Detecting and Identifying Insider Threats







Successful insider threat programs proactively use a mitigation approach of detect and identify, assess, and manage to protect their organization. The foundation of the program’s success is the detection and identification of observable, concerning behaviors or activities.

Threat detection and identification is the process by which persons who might present an insider threat risk due to their observable, concerning behaviors come to the attention of an organization or insider threat team.

I.   Threat Detection

Detecting and identifying potential insider threats requires both human and technological elements. An organization’s own personnel are an invaluable resource to observe behaviors of concern, as are those who are close to an individual, such as family, friends, and co-workers. People within the organization will often understand an individual’s life events and related stressors, and may be able to put concerning behaviors into context.

  • People as Sensors – An organization’s personnel are the human component for the detection and identification of an insider threat. Co-workers, peers, friends, neighbors, family members, or casual observers are frequently positioned for insight into and awareness of predispositions, stressors, and behaviors of an insider who may be considering malicious acts. When observing human behavior, bear in mind two important qualities:
    • Listen through the other person’s frame of reference, not your own. Do not assume that somebody will ask for help or ask to be stopped, or that they will talk about their intentions in the same way you would.
    • Listen to the other person with your eyes. People often disclose their intentions through non-verbal means.
  • Insider Activity Monitoring – Vulnerabilities can also be detected through technology employed in conjunction with human sensors to detect and prevent insider threats.

II.   Threat Indicators 

Insider threat programs help organizations detect and identify individuals who may become insider threats by categorizing potential risk indicators. These indicators are observable and reportable behaviors that indicate individuals who are potentially at a greater risk of becoming a threat.

  • Personal Indicators are a combination of predisposition attributes and personal stressors currently impacting the insider.
  • Background Indicators are events that happen before an individual is hired by an organization or before an individual obtains network organizational access.
  • Behavioral Indicators are actions directly observable by peers, HR personnel, supervisors, and technology. Over time, behaviors create a baseline of activities from which changes may be considered a threat indicator.
  • Technical Indicators involve network and host activity and require direct application of IT systems and tools to detect.
  • Organizational/Environmental Indicators:
    • Organizational policies and cultural practices can play a significant role in creating or managing an insider threat.
    • Environmental factors can escalate or mitigate stressors that may contribute to behavioral changes and an individual’s progression from trusted insider to insider threat. These factors are often related to organizational policies and cultural practices.
  • Violence Indicators are specific behaviors or collections of behaviors that can instill fear or generate a concern that a person might act; these behaviors include, but are not limited to, intimidation, harassment, and bullying.

III.   Progression of an Insider toward a Malicious Incident

While virtually every person will experience stressful events, most do so without resorting to disruptive or destructive acts. For those insiders who turn to malicious activity, researchers have found that the acts are rarely spontaneous; instead, they are usually the result of a deliberate decision to act.


[Figure: The progression of an insider toward a malicious incident. (1) Grievance and ideation. (2) Preparation: conduct research; develop a plan; devote time to gathering materials, tools, equipment, etc. (3) Exploration: recruitment or tipping point. (4) Experimentation: conducting surveillance, reconnaissance, and testing. (5) Execution: exploitation and use of weaknesses and/or access to commit hostile act. (6) Escape: exfiltration to evade and obfuscate.]


Researchers of insider threats describe an evolution from trusted insider to insider threat as a critical pathway. On this road, the subject’s personal predispositions and background, which make them susceptible to the temptation of a malicious act, interact with their personal stressors and the organizational environment. Together, these factors move the insider down a pathway toward a malicious incident.

Moving from ideation to action involves the following steps, shown above on the pathway to a malicious incident.

  • Grievance and Ideation: Expressing ideas through speech, writings, actions, etc.
  • Preparation: Conducting research and developing a plan; gathering materials, tools, equipment, etc.
  • Exploration: Recruitment of accomplices (sometimes); can be a tipping point
  • Experimentation: Conducting surveillance, reconnaissance, and testing
  • Execution: Exploiting one’s trusted access and information, including the use of weaknesses and/or authorities to commit a hostile act
  • Escape: Exfiltration, attempting to evade, and/or obfuscating to cover one’s insider actions

Learn more about the progression of an insider toward a malicious incident from the white paper, Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall. (External PDF, File Size 362KB)

IV.   Detecting and Identifying Insider Threats Resources

CISA Interagency Security Committee’s Violence in the Federal Workplace: A Guide for Prevention and Response and Appendices provides guidance on how agencies can develop a workplace violence program capable of preparing for, preventing, and responding to incidents of workplace violence.

Carnegie Mellon University Software Engineering Institute's Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors literature can help organizations fully understand the insider threat. (External PDF, File Size 165.01 KB)

Carnegie Mellon University Engineering Institute’s technical report An Insider Threat Indicator Ontology provides an ontology for insider threat indicators, describes how the ontology was developed, and outlines the process by which it was validated. (External PDF, File Size 5.67 MB)

The FBI's Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks is a practical guide on assessing and managing the threat of targeted violence. (External PDF, File size 1675 KB)

The NATO Cooperative Cyber Defence Center of Excellence Insider Threat Detection Study focuses on the threat to information security posed by insiders. (External PDF, File Size 1.09MB)

The USSS’s National Threat Assessment Center provides an analysis of Mass Attacks in Public Spaces that identifies stressors that may motivate perpetrators to commit an attack. (External PDF, File Size 3.04MB)
