Software Engineering Institute | Carnegie Mellon University

SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

An effective Insider Threat Program includes participation from the essential business areas of an organization. The National Insider Threat Task Force (NITTF) Minimum Standards identify the particular groups that should be represented in an insider threat program.

Hi, this is Mike Albrethsen of the CERT Insider Threat Center with information about which groups should be included in the operation of an effective InTP and why.

These are the groups that the NITTF recommends participate in InTPs:

Hi, I'm Matt Collins, an Insider Threat Researcher at the CERT Insider Threat Center. This week in the third installment of our series, we'll take a look at the first component of an insider threat program: the formalized program itself. In last week's post, I summarized the elements of a successful insider threat program.

Why a formalized program?

A formalized insider threat program demonstrates the commitment of the organization to due care and due diligence in the protection of its critical assets. A formal program is essential to providing consistent and repeatable prevention, detection, and responses to insider incidents in an organization. These mature and well defined processes, designed with input from legal counsel and stakeholders across the organization, ensure that employee privacy and civil liberties are protected.

Before establishing an insider threat program in your organization, you first must understand the required components of such a program. In this second of a series of 18 posts, I will introduce you to the elements of an effective insider threat program.

Hi, I'm Matt Collins, an Insider Threat Researcher at the CERT Insider Threat Center. In the previous post, Randy Trzeciak discussed CERT insider threat work and reasons why an organization might want to establish an insider threat program. Today I'll describe the components required for an effective insider threat program. Developing and implementing these program components helps organizations protect and provide appropriate access to their intellectual property, critical assets, systems, and data.

Are you planning on establishing an insider threat program in your organization? If so, you'll find this series of 18 blog posts helpful. In this post, the first in the series, I explain why having an insider threat program is a good idea and summarize the topics my colleagues and I will be covering in this series.

My name is Randy Trzeciak, the Technical Manager of the Insider Threat Center in the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University. For the past 14 years, our team has been researching insider threats in an attempt to understand how insider incidents evolve over time as well as how organizations can prepare themselves to mitigate this complex threat. To date, we have collected and analyzed over 1000 actual insider incidents and have published over 100 reports that describe the threat and best practices for addressing it (

Hello, I'm Tracy Cassidy, a CERT cybersecurity researcher. This post is about the research the CERT Division is doing on unintentional insider threat (UIT) with a particular emphasis on phishing and malware incidents.

For the past year, the CERT Insider Threat Center, sponsored by the Department of Homeland Security, has been publishing reports on UIT. These reports include the initial and follow-on reports: Unintentional Insider Threats: A Foundational Study and Unintentional Insider Threats: Social Engineering.

Following the success of these reports, the Insider Threat Center continued its work on UIT, focusing on the newly designated PHISHING/SOCIAL threat vector and its subvectors, Malware and Credentials. These threat vectors/subvectors represent the use of phishing and/or social engineering as a means to implement malware or gain access to credentials. The intent of this work has been to identify the frequency of incident types that occur in different economic sectors within the United States.

Hello, this is Matt Collins of the CERT Insider Threat Center. We are pleased to announce the publication of our paper "Four Insider IT Sabotage Patterns and an Initial Effectiveness Analysis." The paper describes four mitigation patterns of insider IT sabotage and initial results from a review of 46 cases from the CERT Insider Threat Database (MERIT Database).

Each pattern was developed to prevent or detect potentially malicious actions related to insider threat IT sabotage cases. We examined the potential effectiveness of these patterns with statistical analysis of data in the MERIT Database. We also consider statistical significance, including a discussion of inter-rater reliability (IRR) and dataset size.

This is Matt Collins, Insider Threat Researcher at the CERT Insider Threat Center. In this post, I cover statistics related to a group of cases in the CERT Division's insider threat database related to the theft of intellectual property (IP).

The CERT database was started in 2001 and contains insider threat cases that can be categorized into one of four groupings:

  1. Fraud
  2. Sabotage
  3. Theft of Intellectual Property (IP)
  4. Miscellaneous

Today I'm discussing cases in our database that involve the theft of IP. As of the date of this post, we have 103 insider threat cases in the MERIT Database that include the theft of IP. (All statistics are reported as a percentage of the cases that had relevant information available.)

Greetings! This is Matt Collins, an insider threat researcher with the CERT Insider Threat Center. In this post I describe some of the types of insider incident data we record in our Management and Education of the Risk of Insider Threat (MERIT) database. The CERT Insider Threat Center began recording cases of insider threat in 2001. To date we've recorded over 800 incidents using publicly available information. Those 800 plus cases span the years 1995 through the present. The MERIT database allows us to analyze and understand the who, what, when, where, and why of insider incidents.