Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers Information, Systems, or Networks

Technical Note
In this 2006 report, the authors describe the MERIT insider threat model and simulation results.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2006-TN-041
DOI (Digital Object Identifier)
10.1184/R1/6575231.v1

Abstract

The Insider Threat Study, conducted by the U.S. Secret Service and Carnegie Mellon University's Software Engineering Institute CERT Program, analyzed insider cyber crimes across U.S. critical infrastructure sectors. The study indicates that management decisions related to organizational and employee performance sometimes yield unintended consequences that increase risk of insider attack. The problem is exacerbated by a lack of tools for understanding insider threat, analyzing risk mitigation alternatives, and communicating results. To develop such tools is the goal of Carnegie Mellon University's Management and Education of the Risk of Insider Threat (MERIT) project. MERIT uses system dynamics to model and analyze insider threats and produce interactive learning environments. These tools can be used by policy makers, security officers, information technology and human resource personnel, and management. The tools help these users to understand the problem and assess risk from insiders based on simulations of policies, and on cultural, technical, and procedural factors. This technical note describes the MERIT insider threat model and simulation results.

Cite This Technical Note

Cappelli, D., Desai, A., Moore, A., Shimeall, T., Weaver, E., & Willke, B. (2007, March 1). Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers Information, Systems, or Networks. (Technical Note CMU/SEI-2006-TN-041). Retrieved April 13, 2024, from https://doi.org/10.1184/R1/6575231.v1.

@techreport{cappelli_2007,
author={Cappelli, Dawn and Desai, Akash and Moore, Andrew and Shimeall, Timothy and Weaver, Elise and Willke, Bradford},
title={Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers Information, Systems, or Networks},
month={Mar},
year={2007},
number={CMU/SEI-2006-TN-041},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6575231.v1},
note={Accessed: 2024-Apr-13}
}

Cappelli, Dawn, Akash Desai, Andrew Moore, Timothy Shimeall, Elise Weaver, and Bradford Willke. "Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers Information, Systems, or Networks." (CMU/SEI-2006-TN-041). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, March 1, 2007. https://doi.org/10.1184/R1/6575231.v1.

D. Cappelli, A. Desai, A. Moore, T. Shimeall, E. Weaver, and B. Willke, "Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers Information, Systems, or Networks," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2006-TN-041, 1-Mar-2007 [Online]. Available: https://doi.org/10.1184/R1/6575231.v1. [Accessed: 13-Apr-2024].

Cappelli, Dawn, Akash Desai, Andrew Moore, Timothy Shimeall, Elise Weaver, and Bradford Willke. "Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers Information, Systems, or Networks." (Technical Note CMU/SEI-2006-TN-041). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Mar. 2007. https://doi.org/10.1184/R1/6575231.v1. Accessed 13 Apr. 2024.

Cappelli, Dawn; Desai, Akash; Moore, Andrew; Shimeall, Timothy; Weaver, Elise; & Willke, Bradford. Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers Information, Systems, or Networks. CMU/SEI-2006-TN-041. Software Engineering Institute. 2007. https://doi.org/10.1184/R1/6575231.v1