SEI Insights

Insider Threat Blog


CERT Definition of 'Insider Threat' - Updated

Posted by Daniel Costa

As the insider threat landscape facing organizations continues to evolve, so too has the CERT Insider Threat Center's body of work as we fulfill our mission of conducting empirical research and analysis to develop and transition socio-technical solutions to combat insider threats.

With our team's recent publication of Workplace Violence and IT Sabotage: Two Sides of the Same Coin, work that describes the relationship between the potential risk indicators for incidents of insider workplace violence and insider cyber sabotage, we recognized the need to update our definition of insider threat to include the potential for physical acts of harm. In doing so, we chose to develop a single definition for insider threat that

  • covers malicious and non-malicious (unintentional) insider threats
  • covers cyber and physical impacts
  • applies to both government and industry
  • is clear, concise, consistent with existing definitions of 'threat', and broad enough to cover all insider threats

Many definitions of insider threat exist, but we could not find one among them that met the above criteria, so we decided to build our own definition. We started with our definition of insider threat from the CERT Guide to Insider Threats:

A malicious insider threat is a current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.

As our intent was to formulate a definition that covered both malicious and unintentional acts, we also incorporated aspects of the working definition for unintentional insider threat from the report Unintentional Insider Threats: A Foundational Study:

An unintentional insider threat is a current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and who, through action or inaction without malicious intent, causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization's information or information systems.

We combined these two definitions and modified the result to address physical threats as well. The result is a new definition for insider threat:

Insider Threat - the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.

The following provides some insight into our rationale for making certain design decisions in developing this new definition for insider threat:

We generalized the definition. In our working definition, we moved away from attempting to enumerate what types of threat actors are considered insiders, what types of assets insiders have access to, and what types of harm could be done to the organization. Providing a generalized definition allows these complex ideas to be expanded to meet the specific needs and priorities of a given organization. "Unpacking" these broad terms outside of the definition of insider threat also ensures forward-compatibility of the definition: as additional threat actors come to be considered insider threats and other types of impacts result from insider activities, this definition will still apply. Nonetheless, it is important for these ideas to be expanded and described alongside the definition to ensure the scope of the threat and its potential impacts are understood. To assist with this goal, we developed the following diagram:

[Figure (it-def2.png): diagram expanding the threat actors, assets, and impacts covered by the insider threat definition]

We differentiated the threat from the actor. We added "potential for" to the beginning of the definition to differentiate the threat from the threat actor, which is consistent with the definitions of both terms from the CERT Resilience Management Model.

We included indirect as well as direct impact. We added the word "could" before "negatively affect" to include the scenario where an insider action may not directly affect the organization, but increases the likelihood for negative impacts to occur.

We welcome any comments and feedback on our updated definition of insider threat. Please send your input using our contact form on our website.

View other blog posts by Daniel Costa.