A holistic insider threat mitigation program combines physical security, personnel awareness, and information-centric principles.
An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems. Insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include intentional or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.
Examples of an insider may include:
Insider threat incidents are possible in any sector or organization.
CISA provides information and resources to help individuals, organizations, and communities create or improve existing insider threat mitigation programs. Infrastructure communities can protect the nation by working internally to protect against insider threat and sharing lessons learned. Mature insider threat programs are more resilient to disruptions, should they occur.
The key steps to mitigate insider threat are Define, Detect and Identify, Assess, and Manage. Threat detection and identification is the process by which persons who might present an insider threat risk due to their observable, concerning behaviors come to the attention of an organization or insider threat team. Threat assessments are based on behaviors, which are variable in nature. A threat assessment’s goal is to prevent an insider incident, whether intentional or unintentional. When an assessment suggests that the person of concern has the interest, motive, and ability to attempt a disruptive or destructive act, the threat management team should recommend and coordinate approved measures to continuously monitor, manage, and mitigate the risk of harmful actions.
