Blog Post
See All Blog Posts

A Look at Insider Threat Risk Indicator Decay

By Frank L. Greitzer, Ph.D.

In my new article titled "When an Insider Threat is No Longer an Insider Threat: A Look at Risk Decay," published in the IEEE Engineering Management Review journal, I discuss the concept of insider risk indicator decay — the idea that the relevance or contribution of an insider risk indicator may diminish over time.


The concept of decay - such as an almost-ripe banana gong black after a week out on the kitchen counter - is familiar to most people. Similarly, the impact of a potential risk indicator on a risk analyst's assessment can attenuate over time.

The impact of a risk indicator may decrease due to the passage of time, or because of positive interventions by the organization. Different indicators have different decay rates, with some indicators, like technical authentication failures, decaying quickly, while others, like abusive behavior, decaying slowly.

The article also addresses the challenges of estimating decay rates, which can be labor-intensive. Organizations may be tempted to treat all indicators as static to avoid missing potential threats, but this approach can lead to false positives and alienate employees.

Research on the decay of risk indicators shows varying rates for different types of indicators. Personality traits tend to have low decay rates, while technical indicators have higher decay rates. However, exceptions exist, such as the introduction of malicious code, which has little decay.

In summary, the article emphasizes the importance of understanding and incorporating insider risk indicator decay in threat assessments to avoid costly mistakes and improve the accuracy of identifying insider threats. Further research is needed to refine decay parameters and explore factors that diminish the impact of risk indicators.

Reference:

  • Greitzer, FL. (2026). When an insider threat is no longer an insider threat: A look at risk decay. Engineering Management Review, pp. 1-6. DOI: 10.1109/EMR.2026.3661857

You can obtain the published copy of this article at the journal's website, above, or you can access a pre-publication article here.

Recent Related Stories

Insider Risk Management
Why Centralized Insider Risk Management Is Essential in Modern Organizations
Insider threats are among the most persistent and costly challenges facing organizations today. Unlike external attacks—which often follow recognizable patterns…
Read More
Company News
Cogility Achieves CMMC Level 1 Security Compliance with the U.S. Department of War
By earning CMMC Level 1 compliance, Cogility reinforces its dedication to maintaining a secure digital environment and protecting sensitive government…
Read More
Industry Insights
What Makes an Effective Insider Threat Program
Insider threats remain one of the most persistent and damaging challenges facing both government and private organizations. The potential consequences…
Read More

Categories

Industry Insights (18)
Release Notes (9)
Company News (7)
Decision Intelligence (16)
Insider Risk Management (18)
Real-time Analytics (6)
Decision Support (11)
Apache Open Source (4)
Cyber Security (2)

Connect