Prevention and Detection of Insider Threats
Culminating from three years of research with the United States Secret Service and Carnegie Mellon University CyLab, the ISAlliance has published the Insider Threats best practices guide (available exclusively to ISAlliance members). The threat from insiders is examined from a psychological, organizational-culture, and technological perspective. The document includes 13 best practices intended to reach management across an entire private or government organization.
Pictured here is Dawn Cappelli, the technical lead for insider threat research at Carnegie Mellon University's Software Engineering Institute, delivering a Congressional Briefing on insider threats to staffers from both the House and Senate, April 28th, 2006. The PDF of that presentation is available to view.

Insider Threats webinars (weekly webinars available only to members):

September 8th, 2006: Dawn Cappelli updated the membership on the most recent insider threat research being conducted at the Software Engineering Institute and the United States Secret Service. Read the introduction to the best practices guide below.

February 27, 2007: Eric Shaw presented his ongoing work to aid forensic investigation of insider threats. His presentation briefed ISAlliance members on psychological profiling software he is co-developing with the Software Engineering Institute. The software is designed not only to investigate and detect insider threats but also to improve relationship-management skills (once you better understand someone, you are in a better position to manage and maintain the relationship), thereby decreasing the threat from malicious insiders.
Each seminar is archived on the ISAlliance/CyLab website for viewing anytime by ISAlliance members.
"Insider attacks are where most of the money's lost, where most of the vulnerabilities are."
-Frank Huerta, Vice President Intrusion-Detection Product Delivery, Symantec
"In the Banking and Finance sector, fraud is typically perpetrated by a non-technical current or former employee. Sabotage, on the other hand, is typically led by a technical disgruntled employee, usually a former employee."
-Dawn Cappelli, Carnegie Mellon University / CERT / Software Engineering Institute
"The biggest existing network holes [are] where extra connections have been added for the convenience of senior users without attention to security or proper documentation."
-Scott Borg, Director and Chief Economist, U.S. Cyber Consequences Unit
"Technological protection from external threats is indeed important, but human problems cannot be solved with [only] technological solutions."
-Eric D. Shaw, Keven G. Ruby, & Jerrold M. Post, Security Awareness Bulletin / RAND
This report is exclusive to members of the Internet Security Alliance. The following is taken from the Introduction of the guide:

In 2005, the first version of the Commonsense Guide to Prevention and Detection of Insider Threats was published by ISAlliance and Carnegie Mellon University's CyLab. The document was based on the insider threat research performed by CERT, primarily the Insider Threat Study conducted jointly with the U.S. Secret Service (USSS). CERT has continued analyzing insider threat cases with the USSS. CERT has also conducted additional insider threat research funded by Carnegie Mellon CyLab and the U.S. Department of Defense Personnel Security Research Center. Those projects have involved a new type of analysis of the insider threat problem, focused on high-level patterns and trends observed in the cases. Specifically, the projects examine the problem in terms of the interaction of insider psychology, organizational culture, policies, practices, and technology over time.

CERT and the USSS have previously concentrated on analyzing insider threats by critical infrastructure sector, specifically banking and finance, information technology (IT), and government. In addition, the research team published a report analyzing insider IT sabotage cases across all critical infrastructure sectors. CERT researchers believe it is now important to perform a different type of analysis, by type of malicious insider activity. Therefore, this version of the Commonsense Guide includes a new section that presents a high-level picture of different types of insider threats: fraud, theft of confidential or proprietary information, and sabotage. This section presents patterns and trends observed in each type of malicious activity. In addition, this report includes one new practice, Practice 1: Institute periodic enterprise-wide risk assessments.

It has become apparent that one of the overarching problems regarding insider threat is the absence in many organizations of an enterprise-wide, risk-based approach to security management. In addition, many simply do not recognize the risk posed to them by insiders. As a result, they are vulnerable to malicious insider activity, and, once attacked, recovery can be much more difficult. Most of the practices in this guide reflect new insights from the past year's research at CERT.

