Hello, this is Matt Collins of the CERT Insider Threat Center. We are pleased to announce the publication of our paper "Four Insider IT Sabotage Patterns and an Initial Effectiveness Analysis." The paper describes four mitigation patterns of insider IT sabotage and initial results from a review of 46 cases from the CERT Insider Threat Database (MERIT Database).

Each pattern was developed to prevent or detect potentially malicious actions related to insider threat IT sabotage cases. We examined the potential effectiveness of these patterns with statistical analysis of data in the MERIT Database. We also consider statistical significance, including a discussion of inter-rater reliability (IRR) and dataset size.

Although the requirements for statistical significance could not be met by our data, this paper describes how we used the MERIT Database by adding notations to IT sabotage case data to help us analyze mitigation patterns and their effectiveness.

The four mitigation patterns we identified are

1. Constrain remote work outside of normal hours.
2. Increase monitoring within a time window of a negative workplace event.
3. Monitor for insiders' machines using co-workers' accounts remotely.
4. Eliminate potential methods of access after termination.

For each pattern, we discuss the problems common across multiple cases that inspired our pattern and show an example of how the mitigation pattern might be implemented. Additionally, we provide a more detailed design rationale, references to related patterns, and diagrams to further explain each pattern. We describe data that would be needed to make a statistically significant analysis of effectiveness of this kind of pattern, offer suggestions about how to gather this kind of data, and discuss issues that complicate results of the analysis of IT sabotage case data.

These considerations are important for analyzing empirical data about IT attacks (whether from insiders or outsiders) and making sure that lessons learned and strategies employed for mitigation make sense given the scope and limitations of data supporting a hypothesis.

We hope you find this paper interesting, and we welcome feedback and questions related to the paper or insider threat in general. The CERT Insider Threat Center is available for comments or questions at the Insider Threat Comment Form.