Recognize and Report Anomalous Behavior

An engaged workforce trained to recognize and report suspicious behavior or activity can help defend against insider threats.  Organizations are encouraged to consider the following when developing their insider threat program.    

Develop an Understanding of Behavior Norms and Standard Business Activities

Determine base-line behavior for areas the organization can actively monitor.  Develop questions based on individual, department, and network activity.  Examples can include:     

• What is the normal work schedule?
• What physical locations should be accessed?
• What are normal communications or interactions with internal and external entities?
• What are the normal IT system or electronic file access protocols?
• What is normal network or VPN activity?

Be Aware of High-Risk Behavior That Can Indicate a Potential Insider Threat

A combination or cluster of high-risk behavior should cause reason for concern.  High-risk behavior can include:   

• Extremist ideology or fascination with terrorist organizations
• Abrupt change in personality or social engagement
• Angry outburst or hateful comments about co-workers or organization
• Reports of physical or cyber harassing and bullying
• Significant interest in areas outside the scope of their duties
• Working odd hours without authorization
• Requesting access to information, systems, or facilities not associated with their duties
• Remotely accessing the network at odd times or while on vacation
• Unnecessarily copying or downloading sensitive information
• Signs of drug use, alcohol abuse, or illegal activity
• Financial difficulty or gambling addiction
• Unexplained wealth or unusual foreign travel
• Repeated rule violations    

The Department of Energy Identifying at-Risk employees: A Behavioral Model for Predicting Potential Insider Threats studies psychological and personality predispositions that may indicate an increased risk of insider abuse.

The Central Intelligence Agency Internal Security and Counterintelligence Application of the Critical-Path Method to Evaluate Insider Risk demonstrates a common set of insider threat risk factors and behavioral indicators that led to actual events.

The Intelligence and National Security Alliance Assessing the Mind of the Malicious Insider describes how to use a behavioral model to mitigate insider threats.

The Center for Development of Security Excellence offers Insider Threat Case Studies to help better understand malicious insiders.

Establish Clear Guidelines for Reporting Suspicious Behavior

Organizations are encouraged to consider the following when developing their reporting procedures:

• Clear reporting guidelines supported by insider threat policy
  • Including anonymous reporting
• Incorporate multiple communication channels
  • Phone hotline
  • Email
  • Website
  • Supervisors
  • Human resources
  • Insider threat program office open-door policy
• Ensure reporting protects the privacy of all concerned
• Account for public safety exceptions to statutes and regulations
  • Public Safety Exceptions within the Health Insurance Portability and Accountability Act (HIPPA)
  • Public Safety Exceptions within the Family Education Rights and Privacy Act (FERPA)
• Provide quick feedback to those reporting concerning behavior

Additional Resources

The If You See Something, Say Something™ campaign provides individuals and organizations with information on reporting suspicious activity.