Insider Threat Analysis Center

Researchers: Andrew Moore, Randall Trzeciak, Dawn Cappelli

Cross Cutting Thrusts: Threat Analysis and Modeling | Next Generation Threat Prediction and Response


CERT and CyLab continue to be recognized as leaders in insider threat research. CyLab has funded the following projects, all of which have been extremely well-received by both industry and government:

  • Common Sense Guide to Prevention and Detection of Insider Threats: The third version was released in October 2008. This was a significant undertaking, reflecting almost 100 new insider threat cases. Many involve new technologies (e.g., keystroke monitoring and use of a virus to infect an organization's systems with targeted malicious code) and organizational issues like outsourcing.
  • System Dynamics Modeling: In previous years, we created a model for insider IT sabotage. Currently, we are developing two new models: insider theft of information and insider fraud. These new models will reflect the 100 recent cases collected this year using CyLab funding.
  • Education & Awareness: This year we expanded our half-day MERIT insider threat workshop to a full day, funded by the SEI. It will be expanded once again at the end of this year to include new CyLab MERIT materials (two new models and the insider threat diagnostic instrument). CyLab also funded development of the MERIT Interactive Training Simulation proof of concept.
  • Insider Threat Diagnostic: We are currently creating a diagnostic instrument that can be used to assess organizations’ vulnerability to insider threat, and to assist in prioritizing mitigation activities. This diagnostic is based on our library of over 250 cases of insider threat.
  • Spotlight On: This quarterly article focuses on a specific area of concern and presents analysis based on the hundreds of actual insider threat cases cataloged in the CERT insider threat database.

This project has multiple objectives toward maintaining the currency and relevancy of insider threat information, methods, and tools. First, we will continue to collect new insider threat cases, gather case information, and code them in our MERIT database. We will update all MERIT products based on new cases: the MERIT insider threat diagnostic instrument, the MERIT Common Sense Guide, and all MERIT models. Insider threat researchers will produce a quarterly newsletter for CyLab members detailing new research, preliminary findings, reports, podcasts, webcasts, and other developments in insider threat. Finally, we will keep the MERIT website up to date so that it contains all of our insider threat research and enables members to interact with the MERIT team via the website with questions, suggestions, case information, and feedback.

The deliverables will provide timely information to organizations for better understanding of current insider threats, will enable CyLab members to collaborate with the MERIT team and influence research, and will be first released to CyLab member organizations.