According to a 2023 Ponemon study, the number of reported insider risk incidents and the costs associated with them continues to rise. With more than 7,000 reported cases in 2023, the average insider risk incident cost organizations over $600,000. To help organizations assess their insider risk programs and identify potential vulnerabilities that could result in insider threats, the SEI CERT Division has released two tools available for download on its website. Previously available only to licensed partners, the Insider Threat Vulnerability Assessment (ITVA) and Insider Threat Program Evaluation (ITPE) toolkits provide practical methods to assess your organization’s ability to manage insider risk. This post describes the purpose and use of the toolkits, with a focus on the workbook components of the toolkits that are the primary methods of program assessment.

The ITVA and ITPE Toolkits

The lITVA and ITPE toolkits are intended to assess distinct areas of an insider risk program. The ITVA toolkit helps programs assess their capacity to prevent, detect, and respond to threats to an organization's critical assets and processes, and is derived from vulnerabilities coded in the CERT insider threat case corpus. The ITPE toolkit evaluates the components of an insider risk program at an enterprise level. It benchmarks them against National Insider Threat Task Force (NITTF) standards along with CERT best practices. Each toolkit includes several workbooks and a variety of useful content to help facilitate insider risk program assessments, including interview and logistics guidance, pre-assessment information collection worksheets, and participant briefing templates.

The Workbooks

The workbooks included with each toolkit are the primary methods of assessment. The workbooks are organized by the functional area that they assess, and utilize the Goals, Questions, Indicators, and Measures (GQIM) framework to measure effectiveness. The tables below show the names of the workbooks for the ITVA and ITPE (in bold), as well as their respective capability areas:

Insider Threat Program Evaluation (ITPE) Workbooks

As shown in Figure 1 below, ITPE is organized by three functional area workbooks: Program Management, Personnel and Training, and Data Collection and Analysis. Each workbook is broken down into individual capability areas.

Figure 1: The Insider Threat Program Evaluation (ITPE) is organized by three functional area workbooks: Program Management, Personnel and Training, and Data Collection and Analysis.

Insider Threat Vulnerability Assessment (ITVA) Workbooks

Similar to the ITPE workbooks, the ITVA workbooks are named after seven functional areas: Data Owners, Human Resources, Information Technology, Legal, Physical Security, Software Engineering, and Trusted Business Partners (Figure 2). Each workbook is broken down into individual capability areas.

Figure 2: The Insider Threat Vulnerability Assessment (ITVA) is organized by seven functional area workbooks: Data Owners, Human Resources, Information Technology, Legal, Physical Security, Software Engineering, and Trusted Business Partners.

Workbook Scoring Methodology

As mentioned above, each workbook in the ITVA and ITPE toolkits is descomposed into functional areas and their individual capabilities. These capabilities are defined as a designated activity, process, policy, or responsibility considered good practice or a requirement for an insider threat program. For instance, the Information Technology workbook has seven capabilities that will be assessed: Access Control, Modification of Data or Disruption of Services or Systems, Unauthorized Access, Download, or Transfer of Assets, Detection and Identification, Incident Response, and Termination

Each capability uses several indicators to determine whether the relevant activities are performed. Indicators are individual questions related to controls, practices, processes, or other activities that must be answered and substantiated (via interviews, observations, or document review) to determine capability scoring levels. A capability is scored based on the indicator level achieved. Figure 3 shows the relationship between workbooks, capabilities, and indicators/indicator scoring levels.

Figure 4 below describes the scoring level definitions used by the ITVA and ITPE.

Figure 4: Scoring level definitions used by the ITVA and ITPE.

Scoring Example

Capability scores are attained by evaluating the indicators at each level. Level scores can then be compiled to provide overall scoring for the workbook. The following are example indicators from the Access Control/Expired Accounts capability in the Information Technology workbook. Note the different indicators and substantiation requirements for each of the four levels.

After all capabilities are scored, cumulative workbook scoring can be produced. The circle graph in Figure 6 below is an example visualization of capability scoring from the Information Technology workbook in the ITVA. The Information Technology workbook contains 50 capabilities and more than 300 indicators. The scoring levels are represented by color, along with the number of capabilities at each scoring level. While twenty-six of the capabilities are scored as Level 4 “robust,” three function at an “enhanced” Level 3, nine are at a “core” Level 2, and two capabilities are Level 1 “not performed.” Detailed workbook capability scoring allows organizations to drill down to specific indicators and distinctly identify strengths and weaknesses of their program, reveal potential gaps in processes and procedures, and provides a baseline for future assessments.

Additional Workbook Content

The ITVA and ITPE workbooks also include additional sections to help assessment teams understand capabilities and assist with assessment activities:

• Clarification/Intent provides easy-to-understand explanations of the workbook capabilities and their intended purpose.
• Assessment Team Guidance offers detailed direction from CERT to help assessment teams evaluate the workbook capabilities.
• Organization Response, Evidence Sought, Additional Information outlines additional workbook fields used by the assessment team to document the various assessment data collected.

Insider Risk-Measures of Effectiveness (IRM-MOE)

For organizations looking for detailed guidance on the use of the ITVA and ITPE toolkits, CERT’s new IRM-MOE course offers instruction and assistance with different ways to assess your insider risk program. This three-day course covers using the ITVA and ITPE toolkits, and also reviews CISA’s Insider Risk Mitigation Program Evaluation (IRMPE) instrument. The IRMPE is a lightweight tool with built-in reporting used to help evaluate your insider risk program. The tool is easy to use, and can typically be completed in under 4 hours. In addition, the IRM-MOE course provides instruction for metric development using the Goal-Question-Indicator-Measure (GQIM) framework. This framework enables insider risk programs to create custom metrics based on their organization’s criteria.

Toolkits Add Value to Your Insider Risk Program

The ITVA and ITPE toolkits can be valuable assets to your insider risk program. The accompanying ITVA and ITPE workbooks help organizations assess their insider risk programs and identify potential vulnerabilities associated with insider risk behavior. Using the toolkits as part of your program’s routine assessment procedures can help align your program with best practices and NITTF standards, identify potential vulnerabilities, and produce scoring to benchmark your program’s progress.