Insider Threat Mitigation Guide
Cybersecurity and Infrastructure Security Agency 11
2. Defining Insider Threats
Examples of Insider Threat Definitions from government agencies, industry, and academia
Department of Homeland Security (DHS)
“The threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the Department’s mission, resources, personnel, facilities, information, equipment, networks, or systems. This threat can manifest as damage to the Department through the following insider behaviors: espionage; terrorism; unauthorized disclosure of information; corruption, to include participation in transnational organized crime; sabotage; workplace violence; and intentional or unintentional loss or degradation of Departmental resources or capabilities.” [12]
CERT National Insider Threat Center
“The potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.” [13]
Computer Language Company Incorporated
“The potential risk that employees and officers of a company can cause more harm to the IT infrastructure or to the company in general than external threats such as viruses and cracker attacks. Also known as an ‘authorized user threat,’ disgruntled employees have easy access to confidential data, especially if their feelings are not made public.” [14]
RAND Corporation
“The potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization or national security.” [15]
National Insider Threat Task Force (NITTF)
“The risk an insider will use their authorized access, wittingly or unwittingly, to do harm to their organization. This can include theft of proprietary information and technology; damage to company facilities, systems or equipment; actual or threatened harm to employees; or other actions that would prevent the company from carrying out its normal business practice.” [16]
Ernst & Young Global Limited (EY)
“The threat a current or former employee, contractor, or business partner, who has or had authorized access to an organization’s network systems, data, or premises, uses that access to compromise the confidentiality, integrity, or availability of the organization’s network systems, data, or premises, whether or not out of malicious intent.” [17]
Department of Defense (DoD)/Center for Development of Security Excellence (CDSE)
“The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the United States or classified national security information.” [18]
[12] Department of Homeland Security. (2019, October 01). Insider Threat Program. Instruction # 262-05-002, Revision 01. (p. 5). Washington, DC.
[13] Costa, D. (2017, March 7). CERT Definition of ‘Insider Threat’ – Updated. Retrieved from https://insights.sei.cmu.edu/insider-threat/2017/03/cert-definition-of-insider-threat---updated.html
[14] The Computer Language Company Inc. (n.d.). Encyclopedia: Definition of Insider Threat. Retrieved from https://www.pcmag.com/encyclopedia/term/45031/insider-threat
[15] Luckey, D., Stebbins, D., Orrie, R., Rebhan, E., Bhatt, S.D., et al. (2019). Assessing Continuous Evaluation Approaches for Insider Threats: How Can the Security Posture of the U.S. Departments and Agencies Be Improved? Santa Monica, CA: RAND Corporation. Retrieved from https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/assurance/assurance-pdfs/EY-managing-insider-threat.pdf
[16] Department of Homeland Security. (n.d.). Insider Threat Mitigation: What is an Insider Threat? Retrieved from cisa.gov/insider-threat-mitigation
[17] EY. (2016). Managing Insider Threat; A Holistic Approach to Dealing with Risk from Within. (p. 1). Retrieved from https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/assurance/assurance-pdfs/EY-managing-insider-threat.pdf
[18] Department of Defense. (2017, August 28). Department of Defense Directive. DoDD 5205.16. (p. 1). Washington, DC. Retrieved from https://fas.org/irp/doddir/dod/d5205_16.pdf; Department of Defense. (2016, May 18). DoD 5220.00-M National Industrial Security Program Operating Manual. Ch 2. (p. C-4). Washington, DC. Retrieved from https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf