Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.
The information and resources available from the Cybersecurity and Infrastructure Security Agency (CISA) will help individuals, organizations, and communities create or improve an existing insider threat mitigation program. Organizations putting such a program into practice must remain adaptable. As infrastructure communities work internally at protecting against insider threat and share lessons learned, they can protect the Nation. And if insider threat disruptions should occur, organizations with mature programs can prove resilient.
The key steps to mitigate insider threat are Define, Detect and Identify, Assess, and Manage.
Several CISA products are available on the Insider Threat Mitigation Resources site. The primary resource, the Insider Threat Mitigation Guide, provides comprehensive information on how to establish or enhance an insider threat prevention and mitigation program. Federal, state, local, tribal, and territorial governments, as well as non-governmental organizations and the private sector, are encouraged to use these resources freely to enhance their own security postures. Visit CISA's Insider Threat - Cyber page for a list of resources that can help organizations better protect their proprietary or sensitive information.
Keys to a Successful Insider Threat Mitigation Program
A holistic insider threat mitigation program combines physical security, personnel awareness, and information-centric principles. The program aims to understand the insider’s interaction within an organization, monitor that interaction within appropriate, legal boundaries, and intervene to manage interactions when the insider’s behavior threatens the organization.
Successful insider threat mitigation programs accomplish these objectives while addressing three core principles, which apply to organizations of all sizes and maturity levels:
- Promoting a protective and supportive culture throughout the organization;
- Safeguarding organizational valuables while protecting privacy, rights, and liberties; and
- Remaining adaptive as the organization evolves and its risk tolerance changes.
Insider threat mitigation programs are designed to help organizations intervene before an individual with privileged access or an understanding of the organization makes a mistake or commits a harmful or hostile act. The program development should span the entire organization and serve as a system to help individuals, rather than be an aggressive enforcement or “sting” program.
Several key factors apply to successful insider threat mitigation programs of all organizations, regardless of size and maturity level.
- Know Your People — An organization must know and engage its people; this awareness enables an organization to achieve an effective level of personnel assurance.
- Identify the Organization’s Assets and Prioritize Risks — Determine where the organization’s assets reside and who can access them. This knowledge allows a broader classification of each asset’s vulnerability and enables the development of risk-based mitigation strategies.
- Establish the Proven Operational Approach of Detect & Identify–Assess–Manage — By gathering and investigating incident and threat information, assess and categorize those risks; then implement management strategies to mitigate the threats.
Insider Threat Videos
The Understanding the Insider Threat video describes how insider threats can manifest as terrorism, workplace violence, and cybersecurity breaches. Security and behavioral experts discuss how to effectively recognize and respond to these insider threats.
The Understanding the Insider Threat trailer is a tool to promote and increase awareness for the Understanding the Insider Threat video.
The Pathway to Violence video describes the behavioral indicators that insiders often demonstrate before they attack, highlighting six progressive steps often observable to colleagues.
CISA products and resources are available on the Insider Threat Mitigation Resources site.
CISA provides insider threat mitigation tools and resources with no endorsement of any specific company, entity, or content. The tools and resources identified are a starting point for an organization’s insider threat mitigation program and do not encompass all resources.
Insider Risk Mitigation Program Evaluation (IRMPE): Assessment Instrument (.pdf, 5.7 MB)
IRMPE Question Set and Guidance (.pdf, 785.13 KB)
IRMPE Quick Start Guide (.pdf, 1.12 MB)
IRMPE User Guide (.pdf, 1.02 MB)
IRMPE One-Pager (.pdf, 607.01 KB)
Carnegie Mellon University Software Engineering Institute’s CERT Definition of 'Insider Threat - Updated' provides an updated definition of insider threat to include potential for physical acts of harm.
Detect and Identify
CISA’s Interagency Security Committee (ISC)’s 2019 Edition - Violence in the Federal Workplace: A Guide for Prevention and Response provides guidance on how agencies can develop a workplace violence program capable of preparing for, preventing, and—if prevention fails—responding to incidents of workplace violence.
Carnegie Mellon University Software Engineering Institute's Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors describes a study the institute conducted to help organizations fully understand the insider threat. (External PDF, File Size 165.01 KB)
Carnegie Mellon University Software Engineering Institute’s technical report An Insider Threat Indicator Ontology provides an ontology for insider threat indicators, describes how the ontology was developed, and outlines the process by which it was validated. (External PDF, File Size 5.67 MB)
The Federal Bureau of Investigation (FBI)’s Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks is a practical guide to assessing and managing the threat of targeted violence. (External PDF, File Size 1675 KB)
The NATO Cooperative Cyber Defence Centre of Excellence Insider Threat Detection Study focuses on the threat to information security posed by insiders. (External PDF, File Size 1.09 MB)
The U.S. Secret Service (USSS)’s National Threat Assessment Center provides an analysis of Mass Attacks in Public Spaces that identifies stressors that may motivate perpetrators to commit an attack. (External PDF, File Size 3.04 MB)
The FBI’s Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks and appendices provides a practical guide on assessing and managing the threat of targeted violence. (External PDF, File Size 1675 KB)
The FBI’s A Study of Pre-Attack Behaviors of Active Shooters in the United States Between 2000 and 2013 examines specific behaviors that may precede an attack and thus might be useful in identifying, assessing, and managing those who may be on a pathway to violence. The analysis covers active shooter incidents in the United States between 2000 and 2013. (External PDF, File Size 2054 KB)
The U.S. Department of Justice National Institute of Justice provides a report on Protective Intelligence and Threat Assessment Investigations on monitoring, controlling, and redirecting a subject and when it is appropriate to close a case. (External PDF, File Size 216.86 KB)
The USSS’s National Threat Assessment Center provides an analysis of Mass Attacks in Public Spaces that identifies stressors that may motivate perpetrators to commit an attack. (External PDF, File Size 3.04 MB)
The FBI’s Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks is a practical guide on assessing and managing the threat of targeted violence. (External PDF, File Size 1675 KB)
The American Society for Industrial Security (ASIS) Workplace Violence and Active Assailant-Prevention, Intervention, and Response is an overview of policies, processes, and protocols that organizations can adopt to help identify, assess, respond to, and mitigate threatening or intimidating behavior and violence affecting the workplace.
For more information on insider threat mitigation, please send an email to InTmitigation@cisa.dhs.gov.
In case of an emergency, or to report suspicious activity or events, call 9-1-1 or contact local law enforcement.