top of page

Prevention Beyond the Wire: An Intelligence Driven Analysis of the Internal Cyber Threat

Updated: Mar 11, 2020

Nicole Hoffman and James McCarter | October 02, 2019

In September 2019, The National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF) partnered with federal agencies across the government to launch “National Insider Threat Awareness Month” to “...emphasize the importance of safeguarding our nation from insider threats and to share best practices for mitigating those risks.” (ODNI, 2019) This task force was created to curb threats such as internally sourced violence within the workplace, espionage, cyber incidents, IP (intellectual property) loss and unauthorized disclosure of classified or sensitive information. In order to truly assess the risks that insiders pose to an organization we are fundamentally concerned with two things: likelihood and impact. While highlighting impact is the driving force behind NITA Month, to assess the likelihood of the threat it becomes prudent to utilize the principles of intelligence driven analytics to assist in assessing the likelihood of an event happening. In doing so, the nuances of human intelligence (HUMINT) come into play when assessing the motive of an adversary as current technical attack models may overlook the cause of physically actioned compromises. The objective of this paper is to focus on the internal cyber adversary’s psychological motivations in order to recognize and curb an insider event before it happens.

1. Introduction

To hire or not to hire, that is the question. All organizations mustconfront the fact that the threat of compromise by the insider is unavoidable. We necessarily grant permissions and access to those within our organizations to accomplish our strategic and operational goals, which carries with it the potential for some ofthe gravest and most unexpected intrusions. This reality forces us to carefully consider who we are willing to bring into our trusted circle.Unfortunately, there is not amodel for hiring managers to follow that is 100% effectivein preventingan internal adversary.There are, however,certain characteristics that employers can look for during the interview process,as well as during employment that may provide early warning of future potential insider threat behaviors or activities.

“An insider threat can happen when someone close to an organization with authorized access misuses that access to negatively impact the organization’s critical information or systems. This person does not necessarily need to be an employee – third party vendors, contractors, and partners could pose a threat as well”. (What is an Insider Threat, 2019)

In the Verizon Insider Threat Report of 2018, 90% of companies surveyed felt vulnerable to insider attack. Within the same report, 27% of companies stated the potential cost of an insider attack would be between $100k-$500k. With such a high price tag, preventing an insider threat must necessarily go beyond focusing solely on traditional cybersecurity architecture. It is prudent to understand the relationship of risk between our digital networks and our physical organizations.

Criminal psychologists and human interrogation specialists know the recipe for a crime: means, motive and opportunity. In order to thwart a crime, we know that if we remove one of the three, we should be able to curb the behavior, but as a cybersecurity industry, we focus so heavily on restricting the opportunity for an insider attack (which will never be fully eliminated) that we neglect the other controllable aspect, the motive. A large portion of a human intelligence officer’s job is to be responsible for overseeing psychological operations, which are designed to control, influence, predict, and understand persons and groups though communication and contact in order to secure information from other humans. By using principles of a HUMINT officer to leverage psychological perspective of an insider threat, a situationally aware manager can use that intelligence to inform our insider risk profile and the likelihood level of a potential attack before it occurs.

When we focus on the means, the opportunity, and a motive to carry out an attack, we can clearly assess our intelligence requirements needed to satisfy our knowledge gaps. Because we have a fair understanding of the means and opportunity, let’s focus on motives. While many of these risky insiders are unwitting accomplices to insider compromise with the absence of a malicious motive (through social engineering, poor enforcement policy or sheer laziness), we are focusing on characteristics historically identified in malicious insiders’ motivations such as fear of losing a job, revenge for a perceived wrong doing, corporate or national espionage, and/or financial gain. By doing so, we can analyze the lessons learned from a variety of insider threat cases to recognize and implement prevention methods. Armed with this knowledge, employers can not only detect and prevent an inside attack, but also build a healthier professional ecosystem...


To read the entire report, fill out the form below and receive a free download!


bottom of page