SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Insider Threat Case Trends of Technical and Non-Technical Employees

Posted on by in

This is the second of two blog entries that explore questions we were asked during a recent meeting with leaders from the U.S. financial services sector. In this entry, we focus on what role malicious insiders typically hold in an organization: a non-technical position, a technical position, or both. "Non-technical" includes positions such as management, sales, and auditors. "Technical" includes positions such as system or database administrators, programmers, and helpdesk employees. "Both" includes overlapping jobs such as IT managers.

The statistics in this entry were generated from the cases that we have collected and observed. Your organization may see a very different breakdown of the positions held by malicious insiders, especially if you have a different allocation of technical and non-technical positions.

In our repository, we have data about the organizational position for perpetrators of 355 malicious insider incidents. Of those cases, 54% held non-technical positions, 41% held technical positions, and 5% held both. Looking specifically at the banking and finance sector, we had employment data for 73 incidents. Of those cases, 66% held non-technical positions, 33% held technical positions, and only 1% held both. It is interesting to note that we did not observe a drastic difference between the position breakdown in the banking and finance incidents and in our larger sample of cases. However, the results do seem to indicate that the majority of crimes that we have observed in banking and finance involve insiders in non-technical positions. If we examine the type of crime for all malicious insider incidents, 40% of the cases are fraud. Within only the banking and finance incidents, the percent of fraud cases increases to 70%. Our research indicates that non-technical employees perpetrate the majority of insider fraud crimes, so the difference in number of fraud cases may account for the increased percentage of non-technical positions within the banking and finance sector.

We also collect data on when the crimes occur, so we can compare technical versus non-technical crimes over the last ten years. Incidents that occurred in 2010 may still be reported, so we did not include 2010 in these graphs. The first graph includes all incidents where we knew the start date of the incident.


The next graph only includes financial sector incidents where we knew the start date of the incident.


Looking at the graphs, the ebb and flow of technical versus non-technical insiders could follow U.S. economic indicators. The steady increase in non-technical crimes leading up to 2006 in both graphs may coincide with the U.S. economic downturn. Are there other possibilities? Maybe one of you in the financial service sector can compare our timeline of incidents (from this blog entry and our previous blog entry) to some meaningful measures of the U.S. economy or to other general indicators of employee well-being?

Another aspect of this issue is whether damages differ between incidents involving technical versus non-technical insiders. For example, would technical insiders have more access to IT systems and therefore be able to cause more damage? Or would non-technical insiders with much more restricted access but more knowledge of the data in the systems be able to cause more damage? Before we answer these questions, keep in mind that, for now, our case repository only includes cases that organizations report to law enforcement. Therefore, our data might exclude lower damage incidents that organizations handle internally.

In our repository, the average impact between technical and non-technical cases in the financial services sector is relatively similar. The average damages for our technical cases were more than $750,000. The average damages for our non-technical insiders were more than $800,000. (Note: The average value for non-technical incidents does exclude one outlier case of a theft that spanned several years and resulted in almost $700,000,000 worth of damages.)

How has your organization allocated resources for preventing, detecting, and responding to threats posed by technical and non-technical employees? Does your organization focus on one type of employee and not the other? Our observations indicate that there is not a substantial difference between organizational roles of malicious insiders, so organizations must consider each category of employee when implementing security controls. Insider threat could come from anyone.

As always, we welcome your feedback.

More from CERT Insider Threat Center


View other blog posts by CERT Insider Threat Center.