search menu icon-carat-right cmu-wordmark

Insider Threat Mitigation

Organizations struggle to implement effective insider threat programs because insiders present unique challenges to cybersecurity. We investigate ways to reduce insider threats and develop tools for analyzing threat indicators in sociotechnical networks.

Insider Threat Is a Unique Challenge

Government agencies and contractors face increasing security challenges, not only from malicious attackers outside the organization but also from current and former employees. Because insiders have authorized access to an organization’s networks, systems, or data, insider threats require different strategies for handling them and preventing them.

To ensure that government agencies develop these strategies, Executive Order 13587 mandates that all agencies in the Department of Defense (DoD) and U.S. government build such programs. Change 2 to DoD 5220.22-M, the National Industrial Security Program Operating Manual, which went into effect in June 2016, requires contractors to have insider threat programs as part of their security defense. Unfortunately, the INSA Cyber Insider Threat Subcouncil has found serious deficiencies in the insider threat programs of many organizations.

Why do organizations struggle to implement effective insider threat programs? Insider threat programs face the dual challenge of implementing effective insider threat controls and developing controls tuned to the organization’s environment. What methods for detecting and preventing insider threats will work best in your organization? How can you best train your organization’s information security professionals to recognize insider threat? Knowing the answers to these questions is a solid starting point for developing an effective insider threat program.


We work with Dr. Denise Rousseau at the Carnegie Mellon University (CMU) Heinz College and Tepper School of Business to analyze positive incentives for reducing insider threats and Dr. Kathleen Carley at the CMU Center for Computational Analysis of Social and Organizational Systems (CASOS) to analyze insider social networks.

Insider Threat Mitigation Collaborators

The Critical Role of Positive Incentives for Reducing Insider Threat

Traditional insider threat management involves practices that constrain users, monitor their behavior, and detect and punish misbehavior. These negative incentives attempt to force employees to act in the interests of the organization and, when relied on excessively, can result in negative unintended consequences that exacerbate the threat. (See Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls.)

Positive incentives can complement traditional practices by encouraging employees to act in the interests of the organization either extrinsically (e.g., through rewards and recognition) or intrinsically by fostering a sense of commitment to the organization, the work, and their co-workers. Instead of focusing solely on making sure employees don’t misbehave, positive incentives create a work environment where employees are internally driven to contribute to the organization only in positive ways.

We conducted exploratory research to assess the potential for positive incentives to complement traditional practices in a way that provides a better balance for organizations’ insider threat programs. We believe there are three dimensions along which we can align an employee’s intrinsic incentive to act consistently with their employer’s interests.

These dimensions are centered on the employee’s job engagement, perceived organizational support, and connectedness with coworkers. Extensive research in these areas has demonstrated their value in terms of employee satisfaction, commitment, performance, and retention. In addition, a related body of research exists to help determine their value for reducing counterproductive work behaviors.

The SEI’s research is bolstering the evidence that positive incentives reduce the more egregious forms of insider threat, such as employee theft and sabotage. Regular employee attitude surveys of government employees by Gallup and the Office of Personnel Management support the applicability of this evidence in the U.S. government context.

During 2015 and 2016, we made significant progress in several related areas:

  • documenting a range of potential negative unintended consequences associated with establishing insider threat programs and avenues for mitigating these consequences
  • analyzing several high-profile insider incidents involving U.S. national security espionage for the levels of job engagement, co-worker connectedness, and perceived organization support evident during the incident timeline
  • conducting a survey of insider threat program managers in U.S. government contractors and industry to establish the relationship between positive incentives and insider threat behaviors
  • developing a simulation model illustrating the value of positive incentives
  • identifying positive incentive-based workforce management practices that can be adopted by organizations to reduce insider threats

Success of this research will enable insider threat programs in the U.S. government and industry to create a balance of positive and negative incentives that deter insider threats before they become realized attacks. Using the right mix of positive and negative incentives in an insider threat program can create a net positive for the employee and the organization—moving an insider threat program from a "big brother" program to a good employer program that improves employees’ work life.

Searching Sociotechnical Networks for Early Warnings of Insider Threat

The sociotechnical nature of the insider threat problem, combined with the difficulty of distinguishing malicious from benign acts, makes this problem both operationally and technically challenging. Sociotechnical networks include social networks, which provide early indications of insider disaffection, and information flow networks, which provide indications of suspicious or illicit information flows on and off the organization’s computing networks. We are investigating the differences between sociotechnical network indications for malicious insiders and those for the baseline user population.

We collaborate with Dr. Kathleen Carley’s group at the CASOS to analyze insider social networks using the Organization Risk Analyzer (ORA). We are exploring whether, over time, a malicious insider’s social-network ties exhibit decreasing strength with co-workers and increasing strength with external adversaries.

Some potential ways of measuring tie strength include communication frequency, volume, duration, reciprocity, emotional intensity, and honesty. We analyze these measures, validate their ability to distinguish malicious from benign acts, and build models of social capital growth and decline based on our findings. These models illustrate how the flow of insider dissatisfaction translates into threat incidents.

Despite the need for new controls for insider threat, our work at partner sites reveals that organizations have limited ability to develop or customize controls on their own. A simulation environment carefully tuned to mimic a specific site greatly enhances development and testing of threat indicators. Using this approach would also allow researchers greater flexibility to analyze threat scenarios without risking disruption to operations.

We are using our unique understanding of real-world insider threat programs to develop a simulation environment that is sufficiently realistic for training and testing approaches for detecting insider threat. Our dynamic environment will allow organizations to easily reconfigure the simulator on demand for selected features.

Looking Ahead

We are preparing to work with individual organizations to focus on what we believe is the key to a successful insider threat program: identifying the mix of positive and negative incentives that creates a net positive for both the employee and the organization.

Our work identifies candidate positive incentive-based principles and practice areas, but this is just a first step. The challenge is that people respond to incentives differently depending on the culture of the organization, the nature of their job, and their personality. Insight into insider social networks can help organizations identify employees who are having difficulties in their work life.

In addition, we will build on existing theories to gain insight into these individual differences and help organizations build a transition process to develop the right balance of positive and negative incentives. Such incentives promote employee satisfaction, performance, and retention and ultimately help organizations become more effective at reducing insider threats.

Learn More

Introduction to the Special Issue on Insider Threat Modeling and Simulation

Introduction to the Special Issue on Insider Threat Modeling and Simulation

April 08, 2016 Article
Andrew P. MooreKirk A. Kennedy (Federal Bureau of Investigation)Thomas J. Dover (Federal Bureau of Investigation)

In this publication, the authors introduce the area of insider threat modeling and simulation generally, and discuss the range of methods used in the research papers of the Special Issue.

Social Network  Dynamics of Insider Threats: A Preliminary Model

Social Network Dynamics of Insider Threats: A Preliminary Model

July 23, 2015 Conference Paper
Andrew P. MooreKathleen Carley (Carnegie Mellon School of Computer Science)Matthew L. CollinsNeal Altman (Carnegie Mellon University)

This paper describes a system dynamics model of insider espionage social networks. The model focuses on two forms of social capital: expectations and social norms.