Insider Threat Mitigation
An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems. Insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include intentional or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.
Examples of an insider may include:
- A person the organization trusts, including employees, organization members, and those to whom the organization has given sensitive information, such as financial data, business strategy, and organizational strengths and weaknesses. In the context of government functions, this could also include classified information. This person may also have both physical and digital access to sensitive spaces.
- A person given a badge or access device identifying them as someone with regular or continuous access (e.g., an employee or member of an organization, a contractor, a vendor, a custodian, or a repair person).
- A person to whom the organization has supplied a computer and/or network access.
- A person who has intimate knowledge about and possibly helps develop the organization’s products and services; this group includes those who know the secrets of the products that provide value to the organization.
Insider threat incidents are possible in any sector or organization.
CISA provides information and resources to help individuals, organizations, and communities create or improve existing insider threat mitigation programs. Infrastructure communities can protect the nation by working internally to protect against insider threat and sharing lessons learned. Mature insider threat programs are more resilient to disruptions, should they occur.
The key steps to mitigate insider threat are Define, Detect and Identify, Assess, and Manage. Threat detection and identification is the process by which persons who might present an insider threat risk due to their observable, concerning behaviors come to the attention of an organization or insider threat team. Threat assessments are based on behaviors, which are variable in nature. A threat assessment’s goal is to prevent an insider incident, whether intentional or unintentional. When an assessment suggests that the person of concern has the interest, motive, and ability to attempt a disruptive or destructive act, the threat management team should recommend and coordinate approved measures to continuously monitor, manage, and mitigate the risk of harmful actions.
Insider Threat Mitigation Fundamentals
Defining Insider Threats
Defining insider threats is a key step in comprehending and establishing an insider threat mitigation program.
Detecting and Identifying Insider Threats
Observing and identifying concerning behavior is a critical step in recognizing an insider threat that requires both human and technological elements.
Assessing Insider Threats
The goal of assessing a possible insider threat is to prevent an insider incident, whether intentional or unintentional.
Managing Insider Threats
Proactively managing insider threats can stop the trajectory or change the course of events from a harmful outcome to an effective mitigation.
Insider Threat Video
The Insider Threat video uses security and behavior experts to discuss how insider threats manifest in a variety of ways including terrorism, workplace violence, and breaches of cybersecurity. Understanding how to recognize and respond to these various types of insider threats, whether non-violent or violent, increases an organization’s ability to protect both its people and sensitive information.
CISA’s Insider Threat Mitigation Resources
Explore products and tools designed for CISA Stakeholders to define, detect, assess, and manage insider threats.
Insider Threat Mitigation Guide
Insider Risk Mitigation Program Evaluation (IRMPE)
For more information on insider threat mitigation, please send an email to InTmitigation@cisa.dhs.gov.
In case of an emergency, or to report suspicious activity or events, call 9-1-1 or contact local law enforcement.