Classifying Industry Sectors: Our New Approach to an Industry Sector Taxonomy (Part 2 of 9: Insider Threats Across Industry Sectors)
Published in: Insider Threat

As Randy Trzeciak mentioned in the first blog in this series, we are often asked about the commonalities of insider incidents for a particular sector. These questions invariably begin conversations about which sector-specific best practices and controls are best suited to address the common incident patterns faced by these organizations. To better address this question, we decided to update our model for coding industry sectors[1], or what classification system we use to organize the organizations in our insider threat database.
We decided to adopt a hierarchical system for classifying industry sectors to replace the flat classification system that we previously used. This allows us to report findings on broad sectors, such as transportation systems or communication systems, as well as narrower verticals within each sector, such as air transportation or telecommunications. The new classification system serves as the foundation for this blog series on insider threats across industry sectors.
In this post, we discuss why we transitioned to a hierarchical classification system. We also present the new system and explain its utility. We then describe what's next for this series on highlighting insider threat trends across industry sectors.
Why Adopt a Hierarchical System?
Previously, we employed a modified version of the Department of Homeland Security Critical Infrastructure Sector classification system. Presidential Policy Directive 21 (PPD-21) identifies and describes sixteen sectors that contain critical assets or processes considered so vital to United States interests that "their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."[2] It is widely used in identifying and describing such critical sectors and remains a standard for reporting findings for these industries.
As our incident corpus has grown, we found an increasing number of "miscellaneous" insider incidents that could not be appropriately classified with the flat taxonomy we formerly used. Examples of difficult-to-classify organizations included retail stores, entertainment businesses, and non-profit organizations. Additionally, we found that the flatness of the taxonomy prevented us from drilling down to collect and analyze incidents in specific verticals within the sectors. This is particularly problematic in the Financial Services sector, which has a large number of sub-organization types (such as banks, insurance, and financial services) that are relatively diverse in terms of regulation.
Accordingly, we sought a new, multi-tiered classification system that was broader in coverage (to include sectors not designated as "critical") and had enough depth to enable us to scope our findings to more specific sectors as necessary. We also wanted to maintain compatibility with the DHS Critical Infrastructure taxonomy, as well as with government standard industry classification systems: the North American Industrial Classification System (NAICS) and the Standard Industrial Classification (SIC) system. (NAICS was released in 1997 to replace the SIC standard, although some organizations still use SIC.[3])
The New Classification System for Incident Analysis
As we mentioned earlier, our new classification system is hierarchical and designed to map to existing industry sector taxonomies such as the PPD-21 critical infrastructure set or our previous industry sector model. Our new system is modeled after NAICS, a comprehensive classification system with six tiers and over 100 classes. Our modified version contains just two tiers, with 15 classes at the Tier 1 level and 70 classes at the Tier 2 level. Of the subsectors in Tier 2, we find that 12 are not considered "critical infrastructure"; examples include legal or professional consulting services, religious institutions, and civic associations.
We modified the NAICS code primarily to reduce the complexity of the lower levels into a two-tiered approach that provided consistent specificity across the sectors. Additionally, we sought to eliminate any overlap between classes and any ambiguity with the class names. We wanted to adopt the standard NAICS classification for our purposes (without creating too much of a burden for our analysts) while preserving the sectors that we regularly report (such as Federal Government versus State/Local Government).
Below is our full taxonomy. For a detailed enumeration of the differences between our new system and the NAICS code, please contact us at insider-threat-feedback@cert.org.
| Tier I Sector | Tier II Subsector |
| --- | --- |
| Agriculture and Mining | Agriculture and Forestry |
| | Fishing and Hunting |
| | Mining and Quarrying |
| | Oil and Gas Extraction |
| Utilities | Energy (Electric Power, Natural Gas) |
| | Water, Sewage, and Waste Collection |
| | Nuclear (Power, Materials, Waste) |
| | Waste Collection |
| | Dams |
| Construction | Residential (Home Builder) |
| | Non-Residential (Complexes and Offices) |
| | Civil (Bridges, Roads, Etc.) |
| | Architecture |
| Manufacturing (Minus Medical Equipment) | Food and Beverage |
| | Chemical |
| | Aerospace, Auto, Marine, and Machinery |
| | Electronics |
| | General Manufacturing |
| Trade | Retail Trade (Automotive, Clothing, Gas Stations, Health and Personal Care, Electronics and Appliances) |
| | Wholesale Trade |
| | E-Commerce |
| Transportation and Support Services | Air |
| | Rail |
| | Water |
| | Truck |
| | Transit |
| | Pipeline |
| | Courier Services |
| | Supply Chain Services |
| Information Technology | Software Publishers & Web Developers |
| | Telecommunications |
| | IT, Data Processing, Hosting, Etc. |
| Finance and Insurance | Banks & Credit Unions |
| | Insurance (Home, Auto, Life, Etc.) |
| | Other Financial Services |
| Real Estate and Rental/Leasing | Real Estate Sales/Rentals |
| | Warehousing & Storage |
| | Automotive & Machinery Rental/Leasing |
| Religious Institutions, Charities, and Non-Profits | Religious Institution |
| | Charity |
| | Non-Profit |
| | Civic Association |
| Professional Services | Legal |
| | Consulting |
| | Scientific Research and Development |
| | Manual Labor and Related Services |
| | Labor Unions |
| | Business Services (Marketing, PR, Etc.) |
| Education | Elementary/High School |
| | Colleges/Universities |
| | Technical/Industry Training |
| Health Care and Social Assistance | Private Practice, Walk-In Clinics, At Home Care, Etc. |
| | Diagnostics, Support Services, and Medical Manufacturing |
| | Advocacy Services |
| | Psychological Practice |
| | Pharmacology |
| | Hospital |
| | Health Network |
| | Health Care Insurance |
| Arts, Entertainment, Recreation, and Hospitality | Performing Arts & Spectator Sports |
| | Museums & Historical Sites |
| | Content Publishers |
| | Hotels, Amusement, Gambling, Restaurants |
| Public Administration | Federal Government |
| | State Government |
| | Local Government |
| | Defense Industrial Base |
| | Correctional Facilities |
| | Postal Services |
| | Emergency Services |
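As an added illustration, not code from the CERT National Insider Threat Center, the two-tier table above is encoded as a Python mapping together with the two properties the design calls for: no Tier II class may sit under more than one Tier I sector (the "no overlap" goal), and incident counts recorded at Tier II must roll up to Tier I for broad reporting and drill down for vertical-specific analysis. The function names, the `Unclassified` bucket and the incident labels in `SAMPLE_INCIDENTS` are constructed for this example; the taxonomy entries themselves are transcribed from the table.

```python
from collections import Counter

# Two-tier taxonomy transcribed from the table in this post:
# Tier I sector -> list of Tier II subsectors (15 sectors, 70 subsectors).
TAXONOMY = {
    "Agriculture and Mining": ["Agriculture and Forestry", "Fishing and Hunting",
                               "Mining and Quarrying", "Oil and Gas Extraction"],
    "Utilities": ["Energy (Electric Power, Natural Gas)", "Water, Sewage, and Waste Collection",
                  "Nuclear (Power, Materials, Waste)", "Waste Collection", "Dams"],
    "Construction": ["Residential (Home Builder)", "Non-Residential (Complexes and Offices)",
                     "Civil (Bridges, Roads, Etc.)", "Architecture"],
    "Manufacturing (Minus Medical Equipment)": ["Food and Beverage", "Chemical",
        "Aerospace, Auto, Marine, and Machinery", "Electronics", "General Manufacturing"],
    "Trade": ["Retail Trade (Automotive, Clothing, Gas Stations, Health and Personal Care, "
              "Electronics and Appliances)", "Wholesale Trade", "E-Commerce"],
    "Transportation and Support Services": ["Air", "Rail", "Water", "Truck", "Transit",
        "Pipeline", "Courier Services", "Supply Chain Services"],
    "Information Technology": ["Software Publishers & Web Developers", "Telecommunications",
        "IT, Data Processing, Hosting, Etc."],
    "Finance and Insurance": ["Banks & Credit Unions", "Insurance (Home, Auto, Life, Etc.)",
        "Other Financial Services"],
    "Real Estate and Rental/Leasing": ["Real Estate Sales/Rentals", "Warehousing & Storage",
        "Automotive & Machinery Rental/Leasing"],
    "Religious Institutions, Charities, and Non-Profits": ["Religious Institution", "Charity",
        "Non-Profit", "Civic Association"],
    "Professional Services": ["Legal", "Consulting", "Scientific Research and Development",
        "Manual Labor and Related Services", "Labor Unions",
        "Business Services (Marketing, PR, Etc.)"],
    "Education": ["Elementary/High School", "Colleges/Universities",
                  "Technical/Industry Training"],
    "Health Care and Social Assistance": ["Private Practice, Walk-In Clinics, At Home Care, Etc.",
        "Diagnostics, Support Services, and Medical Manufacturing", "Advocacy Services",
        "Psychological Practice", "Pharmacology", "Hospital", "Health Network",
        "Health Care Insurance"],
    "Arts, Entertainment, Recreation, and Hospitality": ["Performing Arts & Spectator Sports",
        "Museums & Historical Sites", "Content Publishers",
        "Hotels, Amusement, Gambling, Restaurants"],
    "Public Administration": ["Federal Government", "State Government", "Local Government",
        "Defense Industrial Base", "Correctional Facilities", "Postal Services",
        "Emergency Services"],
}


def find_overlaps(taxonomy):
    """Return Tier II names that appear under more than one Tier I sector (sorted)."""
    seen = Counter(sub for subs in taxonomy.values() for sub in subs)
    return sorted(name for name, n in seen.items() if n > 1)


def build_parent_index(taxonomy):
    """Map each Tier II subsector to its Tier I sector, refusing an ambiguous taxonomy."""
    overlaps = find_overlaps(taxonomy)
    if overlaps:
        raise ValueError(f"subsectors listed under more than one sector: {overlaps}")
    return {sub: sector for sector, subs in taxonomy.items() for sub in subs}


PARENT = build_parent_index(TAXONOMY)


def roll_up(subsector_labels, parent=PARENT):
    """Aggregate one Tier II label per incident into Tier I counts.

    Labels absent from the taxonomy are counted under 'Unclassified' rather than
    dropped, so the 'miscellaneous' problem the post describes stays visible.
    """
    counts = Counter()
    for label in subsector_labels:
        counts[parent.get(label, "Unclassified")] += 1
    return counts


def drill_down(subsector_labels, sector, taxonomy=TAXONOMY):
    """Counts for every Tier II subsector inside one Tier I sector (zeros kept)."""
    per_sub = Counter(subsector_labels)
    return {sub: per_sub[sub] for sub in taxonomy[sector]}


# Constructed sample labels, one per incident; not data from the CERT database.
SAMPLE_INCIDENTS = [
    "Banks & Credit Unions", "Banks & Credit Unions",
    "Insurance (Home, Auto, Life, Etc.)", "Federal Government", "Hospital",
    "Retail Store",  # deliberately not a taxonomy label: lands in 'Unclassified'
]

if __name__ == "__main__":
    for sector, n in roll_up(SAMPLE_INCIDENTS).most_common():
        print(f"{n:3d}  {sector}")
    print(drill_down(SAMPLE_INCIDENTS, "Finance and Insurance"))
```

Keeping the parent index as a single dictionary is what makes the flat-to-hierarchical migration cheap: existing records that carry only a Tier II label need no change, and the `Unclassified` count doubles as a data-quality check for labels that drifted away from the taxonomy.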
What's Next?
In the next series of blog posts, we'll highlight specific Tier 1 sectors and Tier 2 subsectors, exploring insider incident trends within each. We'll characterize threats by answering the 5W1H questions (Who? What? When? Where? Why? How?). We'll chronicle story summaries of exemplar incidents and describe unique or interesting findings for the given sector. Additionally, we'll contextualize each sector by discussing germane regulatory mechanisms (such as GLBA or HIPAA) that govern industry security practices to mitigate insider threats. As appropriate, we'll identify applicable controls and resources to help reduce insider risk and increase your threat awareness.
Stay tuned for the next post, where we spotlight the Federal Government subsector, or subscribe to a feed of the Insider Threat blog to be alerted whenever a new post is available.
For more information about the CERT National Insider Threat Center, please contact insider-threat-feedback@cert.org.
Notes
[1] "Industry sector" encompasses federal departments and agencies underneath the Public Administration industry sector.
[2] Department of Homeland Security, Critical Infrastructure Sectors website. https://www.dhs.gov/critical-infrastructure-sectors
[3] Standard Industrial Classification. Wikipedia. https://en.wikipedia.org/wiki/Standard_Industrial_Classification
Entries in the "Insider Threats Across Industry Sectors" series:
- Part 1: Insider Threat Incident Analysis by Sector
- Part 2: Classifying Industry Sectors: Our New Approach to an Industry Sector Taxonomy
- Part 3: Insider Threats in the Federal Government
- Part 4: Insider Threats in Finance and Insurance
- Part 5: Insider Threats in State and Local Government
- Part 6: Insider Threats in Information Technology
- Part 7: Insider Threats in Healthcare
- Part 8: Insider Threats in Entertainment