search menu icon-carat-right cmu-wordmark

Analyzing Insider Threat Data in the MERIT Database


Greetings! This is Matt Collins, an insider threat researcher with the CERT Insider Threat Center. In this post I describe some of the types of insider incident data we record in our Management and Education of the Risk of Insider Threat (MERIT) database. The CERT Insider Threat Center began recording cases of insider threat in 2001. To date we've recorded over 800 incidents using publicly available information. Those 800 plus cases span the years 1995 through the present. The MERIT database allows us to analyze and understand the who, what, when, where, and why of insider incidents.

Insider incidents typically fall into one of three main categories: sabotage (24% of MERIT cases), fraud (44%), and theft of intellectual property (16%). The other cases fall into either a miscellaneous category (12%) or represent a combination of the three main categories (4%). Assigning categories to insider incidents allow us to better understand the impact of the incidents and gives us insight into possible insider motivations.

To determine who malicious insiders are, we record data that describes the insider. This data ranges from insiders' general demographics to their affiliation with the organization. In cases with information about the insider's affiliation with the organization, we find that the insider is most often an employee at the victim organization (85% of cases) or a contractor, sub-contractor, or other trusted business partner (15%). Recording information about past insiders allows us to find common traits among insiders who impact the organization's critical assets.

The when and where of insider incidents are tracked by recording when the incident took place relative to the insider's normal working hours and whether the incident occurred remotely or onsite. In cases where the time was known, 28% of insider incidents took place outside of normal working hours and 72% occurred during the insider's normal working hours. In cases where the insider's location was known, the insider acted onsite in 70% of incidents, acted from a remote location in 24% of incidents, and acted from both onsite and remote locations in the remaining 6% of incidents.

Specific information detailing how and why each insider case occurred is also recorded in the database. We consider this information when developing insider threat recommendations in our Common Sense Guide to Mitigating Insider Threats, currently in its 4th edition. For additional information on the structure of the CERT Division's MERIT database, please refer to the blog post The CERT Insider Threat Database.

If you have questions or comments for the Insider Threat Center, we would be happy to hear from you. Please contact us at

Get updates on our latest work.

Each week, our researchers write about the latest in software engineering, cybersecurity and artificial intelligence. Sign up to get the latest post sent to your inbox the day it's published.

Subscribe Get our RSS feed