ArchiveOODA Original

Identifying “Insider” Threats in Information Security


The threat of “insiders” in positions of trust with access to critical aspects of an organization’s Information Technology (IT) infrastructure, whether government, military, or private sector, to intentionally compromise and sabotage their secrets or proprietary information has become one of the paramount threats facing national security and critical infrastructure since the rise of the internet in the mid-1980s. One reason for the increase in this threat is the massive and exponential explosion of availability of proprietary or classified information within organizations. A second key risk factor is the relative ease of access by “trusted” IT professionals who operate in these “secure” environments, ranging from data entry clerks to IT network administrators.

To further exacerbate these risk factors, there is an emerging extremist ideology that all information, including an organization’s most secret and proprietary information, should be free and accessible to everyone. Julian Assange of WikiLeaks is perhaps the most prominent exponent of this ideological mantra. Like many others sharing this ideology, he is considered a genius software programmer and cryptographer.(1) This mantra of complete openness insists that government authority should be questioned and transparency maintained even during periods of national emergency when states are threatened by terrorist groups that are intent on launching catastrophic attacks against their infrastructure and populations. “Secrets sustain corruption,” they argue.(2) This was his motivation for creating WikiLeaks in 2006 as the byproduct of “insiders” downloading secret and proprietary information and where the senders’ identities were encrypted to protect them from potential disclosure and prosecution.

Certain governments – notably China’s offensive cyber-espionage program – have long engaged in Internet espionage against their Western adversaries in order to exploit their IT systems for secret and proprietary information. In this new development of “Insider Threat in Information Technology” (ITIT), what are often self-radicalized individuals within Western countries are now contributing to the illegal activities of militant websites such as Wikileaks, which intentionally expose Western governments’ secret documents (while not exposing any potentially damaging Chinese or Russian government official documents, even though these are highly authoritarian and surveillance-intensive regimes), and hacktivist groups such as “Anonymous” that engage in cyber-warfare operations against Western targets (although they attack foreign targets, as well, including North Korea and Mexican drug cartels).(3)

Defining the “Insider Threat”

An “insider threat” is a betrayal of trust by individuals who are employed within organizations who are granted access to their critical IT components and intentionally compromise them in order to sabotage their ability to accomplish their mission. Such acts of betrayal include, but are not limited to, espionage on behalf of a foreign government or business competitor, unauthorized disclosure of secret or proprietary information to a media organization, and any other activity that would degrade an organization’s resources or capabilities. An “insider” might be an individual acting alone or in collusion with others either inside or outside the organization.

In this framework, the “insider” threat is categorized as distinct from a whistleblower threat. Within a government organization, for example, a whistleblower may complain about some of its activities that he or she considers as unjust or inefficient, but the complaint would be transmitted to “proper” bureaucratic channels, with the overall intent to reform, but not destroy the organization, and any secret information at one’s disposal would not be released that might endanger an intelligence agency’s covert agents, or reveal national security-type sensitive information about its covert programs or the location of its covert facilities.

Types of “Insider Threats”

In the realm of information technology, there are three general types of possible insider threats. The first threat involves the theft of secrets or intellectual property, thefts that can go unnoticed for months or even years. The second is the surreptitious removal and transfer of proprietary information from one’s organization to a business competitor. The third threat is the immediate unauthorized “voluminous” dissemination of an organization’s secret information to a third party, such as a media organization or militant website, for worldwide dissemination in order to severely damage its organizational integrity and well-being.

Identifying the Personal and Behavioral Indicators that Produce “Insider” Traitors

Based on the published profiles of individuals who have become “insider” threats to their countries or organizations, such as Bradley Manning and Edward Snowden, several key risk indicators stand out. These risk indicators can be broken down into those that are personal and those that are behavioral in nature. While the personal risk indicators relate to an individual’s predisposing psychological characteristics, the behavioral risk indicators characterize such individuals’ worrisome activities that coalesce to form a warning signal that an “insider” may be engaged in methodical theft against an organization or treasonous activities against one’s country.

It must be emphasized that no single risk indicator is determinant in identifying a potential “insider” threat within an organization. These risk indicators need to be considered in combination with each other, all the while recognizing that each of them might shift in one direction or another, decrease in their intensity, or escalate and become more worrisome over time. Moreover, a large number of individuals within an organization might exhibit some risk indicators at any given time, but will not necessarily cross the threshold of a realized information technology “insider” threat.  Nevertheless, most of the individuals who become traitors to their organizations or countries were later discovered to have displayed numerous personal and behavioral risk indicators during their formative pre-incident phases that should have raised red flags prior to their incidents.

Conclusion: Preemptively Identifying Information Technology Insider Threats

To preemptively identify a susceptible individual in an organization who appears to be on a trajectory to becoming an ITIT, it is crucial for security professionals to develop a situational awareness of the potentially risky personal and behavioral characteristics that such individuals possess and exhibit in their daily activities. Such situational awareness also requires understanding the psychological and behavioral profiles of individuals, such as Bradley Manning and Edward Snowden, who progressed along such ITIT trajectories.

To prevent an “insider threat” incident against an organization or government, security professionals must, therefore, develop a comprehensive and detailed situational awareness of all the risky personal and behavioral risk indicators that might affect their employees. First, appropriate screening processes must be instituted to select new employees. Second, computer networks must be routinely monitored for potential suspicious activity. Third, a potentially risky employee’s colleagues and managers constitute the first line of defense against such individuals who might pose an “insider threat” to their organization. All employees must be trained to help protect their organization’s security by reporting any suspicious mindsets and behaviors that might be associated with a potential compromise of sensitive proprietary or classified information. Finally, one of the most effective methods to defeat the insider threat is to substantially decrease the organizational factors that might increase the ease for “insiders” to surreptitiously remove such sensitive information. Tight regulations must be placed on access privileges to proprietary and classified information as well as exiting procedures out of facilities (including network systems).

Above all, organizations need to promote among their employees a culture based on a strong sense of individual and collective responsibility to safeguard sensitive information, which results from a commitment to and identification with the organization’s goals and values.

Dr. Joshua Sinai is a Washington, DC-based consultant on national security studies.


(1) See Julian Assange, Julian Assange – The Unauthorised Biography (Canongate Books, 2011); Julian Assange, Jacob Applebaum, and Andy Muller-Maguhn Cypherpunks: Freedom and the Future of the Internet (OR Books, 2012).

(2) Steve Fishman, “Bradley Manning’s Army of One,” New York Magazine, July 3, 2011.

(3) For an account about Anonymous, see Parmy Olson, We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency (Back Bay Books, May 2013).

Joshua Sinai

Joshua Sinai

Dr. Joshua Sinai is a Washington, DC-based consultant on national security studies.