Software Engineering Institute | Carnegie Mellon University

SEI Insights

Insider Threat Blog


Classifying Industry Sectors: Our New Approach to an Industry Sector Taxonomy (Part 2 of 9: Insider Threats Across Industry Sectors)


As Randy Trzeciak mentioned in the first blog post in this series, we are often asked about the commonalities of insider incidents for a particular sector. These questions invariably begin conversations about which sector-specific best practices and controls are best suited to address the common incident patterns faced by these organizations. To better address this question, we decided to update our model for coding industry sectors[1], that is, the classification system we use to organize the organizations in our insider threat database.

We decided to adopt a hierarchical system for classifying industry sectors to replace the flat classification system that we previously used. This allows us to report findings on broad sectors, such as transportation systems or communication systems, as well as narrower verticals within each sector, such as air transportation or telecommunications. The new classification system serves as the foundation for this blog series on insider threats across industry sectors.

In this post, we discuss why we transitioned to a hierarchical classification system. We also present the new system and explain its utility. We then describe what's next for this series on highlighting insider threat trends across industry sectors.

Why Adopt a Hierarchical System?

Previously, we employed a modified version of the Department of Homeland Security Critical Infrastructure Sector classification system. Presidential Policy Directive 21 (PPD-21) identifies and describes sixteen sectors that contain critical assets or processes considered so vital to United States interests that "their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."[2] It is widely used in identifying and describing such critical sectors and remains a standard for reporting findings for these industries.

As our incident corpus has grown, we found an increasing number of "miscellaneous" insider incidents that could not be appropriately classified with the flat taxonomy we formerly used. Examples of difficult-to-classify organizations included retail stores, entertainment businesses, and non-profit organizations. Additionally, we found that the flatness of the taxonomy prevented us from drilling down to collect and analyze incidents in specific verticals within the sectors. This is particularly problematic in the Financial Services sector, which has a large number of sub-organization types (such as banks, insurance, and financial services) that are relatively diverse in terms of regulation.

Accordingly, we sought a new, multi-tiered classification system that was broader in coverage (to include sectors not designated as "critical") and had enough depth to let us scope our findings to more specific sectors as necessary. We also wanted to maintain compatibility with the DHS Critical Infrastructure taxonomy, as well as with government standard industry classification systems: the North American Industry Classification System (NAICS) and the Standard Industrial Classification (SIC) system. (NAICS was released in 1997 to replace the SIC standard, although some organizations still use SIC.[3])

The New Classification System for Incident Analysis

As we mentioned earlier, our new classification system is hierarchical and designed to map to existing industry sector taxonomies such as the PPD-21 critical infrastructure set or our previous industry sector model. Our new system is modeled after NAICS, a comprehensive classification system with six tiers and over 100 classes. Our modified version contains just two tiers, with 15 classes at the Tier 1 level and 70 classes at the Tier 2 level. Of the subsectors in Tier 2, we find that 12 are not considered "critical infrastructure". Examples include legal and professional consulting services, religious institutions, and civic associations.

We modified the NAICS code primarily to collapse the complexity of its lower levels into a two-tiered approach that provides consistent specificity across the sectors. Additionally, we sought to eliminate any overlap between classes and any ambiguity in the class names. We wanted to adopt the standard NAICS classification for our purposes (without creating too much of a burden for our analysts) while preserving the sectors that we regularly report on (such as Federal Government versus State/Local Government).

Below is our full taxonomy. For a detailed enumeration of the differences between our new system and the NAICS code, please contact us at insider-threat-feedback@cert.org.

Tier I Sector: Tier II Subsectors

Agriculture and Mining: Agriculture and Forestry; Fishing and Hunting; Mining and Quarrying; Oil and Gas Extraction

Utilities: Energy (Electric Power, Natural Gas); Water, Sewage, and Waste Collection; Nuclear (Power, Materials, Waste); Waste Collection; Dams

Construction: Residential (Home Builder); Non-Residential (Complexes and Offices); Civil (Bridges, Roads, Etc.); Architecture

Manufacturing (Minus Medical Equipment): Food and Beverage; Chemical; Aerospace, Auto, Marine, and Machinery; Electronics; General Manufacturing

Trade: Retail Trade (Automotive, Clothing, Gas Stations, Health and Personal Care, Electronics and Appliances); Wholesale Trade; E-Commerce

Transportation and Support Services: Air; Rail; Water; Truck; Transit; Pipeline; Courier Services; Supply Chain Services

Information Technology: Software Publishers & Web Developers; Telecommunications; IT, Data Processing, Hosting, Etc.

Finance and Insurance: Banks & Credit Unions; Insurance (Home, Auto, Life, Etc.); Other Financial Services

Real Estate and Rental/Leasing: Real Estate Sales/Rentals; Warehousing & Storage; Automotive & Machinery Rental/Leasing

Religious Institutions, Charities, and Non-Profits: Religious Institution; Charity; Non-Profit; Civic Association

Professional Services: Legal; Consulting; Scientific Research and Development; Manual Labor and Related Services; Labor Unions; Business Services (Marketing, PR, Etc.)

Education: Elementary/High School; Colleges/Universities; Technical/Industry Training

Health Care and Social Assistance: Private Practice, Walk-In Clinics, At Home Care, Etc.; Diagnostics, Support Services, and Medical Manufacturing; Advocacy Services; Psychological Practice; Pharmacology; Hospital; Health Network; Health Care Insurance

Arts, Entertainment, Recreation, and Hospitality: Performing Arts & Spectator Sports; Museums & Historical Sites; Content Publishers; Hotels, Amusement, Gambling, Restaurants

Public Administration: Federal Government; State Government; Local Government; Defense Industrial Base; Correctional Facilities; Postal Services; Emergency Services
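As an added illustration (not code from this post or from the CERT insider threat database), the following Python encodes an excerpt of the taxonomy above and exercises the two properties the two-tier design depends on: every Tier II subsector maps to exactly one Tier I sector (no overlap), and incidents coded at Tier II roll up to Tier I for reporting, with records that fit no subsector surfaced instead of lost. The incident records and their ids are constructed.

```python
from collections import Counter

# Subset of the two-tier taxonomy in this post (an excerpt, not the full 15/70
# list); each Tier I sector maps to its Tier II subsectors.
TAXONOMY = {
    "Utilities": ["Energy (Electric Power, Natural Gas)",
                  "Nuclear (Power, Materials, Waste)", "Dams"],
    "Transportation and Support Services": ["Air", "Rail", "Water", "Pipeline"],
    "Finance and Insurance": ["Banks & Credit Unions",
                              "Insurance (Home, Auto, Life, Etc.)",
                              "Other Financial Services"],
    "Public Administration": ["Federal Government", "State Government",
                              "Local Government"],
}

def subsector_index(taxonomy):
    """Invert the taxonomy to a Tier II -> Tier I map, rejecting any subsector
    listed under more than one sector (the no-overlap property the post requires)."""
    index = {}
    for sector, subsectors in taxonomy.items():
        for sub in subsectors:
            if sub in index and index[sub] != sector:
                raise ValueError(f"{sub!r} listed under both {index[sub]!r} and {sector!r}")
            index[sub] = sector
    return index

def roll_up(incidents, taxonomy):
    """Count incidents at both tiers. Returns (tier1_counts, tier2_counts, unclassified).
    A record whose Tier II code is not in the taxonomy is reported as unclassified
    rather than silently dropped: the 'miscellaneous' gap the flat scheme had."""
    index = subsector_index(taxonomy)
    tier1, tier2, unclassified = Counter(), Counter(), []
    for inc in incidents:
        sector = index.get(inc["subsector"])
        if sector is None:
            unclassified.append(inc["id"])
            continue
        tier1[sector] += 1
        tier2[(sector, inc["subsector"])] += 1
    return tier1, tier2, unclassified

# Constructed sample incident records (hypothetical ids, not from the CERT database).
SAMPLE_INCIDENTS = [
    {"id": "INC-001", "subsector": "Banks & Credit Unions"},
    {"id": "INC-002", "subsector": "Other Financial Services"},
    {"id": "INC-003", "subsector": "Banks & Credit Unions"},
    {"id": "INC-004", "subsector": "Federal Government"},
    {"id": "INC-005", "subsector": "Water"},
    {"id": "INC-006", "subsector": "Retail Store"},  # not a Tier II class here
]
```

Calling `roll_up(SAMPLE_INCIDENTS, TAXONOMY)` gives a Tier I count of 3 for Finance and Insurance while still exposing the two Tier II classes behind it, and lists INC-006 as unclassified.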

What's Next?

In the next series of blog posts, we'll highlight specific Tier 1 Sectors and Tier 2 Subsectors. We'll explore insider incident trends in a specific industry sector. We'll characterize threats by answering the 5W1H questions (Who? What? When? Where? Why? How?). We'll chronicle story summaries of exemplar incidents and describe unique or interesting findings for the given sector. Additionally, we'll contextualize each sector by discussing germane regulatory mechanisms (such as GLBA or HIPAA) that govern industry security practices to mitigate insider threats. As appropriate, we'll identify applicable controls and resources to help reduce insider risk and increase your threat awareness.

Stay tuned for the next post, where we spotlight the Federal Government subsector, or subscribe to a feed of the Insider Threat blog to be alerted whenever a new post is available.

For more information about the CERT National Insider Threat Center, please contact insider-threat-feedback@cert.org.

Notes

[1] "Industry sector" encompasses federal departments and agencies underneath the Public Administration industry sector.

[2] Department of Homeland Security, Critical Infrastructure Sectors Website. https://www.dhs.gov/critical-infrastructure-sectors

[3] Standard Industrial Classification. Wikipedia. https://en.wikipedia.org/wiki/Standard_Industrial_Classification

More from Carrie Gardner

View other blog posts by Carrie Gardner, and visit the SEI Digital Library for her other publications.