search menu icon-carat-right cmu-wordmark

Organizational Resilience to Insider Threats

Daniel Costa

This September is the federal government's second annual insider threat awareness month, and this year's theme is resilience. The SEI has a significant body of research in resilience, and in the CERT National Insider Threat Center, we apply many of the principles and best practices for resilience to the insider threat problem. In this blog post, we will discuss the relationship between resilience and insider threat, discuss how to make organizations operationally resilient to insider threats, present strategies for making your insider threat program resilient, and highlight some of the key activities the CERT National Insider Threat Center will be conducting in support of National Insider Threat Awareness Month.

Making Your Organization Operationally Resilient to Insider Threats

Operational resilience as an emergent property of an organization that can continue to carry out its mission in the presence of operational stress and disruption that does not exceed its limit. Operational resilience isn't something an organization does. An organization is operationally resilient, or aspires to be.

Operational resilience can also be thought of across multiple types of operational stress and disruption - an organization can be operationally resilient to some types (for example, environmental threats such as fires and floods), and not operationally resilient to others (insider threats, for example). The question, then, is how do I make my organization operationally resilient?

The CERT Resilience Management Model (CERT-RMM) is a collection of best practices for managing operational resilience. Organizations can use CERT-RMM to determine their current capabilities for managing operational resilience, identify capability gaps, and develop plans to close those gaps. The model contains 26 process areas, and goals and specific practices within each process area. Many of the CERT-RMM process areas are directly applicable to insider threats:

  • Asset definition and management--What critical assets must the organization protect from authorized access misuse by insiders?
  • Organizational training and awareness--How does the organization ensure its workforce understands the threats to its critical assets that insiders pose, and what are the responsibilities of individual employees to protect the organization's critical assets from misuse?
  • Risk management--What is the impact and likelihood of insider attacks based on the organization's current capabilities, and how can the organization prioritize investments in reducing the impacts and likelihoods of certain attacks?
  • Access management--How can the organization ensure that authorized access to its critical assets is granted only to those with a critical business need?
  • Monitoring--How can the organization detect not only the harmful acts associated with insider misuse of authorized access, but the concerning behavior and activity that precede the harmful acts as well?

The CERT-RMM process areas listed above just scratch the surface of how to make an organization operationally resilient to insider threats. Nearly every process provides guidance and recommendations applicable to making your organization operationally resilient to insider threats.

The past year has emphasized the need for organizations to focus on operational resilience to insider threats, as the COVID-19 pandemic has placed employees under significant personal and professional stress, changed what "normal" operations and access to critical assets look like, and highlighted the need for mature, institutionalized processes that can adapt to an ever-changing risk landscape.

Building a Resilient Insider Threat Program

Organizations can also apply the principles of operational resilience management directly to insider threat program operations. A number of CERT-RMM process areas can help organizations mature their formalized insider threat programs:

  • Knowledge and information management--Detailed and thorough documentation of insider threat data collection and analysis strategies can ensure that the same inputs produce the same outputs, regardless of who performs the analysis, and can avoid biased insider threat analysis.
  • People management--Insider threat analysts can be exposed to traumatic information while collecting and analyzing data, particularly for insider threat programs with workplace violence in their scope. Insider threat programs should ensure that they provide their team members adequate resources, supports, and coping mechanisms.
  • Risk management--Adopting risk management principles into insider threat program operations can help with scoping an insider threat program, determining threat impact and likelihood, and measuring insider threat program effectiveness.
  • Compliance--Insider threat program detection and response mechanisms should be tied closely to the organization's policies and procedures that govern authorized access to the organization's critical assets and how critical business processes should be conducted.

The insider threat program of the future is an integrated, proactive, risk-based mission enabler that makes its organization operationally resilient against insider threats. This future state can be realized by

  • expanding relationships with traditionally under-represented insider threat program stakeholders
  • clearly articulating program goals and risk appetite
  • emphasizing process institutionalization, yielding more stable processes that produce consistent results over time that are retained during times of stress

More from the CERT National Insider Threat Center

The CERT National Insider Threat Center will engage in a variety of activities in support of National Insider Threat Awareness Month this September:

  • We will be updating the Insider Threat Blog weekly, with new insights and analysis from our ongoing research in the insider risk management domain. Blog posts will cover topics such as technical detection, trusted business partner management, and the latest insights and analysis from our insider threat incident corpus. Subscribe to the Insider Threat Blog via RSS.
  • We will be holding the seventh annual CERT NITC Symposium on September 10 and 24. The theme of this year's live, online, two-day event is "From Mitigating Insider Threats to Managing Insider Risk." The symposium will feature panels and keynote presentations from government and industry experts on topics such as applying the principles of operational resilience and risk management to the counter insider threats, managing insider risks during a pandemic, and adopting a risk and resilience focus to mature an insider threat program. You can register for the event and check out the agenda on our website.
  • We will be speaking at several additional events, including the Social and Behavioral Sciences Summit and the Insider Risk Summit. We encourage you to register for these events and check out the presentations from our experts.

We also encourage you to check out our insider threat courses, which the SEI has successfully transitioned to live, online delivery formats over the past several months. We look forward to engaging with you further in subsequent blog posts, our symposium, and many other events this month. As always, you can reach us directly at

Get updates on our latest work.

Each week, our researchers write about the latest in software engineering, cybersecurity and artificial intelligence. Sign up to get the latest post sent to your inbox the day it's published.

Subscribe Get our RSS feed