organizations protect themselves, and we provide evidence that measures what really works.

We can help you benefit from our experience. Our assessments, evaluations, courses, workshops, and certificates help you learn about insider threats, how well your insider threat program is working, and how to establish an effective insider threat program.

What We Offer

Our Vision for the Future of Insider Threat

The future of the SEI’s insider threat research focuses on two key areas:

  • Producing evidence that suggests the most effective combinations of data sources, analytic techniques, and response options for measuring different types of insider risk in various organizational contexts.
  • Proving the efficacy of using positive incentives to reduce insider risk, and devising strategies and tools that enable organizations to deploy a balanced and dynamic set of controls that use both positive and negative incentives.

To learn more about the future of insider threat research, contact us.
