![](https://cogility.com/wp-content/uploads/2025/01/insider-threat-blocks.jpg)
Understanding Insider Threats
Insider threat management is a critical concern across both government and commercial sectors due to rising incidents. These threats involve trusted individuals misusing their authorized access to steal data, commit fraud, engage in espionage, sabotage systems, or even perpetrate workplace violence. Organizations are increasingly investing in new technologies and methodologies to strengthen their insider threat programs.
This blog is derived from a more expanded companion webinar and white paper. Its intent is to provide insights from an industry survey and expert opinions, exploring how organizations perceive insider threats, key insider threat technologies, and the advantages of a whole person approach to risk assessment. Additionally, it offers recommendations on how to migrate to a proactive, whole person Counter-Insider Threat (C-InT) strategy.
Insider Threat Landscape and Perceptions
A recent Cybersecurity Insiders survey [1] of over 400 cybersecurity professionals found that 71% of organizations feel vulnerable to insider threats, with a third considering themselves at significant risk. Alarmingly, more than a third admitted their existing programs are only nominally effective. This highlights the need for improved strategies and technologies to mitigate insider risks.
Organizations rely on technical security controls—including identity management, endpoint protection, network security, and cloud monitoring—to combat these threats. However, many are now extending their scope by incorporating behavioral indicators, such as HR data, legal records, and publicly available information (PAI). A whole person approach combines both of these diverse data sources to proactively detect insider risks before they escalate.
The Challenges of Insider Threat Management
Detecting insider threats is inherently difficult because insiders have legitimate access to sensitive data. Additionally, privacy regulations and legal constraints can hinder monitoring efforts. In most cases, responding to an insider threat requires substantial documented evidence before organizations can take corrective action, such as termination or legal intervention.
To address these complexities, insider threat programs must involve cross-functional collaboration between security teams, HR, legal advisors, and executive leadership. With clear policies, security controls, and advanced analytics, organizations can create a robust insider threat management framework that balances security with compliance.
Key Technologies in Insider Threat Detection
Modern C-InT solutions integrate security tools to correlate user activity across various data points, such as access logs, file transfers, communication monitoring, and application usage. User and Entity Behavior Analytics (UEBA), Security Information and Event Management (SIEM), and Identity and Access Management (IAM) tools play a critical role in detecting unusual behavior. More organizations are also incorporating PAI to enhance their risk assessments. Keep in mind that technical security controls used for insider threat detection result in a reactive stance: by the time they alert, the material insider damage has already occurred.
A recent QKS-Group Insider Risk Management market report [2] identified several essential capabilities in modern C-InT solutions:
- User and device monitoring to track abnormal behavior.
- Extended Detection and Response (XDR) for rapid threat containment.
- Security automation to trigger alerts and responses.
- Comprehensive analytics and dashboards for risk visualization.
- Case management to help streamline analyst workload and coordinated response.
According to the QKS-Group, by applying AI and machine learning, C-InT systems can detect patterns and anomalies more effectively, filtering out redundant alerts and false positives to identify insider actions with greater precision, albeit still reactively. However, AI approaches often exhibit limited explainability and can be prone to hallucination and bias, which are significant gaps considering the high-consequence decisions affecting a person's livelihood and reputation.
The Whole Person Approach: A Game Changer
Traditional insider threat management focuses primarily on technical indicators, such as unauthorized data access, data leakage, and privilege abuse. However, a whole person approach enhances detection and affords preemptive mitigation by incorporating and analyzing behavioral potential risk indicators (PRIs) alongside technical PRIs.
By integrating HR records, legal records, financial data, and even social media activity, organizations can develop more comprehensive risk profiles. These profiles enable broader and more accurate monitoring, risk scoring, and the identification of at-risk individuals, even before an impactful incident occurs. With predictive analytics that combine expert systems and AI/ML, organizations can model insider risk profiles and associated behavioral patterns to identify individuals on the path to committing a critical insider threat [3], getting left of harm.
Insiders typically take multiple actions that lead up to an impactful incident. As explained by Frank L. Greitzer, Ph.D. [4], chief behavioral scientist at Cogility: "traditional approaches focusing only on technical indicators will most often alert security analysts and threat responders only during or after the attack. But if organizations incorporate behavioral factors into their analysis, analysts may observe various trip wires or red flags along the critical pathway".
Best Practices for Implementing a Whole Person Approach
Transitioning to a whole person insider threat program requires planning and cross-department support. According to Greitzer, organizations should:
- Expand the Breadth of Insider Threat Stakeholders – Include HR, legal, behavioral experts, and leadership as part of the core C-InT program team [5].
- Define Key Insider Risks – Identify both severe insider threats and their early warning signs that are of key concern to the organization.
- Identify and Incorporate Technical and Behavioral Risk Indicators – Utilize diverse data sources to assess risks and leverage existing PRI taxonomies such as SOFIT [6].
- Develop Insider Risk Assessment Models – Map out indicators and assign risk weights against target insider threat behavior to enable model development.
- Assess Data Sources and Management – Determine the scope, acceptable risks, and gaps to securely obtain and manage these data sources to ensure compliance.
- Establish Monitoring and Risk Assessment Requirements – Define clear policies and protocols, and design templates to normalize assessment.
- Evaluate Current Capabilities and Infrastructure – Assess current program resources and tools, controls and processes, as well as insider threat metrics.
- Examine the Capabilities and Costs of New Tools and Technologies – This includes the use of expert systems and AI/ML for real-time threat detection and analysis, and case management functions spanning assessment to mitigation. Determine the must-haves to augment existing tools, controls, and capabilities.
- Determine the Operational, Economic, and Risk Management Improvements of a whole person C-InT approach – Ascertain implementation scope, timing, and KPI targets.
- Present Key Highlights, Justifications, and KPIs – Gain stakeholder commitment and put the plans into action.
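As an added illustration of the risk-weighting and scoring steps above (example code written for this post, not Cogility's product or the cited authors' models), the block below scores a fictitious employee's constructed PRI timeline with assumed weights, a time decay, and an assumed review threshold, then compares when a whole person score versus a technical-only score would first flag the person for analyst review.

```python
from collections import namedtuple
from datetime import date

# Assumed, illustrative weights; a real program calibrates these against its own
# threat model and a PRI taxonomy such as SOFIT. "b_" = behavioral PRI (HR, legal,
# PAI); "t_" = technical PRI (IAM/UEBA/DLP telemetry).
PRI_WEIGHTS = {
    "b_negative_review": 2.0,
    "b_policy_reprimand": 3.0,
    "b_financial_distress": 3.0,
    "b_hostile_public_post": 2.0,
    "t_after_hours_spike": 2.0,
    "t_bulk_download": 4.0,
    "t_removable_media": 3.0,
}
ALERT_THRESHOLD = 5.0  # assumed score at which the C-InT team opens a case

PriEvent = namedtuple("PriEvent", "person indicator when")

def risk_score(events, person, as_of, half_life_days=60, behavioral=True):
    """Weighted sum of PRIs seen on or before as_of; older indicators decay with
    the given half-life, and behavioral=False mimics a technical-only program."""
    total = 0.0
    for e in events:
        if e.person != person or e.when > as_of:
            continue
        if not behavioral and e.indicator.startswith("b_"):
            continue
        age_days = (as_of - e.when).days
        total += PRI_WEIGHTS[e.indicator] * 0.5 ** (age_days / half_life_days)
    return round(total, 2)

def first_alert(events, person, behavioral=True):
    """Earliest event date on which the score reaches the threshold, else None."""
    for day in sorted({e.when for e in events if e.person == person}):
        if risk_score(events, person, day, behavioral=behavioral) >= ALERT_THRESHOLD:
            return day
    return None

# Constructed critical-pathway timeline for a fictitious employee "emp42".
EVENTS = [
    PriEvent("emp42", "b_negative_review", date(2024, 1, 10)),
    PriEvent("emp42", "b_policy_reprimand", date(2024, 2, 5)),
    PriEvent("emp42", "b_hostile_public_post", date(2024, 2, 20)),
    PriEvent("emp42", "t_after_hours_spike", date(2024, 3, 12)),
    PriEvent("emp42", "t_bulk_download", date(2024, 3, 18)),
]

if __name__ == "__main__":
    print(first_alert(EVENTS, "emp42"), first_alert(EVENTS, "emp42", behavioral=False))
```

With these assumed weights the whole person score crosses the threshold on the third behavioral indicator, three weeks before the first technical PRI appears, whereas the technical-only score only crosses it once the bulk download has already happened.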
Modernizing Insider Threat Management
As organizations face increasing insider threats, the integration of continuous behavioral monitoring, AI augmentation, predictive modeling, and case management will be essential to meet the processing, assessment, and mitigation needs of modern C-InT programs.
A whole person insider threat management approach helps organizations move from reactive detection to proactive risk assessment, to better protect assets and personnel, manage risk, and foster a secure workplace. Now is the time to modernize your program and adopt a forward-thinking, whole person approach to countering insider threats.
For more extensive insights on this topic go to the original webinar or the white paper.
The author would like to acknowledge Frank Greitzer Ph.D. at Cogility Software, Holger Schulze at Cybersecurity Insiders, and the QKS-Group for their contributions.
1. 2024 Insider Threat Survey, Cybersecurity Insiders (n=413).
2. 2024 QKS-Group SPARK Matrix™: Insider Risk Management.
3. Shaw, E. & Sellers, L. (2015). Application of the critical-path method to evaluate insider risks. Studies in Intelligence, 59(2), 41-48.
4. Adapted from: Greitzer et al. (2018). https://ieeexplore.ieee.org/document/8424651
5. Intelligence and National Security Alliance (INSA), Human Resources and Insider Threat Mitigation: A Powerful Pairing, INSA White Paper, September 2020.
6. SOFIT; Greitzer, Pearl, Leuong, and Becker. https://ieeexplore.ieee.org/document/8424651