Insider Threat Program Development
Created September 2017
Cyber attacks from employees and other insiders are common problems that DoD and U.S. government departments or agencies and their contractors should plan to prevent. We offer training and services to help you build an insider threat program in your organization.
The Growing Impact of Insider Threat
Did you know that cyber attacks from employees and other insiders are common problems that you should plan to prevent? Insiders pose a substantial threat to your organization because they have access to proprietary systems that allows them to bypass security measures through legitimate means. Because of these characteristics, insider threats are different from other cybersecurity challenges; a different strategy is required to prevent and mitigate them.
Recent high-profile insider incidents have affected government, industry, and academia. These incidents included sabotage, theft of information, fraud, and national-security espionage as well as incidents involving insiders who unintentionally caused harm. To address these threats, many organizations recognize the need to build insider threat programs to protect their critical assets. In addition, Executive Order 13587 requires certain contractors and government agencies to establish and maintain such programs.
For the past 14 years, we have been researching insider threats to understand how insider incidents evolve over time and how organizations can prepare themselves to mitigate this complex threat. We analyzed over 1,300 actual insider incidents and published over 100 reports that describe the threat and the best practices that can be used to address it. If your organization needs to develop an insider threat program or measure its effectiveness, we can help.
Who Needs to Develop an Insider Threat Program?
- If you are a contractor, Change 2 to DoD 5220.22-M, the National Industrial Security Program Operating Manual, which went into effect June 2016, requires you to establish and maintain an insider threat program to detect, deter, and mitigate insider threats.
- If you are a member of the DoD or a U.S. government department or agency that operates or accesses classified computer networks, Executive Order 13587 requires you to implement insider threat detection and prevention programs.
- If you are concerned with protecting your organization’s critical assets and you have not yet taken an enterprise risk-assessment approach, you need to plan a strategy for recognizing threats that originate from outside and inside your organization, including both malicious and non-malicious threats.
How Will You Develop an Insider Threat Program?
Before developing an insider threat program in your organization, you must first understand the components your program needs. Through our extensive research of insider threats, we identified a set of key components that are necessary for an effective insider threat program. These 13 key components include organization-wide participation, protection of employees’ civil liberties, confidential reporting procedures, and integrated data collection and analysis.
The figure below shows all 13 components of an effective insider threat program. Developing and implementing these components helps you protect and provide appropriate access to your organization’s intellectual property, critical assets, systems, and data. For more detail about each component of this framework, see our 18-part series on developing an insider threat program.
We also offer in-depth training for senior executives and insider threat program teams as part of our Insider Threat Program Manager Certificate. This training covers all the important steps of developing and implementing an insider threat program in your organization.
Need More Help?
A single insider threat strategy may not be appropriate for all organizations. Our Insider Threat Program Development Workshop, described in the CERT Insider Threat Catalog, helps you develop a strategic plan and create a program that suits your needs. In this facilitated workshop, we work with executives in your organization to design and tailor an insider threat program. Using data from your organization, we help you determine actionable steps to better manage the risk of insider threats within your organization’s unique corporate culture.
How Do You Know If Your Insider Threat Program Is Effective?
Does your insider threat program have all the components it needs to be effective? Our confidential Insider Threat Program Evaluation helps you reduce risk to critical assets by determining the efficacy of your insider threat program. We use an evaluation method to review the elements of your program, including mitigation strategies, procedures, analysis tools, measures, and more. Our review of your insider threat program also includes a comparison of your program to others based on the CERT Common Sense Guide to Mitigating Insider Threat.
November 03, 2016 Conference Paper
In this paper, the authors describe automated repairs for three types of bugs: integer overflows, missing array bounds checks, and missing authorization checks.
July 27, 2016 Blog Post
This is the second part of a two-part series about considering low-cost tools for starting your insider threat program. In the first part of this series, I discussed the five categories of tools available to insider threat programs to use,...
July 26, 2016 Blog Post
This is the first part of a two-part series that explores open source, free, or low-cost solutions to help you get the technical portion of your insider threat program started. As defined by opensource.com, open source software is "software with...
October 16, 2015 White Paper
In this paper, the authors describe the potential ways an insider threat program (InTP) could go wrong and seek to engage the community to discuss its concerns.
March 04, 2015 Blog Post
Are you planning on establishing an insider threat program in your organization? If so, you'll find this series of 18 blog posts helpful. In this post, the first in the series, I explain why having an insider threat program is...
This seven (7) hour online course provides a thorough understanding of the organizational models for an insider threat program, the necessary components to have an effective program, the key stakeholders who need to be involved in the process, and basic education on the implementation and guidance of the program. This training is based upon the...