search menu icon-carat-right cmu-wordmark
2022 Year in Review

Keeping Ahead of Insider Risk

Some of the most damaging security incidents to organizations come from within. According to a 2020 Ponemon Institute study, 60 percent of organizations surveyed had at least 20 insider threat incidents per year, each costing an average of $756,760. Public administration organizations are a fifth of insider victims.

The SEI released the seventh edition of the Common Sense Guide to Mitigating Insider Threats in September 2022. The CERT National Insider Threat Center updated the long-running guide to include a new best practice and a mapping to the National Institute of Standards and Technology (NIST) Privacy Framework.

The new edition comes at a time of change in the insider threat landscape. An increasingly fluid workforce, with many remote workers and a high resignation rate, has exacerbated risks to companies’ confidential information. Federal agencies are being targeted with more and more misinformation or malinformation campaigns. These are just the latest changes the SEI’s National Insider Threat Center has seen over the 20 years it has studied insider threat, helped hundreds of organizations build and evaluate their insider risk management programs, taught insider threat courses, and iterated the Common Sense Guide.

We are transitioning the techniques we use to gather and analyze our [insider] incident corpus.

Dan Costa
Technical Manager, Enterprise Threat and Vulnerability Management, SEI CERT Division

The guide details 22 best practices that organizations can use to manage insider risk. The new best practice, “Learn from Past Insider Threat Incidents,” has guidance on developing and analyzing a repository of insider trends within an organization and its sector. “We see organizations not learning from institutional knowledge,” said Dan Costa, technical manager of the CERT Division’s Enterprise Threat and Vulnerability Management team. “With this best practice, we are transitioning the techniques we use to gather and analyze our incident corpus,” he said, referring to a CERT database drawn from public records of more than 3,000 insider threat incidents.

The practices are mapped to the CERT Resilience Management Model (CERT-RMM) and security and privacy standards, such as, among others, ISO/IEC 27002:2013, the NIST Cybersecurity Framework, and—new to this edition—the NIST Privacy Framework.

“Because our best practices encompass cybersecurity, information security, and operational resilience, it’s important to connect them to a broad array of standards so organizations can find the best guidance for their circumstances,” said Costa. The NIST Privacy Framework mapping helps organizations balance security with insider privacy as instantiated in the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The Common Sense Guide takes a tool-agnostic approach that organizations can apply to any insider monitoring solution. During insider threat vulnerability assessments, SEI experts work with an organization’s solution vendors. The vendors provide the raw tools and telemetry, and the SEI provides expertise on how incidents evolve, what defines normal activity, and how to refine sensors and analytics. The SEI’s final assessment report details the organization’s exposure to insider threats along multiple vectors, including technical, behavioral, process, and policy.

“We serve that gap-bridging role of a federally funded research and development center,” Costa said. “We know the technical capabilities, the government customer, and how to help the customer and their vendors communicate.”

Download the Common Sense Guide at Learn more about the SEI’s insider threat research at