Software Engineering Institute | Carnegie Mellon University

SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

The underlying network infrastructure is a critical component of any insider threat program. In this seventh in a series of 18 posts, I will introduce a few concepts of how to use your enterprise infrastructure to prevent, detect, and respond to insider threat events.

My name is Derrick Spooner, a member of the technical staff of the CERT Insider Threat Center in the Software Engineering Institute (SEI) at Carnegie Mellon University. Previous posts have introduced several critical components of a formal insider threat program. Today, I discuss supporting infrastructure controls in the following areas:

Why should anyone care about program compliance and effectiveness? The CERT Division's answer to this question is simple: If you're going to have an Insider Threat Program (InTP), you want it to work well and within the limits of the law. We advocate that InTPs comply with all applicable laws, regulations, policies, and established procedures in a way that effectively deters, detects, and mitigates insider threats. Be sure to regularly work with your organization's general council to ensure your insider threat program is complying with federal, state, and local laws.

Hello, this is Jeremy Strozer, Insider Threat Researcher at the CERT Insider Threat Center. The focus of my work is the nexus of where the threat from outside actors meets the insider. As part of this work, I help organizations establish their InTPs. I'd like to use this post to talk about one aspect of program development: Oversight of Program Compliance and Effectiveness.

An effective Insider Threat Program includes participation from the essential business areas of an organization. The National Insider Threat Task Force (NITTF) Minimum Standards identify the particular groups that should be represented in an insider threat program.

Hi, this is Mike Albrethsen of the CERT Insider Threat Center with information about which groups should be included in the operation of an effective InTP and why.

These are the groups that the NITTF recommends participate in InTPs:

Hi, I'm Matt Collins, an Insider Threat Researcher at the CERT Insider Threat Center. This week in the third installment of our series, we'll take a look at the first component of an insider threat program: the formalized program itself. In last week's post, I summarized the elements of a successful insider threat program.

Why a formalized program?

A formalized insider threat program demonstrates the commitment of the organization to due care and due diligence in the protection of its critical assets. A formal program is essential to providing consistent and repeatable prevention, detection, and responses to insider incidents in an organization. These mature and well defined processes, designed with input from legal counsel and stakeholders across the organization, ensure that employee privacy and civil liberties are protected.

Before establishing an insider threat program in your organization, you first must understand the required components of such a program. In this second of a series of 18 posts, I will introduce you to the elements of an effective insider threat program.

Hi, I'm Matt Collins, an Insider Threat Researcher at the CERT Insider Threat Center. In the previous post, Randy Trzeciak discussed CERT insider threat work and reasons why an organization might want to establish an insider threat program. Today I'll describe the components required for an effective insider threat program. Developing and implementing these program components helps organizations protect and provide appropriate access to their intellectual property, critical assets, systems, and data.

Are you planning on establishing an insider threat program in your organization? If so, you'll find this series of 18 blog posts helpful. In this post, the first in the series, I explain why having an insider threat program is a good idea and summarize the topics my colleagues and I will be covering in this series.

My name is Randy Trzeciak, the Technical Manager of the Insider Threat Center in the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University. For the past 14 years, our team has been researching insider threats in an attempt to understand how insider incidents evolve over time as well as how organizations can prepare themselves to mitigate this complex threat. To date, we have collected and analyzed over 1000 actual insider incidents and have published over 100 reports that describe the threat and best practices for addressing it (

Hello, I'm Tracy Cassidy, a CERT cybersecurity researcher. This post is about the research the CERT Division is doing on unintentional insider threat (UIT) with a particular emphasis on phishing and malware incidents.

For the past year, the CERT Insider Threat Center, sponsored by the Department of Homeland Security, has been publishing reports on UIT. These reports include the initial and follow-on reports: Unintentional Insider Threats: A Foundational Study and Unintentional Insider Threats: Social Engineering.

Following the success of these reports, the Insider Threat Center continued its work on UIT, focusing on the newly designated PHISHING/SOCIAL threat vector and its subvectors, Malware and Credentials. These threat vectors/subvectors represent the use of phishing and/or social engineering as a means to implement malware or gain access to credentials. The intent of this work has been to identify the frequency of incident types that occur in different economic sectors within the United States.