September is Insider Threat Awareness Month! While insider threat is a significant concern that must be considered throughout the year, we would like to take a little time this month to emphasize the importance of deterring, detecting, and mitigating threats posed by trusted insiders, and to foster a deeper understanding of indicators and reporting requirements related to insider threat.
What is an Insider?
An insider is anyone that has, or has had access to an organization's resources, facilities and information, network or systems.
What is an Insider Threat?
The threat that an insider will use their authorized access, wittingly or unwittingly, to do harm to their organization or the security of the United States.
Who is at risk of becoming an Insider Threat?
Anyone can be at risk of becoming a threat, whether intentionally or unintentionally.
Who are our adversaries?
Adversaries include foreign governments, foreign and domestic terrorist organizations, competitors, non-state actors, and anyone seeking to do harm to the U.S., our people, or your organization. Think back on our previous teachings about counterintelligence, suspicious contact, foreign activities, etc. Remember how and why adversaries seek to target us and elicit information. They will do whatever is necessary to get their hands on ANY non-public information that we, as insiders, can provide.
Understanding Insider Threat
Most insider threats do not start out as a threat; rather, they evolve into a threat over time. The pathway to an insider incident is often complex. Minor frustrations and stressors, both personal and professional, can add up and increase the possibility that an individual may become careless, negligent, or malicious. Insider threats occur for a wide variety of reasons and can be deliberate or unintentional. Insiders do not need to hold a high rank or position to inflict grave damage. Technology can empower individuals at all levels and it is possible for one person, regardless of rank or position in an organization, to do a lot of damage.
Some individuals blatantly seek to do harm. They may become so disillusioned that they act with malice. They may feel sympathy for or be swayed by an adversary. They may have gotten themselves into a bad situation and see no other way out.
Some individuals may have no active intent to do harm but commit unintentional acts, often through negligent or accidental behaviors, but the impact can be just as significant. If we are not careful with the information we share, we may unwittingly become an insider threat. In addition, while we often focus on unauthorized disclosure and the threat of adversaries stealing information, we must also consider workplace violence.
Regardless of intent, an insider threat can cause grave and irrevocable damage. Damage from an insider threat can include, but may not be limited to, resource degradation, harm to national security, reduced military strength and mission readiness; loss of organizational reputation, innovation, and industry advantage; financial instability; and even potential injury to persons or loss of life.
We can reduce risk by promoting awareness, establishing an effective Insider Threat Program, training our workforce, effective reporting, and providing resources to support individuals who may be struggling. When we recognize and report concerning behaviors and indicators, we can work to detect, deter, and mitigate potential threats before they escalate. Risk assessment must consider all possible threats, from theft of information to violent acts.
Every organization should have an Insider Threat Program designed to deter, detect, and mitigate actions by insiders who may pose a threat. The Insider Threat Program must address and analyze information from multiple sources regarding behaviors and risks that could potentially do harm and should employ holistic and multidisciplinary responses for managing insiders who are at risk, while maintaining their privacy and civil liberties. The organization’s Insider Threat Program Senior Official (ITPSO) implements insider threat program activities, including daily operations, management, and ensuring standards of compliance.
The Facility Security Officer (FSO) is in charge of managing security in the organization’s facilities. Leadership is responsible for promoting a protective and supportive culture throughout the organization to support their workforce and encourage understanding and compliance with the Insider Threat Program.
Access Attributes
Access is at the heart of understanding and characterizing insider threats. Without access, there is no insider. That said, access comes in many forms. There is physical access to buildings, spaces, people, assets, etc., virtual access to computer networks and systems, access to organizational knowledge, acquired skills, specialized training, and more. In that light, every organization has some inherent insider threat risk. We cannot function without entrusting people with valuable tools and information, so every person within an organization typically has some form of access that could be exploited. Risk can be reduced when sensitive access is properly assigned, managed, and protected, and when individuals take their responsibility to report concerning behavior seriously.
Recognizing Reportable Insider Threat Indicators
As a staff member or employee of your organization, your responsibility is simple. You must report concerning behavior to the appropriate individuals within your organization. It is not your responsibility to know specifically what is going on, but you must be able to recognize concerning behaviors and know how to report them. Concerning behaviors is a broad term to describe any observable behaviors or actions that suggest an individual may be at risk of becoming an insider threat, may be acting in a way that is risky or negligent, may be planning to take a malicious act, or may be actively carrying out a malicious act. Some are easily defined and categorized, others are more subtle and difficult to identify.
While we will not go into extreme detail here, we have listed below some common categories of concerning behaviors and shed a bit of light on some of the more nuanced categories. We encourage you to dive deeper on this list by reviewing the DCSA Insider Threat Indicators Job Aid and DITMAC – What Should I Report?
Interpersonal behaviors are actions, words, and body language we use when interacting with others in social situations.
Personal Predispositions are personal characteristics, personality traits, and circumstances that make a person more likely to engage in risky behavior.
Stressors are events or situations that cause an individual to feel pressure or anxiety and may lead them to act in ways they normally wouldn’t. Stressors can be personal, professional, financial, etc.
Some indicators involving interpersonal behaviors, predispositions, and stressors would be significant changes in personality, behavior, or work habits, disgruntlement that could lead to a desire to retaliate, engaging in arguments or altercations, engaging in risky or inappropriate behavior, history of rule violations, untruthfulness, social network risks, etc. Insider threat case studies indicate that individuals with medical or psychiatric disorders, or personality or social skills issues are more likely to engage in risky behavior.
Problematic Organizational Responses are a factor that should be considered. Inadequate organizational responses can escalate the actions of at-risk individuals who are more likely to plan and execute attacks. This includes, but is not limited to, inattention, lacking risk assessment processes, inadequate investigation, and other actions that escalate risk. Many past insider threat case studies indicate that there was insufficient concern prior to the incident, or a lack of organizational mechanism to organize and communicate potential threat information to the appropriate security officials to prevent, deter, detect, or mitigate malicious actions.
Many known insider threats have been associated with one or more reportable indicators, and bits of information, from differing perspectives, can add up to a bigger picture of a concerning landscape.
Why Reporting is Critical & How to Report Concerns
Insider threats can cause grave damage to an organization, to people, and to our country. An organization’s workforce is the first line of defense against insider threats, and we are all obligated to report concerning behavior. Any concerning behavior, any indicators, any information about any individual that could indicate that a person is, or could become, an insider threat, must be reported to your organization’s FSO and ITPSO immediately upon discovery. NEVER assume someone else has or will report a concern! If you have a concern or suspect someone is at risk of becoming a threat, you must report it. Failure to report can result in fines, prison, or both.
Security is everyone’s responsibility. Protecting our organization, our coworkers, and our country should always be our top priority. Report all insider threat concerns to your organization’s FSO and ITPSO! It is our job as security professionals to help you navigate any situations that arise.
Whistleblower Protection
It is important to note that making a protected disclosure does not indicate an insider threat. Whistleblowing is the reporting of waste, fraud, abuse, corruption, or dangers to public health and safety to someone who is in the position to rectify the wrongdoing. Employees are protected from employer retaliation via the Whistleblower Protection Act and Security Executive Agent Directive (SEAD) 9: Whistleblower Protection. It is unlawful for your employer to take any action affecting your access to classified information in reprisal for making a protected disclosure. A disclosure is protected if it meets two criteria.
Organizations should have whistleblowing policies defining the correct way to report as opposed to releasing the information to the media or an unauthorized source. Releasing information to the media or an unauthorized source is unauthorized disclosure. It is a crime and is not whistleblowing nor applicable to whistleblower protection.
The DoD National Hot Line is always available to all individuals to report fraud, waste, abuse, corruption, or dangers to public health and safety.
Email: [email protected] | Phone: 1-800-424-9098 | Website: https://www.dodig.mil/Hotline | Mail: Defense Hotline, The Pentagon, Washington, DC 20301-1900
Resources and Additional Learning
Additional information about this topic can be found:
As always, if you have any questions about whether or not a situation requires reporting, ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefing, and reporting requirements. As security professionals, we are here to help you navigate things to ensure you fulfill all requirements.