Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

Insider Threat Mitigation

A holistic insider threat mitigation program combines physical security, personnel awareness, and information-centric principles.

Overview

An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems. Insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include intentional or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.

Examples of an insider may include: 

  • A person the organization trusts, including employees, organization members, and those to whom the organization has given sensitive information, such as financial data, business strategy, and organizational strengths and weaknesses. In the context of government functions, this could also include classified information. This person may also have both physical and digital access to sensitive spaces.
  • A person given a badge or access device identifying them as someone with regular or continuous access (e.g., an employee or member of an organization, a contractor, a vendor, a custodian, or a repair person). 
  • A person to whom the organization has supplied a computer and/or network access. 
  • A person who has intimate knowledge about and possibly helps develop the organization’s products and services; this group includes those who know the secrets of the products that provide value to the organization.

Insider threat incidents are possible in any sector or organization.

CISA’s Role  

CISA provides information and resources to help individuals, organizations, and communities create or improve existing insider threat mitigation programs. Infrastructure communities can protect the nation by working internally to protect against insider threat and sharing lessons learned. Mature insider threat programs are more resilient to disruptions, should they occur.

The key steps to mitigate insider threat are Define, Detect and Identify, Assess, and Manage. Threat detection and identification is the process by which persons who might present an insider threat risk due to their observable, concerning behaviors come to the attention of an organization or insider threat team. Threat assessments are based on behaviors, which are variable in nature. A threat assessment’s goal is to prevent an insider incident, whether intentional or unintentional. When an assessment suggests that the person of concern has the interest, motive, and ability to attempt a disruptive or destructive act, the threat management team should recommend and coordinate approved measures to continuously monitor, manage, and mitigate the risk of harmful actions. 

Insider Threat Mitigation Fundamentals

Defining Insider Threats

Defining insider threats is a key step in comprehending and establishing an insider threat mitigation program.

Detecting and Identifying Insider Threats

Observing and identifying concerning behavior is a critical step in recognizing an insider threat that requires both human and technological elements.

Assessing Insider Threats

The goal of assessing a possible insider threat is to prevent an insider incident, whether intentional or unintentional.

Managing Insider Threats

Proactively managing insider threats can stop the trajectory or change the course of events from a harmful outcome to an effective mitigation. 

Insider Threat Video

The Insider Threat video features security and behavior experts discussing how insider threats manifest in a variety of ways, including terrorism, workplace violence, and breaches of cybersecurity. Understanding how to recognize and respond to these various types of insider threats, whether non-violent or violent, increases an organization’s ability to protect both its people and sensitive information.

NPPD Insider Threat Trailer

CISA’s Insider Threat Mitigation Resources

Explore products and tools designed for CISA Stakeholders to define, detect, assess, and manage insider threats.

Insider Threat Mitigation Resources and Tools

Insider Threat Mitigation Guide

PUBLICATION
The Insider Threat Mitigation Guide provides comprehensive information to help federal, state, local, tribal, and territorial governments; non-governmental organizations; and the private sector establish or enhance an insider threat prevention and mitigation program.
Download File (PDF, 5.4 MB)

Insider Risk Mitigation Program Evaluation (IRMPE)

PUBLICATION
This tool pulls from insider threat planning and preparedness resources to allow users to evaluate the maturity of their insider threat program in one convenient and easy-to-navigate fillable PDF.

Contact Us

For more information on insider threat mitigation, please send an email to InTmitigation@cisa.dhs.gov.

In case of an emergency, or to report suspicious activity or events, call 9-1-1 or contact local law enforcement.
