Insider threat


Malicious insider

intentionally exploit organisation, use legitimate access, unauthorised purpose

CATALYST - precipitating event, tipping point (not everyone becomes an insider threat from the same event)

ACTOR characteristics (Nurse)

- psychological state - disgruntled - attitude towards work = not committed/lazy

- motivation - not promoted - skill set - opportunity - role in organisation - type of actor/status (employed) - personality - narcissism, social problem - physical/cyber behaviour

Detect - change in behaviour, coworker detects and reports, monitor IT system

Prevent - IT security, Training - expectations, responsibilities (report behaviour), consequences, Vetting - previous incidents, Standards/policies, Monitor and review - talk to employee (voice principle, open door policy, discuss issues)

IMPACT - Share sensitive data, Lose trust of colleagues, Lose trust of public, Reduce integrity, Threaten operations

Case study – PC Mark Daly – BBC reporter, institutional racism


Insider threat

Centre for Protection of National Infrastructure (CPNI)

- exploit legitimate access organisation assets unauthorised purpose

Nurse et al - framework detect and identify insider threat

3 types

malicious - intentional, motivated

accidental - most common, human error, less easy to predict

compromised - computer malware, phishing email


lose public trust, lose sensitive data, lose trust employees, learn from previous insider threat (develop training, policies, procedures)


Accidental/non malicious

Accidental - most common - human factors lead to accidental threat

Catalyst for insider - lack of training on system

Case study - prison officer or NHS send email

DETECT - Agreeableness, openness = susceptible to scams & carelessness, boredom, or dissatisfaction

Attack objective from framework - task or activity that is the reason for the incident, e.g. working under time constraint. By modelling accidental threats we are able to gain further insight into the reasons linked to attacks, and facilitate better understanding

PREVENT - only give access to what the employee needs access to, change password notification, digital footprint (shows who has viewed what; less likely to breach security when there is a risk of being caught). User Entity Behaviour Analytics – observe normal user behaviour, create a baseline of what is normal, deviation from this may be used to detect insider threat. Training

IMPACT - loss of integrity, loss of public trust, learn from incident, e.g. disciplinary action (impact on staff member, lose job, lose income, MH)


Compromised insider threat

Compromised - credentials unknowingly compromised by external threat, intention to steal data or sabotage organisation

Computer infected with malware - phishing

Access to sensitive data

DETECT - unaware of risk, gullible to phishing emails, carelessness, laziness

PREVENT - Training, Improve security, Pop-ups ("do you want to access/open?"), monitor employee

IMPACT - Malware, Loss data, Share confidential data, Lose trust


Insider threat framework

Nurse framework insider threat

Catalyst + Actor characteristics (may influence someone become insider threat) - psychological state, motivation, skills, opportunity, attitude towards work, history, personality, physical/cyber behaviour

Attack - objective- step (how), step goal, organisation characteristic - assets, vulnerability

Positives of framework - able to detect threat, framework gives deeper understanding

Negatives - Difficult to establish mindset individuals

relying on the co-operation of other individuals within the organisation to report suspicious behaviour

Insider’s mind-set: reiterate the difficulty in gathering this psychological information on insider threats; in many cases, we found that more emphasis was placed on the attack itself, rather than on gathering data regarding indicators in order to learn from it
