Manage insider threats: Knowing where the risks are

Tom Olzak details the insider threats that an organization should be prepared to defend.

Too often, we view insider risk as a homogenous threat landscape; employees with access do bad things and there is business impact. While this description is somewhat accurate, it doesn't provide enough information with which to manage risk. What we need is a deeper look at what types of threats exist, the business roles involved, and the signs that typically exist when an employee, vendor, etc. is not complying with policy, law, or ethics. Armed with this information, organizations can implement administrative, technical, and physical controls to mitigate insider risk.

In this opening article, we look at the three categories of insider threats as defined in The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Cappelli, More, & Trzeciak) and at The CERT Insider Threat Center. In Part 2, we will discuss recommended methods for detecting, containing, and responding to insider threats planned, in progress, or completed.

Insider threat defined

Defining insider threats requires an understanding of who and what are involved. The three primary categories of associated attacks are theft of intellectual property, fraud, and damage to information resources. In each category, CERT research tells us that a specific business role is usually responsible. See Table A.

Table A

Intellectual property theft

Intellectual property (IP) is any "creation of mind" created or owned by an organization. For our purposes, examples include

  • Engineering designs/drawings
  • Software created in-house
  • Trade secrets

In many situations, the creators of IP (engineers, software developers, etc.) believe they have ownership rights. In others, financial gain or professional advancement is the driver for theft. The tipping point from good to rogue employee usually happens when creators don't receive recognition for their work or when they don't perceive themselves as adequately compensated and appreciated. CERT lists several objectives for IP theft, including

  • Starting a new business
  • Providing a competitive advantage to a new employer
  • Providing it to a foreign country (especially a country with which an employee has cultural, political, or ethnic ties)

Because people allowed access to IP are most likely to steal IP, detection can be difficult. However, close attention to common IP removal paths is the first step in mitigating risk from IP loss, including

  • Company email
  • Remote network access
  • Storage on laptops and other mobile storage devices
  • File transfer services (e.g., FTP or SFTP)

Fraud

Fraud is theft of financial assets. Employee fraud is much more common than most organizations believe. In an article at, Tracy L. Coenen writes, "Experts estimate that on average it costs companies 3% to 5% of revenue each year." For example, a payroll clerk creating a false employee, paying that employee, and then collecting and cashing the check commits fraud. Other types of fraud include misuse of expense accounts or payment to vendors when they provide no services or products. People deep in debt with no hope of digging themselves out tend to top the list of insider threats in this category.

Fraud occurs when three conditions are met, as shown in Figure A. Pressure is usually a seemingly overwhelming financial need. Opportunities consist of vulnerabilities in an organization's processes, security, etc. that allow a pressured employee to steal with little chance of detection. Rationalization occurs when an employee convinces himself that his need is greater than ethical or moral concerns. An employee might also rationalize theft based on how she perceives management mistreatment or ingratitude for the business value she's provided. Removing one side of the triangle eliminates or significantly reduces risk from fraud.

Figure A

Fraud Triangle Developed by Donald Cressey

Fraud occurs across many channels, and involvement might extend beyond employees to external criminal individuals or organizations. Again, employees resorting to fraud usually seek financial gain. Methods include

  • Selling stolen information
  • Modifying information to realize financial gains for self or others
  • Receiving payment for adding, modifying, or deleting information

Most employees committing fraud avoid complex technological pathways. For example, the last two examples above simply require alteration of a database without removal of data. When data is removed, it is often downloaded to a home computer, copied to mobile storage, faxed, or emailed.

Damage to information resources

Damage to information resources is usually an attempt to break one or more business processes, thereby resulting in significant harm to the business. In most cases, only someone with administrator access can successfully achieve these goals. For example, a programmer might plant a logic bomb that destroys a database, irreparably damages server software, or causes an application to perform in unexpected ways. In addition to logic bombs, reconfiguration of network devices in ways that cause significant loss of productivity is a surreptitious malicious act often difficult to remediate.

Rogue administrators don't always announce themselves with a large, visible event. Rather, creating additional administrator accounts often gives the attacker long-term access for small but costly hits against a current or former employer. Organizations without proper log management would have a very difficult time assigning responsibility when the rogue account is eventually identified.
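The attribution problem above is what log management solves: if the audit trail records who ran the account-creation and group-change commands, a newly privileged account can be traced back to the administrator who made it. The following is an added illustration, not code from the article or from CERT; it replays a constructed sample of Linux sudo log lines (the hostnames, usernames and timestamps are invented) and builds a creator/escalator record for every account that ends up in an administrator group.

```python
import re
from dataclasses import dataclass
# Constructed sample of Linux auth.log lines written by sudo (not real data).
SAMPLE_LOG = """\
Mar 12 02:14:07 payroll-db sudo:     jdoe : TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/useradd -m svc_backup2
Mar 12 02:14:22 payroll-db sudo:     jdoe : TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc_backup2
Mar 12 09:31:55 payroll-db sudo:   asmith : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -m contractor7
Mar 12 09:40:10 payroll-db sudo:   asmith : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
                     r"(?P<actor>\S+) :.*?COMMAND=(?P<cmd>.+)$")
ADMIN_GROUPS = {"sudo", "wheel", "admin"}   # membership here confers administrator rights

@dataclass
class NewAccount:
    name: str
    host: str
    created_by: str             # sudo actor: the attribution that log management preserves
    created_at: str
    admin_granted_by: str = ""  # empty until someone places the account in an admin group

def _grants_admin(argv):
    # useradd/usermod put the account in groups via -G, -aG or --groups <list>
    for i, arg in enumerate(argv):
        if arg in ("-G", "-aG", "--groups") and i + 1 < len(argv):
            return bool(ADMIN_GROUPS & set(argv[i + 1].split(",")))
    return False

def find_new_accounts(log_text):
    """Replay sudo events in order, recording who created and who escalated each account."""
    accounts = {}
    for line in log_text.splitlines():
        if not (m := SUDO_RE.match(line)):
            continue
        argv = m["cmd"].split()
        tool = argv[0].rsplit("/", 1)[-1]
        if tool == "useradd":                        # account created; last arg is the login
            acct = NewAccount(argv[-1], m["host"], m["actor"], m["ts"])
            if _grants_admin(argv):                  # useradd -G sudo: admin from the start
                acct.admin_granted_by = m["actor"]
            accounts[acct.name] = acct
        elif tool == "usermod" and _grants_admin(argv):   # existing account promoted
            acct = accounts.setdefault(argv[-1], NewAccount(argv[-1], m["host"], "<pre-existing>", m["ts"]))
            acct.admin_granted_by = m["actor"]
    return accounts

def rogue_admin_candidates(log_text):
    # accounts that ended up with admin rights: the list to reconcile against change tickets
    return [a for a in find_new_accounts(log_text).values() if a.admin_granted_by]
```

The report only becomes useful if the log source is shipped off the host promptly, since a rogue administrator can edit a local file but not a copy already held by a central log server.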

Collusion

Employees don't always have access to everything needed for theft or system damage. Many organizations raise barriers with separation of duties enforced with role-based access control. Enterprising insider threats circumvent these controls using collusion.
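Separation of duties is only as good as the role assignments that implement it, and the control has two failure modes: a single person who has accumulated both halves of a toxic combination, and two people who hold one half each and could combine them. The following is an added example, not the article's or CERT's material; it uses a constructed RBAC model for a payroll and accounts-payable process (role names, permissions and users are invented) to find both cases, so that access reviews can fix the first and monitoring can watch the second.

```python
from itertools import combinations

# Constructed RBAC model for a payroll / accounts-payable process (not from the article).
ROLE_PERMISSIONS = {
    "hr_clerk":        {"employee.create", "employee.update"},
    "payroll_clerk":   {"payroll.run", "payroll.view"},
    "payroll_manager": {"payroll.approve", "payroll.view"},
    "ap_clerk":        {"vendor.create", "invoice.enter"},
    "ap_manager":      {"invoice.approve"},
}
# Toxic combinations: one person holding both halves could create a fake employee or
# vendor and then pay it, which is the fraud scenario separation of duties exists to block.
TOXIC_PAIRS = [
    ("employee.create", "payroll.approve"),
    ("vendor.create", "invoice.approve"),
    ("payroll.run", "payroll.approve"),
]
USER_ROLES = {
    "alice": {"hr_clerk"},
    "bob":   {"payroll_clerk", "payroll_manager"},   # accumulated both roles over time
    "carol": {"ap_clerk"},
    "dave":  {"ap_manager"},
}

def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms

def sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Users whose own role set already covers a toxic pair (the control has failed)."""
    found = []
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_perms)
        found += [(user, a, b) for a, b in TOXIC_PAIRS if a in perms and b in perms]
    return found

def collusion_exposure(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Pairs of users who jointly cover a toxic pair that neither holds alone: the control
    holds only while they do not collude, so these are the pairs access reviews should watch."""
    perms = {u: effective_permissions(u, user_roles, role_perms) for u in user_roles}
    found = []
    for u, v in combinations(sorted(user_roles), 2):
        for a, b in TOXIC_PAIRS:
            alone = {a, b} <= perms[u] or {a, b} <= perms[v]
            if not alone and {a, b} <= perms[u] | perms[v]:
                found.append((u, v, a, b))
    return found
```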

What is collusion?

Peter Vajda writes, "Collusion takes hold when two (or more) individuals co-opt their values and ethics to support their own, and others', misdeeds." The key word is support. While an engineer, for example, might have full access to all relevant components of the IP he or she intends to steal, a payroll or accounts payable clerk might not. Consequently, the person planning the theft might recruit key employees with access to information or processes otherwise unavailable.

It is usually the most trusted employees who commit these crimes. Collusion increases the risk for the perpetrators, but it also decreases the opportunities to detect theft. Bypassing separation of duties via collusion circumvents a key control. According to CERT research, it isn't uncommon for multiple individuals (including outsiders) to participate in long-term fraud.

Probability of collusion

Managers like to believe their employees will behave with integrity, but collusion is a common cause of insider risk. According to a Fraud Matters Newsletter article posted at the EFP Rotenberg website, "Collusion accounts for as much as 40 percent of fraud, with median loss of approximately $485,000, nearly five times that of crimes perpetrated by an individual alone." The amount of loss from fraud associated with collusion significantly elevates associated risk to levels needing close attention by security teams and management.

The last word

Insider threats can potentially cost organizations a great deal each year through loss of IP, fraud, and damage to information resources. Each threat category largely involves a specific role or set of business roles and different attack vectors. In Part 2, we will explore recognizing problem employees and implementation of controls to mitigate insider opportunities.


Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...
