Deanna Caputo, Ph.D., explains a multifaceted approach to addressing the growing challenge of insider risk and threat.

Managing Insider Threats is a Team Sport
Some of the nation’s most powerful companies—Capital One, Tesla, Microsoft, General Electric—have been impacted by insider breaches within the last five years. It’s a reminder that no organization is exempt from such incidents, which cause millions of dollars in damage while posing a slew of other privacy, reputational, and operational issues.
As digital environments have become an easy breeding ground for information sharing, insider threats have increased in tandem.
Company insiders have the greatest access to IP and, therefore, the ability to cause the gravest damage.
What can organizations do to identify bad actors on the inside before they leak information or cause harm? The solution is layered.
Deanna Caputo, Ph.D., a senior principal behavioral psychologist, has dedicated her life’s work to chipping away at the problem. During her 16-year tenure at MITRE, she’s applied her background in human behavioral science to cyber challenges that network and endpoint monitoring alone can’t solve.
The MITRE Insider Threat Research and Solutions team is dedicated to leveraging the behavioral, data, and cyber sciences to advance insider risk detection and indicators, deterrence and mitigation, program design and development, and screening and vetting.
“This is a human problem, and humans are not the weakest link,” she explains of insider threats. “They are the missing link.”
Inside Insider Threats
Insider threats are a growing problem because there's greater opportunity for people who have concerns to find somebody to give the sensitive information they have to. And it’s a lot easier for adversaries to reach out and recruit our employees with the World Wide Web and the dark Web.
My name is Deanna Caputo. I am MITRE’s Chief Scientist for insider threat research and solution capabilities, and I'm a senior principal behavioral psychologist.
An insider threat is someone that has legitimate current access or previous access to an organization's information, its people, its facilities, and uses that access to cause harm, whether it's to data or facilities or individuals.
Insider threat detection and deterrence is a team sport. We need to combine sensors from human sensors and workforce - your employees, your supervisors - with technical sensors like network monitoring, as well as the context of the organization and its mission.
MITRE’s working on our insider threat framework, which will bring together the cyber physical pieces of insider threat with what we call the psychosocial pieces, individual factors and organizational factors to produce the first data driven framework for insider threats.
Our mission in the insider threat space is to make it human centric. This is a human problem and humans are not the weakest link. They really are the missing link in the insider threat space.
At MITRE, we don't focus on case studies and trying to catch the last bad guy. We're focused on collecting enough information and characteristics across bad behavior to identify indicators and detectors that differentiate our good employees from the employees choosing to do bad things.
Read our full conversation with Caputo:
What is an insider threat?
An insider threat is someone who has legitimate current or previous access to an organization's information, its people, or its facilities, and uses that access to cause harm to data, facilities, or individuals.
Why are insider threats a growing issue?
There's greater opportunity for people who have grievances to find somebody to give sensitive information to. These days, it's a lot easier for adversaries to recruit employees via the World Wide Web and the dark Web.
Before the internet, “true spies” packaged information and threw it over the wall of an embassy. Now we see people just giving sensitive information away, whether that be to competitors or the public. Sabotage, domestic extremism, fraud, and workplace violence are also drivers.
How can organizations better address insider threats?
Many organizations believe insider threat detection is covered by their security operations centers. But these programs need access to contextual human information that can’t be found through network and endpoint monitoring.
Insider threat detection and deterrence is a team sport. It requires combining human behavior sensors, technical sensors, and the context of the organization’s mission.
Employees, teammates, and supervisors play an important role in mitigating risks—sense something, say something!
What are some behavioral indicators or tells for bystanders to watch for?
Pay attention to behaviors that don't seem quite right or appropriate at the time. We don’t typically catch someone in the act. Rather, it’s a confluence of events and people’s life circumstances that often lead them to make a bad decision.
Tell us about the Insider Threat Framework your team is launching next year.
Our framework will connect cyber-physical elements with psycho-social pieces—individual and organizational factors. It will be the first comprehensive data-driven framework for insider threats.
We will use it to develop better potential risk indicators and assess gaps in our sensors, then advise the commercial community to produce solutions that fill targeted gaps instead of collecting excess information. Ideally, it will bolster our ability to identify risks before they become threats.
Why is MITRE tackling this issue?
We are committed to insider threat deterrence, detection, and mitigation because it impacts the economic well-being of our country and underscores our responsibility to protect information, people, and processes. Company insiders have the greatest access to IP and, therefore, the ability to cause the gravest damage.
We don't concentrate on case studies or trying to catch the last bad guy. We're focused on collecting enough information on characteristics across bad behavior to identify indicators differentiating good employees from those choosing to do bad things.
Read More:

Last fall, Caputo participated in programming for National Insider Threat Awareness Month, which focused on the bystander effect and emphasized how threat detection is a team sport.
MITRE is a founding member of the recently launched Five Eyes Insider Risk Practitioner Alliance (FIRPA), which brings together expertise from across the "Five Eyes" nations—Australia, Canada, New Zealand, the United Kingdom, and the United States—to tackle the growing insider risk and threat challenges as a collective.