Software Engineering Institute | Carnegie Mellon University

SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Hello, this is Matt Collins of the CERT Insider Threat Center. We are pleased to announce the publication of our paper "Four Insider IT Sabotage Patterns and an Initial Effectiveness Analysis." The paper describes four mitigation patterns of insider IT sabotage and initial results from a review of 46 cases from the CERT Insider Threat Database (MERIT Database).

Each pattern was developed to prevent or detect potentially malicious actions related to insider threat IT sabotage cases. We examined the potential effectiveness of these patterns with statistical analysis of data in the MERIT Database. We also consider statistical significance, including a discussion of inter-rater reliability (IRR) and dataset size.

This is Matt Collins, Insider Threat Researcher at the CERT Insider Threat Center. In this post, I cover statistics related to a group of cases in the CERT Division's insider threat database related to the theft of intellectual property (IP).

The CERT database was started in 2001 and contains insider threat cases that can be categorized into one of four groupings:

  1. Fraud
  2. Sabotage
  3. Theft of Intellectual Property (IP)
  4. Miscellaneous

Today I'm discussing cases in our database that involve the theft of IP. As of the date of this post, we have 103 insider threat cases in the MERIT Database that include the theft of IP. (All statistics are reported as a percentage of the cases that had relevant information available.)

Greetings! This is Matt Collins, an insider threat researcher with the CERT Insider Threat Center. In this post I describe some of the types of insider incident data we record in our Management and Education of the Risk of Insider Threat (MERIT) database. The CERT Insider Threat Center began recording cases of insider threat in 2001. To date we've recorded over 800 incidents using publicly available information. Those 800 plus cases span the years 1995 through the present. The MERIT database allows us to analyze and understand the who, what, when, where, and why of insider incidents.

Hello, I'm David Mundie, a CERT cybersecurity researcher. This post is about the research CERT is doing on unintentional insider threats, in particular social engineering.

Earlier this year, the CERT Division's Insider Threat Team published the report Unintentional Insider Threats: A Foundational Study that documents results of a study of unintentional insider threats (UIT), which was sponsored by the Department of Homeland Security Federal Network Resilience (FNR). Following the success of that report, we on the Insider Threat Team continued our work on UIT, focusing on one aspect of the threat: social engineering.

Hi, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Division. Organizations may be searching for products that address insider threats but have no real way of knowing if a product will meet their needs. In the recently released report, Insider Threat Attributes and Mitigation Strategies, I explore the top seven attributes that insider threat cases have according to our database of over 700 insider incidents. These attributes can be used to develop characteristics that insider threat products should possess.

This is Dave Mundie, senior member of the technical staff in the CERT Division.

Previous SEI blog posts ("Protecting Against Insider Threats with Enterprise Architecture Patterns" and "Effectiveness of a Pattern for Preventing Theft by Insiders") have described the the pattern language for insider threat that my colleague Andrew Moore and I have been developing. This pattern language consists of 26 mitigation patterns derived from the examination of more than 700 insider threat cases in our database. The goal of our research is to help organizations balance the cost of security controls with the risk of insider compromise.

My most recent blog post is the third installment in the series, and describes our efforts to organize our pattern language in a way that makes it as usable as possible. I discuss our explorations into categorization and classification systems, and outline our rationale for moving away from a rigid, top-down, linear hierarchical categorization system. Please read the post, and let me know if you have comments or suggestions.

Hello, I'm David Mundie, a CERT cybersecurity researcher. This post is about the research CERT is doing on the unintentional insider threat. Organizations often suffer from individuals who have no ill will or malicious motivation, but whose actions cause harm. The CERT Insider Threat Center conducts work, sponsored by the Department of Homeland Security's Federal Network Resiliency Division, that examines such cases. We call this category of individuals the "unintentional insider threat" (UIT).