Managing Insider Threats

Click the icons to navigate.



Detect and Identify

Detect & Identify






Proactively managing insider threats can stop the trajectory or change the course of events from a harmful outcome to an effective mitigation. Organizations manage insider threats through interventions intended to reduce the risk posed by a person of concern. The organization must keep in mind that the prevention of an insider threat incident and protection of the organization and its people are the ultimate goals. 

When an assessment suggests that the person of concern has the interest, motive, and ability to attempt a disruptive or destructive act, the threat management team should recommend and coordinate approved measures to continuously monitor, manage, and mitigate the risk of harmful actions.

I.   Management Strategies 

When enacting insider threat management strategies, it is vital organizations remain mindful of the connectivity between protecting the organization and caring for persons of concern. Best practices in the field take both into consideration simultaneously and demonstrate that focusing on one of these aspects at the expense of the other can have very negative results. 

Management strategies that are effective have the following characteristics:

  • They are holistic, considering the person of concern, potential victims or targets, and the organizational setting/or environment.

  • They sometimes require multiple, concurrent intervention strategies.

  • They have accurate and effective communication with affected stakeholders.

  • They can be short-term or long-term.

  • They can be either active, directly engaging with a subject; or passive, such as monitoring a person of concern.

  • They require continual reassessment, adjustment, and follow-through.

  • They allow each team member to offer a solution based on their specific discipline and resources.

  • They may not work as planned.

  • They must be flexible.  

There is no “one-size-fits-all” approach to threat management. Instead, threat management teams should focus on case-specific, creative solutions based upon communication, partnerships, and leveraging of resources. Flexibility is the key.

II.   Intervention and Prevention Considerations

Intervention strategies incorporate actions that directly involve the person of concern, any potential victims or targets, and the overall organizational environment or setting in which a threat could manifest.

"Focus Areas for Managing the Insider Threat"Consider the person of concern:

  • Take no action if the assessment revealed there is no imminent threat.
  • Watch and wait if a possibility of a threat exists, but not enough information to confirm the assessment has come to light.
  • Consider having a behavioral scientist perform a return-to-work/duty risk assessment, if necessary.
  • Consider administrative actions such as restrictions, suspension, discipline, expulsion, or termination, as appropriate.
  • Explore legal actions, such as restraining orders or trespass warnings.
  • Solicit referrals for professional evaluation, such as mental health, substance abuse, or anger management.
  • Forward an arrest report or a report of criminal activity to law enforcement

Consider the victim or potential target: Threat victims or potential targets may require management intervention, especially if the person of concern can maintain access to a work or organization site. Consider the following options for action to protect potential victims: 

  • Increase vigilance.
  • Be alert to virtual stalking or research on public and private networks.
  • Change work or participation hours.
  • Relocate workspace.
  • Manage social media privacy.
  • Vary routes, routines, and activities.
  • Employ parking lot escorts.
  • Cease communication with the person of concern, if necessary.
  • Conduct personal safety planning.

Consider the organizational setting and/or environment: Increased vigilance and target hardening are advisable when the potential for violence increases. Threat management teams may consider implementing one or several of a number of limited options applicable to person of concern:

  • Increased awareness of the local environment, work, or organizational site
  • Notifications and warnings/information sharing
  • Identity and entry verification
  • Training on security procedures
  • Law enforcement alerts/Be-on-the- Lookouts (BOLOs)
  • Security process reviews
  • Reduction of access points
  • Increased visible security measures
  • Flagging of addresses in the 9-1-1 system

Avoid concluding that a case is closed when the person of concern is fired, expelled, or otherwise removed from the immediate situation. Consider the following:

  • Although sometimes necessary, dismissal from the setting is not a threat management strategy in and of itself.
  • Once a person is barred from an organization, additional planning for safety is often needed and is strongly recommended.

Effective prevention capabilities encompass several major focus areas:

  • Train your personnel to recognize behaviors that indicate a person of concern is progressing toward a malicious incident—every person in your organization can provide helpful information.
  • Instill a positive culture for reporting, and make sure people know the program is designed to help them and the potential person of concern.
  • Establish a threat management team that has the multi-disciplinary capabilities needed to assess all the facts related to a potential insider threat.
  • Develop intervention capabilities and management actions that are respectful, and consider the dignity and privacy of every employee.

III. Use of Law Enforcement in Threat Management

Long before any incident, the organization should establish a cooperative relationship with local law enforcement and outline the circumstances under which the threat management team may request assistance.

Consider requesting the assistance of local law enforcement when:

  • Actual criminal violations exist;
  • A threat of violence is imminent or taking place;
  • An involuntary mental health commitment is necessary;
  • A potentially violent person is being suspended or terminated;
  • An incident of domestic violence threatens the safety of the organization; or
  • Periodic or episodic wellness checks are needed to ensure the safety of a potential victim or the person of concern.

Establishing a relationship with local law enforcement can assist the organization in planning for emergency response. Ensure the police have correct information about an organization in the dispatch system. Law enforcement can also provide additional support during periods of increased risk and better prepare the organization for emergencies.

IV.   Resources

The FBI’s Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks is a practical guide on assessing and managing the threat of targeted violence. (External PDF, File size 1675 KB)

ASIS International’s  Workplace Violence and Active Assailant-Prevention, Intervention, and Response is an overview of policies, processes, and protocols that organizations can adopt to help identify, assess, respond to, and mitigate threatening or intimidating behavior and violence affecting the workplace.

Was this webpage helpful?  Yes  |  Somewhat  |  No