Assess Suspicious Behavior & Respond Appropriately

A comprehensive insider threat program can involve collecting and analyzing information that is continuously changing and that comes from a variety of data sources. Combining technology that can capture, index, and correlate data with skilled human analysis better enables proactive insider threat detection and mitigation.

Implement a System to Collect and Correlate Data

There are numerous off-the-shelf systems specifically designed for advanced behavior analytics of data.  The right system depends on the unique characteristics of an organization.  Consider the following when developing a system:

  • Protect the privacy of those reporting and reported
  • Support the organization’s cultural norms
  • Establish data retention and storage rules
  • Ensure data is acceptable as evidence for legal prosecution
  • Account for all data sources including paper-based reporting
  • Ensure compatibility with internal data collection sources
  • Allow for external data collection sources including social media, criminal reporting, and personal finance history

Develop Detection Indicators Based on Data Source

A detection system is only as good as the search indicators applied to it. Detection indicators should be endorsed by legal and ethics reviewers and approved by executive leadership. The number of detection indicators can be large, depending on the size and complexity of the organization. Data sources with associated detection indicators can include:

  • Removable media use
    • Use of any unauthorized device
    • Transferring a significant amount of data
  • Information uploaded to file-sharing services
    • Significant amounts of data
    • Excessive number of files
  • Web use activity
    • Repeated attempts to access restricted sites
  • Altering or deleting data from servers or shared drives
    • Using any non-approved programs/tools
    • Significant amounts of data or excessive number of files in specified timeframe
  • Attempts to access restricted areas, systems, or information
    • Recurring requests or attempts
  • Data searches for sensitive information
    • Based on designated keywords
  • External sharing of sensitive data
    • Sending any customer or employee personally identifiable information (PII)
  • Facility access during non-work hours
    • Excessive number of times in a specified period
  • Negative reporting
    • Repeated rule violations
    • Recurring co-worker complaints

Refer to the Carnegie Mellon University CERT Analytic Approaches to Detect Insider Threats for additional information about detection indicators.

Form a Threat Management Team to Analyze Suspicious Behavior

Also known as a threat assessment team, this group is responsible for analyzing anomalous behavior and recommending an appropriate response. Organizations are encouraged to assign primary and secondary members to ensure a quick response to deter or mitigate high-risk behavior. Additional considerations include:

  • Involve representatives from the organization’s key stakeholders, including but not limited to:
    • Human resources
    • Physical security
    • Information security
    • Information technology
    • Legal
  • Leverage a risk scoring method to determine high-risk personnel
  • Maintain ready access to all data collection sources
  • Allow ad hoc members to be added to address unique circumstances
  • Establish relationships with investigative and response authorities
    • Law enforcement
    • Mental health
    • Employee assistance program

Refer to the FBI's Making Prevention a Reality to learn more about effective threat management teams.
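The detection indicators listed above (removable media volume, unauthorized devices, repeated restricted-site attempts, after-hours facility access, external transfer of PII) and the risk scoring method a threat management team uses to surface high-risk personnel can both be expressed as threshold rules over correlated events. The following Python block is an added illustration, not code from this page or from any named product: the event records, field names, thresholds, and indicator weights are all constructed assumptions standing in for whatever an organization's collection system actually provides, and the thresholds are the kind of values that would need the legal, ethics, and leadership approval described above.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events from several data sources (not real logs).
# Field names are assumptions about what an upstream collector provides.
EVENTS = [
    {"user": "alice", "source": "removable_media", "ts": "2024-03-04T09:12:00",
     "device_authorized": True, "bytes": 2_000_000},
    {"user": "alice", "source": "removable_media", "ts": "2024-03-04T16:40:00",
     "device_authorized": True, "bytes": 6_500_000_000},
    {"user": "bob", "source": "removable_media", "ts": "2024-03-05T10:00:00",
     "device_authorized": False, "bytes": 10_000},
    {"user": "bob", "source": "web_proxy", "ts": "2024-03-05T10:05:00",
     "action": "blocked", "category": "restricted"},
    {"user": "bob", "source": "web_proxy", "ts": "2024-03-05T10:06:00",
     "action": "blocked", "category": "restricted"},
    {"user": "bob", "source": "web_proxy", "ts": "2024-03-05T10:09:00",
     "action": "blocked", "category": "restricted"},
    {"user": "carol", "source": "badge", "ts": "2024-03-02T23:10:00", "door": "server-room"},
    {"user": "carol", "source": "badge", "ts": "2024-03-03T22:45:00", "door": "server-room"},
    {"user": "carol", "source": "badge", "ts": "2024-03-06T02:30:00", "door": "server-room"},
    {"user": "carol", "source": "badge", "ts": "2024-03-06T14:00:00", "door": "lobby"},
    {"user": "dave", "source": "email_dlp", "ts": "2024-03-06T11:00:00",
     "external": True, "contains_pii": True},
]

# Illustrative thresholds; real values are set and approved per organization.
THRESHOLDS = {
    "removable_media_bytes_per_day": 5 * 1024 ** 3,  # ~5 GiB in one calendar day
    "restricted_site_attempts": 3,                   # blocked attempts per user
    "after_hours_badge_events": 3,                   # after-hours entries per user
}

# Illustrative indicator weights for a simple additive risk score.
WEIGHTS = {
    "unauthorized_device": 3,
    "large_removable_media_transfer": 4,
    "repeated_restricted_site_attempts": 2,
    "after_hours_facility_access": 2,
    "external_pii_transfer": 5,
}


def parse_ts(value):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def is_after_hours(dt, start=time(7, 0), end=time(19, 0)):
    """True on weekends or outside the assumed 07:00-19:00 working window."""
    return dt.weekday() >= 5 or not (start <= dt.time() < end)


def evaluate_indicators(events, thresholds=THRESHOLDS):
    """Correlate events per user and return {user: sorted list of indicator names}."""
    hits = defaultdict(set)
    media_bytes = defaultdict(int)   # (user, date) -> bytes moved to removable media
    blocked = defaultdict(int)       # user -> blocked restricted-site attempts
    after_hours = defaultdict(int)   # user -> after-hours badge events
    for e in events:
        dt = parse_ts(e["ts"])
        user, src = e["user"], e["source"]
        if src == "removable_media":
            if not e.get("device_authorized", False):
                hits[user].add("unauthorized_device")
            media_bytes[(user, dt.date())] += e.get("bytes", 0)
        elif src == "web_proxy":
            if e.get("action") == "blocked" and e.get("category") == "restricted":
                blocked[user] += 1
        elif src == "badge":
            if is_after_hours(dt):
                after_hours[user] += 1
        elif src == "email_dlp":
            # The PII classification is assumed to come from an upstream DLP tool.
            if e.get("external") and e.get("contains_pii"):
                hits[user].add("external_pii_transfer")
    for (user, _day), total in media_bytes.items():
        if total >= thresholds["removable_media_bytes_per_day"]:
            hits[user].add("large_removable_media_transfer")
    for user, n in blocked.items():
        if n >= thresholds["restricted_site_attempts"]:
            hits[user].add("repeated_restricted_site_attempts")
    for user, n in after_hours.items():
        if n >= thresholds["after_hours_badge_events"]:
            hits[user].add("after_hours_facility_access")
    return {user: sorted(names) for user, names in hits.items()}


def risk_scores(hits, weights=WEIGHTS):
    """Sum indicator weights per user into an additive risk score."""
    return {user: sum(weights[name] for name in names) for user, names in hits.items()}


def high_risk_users(scores, threshold=4):
    """Users whose score meets the review threshold, for the threat management team."""
    return sorted(user for user, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    found = evaluate_indicators(EVENTS)
    scores = risk_scores(found)
    for user in sorted(found):
        print(f"{user}: score={scores[user]} indicators={found[user]}")
    print("for team review:", high_risk_users(scores))
```

Each indicator is evaluated independently and only the correlation step combines them, so an analyst can trace every point in a user's score back to the specific events and the approved threshold that produced it; the output is a list for human review by the threat management team, not an automated decision.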

Establish Procedures For Recommending an Appropriate Response

Well-defined procedures approved by executive leadership and legal counsel assist threat management teams in determining an appropriate response. Consider the following when establishing procedures:

  • Create a structure to coordinate response across multiple departments
  • Define responsibilities of all parties involved
  • Describe events that require immediate escalation
  • Explain methods and situations to de-escalate
  • Include procedures to monitor response and ensure risk is minimized
  • Clarify process to notify external response agencies

The Center for the Development of Security Excellence Insider Threat Mitigation Responses offers additional advice on appropriate responses.
