The Processes of Insider Threat Analysis

White Paper
In this paper, the authors explore insider threat analytical techniques, applications, and use cases to select the most effective methods for analysis and reduction of insider risk.
Publisher

Software Engineering Institute

Abstract

Insider threat analysis comes in many shapes and forms, each with its own use cases, prerequisites, and pros and cons. The purpose of this paper is to lay out a framework that will help organizations understand and examine different analytical techniques, applications, and use cases so they can select and apply the most effective methods to improve their capabilities for analysis. The first section of this paper outlines various process constructs that you can apply to insider threat analysis. In the second section, we discuss the process of collecting data and analyzing it to get observables. The second section also covers how to obtain indicators from observables, and behaviors from indicators. The third section examines how these concepts apply to several common insider threat analysis goals. Finally, the last section discusses how to measure the effectiveness of the insider threat analysis you use at your organization.