
Suspicious and Disruptive Behavior Monitoring and Response (Part 4 of 20: CERT Best Practices to Mitigate Insider Threats Series)

Tracy Cassidy

The fourth practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 4: Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. In this post, I discuss the importance of early identification of suspicious and disruptive behavior in the workplace to mitigate potential insider threats.

The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The fourth of the 20 best practices follows.

Practice 4: Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior

Knowing who your applicants are before they join your team is essential. Your organization should conduct background checks (following all legal guidelines) that include previous criminal convictions, credentials, past employment, and credit reports.

General Counsel should be consulted when developing a framework for monitoring and responding to suspicious or disruptive behavior. You should involve your legal team in determining how to collect and share employee information, monitoring legally allowable employee communications, and using arrest records when determining suitability for employment. Teams working with issues of employee privacy (if applicable) should also be consulted.

You should conduct background checks uniformly for all potential employees, including contractors and subcontractors. You can assign risk levels to positions of higher risk or higher trust and periodically re-investigate employees in these positions with legal counsel's approval. Background investigations are also discussed in best practice 6: Consider threats from insiders and business partners in enterprise-wide risk assessments.

Supervisors and co-workers must be trained on how to identify and respond to employees who are exhibiting concerning behaviors. Management plays an integral part in providing needed support and corrective actions to employees experiencing difficulties in their professional or personal lives before the situation escalates. Consider offering an Employee Assistance Program (EAP) to provide employees a safe and confidential place to discuss their stressors and concerns, potentially decreasing the number of disruptive or concerning behaviors they exhibit in the workplace.

Management can also provide positive incentives to aid in mitigating insider threats. The CERT Division has conducted research on this subject. See the report The Critical Role of Positive Incentives for Reducing Insider Threats for more information.

Some employees who may be progressing down the path to becoming an insider threat may first test the waters with less egregious actions. When not impeded, they may feel emboldened to commit more significant acts or repeat violations that could intensify over time. In our research, we have found that employees who commit repeat violations have an increased risk of committing a malicious incident.

Co-workers need to know how to report fellow employees who are exhibiting concerning or disruptive behaviors, including inappropriate workplace behavior or unexplained financial wealth. Workplace violence prevention or threat assessment programs (if applicable) should be involved in this process, as the escalation of concerning behaviors can sometimes turn into workplace violence incidents rapidly. Document and investigate all incidents of concerning and disruptive behavior for future reference.

Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back next week to read Practice 5: Anticipate and manage negative issues in the work environment, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.

For more information about the CERT Insider Threat Center, see, or contact
