Click the icons to navigate.
Insider threats present a complex and dynamic risk affecting the public and private domains of all critical infrastructure sectors. This section provides an overview to help frame the discussion of insiders and the threats they pose; defining these threats is a critical step in understanding and establishing an insider threat mitigation program.
I. What is an Insider?
An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.
Examples of an insider may include:
- A person the organization trusts, including employees, organization members, and those to whom the organization has given sensitive information and access.
- A person given a badge or access device identifying them as someone with regular or continuous access (e.g., an employee or member of an organization, a contractor, a vendor, a custodian, or a repair person).
- A person to whom the organization has supplied a computer and/or network access.
- A person who develops the organization’s products and services; this group includes those who know the secrets of the products that provide value to the organization.
- A person who is knowledgeable about the organization’s fundamentals, including pricing, costs, and organizational strengths and weaknesses.
- A person who is knowledgeable about the organization’s business strategy and goals, entrusted with future plans, or the means to sustain the organization and provide for the welfare of its people.
- In the context of government functions, the insider can be a person with access to protected information, which, if compromised, could cause damage to national security and public safety.
II. What Is Insider Threat?
Insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities. External stakeholders and customers of DHS may find this generic definition better suited and adaptable for their organization’s use.
The Cyber and Infrastructure Security Agency (CISA) defines insider threat as the threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the Department’s mission, resources, personnel, facilities, information, equipment, networks, or systems. This threat can manifest as damage to the Department through the following insider behaviors:
- Unauthorized disclosure of information
- Corruption, including participation in transnational organized crime
- Workplace violence
- Intentional or unintentional loss or degradation of departmental resources or capabilities
III. What Are the Types of Insider Threats?
- Unintentional Threat
- Negligence – An insider of this type exposes an organization to a threat through carelessness. Negligent insiders are generally familiar with security and/or IT policies but choose to ignore them, creating risk for the organization. Examples include allowing someone to “piggyback” through a secure entrance point, misplacing or losing a portable storage device containing sensitive information, and ignoring messages to install new updates and security patches.
- Accidental – An insider of this type mistakenly causes an unintended risk to an organization. Organizations can successfully work to minimize accidents, but they will occur; they cannot be completely prevented, but those that occur can be mitigated. Examples include mistyping an email address and accidentally sending a sensitive business document to a competitor, unknowingly or inadvertently clicking on a hyperlink, opening an attachment that contains a virus within a phishing email, or improperly disposing of sensitive documents.
- Intentional Threats - Intentional threats are actions taken to harm an organization for personal benefit or to act on a personal grievance. The intentional insider is often synonymously referenced as a “malicious insider.” The motivation is personal gain or harming the organization. For example, many insiders are motivated to “get even” due to unmet expectations related to a lack of recognition (e.g., promotion, bonuses, desirable travel) or even termination. Their actions include leaking sensitive information, harassing associates, sabotaging equipment, or perpetrating violence. Others have stolen proprietary data or intellectual property in the false hope of advancing their careers.
- Other Threats
- Collusive Threats – A subset of malicious insider threats is collusive threats, where one or more insiders collaborate with an external threat actor to compromise an organization. These incidents frequently involve cybercriminals recruiting an insider or several insiders to enable fraud, intellectual property theft, espionage, or a combination of the three.
- Third-Party Threats – Additionally, third-party threats are typically contractors or vendors who are not formal members of an organization, but who have been granted some level of access to facilities, systems, networks, or people to complete their work. These threats may be direct or indirect threats.
- Direct threats are individuals who act in a way that compromises the targeted organization.
- Indirect threats are generally flaws in systems that expose resources to unintentional or malicious threat actors.
IV. How Does an Insider Threat Occur?
Insider threats manifest in various ways: violence, espionage, sabotage, theft, and cyber acts. Expressions of insider threat are defined in detail below.
Expressions of Insider Threat
- Violence – This action includes the threat of violence, as well as other threatening behaviors that create an intimidating, hostile, or abusive environment.
- Workplace/organizational violence is any action or threat of physical violence, harassment, sexual harassment, intimidation, bullying, offensive jokes, or other threatening behavior by a co-worker or associate that occurs in a person’s place of employment or while a person is working.
- Terrorism as an insider threat is an unlawful use of or threat of violence by employees, members, or others closely associated with an organization, against that organization. Terrorism’s goal is to promote a political or social objective.
- Espionage – Espionage is the covert or illicit practice of spying on a foreign government, organization, entity, or person to obtain confidential information for military, political, strategic, or financial advantage.
- Economic Espionage is the covert practice of obtaining trade secrets from a foreign nation (e.g., all forms and types of financial, business, scientific, technical, economic, or engineering information and methods, techniques, processes, procedures, programs, or codes for manufacturing).
- Government Espionage is covert intelligence-gathering activities by one government against another to obtain political or military advantage. It can also include government(s) spying on corporate entities such as aeronautics firms, consulting firms, think tanks, or munition companies. Government espionage is also referred to as intelligence gathering.
- Criminal Espionage involves a U.S. citizen betraying U.S. government secrets to foreign nations.
- Sabotage – Sabotage describes deliberate actions to harm an organization’s physical or virtual infrastructure, including noncompliance with maintenance or IT procedures, contamination of clean spaces, physically damaging facilities, or deleting code to prevent regular operations.
- Physical Sabotage is taking deliberate actions aimed at harming an organization’s physical infrastructure (e.g., facilities or equipment).
- Virtual Sabotage is taking malicious actions through technical means to disrupt or stop an organization’s normal business operations.
- Theft – Theft is the simple act of stealing, whether money or intellectual property.
- Financial Crime is the unauthorized taking or illicit use of a person’s, business’, or organization’s money or property with the intent to benefit from it.
- Intellectual Property Theft is the theft or robbery of an individual’s or organization’s ideas, inventions, or creative expressions, including trade secrets and proprietary products, even if the concepts or items being stolen originated from the thief.
- Cyber - Digital threat includes theft, espionage, violence, and sabotage of anything related to technology, virtual reality, computers, devices, or the internet.
- Unintentional Threats are the non-malicious (frequently accidental or inadvertent) exposure of an organization’s IT infrastructure, systems, and data that causes unintended harm to an organization. Examples include phishing emails, rogue software, and “malvertising” (embedding malicious content into legitimate online advertising).
- Intentional Threats are malicious actions performed by hostile insiders who use technical means to disrupt or halt an organization’s regular business operations, identify IT weaknesses, gain protected information, or otherwise further an attack plan via access to IT systems. This action can involve changing data or inserting malware or other pieces of offensive software to disrupt systems and networks.
V. What Resources Are Available to Learn about Insider Threats?
Carnegie Mellon University Software Engineering Institute’s the CERT Definition of 'Insider Threat' provides an updated definition of insider threat, including the potential for physical acts of harm.