search menu icon-carat-right cmu-wordmark

New Edition of Common Sense Guide to Mitigating Insider Threats Released

New Edition of Common Sense Guide to Mitigating Insider Threats Released
• Article

September 8, 2022—The Software Engineering Institute today announced the release of the seventh edition of the Common Sense Guide to Mitigating Insider Threats. Members of the SEI’s CERT National Insider Threat Center updated the guide to include a new best practice and a mapping to the NIST Privacy Framework. The guide is available to download from the SEI’s Digital Library.

The guide defines insider threat as “the potential for an individual who has or had authorized access to an organization’s critical assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization” and insider risk as “the impact and likelihood associated with the realization of an insider threat.”

The SEI is releasing the new edition of the Common Sense Guide at a time of change in the insider threat landscape, when a large remote workforce and a wave of resignations have exacerbated risks to a company’s confidential information. “The guide’s best practice on adopting positive incentives, as well as the inclusion of more specific guidance around insider risk-based decision making, are timely resources for today’s challenges,” said Dan Costa, technical manager of the CERT Division’s Enterprise Threat and Vulnerability Management team.

The Common Sense Guide consists largely of 22 best practices that organizations can use to manage insider risk. Each practice includes recommendations for quick wins and high-impact solutions, implementation guidance, and additional resources. The practices are also mapped to the CERT Resilience Management Model (CERT-RMM) and security and privacy standards, such as, among others, the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27002, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and—new to this edition—the NIST Privacy Framework.

“We’ve done the hard work to ensure that our recommendations on insider threat mitigation best practices align with as many applicable standards and frameworks as possible,” said Costa. “These mappings will help insider threat programs demonstrate their alignment to broader cybersecurity, privacy, and risk management frameworks, which is key to fostering enterprise-wide collaboration.”

Also new is best practice 22, “Learn from Past Insider Threat Incidents.” The practice offers guidance for developing a repository of insider trends within an organization and its sector. Gathering such data, analyzing it, and engaging with external information sharing bodies can bolster an organization’s insider risk mitigation program. “This activity is essential to ensuring that analytics stay operating effectively and risk determinations are being made using the best available data,” said Costa. “It also forms the foundation for return-on-investment cases to be made for insider threat programs.”

The Common Sense Guide springs from more than 20 years of insider threat research at the SEI, much of it underpinned by the CERT Division’s insider threat database, which is drawn from public records of more than 3,000 insider threat incidents. In 2005, the U.S. Secret Service sponsored the SEI’s first published study of the topic. Since then, CERT research has helped mature the organizational practices for mitigating insider threats and managing their risk.

The guide, first published in 2005, has evolved with changes in the threat landscape, technological mitigations, and shifts in data privacy policies. The seventh edition continues this evolution with new and updated practices, improved layout and imagery to enhance usability, and more refined terms. It has also added research from management science to its multidisciplinary approach.

Download the Common Sense Guide to Mitigating Insider Threats, Seventh Edition, from the SEI’s Digital Library. Find out more about the SEI’s insider threat and insider risk research on our website.