Defining Insider Threats
Insider threats present a complex and dynamic risk affecting the public and private domains of all critical infrastructure sectors. Defining these threats is a critical step in understanding and establishing an insider threat mitigation program. The Cybersecurity and Infrastructure Security Agency (CISA) defines insider threat as the threat that an insider will use their authorized access, intentionally or unintentionally, to do harm to the department’s mission, resources, personnel, facilities, information, equipment, networks, or systems. Insider threats manifest in various ways: violence, espionage, sabotage, theft, and cyber acts.
What is an Insider?
An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.
Examples of an insider may include:
- A person the organization trusts, including employees, organization members, and those to whom the organization has given sensitive information and access.
- A person given a badge or access device identifying them as someone with regular or continuous access (e.g., an employee or member of an organization, a contractor, a vendor, a custodian, or a repair person).
- A person to whom the organization has supplied a computer and/or network access.
- A person who develops the organization’s products and services; this group includes those who know the secrets of the products that provide value to the organization.
- A person who is knowledgeable about the organization’s fundamentals, including pricing, costs, and organizational strengths and weaknesses.
- A person who is knowledgeable about the organization’s business strategy and goals, entrusted with future plans, or the means to sustain the organization and provide for the welfare of its people.
- In the context of government functions, the insider can be a person with access to protected information, which, if compromised, could cause damage to national security and public safety.
What is an Insider Threat?
Insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization.
This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities. External stakeholders and customers of the Cybersecurity and Infrastructure Security Agency (CISA) may find this generic definition better suited and adaptable for their organization’s use.
CISA defines insider threat as the threat that an insider will use their authorized access, wittingly or unwittingly, to do harm to the department’s mission, resources, personnel, facilities, information, equipment, networks, or systems. This threat can manifest as damage to the department through the following insider behaviors:
- Espionage
- Terrorism
- Unauthorized disclosure of information
- Corruption, including participation in transnational organized crime
- Sabotage
- Workplace violence
- Intentional or unintentional loss or degradation of departmental resources or capabilities
What are the Types of Insider Threats?
- Unintentional Threat
- Negligence– An insider of this type exposes an organization to a threat through carelessness. Negligent insiders are generally familiar with security and/or IT policies but choose to ignore them, creating risk for the organization. Examples include allowing someone to “piggyback” through a secure entrance point, misplacing or losing a portable storage device containing sensitive information, and ignoring messages to install new updates and security patches.
- Accidental – An insider of this type mistakenly causes an unintended risk to an organization. Examples include mistyping an email address and accidentally sending a sensitive business document to a competitor, unknowingly or inadvertently clicking on a hyperlink, opening an attachment in a phishing email that contains a virus, or improperly disposing of sensitive documents.
- Collusive Threats– A subset of malicious insider threats is referred to as collusive threats, where one or more insiders collaborate with an external threat actor to compromise an organization. These incidents frequently involve cybercriminals recruiting an insider or several insiders to enable fraud, intellectual property theft, espionage, or a combination of the three.
- Third-Party Threats – Additionally, third-party threats are typically contractors or vendors who are not formal members of an organization, but who have been granted some level of access to facilities, systems, networks, or people to complete their work. These threats may be direct or indirect threats.
How Does an Insider Threat Occur?
Insider threats manifest in various ways: violence, espionage, sabotage, theft, and cyber acts. Expressions of insider threat are defined in detail below.
Expressions of Insider Threat
- Violence – This action includes the threat of violence, as well as other threatening behaviors that create an intimidating, hostile, or abusive environment.
- Workplace/organizational violence is any action or threat of physical violence, harassment, sexual harassment, intimidation, bullying, offensive jokes, or other threatening behavior by a co-worker or associate that occurs in a person’s place of employment or while a person is working.
- Terrorism as an insider threat is an unlawful use of or threat of violence by employees, members, or others closely associated with an organization, against that organization. Terrorism’s goal is to promote a political or social objective.
- Economic Espionage is the covert practice of obtaining trade secrets from a foreign nation (e.g., all forms and types of financial, business, scientific, technical, economic, or engineering information and methods, techniques, processes, procedures, programs, or codes for manufacturing).
- Government Espionage is covert intelligence-gathering activities by one government against another to obtain political or military advantage. It can also include government(s) spying on corporate entities such as aeronautics firms, consulting firms, think tanks, or munition companies. Government espionage is also referred to as intelligence gathering.
- Criminal Espionage involves a U.S. citizen betraying U.S. government secrets to foreign nations.
- Physical Sabotage is taking deliberate actions aimed at harming an organization’s physical infrastructure (e.g., facilities or equipment).
- Virtual Sabotage is taking malicious actions through technical means to disrupt or stop an organization’s normal business operations.
- Financial Crime is the unauthorized taking or illicit use of a person’s, business’, or organization’s money or property with the intent to benefit from it.
- Intellectual Property Theft is the theft or robbery of an individual’s or organization’s ideas, inventions, or creative expressions, including trade secrets and proprietary products, even if the concepts or items being stolen originated from the thief.
- Unintentional Threats are the non-malicious (frequently accidental or inadvertent) exposure of an organization’s IT infrastructure, systems, and data that causes unintended harm to an organization. Examples include phishing emails, rogue software, and “malvertising” (embedding malicious content into legitimate online advertising).
- Intentional Threats are malicious actions performed by malicious insiders who use technical means to disrupt or halt an organization’s regular business operations, identify IT weaknesses, gain protected information, or otherwise further an attack plan via access to IT systems. This action can involve changing data or inserting malware or other pieces of offensive software to disrupt systems and networks.
Resources
- CISA Insider Threat Mitigation Guide
- Carnegie Mellon University Software Engineering Institute’s the CERT Definition of 'Insider Threat' provides an updated definition of insider threat, including the potential for physical acts of harm.
