
Insider Threat: The Latest Research from the SEI

Douglas C. Schmidt
• SEI Blog

Happy Independence Day from all of us here at the SEI. I'd like to take advantage of this special occasion to keep you apprised of a new technical report from the SEI. It's part of an ongoing effort to keep you informed about the latest work of SEI technologists. This report highlights the latest work of SEI technologists in the field of insider threat. This post includes a listing of the report, its authors, and links where the published reports can be accessed on the SEI website.

As always, we welcome your feedback on our work.

A Preliminary Model of Insider Theft of Intellectual Property
By Andrew P. Moore, Dawn M. Cappelli, Thomas C. Caron, Eric Shaw, Derrick Spooner, & Randall F. Trzeciak

An Excerpt
Since 2002, the CERT® Program at Carnegie Mellon University's Software Engineering Institute has been gathering and analyzing actual malicious insider incidents, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to the critical infrastructure of the United States. Consequences of malicious insider incidents include financial losses, operational impacts, damage to reputation, and harm to individuals. The actions of a single insider have caused damage to organizations ranging from a few lost staff hours to negative publicity and financial damage so extensive that businesses have been forced to lay off employees and even close operations. Furthermore, insider incidents can have repercussions beyond the affected organization, disrupting operations or services critical to a specific sector, or creating serious risks to public safety and national security.

CERT insider threat work, referred to as MERIT (Management and Education of the Risk of Insider Threat), uses the wealth of empirical data collected by CERT to provide an overview of the complexity of insider events for organizations--especially the unintended consequences of policies, practices, technology, efforts to manage insider risk, and organizational culture over time. As part of MERIT, we have been using system dynamics modeling and simulation to better understand and communicate the threat to an organization's IT systems posed by malicious current or former employees or contractors. Our work began with a collaborative group modeling workshop on insider threat hosted by CERT and facilitated by members of what has evolved into the Security Dynamics Network and the Security Special Interest Group of the System Dynamics Society.

Based on our initial modeling work and our analysis of cases, we have found that different classes of insider crimes exhibit different patterns of problematic behavior and mitigating measures. CERT has found four categories of insider threat cases based on the patterns we have seen in cases identified: IT sabotage, fraud, theft of intellectual property (IP), and national security espionage. We believe that modeling these types of crimes separately can be more illuminating than modeling the insider threat problem as a whole. In this paper, we focus on theft of IP.

We define insider theft of IP as crimes in which current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data to steal confidential or proprietary information from the organization. This paper is centered on two dominant models found within the cases: the Entitled Independent Scenario (27 cases) and the Ambitious Leader Scenario (21 cases). We first define our approach to building these models. Next, we incrementally build the models, describing them as we go. Finally, we provide general observations and discuss future work. Appendix A summarizes important characteristics of the crimes involving theft of IP. Appendices B and C provide an overview of the models developed. We believe that these models will help people better understand the complex nature of this class of threat. Through improved understanding comes better awareness and intuition regarding the effectiveness of countermeasures against the crime. Our work generates strong hypotheses based on empirical evidence. Future work will involve alignment with existing theory, testing of these hypotheses based on random sampling from larger populations, and analysis of mitigation approaches.

To read the complete report, please visit

Additional Resources:

Learn more about the SEI CERT Division

Read the SEI Insider Threat blog
