
When it comes to cybersecurity and national defense, the biggest threats aren't always external. Increasingly, organizations are recognizing the dangers posed by insiders—trusted individuals with the access and knowledge to cause serious harm. But detecting such threats isn’t as simple as catching someone breaking rules. It requires a deeper, more nuanced understanding of human behavior, technical footprints, and organizational context. This is the idea behind the development of the SOFIT knowledge base of insider risk indicators.

Originally developed by a team led by Dr. Frank L. Greitzer with collaborators in an IARPA-sponsored research program [1], SOFIT — short for Sociotechnical and Organizational Factors for Insider Threat — is a sophisticated knowledge base of insider threat Potential Risk Indicators (PRIs). SOFIT provides a framework for modeling insider risk. It goes beyond a typical list of vulnerabilities and red flags by offering a hierarchical system of behavioral and technical factors that are considered by expert analysts to reflect an individual’s increased likelihood of becoming an insider threat.

What Are PRIs?

PRIs are observable behaviors, events, or conditions that may suggest insider risk. These indicators range from overt actions like policy violations or criminal activity to more subtle signals such as depression, disgruntlement, or financial stress. The original SOFIT framework grouped these PRIs into major categories like boundary violations, job performance issues, technical security violations, and psychosocial concerns. After nearly ten years of working with SOFIT, I saw a need for several updates that make the knowledge base easier to use and that reflect insights gained through research and practice, insights that improve the performance of predictive models. The new structure of the knowledge base is shown below: there are now nine major classes within the Individual Factor branch of the hierarchy, with a total of 32 subclasses, also shown in the figure. In this streamlined framework, the individual PRIs occupy the third level of the hierarchy.

While some models that we’ve studied make simplistic assumptions about how to aggregate the risk contributions of individual PRIs that are observed, the most successful approaches account for dynamic, context-sensitive characteristics of PRIs and dependencies or relationships among PRIs. The new version of the SOFIT knowledge base, dubbed SOFIT 2.0, has been restructured to better inform more sophisticated, pattern-based predictive models. The Cogynt decision intelligence platform—in computing insider risk using its pattern-based, hierarchical complex event processing model—is particularly well-adapted to incorporate the hierarchical SOFIT framework.

The Evolution: From SOFIT to SOFIT 2.0

SOFIT 2.0 marks a significant advancement, addressing three core challenges:

  1. Difficulty Differentiating PRIs
    Some PRIs were overlapping or redundant. For example, "Excessive Use of Personal Webmail at Work" and "Excessive Personal Use of Work Email" both fall under what’s now called cyberloafing. SOFIT 2.0 consolidates similar indicators, reducing ambiguity and improving the system’s clarity.
  2. PRI Decay Modeling
    Not all risks stay relevant forever. For example, while PRIs related to personality or character traits have a relatively permanent impact on analyst judgment, many cyber indicators (such as failed login attempts) have a relatively transient impact. However, my research demonstrated some inconsistencies in our original hypotheses about assigning decay parameters to PRIs, and SOFIT 2.0 reflects some adjustments.
  3. High-Level Pattern Dependencies
    Most models assume PRIs act independently, but human behavior is rarely that linear. SOFIT 2.0 acknowledges that combinations of seemingly minor indicators can form a significant pattern that adds more “context” to the case than what might be seen by independently aggregating the contributions of individual PRIs. For example, being passed over for promotion, showing disgruntlement, and attempting unauthorized data access may, in combination, signal a real threat—even if no single indicator is damning on its own.

Real-World Relevance: The Romero Case

The power of a Cogynt model built on the SOFIT 2.0 framework is readily understood through examples. In the 2019 Gabriel Romero case, a Navy sailor fatally shot two civilian workers before taking his own life. Although the entire incident took less than thirty seconds, there were “warning signs” in Romero’s personnel record going back six months that perhaps could have been identified in time to avert the tragedy. Indeed, applying Cogynt with SOFIT’s framework reveals numerous missed signals that would have generated a Workplace Violence alert at least a week before the incident: disciplinary actions and poor performance reviews many months before, and, just a couple of weeks before, displays of aggression and being passed over for promotion. Taken in isolation, these might seem like HR issues. Combined, they painted a tragic picture that, if caught early, might have led to intervention.
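The two mechanisms described above, time-decayed PRI contributions and a pattern rule that fires only when a combination of indicators is active together, can be sketched in a few dozen lines. The following Python is an added illustration written for this page; it is not code from the original post, from Cogility's Cogynt platform, or from the SOFIT 2.0 knowledge base. The PRI weights, half-lives, the "Workplace Violence" rule, and the timeline are constructed assumptions chosen so the example runs offline; SOFIT 2.0's actual decay parameters and scoring are not reproduced here. The timeline is shaped like the sequence in the Romero narrative (discipline and performance problems months out, aggression and a missed promotion weeks out) but is not his actual record.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed PRI catalogue for this example. The weights and half-lives are
# illustrative assumptions, not the parameters in the SOFIT 2.0 knowledge base.
# half_life_days=None marks a trait-like PRI whose contribution does not decay.
PRI_CATALOG = {
    "disciplinary_action":     {"weight": 3.0, "half_life_days": 180},
    "poor_performance_review": {"weight": 2.0, "half_life_days": 180},
    "passed_over_promotion":   {"weight": 2.0, "half_life_days": 90},
    "aggression":              {"weight": 4.0, "half_life_days": 60},
    "failed_login":            {"weight": 0.5, "half_life_days": 2},
    "hostility_trait":         {"weight": 2.0, "half_life_days": None},
}

# Pattern rule (assumed for illustration): a named combination of PRIs that,
# when all are still "active" on the evaluation date, adds context that
# independent aggregation would miss. min_active_fraction sets how far a PRI
# may have decayed and still count toward the pattern.
PATTERNS = {
    "Workplace Violence": {
        "required": {"disciplinary_action", "poor_performance_review",
                     "passed_over_promotion", "aggression"},
        "min_active_fraction": 0.25,
        "bonus": 5.0,
    },
}


@dataclass(frozen=True)
class Observation:
    pri: str    # key into PRI_CATALOG
    when: date  # date the indicator was observed


def decayed_weight(obs: Observation, as_of: date) -> float:
    """Contribution of one observation on as_of, with exponential half-life decay."""
    meta = PRI_CATALOG[obs.pri]
    age_days = (as_of - obs.when).days
    if age_days < 0:
        return 0.0  # not yet observed on this date
    if meta["half_life_days"] is None:
        return meta["weight"]  # persistent trait: no decay
    return meta["weight"] * 0.5 ** (age_days / meta["half_life_days"])


def independent_score(observations, as_of: date) -> float:
    """Naive aggregation: sum of decayed contributions, ignoring dependencies."""
    return sum(decayed_weight(o, as_of) for o in observations)


def active_pris(observations, as_of: date, min_fraction: float) -> set:
    """PRIs whose decayed weight is still at least min_fraction of their base weight."""
    return {
        o.pri for o in observations
        if decayed_weight(o, as_of) >= min_fraction * PRI_CATALOG[o.pri]["weight"]
    }


def evaluate(observations, as_of: date):
    """Return (risk_score, fired_pattern_names) for the case as of a given date."""
    score = independent_score(observations, as_of)
    fired = []
    for name, rule in PATTERNS.items():
        active = active_pris(observations, as_of, rule["min_active_fraction"])
        if rule["required"] <= active:  # every required PRI is present and active
            fired.append(name)
            score += rule["bonus"]
    return round(score, 2), fired


# Constructed timeline loosely shaped like the sequence described in the post
# (not Romero's actual record). T0 is an arbitrary stand-in for the incident date.
T0 = date(2019, 12, 1)
TIMELINE = [
    Observation("disciplinary_action", T0 - timedelta(days=170)),
    Observation("poor_performance_review", T0 - timedelta(days=150)),
    Observation("passed_over_promotion", T0 - timedelta(days=16)),
    Observation("aggression", T0 - timedelta(days=14)),
]

if __name__ == "__main__":
    for days_before in (30, 7):
        as_of = T0 - timedelta(days=days_before)
        score, fired = evaluate(TIMELINE, as_of)
        print(f"{days_before:>2} days before T0: score={score} alerts={fired}")
```

Run thirty days before T0 only the two old HR indicators exist, so no pattern fires and the independent score stays low; seven days before T0 all four required PRIs are present and still above their activity threshold, so the "Workplace Violence" pattern fires and adds its bonus on top of the decayed sum. The same code also shows the decay distinction from the previous section: a `failed_login` with a two-day half-life is worth almost nothing after ten days, while a trait-like PRI with no half-life keeps its full weight regardless of age.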

The Power of Integration: Cogynt and SOFIT

Cogility’s Cogynt Decision Intelligence Platform operationalizes the SOFIT 2.0 framework to augment human judgment, giving analysts tools to make better-informed, timely decisions.

Cogynt integrates the SOFIT knowledge base with real-time data ingestion, advanced analytics, and hierarchical complex event processing (HCEP). This enables organizations to:

  • Detect patterns across multiple domains (technical, behavioral, organizational)
  • Monitor threat behavior in context and over time
  • Generate alerts with risk scores and supporting rationale
  • Support case management and tailored mitigation strategies

A Whole Person Approach

We emphasize the whole person approach to insider threat detection. That means understanding that behind every potential risk is a person—often struggling, misunderstood, or overlooked. This isn’t just about stopping malicious insiders; it’s also about intervening early to support individuals and de-escalate risks before harm occurs.

By combining behavioral science with cutting-edge technology, SOFIT 2.0 moves us from reactive response to proactive risk mitigation. It transforms how organizations think about risk—not just by detecting threats, but by understanding them.

Check out the briefing slides that were used to describe the SOFIT 2.0 transformation… and download the SOFIT 2.0 PRI framework.
