An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.
Insiders may have accounts giving them legitimate access to computer systems, with this access originally having been given to them to serve in the performance of their duties; these permissions could be abused to harm the organization. Insiders are often familiar with the organization's data and intellectual property as well as the methods that are in place to protect them. This makes it easier for the insider to circumvent any security controls of which they are aware. Physical proximity to data means that the insider does not need to hack into the organizational network through the outer perimeter by traversing firewalls; rather they are in the building already, often with direct access to the organization's internal network. Insider threats are harder to defend against than attacks from outsiders, since the insider already has legitimate access to the organization's information and assets.
An insider may attempt to steal property or information for personal gain, or to benefit another organization or country. The threat to the organization could also be through malicious software left running on its computer systems by former employees, a so-called Logic bomb.
Insider threat is an active area of research in academia and government.
The CERT Coordination Center at Carnegie-Mellon University maintains the CERT Insider Threat Center, which includes a database of more than 850 cases of insider threats, including instances of fraud, theft and sabotage; the database is used for research and analysis. CERT's Insider Threat Team also maintains an informational blog to help organizations and businesses defend themselves against insider crime.
Intent-based Access Control (IBAC),  a novel access control model first proposed by Abdulaziz Almehmadi, is an access control system that detects the intention of the user requesting access answering the question "Why?" access is being requested as opposed to current access control systems that asks "Who?" is requesting access. IBAC is designed to prevent the insider threat as opposed to the current access control systems that are designed to prevent the outsider threat. IBAC is a risk-based access control that assesses risk of access based on the detected intent and the motivation level towards executing that intent. IBAC takes advantage of the robustness of P300-based Concealed Information Test to detect an intent of access and uses the brain signals to detect the motivation level. The access control system has been used on 30 participants with 100% detected intentions of access and all mal-intent users being rejected access before they commit their mal-intended action.
A report published in July 2012 on the insider threat in the U.S. financial sector gives some statistics on insider threat incidents: 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as "difficult" and 17% as being "disgruntled". The insider was identified in 74% of cases. Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time.
The US Department of Defense Personnel Security Research Center published a report that describes approaches for detecting insider threats. Earlier it published ten case studies of insider attacks by information technology professionals.
- Computer security
- Insider Threat Management
- Mole (espionage)
- Naval Criminal Investigative Service
- Threat (computer)
- "FBI Counterintelligence: The Insider Threat. An introduction to detecting and deterring an insider spy". Fbi.gov. Archived from the original on 2014-02-10. Retrieved 2014-03-08.
- "The CERT Insider Threat Center". Cert.org. Retrieved 2014-03-08.
- "Insider Threat Blog". CERT. Retrieved 10 August 2012.
- Abdulaziz Almehmadi and Khalil El-Khatib, "On the Possibility of Insider Threat Prevention Using Intent-Based Access Control (IBAC)", Systems Journal, IEEE , vol. PP, no. 99, pp. 1, 12, doi: 10.1109/JSYST.2015.2424677 URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7103286&isnumber=4357939
- Abdulaziz Almehmadi "Insider Threats Meet Access Control", URL: https://www.amazon.com/gp/aw/d/1539772012/ref=mp_s_a_1_1?ie=UTF8&qid=1477837714&sr=8-1&pi=AC_SX280_SY350_FMwebp_QL65&keywords=almehmadi&dpPl=1&dpID=518-g2uTc0L&ref=plSrch
- Cummings, Adam; Lewellen, Todd; McIntire, David; Moore, Andrew; Trzeciak, Randall (2012), Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, Software Engineering Institute, Carnegie Mellon University, (CMU/SEI-2012-SR-004)
- Shaw, Eric; Fischer, Lynn; Rose, Andrée (2009), Insider Risk Evaluation and Audit (PDF), Department of Defense Personnel Security Research Center, TR 09-02
- Shaw, Eric; Fischer, Lynn (2005), Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders Analysis and Observations (PDF)