Assessing Insider Threats

Click the icons to navigate.



Detect and Identify

Detect & Identify






Threat assessment is the process of compiling and analyzing information about a person of concern who may have the interest, motive, intention, and capability of causing harm to an organization or persons. Threat assessment for insiders is a unique discipline requiring a team of individuals to assess a person of concern and determine the scope, intensity, and consequences of a potential threat.

Threat assessments are based on behaviors, not profiles, and behaviors are variable in nature. The goal of a threat assessment is to prevent an insider incident, whether intentional or unintentional. No one-size-fits-all approach to a threat assessment exists. It should be holistic, respectful, and focused on helping the person of concern, recommending intervention strategies to prevent an insider incident, and mitigating the effects if a hostile act does occur.

I.   Threat Management Team

A multi-disciplinary threat management team is the backbone of an insider threat mitigation program and integral to the program’s success. The team is essential to assessing and managing threats. This entity will provide the analysis and management strategies an organization will consider in mitigating insider threats.

Establish a multi-disciplinary threat management team. When forming the team, ensure a multi-disciplinary approach by including different entities from within the organization. Consider the following:

A Threat Management Team should include an Investigator or Law Enforcement Officer (LEO); External Risk Screening Professional, Counselor, Medical or Mental Health; Insider Threat Analyst(s); Supervisor & Coworkers; Trusted Sources; Human Resources; General Counsel; Operations & Administration; CIO/CISO; and Chief Security Officer.Leverage organic and existing functions. (dark blue)

Involve external resources on a case-by-case basis. (bright blue)

Gather information from trusted sources. (green)

For some entities of sufficient size, complexity, or risk, consider a dedicated insider threat analyst. (grey)

Organizations should arrange for regular, and even unannounced, audits from an external team to ensure that individual information and privacy is protected.

Train threat management teams. Consider requiring team members to complete continuous specialized training on the following topics:

  • Mental health guidelines;
  • Laws and regulations regarding collection, integration, retention, and safeguarding of data;
  • Civil liberties protections and privacy laws; and
  • How to conduct interviews, refer to investigations, and request referrals or prosecution.  

At a minimum, the threat management team should receive training in basic threat assessment, safety, suicide prevention, legal considerations, and domestic violence. Training regarding the basics is available, often at no cost, from community groups or agencies that provide support services.

Plan and execute. Successful programs require committed support from all levels within an organization. To establish the program for success, plan for the following features:

  • Sell the program.
  • Encourage a culture of reporting.
  • Implement a formal training and awareness program for all employees.
  • Evaluate and improve – conduct exercises and provide oversight and compliance.

II.   Threat Assessment Process

The threat assessment process is a pre-established set of operational activities employed by a threat management team that combine an investigative process and information-gathering strategies. This process applies in both urgent situations that potentially require emergency intervention to protect life, safety, or property; as well as in non-urgent/non-emergency situations.

This chart depicts the threat assessment process for both non-urgent and emergency situations.


The process includes 1) Identification, 2) Initial Screening, 3) Assessment, 4) Manage, and 5) Intervention. There are additional steps following intervention: Follow Up or Monitoring. If emergency intervention is needed, begin with identification and skip to Manage. If concern is unwarranted, skip from initial screening to follow up. Refer back to Manage if monitoring a threat.


Although circumstances, fact patterns, and other factors will drive the specific actions an organization should take, follow these general steps:

  1. When potential insider threat information is reported, activate the team, and conduct an initial screening to determine the validity of the concern.
  • Is the concern unwarranted, is a non-emergent assessment needed, or is an emergency intervention needed?
  1. If the reported behavior or incident does not raise a concern, management should engage in non-risk-related follow-up of the individual.
  2. If concern is warranted:
  • Conduct a complete risk assessment.
  • Consider and recommend appropriate intervention actions.
  1. For emergency cases involving an immediate threat to physical safety, activate your organization’s emergency response plan (ERP), and contact security and/or local law enforcement.

Threat management teams should use a risk rubric initially to assess and then re-assess a person of concern’s specific level of risk to determine if the individual is progressing toward a malicious act, and, if so, at what rate. It is important to note that these models are best used after a person of concern has been identified and is known to be progressing toward a malicious act. Establishing baseline behaviors will make deviations or anomalies stand out from normal activities.

While data analytics shorten the detection time of an insider threat, these systems still require an experienced investigator to review the data for accuracy and contextual understanding.

Regardless of the tools selected, determine the psychological and threat assessment triggers that require professional mental health and violence assessments.

IV.   Assessment Considerations

When conducting assessments, organizations should consider each threat as plausible and investigate all persons who make threats. Organizations should promptly investigate whether there is a true expression of an intent to carry out an insider threat, a leakage of violent thought(s), or merely an inappropriate statement.

Threat management teams need to ensure they do not become overly reliant on their threat assessment tools or checklists. A tool cannot do all the work of assessing the reports it generates. Consider the following when conducting assessments:

  • Trained investigators must properly understand the data. These investigators are subject matter expertise and organizational staff who can explain the value of the data and provide contextual information about the behavior that triggered an inquiry. 
  • Context is critical and will be a differentiator in building a case.
  • Ensure the investigators know the law and the required evidence needed for cases where the organization may be required to establish an evidentiary basis for a future case management action.
  • The threat assessment team must involve external law enforcement in a timely manner to stop an insider act or to deploy investigative tools to build the case.

V.   Assessing Insider Threats Resources

The Federal Bureau of Investigation’s (FBI) Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks provides a practical guide to assessing and managing the threat of targeted violence. (External PDF, File size 1675 KB)

The FBI examines specific behaviors that may precede an attack and identifies indicators that might be useful in identifying, assessing, and managing those who may be on a pathway to violence in its A Study of Pre-Attack Behaviors of Active Shooters in the United States Between 2000 and 2013 . The study covers active shooter incidents in the United States between 2000 and 2013.  (External PDF, File Size 2054 KB)

The U.S. Department of Justice National Institute of Justice provides a report on Protective Intelligence and Threat Assessment Investigations on monitoring, controlling, and redirecting a subject and, when it is appropriate, to close a case. (External PDF, File Size 216.86 KB)

The U.S. Secret Service’s National Threat Assessment Center provides an analysis of Mass Attacks in Public Spaces that identifies stressors that may motivate a perpetrator to commit an attack. (External PDF, File Size 3.04MB)

Was this webpage helpful?  Yes  |  Somewhat  |  No