Data Exchange Standard Enables Better Insider Incident Research and Practice

July 1, 2025—Insiders perpetrate more than a third of data breaches, posing a significant cyber risk to organizations. While the field of insider risk management has grown, the difficulty of capturing and sharing information about insider incidents in a standardized way has hindered practitioners and researchers. The SEI recently released version 1.0 of the Insider Incident Data Exchange Standard (IIDES), the first comprehensive schema for classifying and sharing insider incident information.
IIDES includes structures for collecting and analyzing a variety of technical, nontechnical, organizational, and incident response information to meet the needs of insider risk management researchers and practitioners. IIDES allows practitioners to build, maintain, deidentify, and share insider threat case data with an eye toward building more robust data for analysis and insights that benefit their organizations and the whole community.
“IIDES supports national security initiatives that aim to quantifiably reduce insider risk by enabling deeper research, facilitating threat intelligence information sharing, and reducing the resources required to continuously evaluate and improve threat detection and response capabilities within the commercial and defense domains,” said Dan Costa, technical manager of the SEI’s Enterprise Threat and Vulnerability Management team.
The schema, coded in JSON, comprises seven core components: incident, insider, organization, job, detection, response, and tactic, technique, and procedure (TTP). Some components have subcomponents, and the schema’s vocabularies provide consistent terminology across incident data. One of the standout features of IIDES is its relationship mapping, which shows how all the pieces of information about an incident go together to form a complete picture.
“IIDES draws from our years of experience developing our own insider threat datasets and from working with practitioners in the field,” said Austin Whisnant, a senior researcher in the SEI’s CERT Division and the IIDES project lead. “We’ve incorporated quantifiable methods into IIDES while keeping it simple and flexible for a range of end user needs.”
Whisnant’s team hopes that IIDES supports a more consistent mapping of recommendations and best practices for response, detection, and mitigation of insider threats in the future. The SEI will continue to improve IIDES by aligning its core components and vocabularies with the needs of insider threat programs and researchers and adjusting it to changes in technology and work culture. The SEI will also develop a suite of IIDES-associated tools for capturing and sharing insider threat data.
The CERT Division of the SEI has conducted groundbreaking research into insider threat and risk management since 2001. Its experts have partnered with the Department of Defense, the Department of Homeland Security, the Secret Service, and many federal agencies, as well as with private industry, academia, and the vendor community. The SEI’s database of more than 3,000 insider incidents informs its modeling and simulation, insider threat lab, and organizational insider risk assessments. Government and industry have adopted the best practices described in the SEI’s Common Sense Guide to Mitigating Insider Threats.
Access IIDES version 1.0 and leave feedback on the SEI’s GitHub site. Learn more about IIDES from Whisnant and other CERT researchers in the SEI Blog, podcast series, and webcast archive.