A persistent challenge for both public and private sector organizations is the threat of harm from trusted individuals—the so-called insider threat or insider risk. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) defines insider threat as the potential for an insider—any person who has or had authorized access to, or knowledge of, an organization’s assets and resources—to use their authorized access, wittingly or unwittingly, to bring harm to the organization’s mission, resources, personnel, facilities, information, equipment, networks, or systems. Similarly, the CERT National Insider Threat Center (Cappelli et al., 2012) defines insider threat as “the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”
As determined by the INFOSEC Research Council in 2005, mitigating insider risks from authorized users is a hard problem across government, industry, and academia—the insider threat was ranked second on their Information Security Hard Problems List (INFOSEC, 2005) and the factors that led to this ranking remain as challenging today as they were then: e.g., “capability gaps” such as the lack of standard metrics or methods for measuring success for technical solutions and the lack of real world data sets that can be used to evaluate countermeasures. In the years since publication of the INFOSEC Hard Problems List, researchers and practitioners have come to recognize that there is a critical need to examine behavioral as well as technical indicators to understand and anticipate these threats (e.g., Cappelli et al., 2012; Greitzer, 2019; Shaw & Sellers, 2015).
Thus, while insider threat research has traditionally addressed insiders’ misuse of technology, tools, or data by focusing on ways to leverage these technical resources to detect and mitigate such incidents, the mission space has expanded to focus on prevention and on identifying ways to counter insider threat incidents through individual and organizational wellness, protection, and health. The social and behavioral science (SBS) disciplines are well-suited to contribute to this emergent counter-insider threat mission space because of their comprehensive approach to understanding human behavior at the micro-, meso-, and macro-levels. To promote this more comprehensive approach, the National Insider Threat Task Force (NITTF) and DoD’s Counter-Insider Threat Program have enlisted the Defense Personnel and Security Research Center (PERSEREC) Threat Lab to host a new, online, open-access journal, Counter-Insider Threat Research and Practice (CITRAP). As the Editor-in-Chief for this new journal, I’m honored and proud to introduce this scholarly resource to the broad counter-insider threat communities of research and practice. CITRAP serves as an interdisciplinary and multidisciplinary resource for scholarly works that report on findings and lessons learned across a broad spectrum of the research and operational communities, including the computational sciences, behavioral sciences, public policy, law, and industry.
A driving vision for this journal is to champion multi-disciplinary SBS research across the counter-insider threat mission space. CITRAP aims to communicate practical and theoretical advances in all aspects of insider threat research and practice and to facilitate the translation of SBS insider threat research into evidence-based practice. The envisioned contributions of CITRAP are:
Focus on insider threat. Many journals include information security or cybersecurity-related research; however, there are currently no peer-reviewed publications dedicated to research and applications aimed at detecting, deterring, preventing, and mitigating insider threats. CITRAP’s multi-disciplinary approach draws on diverse fields, disciplines, and methods to propagate new insights, lessons learned, and technical approaches across the spectrum of insider threat research and operations.
Emphasis on application. CITRAP encourages both theoretical and applied scientific research that offers actionable takeaways for practitioners. In addition to providing Original Research papers that identify practical implications of findings, CITRAP publishes peer-reviewed papers in its Scholarship in Practice section that discuss practical applications—new approaches to countering insider threats, challenges, lessons learned, and thoughtful essays in which practitioners may share their practical experiences.
Conveyance of SBS research. Much of the extant research concerns “rules and tools” for preventing threat events and detecting indicators of imminent threats. These articles tend to be published in technology-focused outlets. While valuable for understanding, preventing, and mitigating threat events, these forums are less likely to attract SBS researchers. CITRAP welcomes all manner of technical, sociotechnical, and SBS-oriented research and operationally oriented manuscripts.
Thus, CITRAP provides a forum where both academics and practitioners can find current, evidence-based papers on issues surrounding insider threat. We expect that the scholarly works published in CITRAP will attract a diverse readership across a range of academic disciplines, practitioner groups, organizational stakeholders (e.g., HR professionals, Insider Threat Program Managers, Security officers, etc.), and policy makers whose interests span the broad range of research and practical challenges facing the insider threat community.
Figure 1 depicts the diverse set of insider threats that fall into the general class of information assurance/security failures. This chart is an updated version of a framework that was used to introduce cyber friendly fire (a little-noticed aspect of unintentional insider threats) by Carroll, Greitzer & Roberts (2014). There are two main classes of insider threat: malicious and unintentional insider threats. In the case of malicious threats, the insider may focus the attack on theft of sensitive information, technology, or materials, sabotage of information or physical assets, fraud, or violence (which may be manifested in acts against people in the organization, i.e., workplace violence, or domestic extremism). Malicious insider threats are often preceded by observable “concerning behaviors” by disgruntled or aggrieved individuals and, if these behaviors are appropriately dealt with by management, could potentially be averted (Cappelli et al., 2012; Shaw & Fischer, 2005). In the case of unintentional insider threats, the risk is created by unwitting individuals within the organization whose actions—or failure to act—increase the potential for harm to the organization’s assets. Unintentional insider threats may result from social engineering attacks, such as phishing, or they may arise from errors of judgment or lack of training in which actions taken by cyber defenders have unintended negative consequences (cyber friendly fire). Unintentional insider risk/threats have been associated with various human and organizational contributing factors including stress, overwork, attention lapses, or negligence (Greitzer et al., 2014).
CITRAP encourages contributions from research and practice representing the varied pathways in Figure 1. We welcome articles describing Original Research or Scholarship in Practice that address all manner of technical, sociotechnical, and SBS-oriented approaches in countering insider risk, including (but not limited to) predictive analytics for insider threat anticipation, advancements or innovations in the specification of potential risk indicators, social-behavioral models that highlight individual human behavioral or organizational contributing factors, the role of organizational factors as insider threat risks, measures of effectiveness of insider threat mitigation programs, and future challenges envisioned for insider threat programs. For this inaugural issue, we are pleased to present contributions that address timely and important topics.
Authors Mark Lenzenweger and Eric Shaw, in their original research paper, “The Critical Pathway to Insider Risk Model: Brief Overview and Future Directions,” describe the development and continuing evolution of the framework posed by Shaw and Sellers (2015) that facilitates identifying critical characteristics and contributing factors that underlie many insider threat incidents. The Critical Pathway to Insider Risk (CPIR) describes predisposing factors (e.g., dispositional factors such as personality traits, psychopathology, interpersonal styles), stressors, concerning behaviors, and maladaptive organizational responses. The authors review the CPIR model, discuss feedback received from the field, and discuss current and future challenges relating to the theory and methodology underlying the framework, its psychosocial features, and the predictive validity of its insider risk constructs. This critique and their discussion of challenges for future research and development will, one hopes, stimulate additional discourse.
An original research paper titled “Multiple Approach Paths to Insider Threat (MAP-IT): Intentional, Ambivalent and Unintentional Pathways to Insider Threats” by Jordan Richard Schoenherr, Kristoffer Lilja-Lolax, and David V. Gioe emphasizes the importance of considering both individual motivation and social context in understanding insider threats. Their proposed multiple-path insider threat framework distinguishes three motivational pathways (intentional, unintentional, and ambivalent) and decomposes the intentional pathway into antisocial, asocial, and prosocial motivations (e.g., personality traits, group membership). Extending beyond the view that psychosocial insider threat indicators reflect maladaptive behaviors or psychopathologies, this approach considers how insider threats can be understood as normal interpersonal processes or psychological mechanisms (such as cognitive dissonance) for dealing with perceived discrepancies in one’s attitudes and behaviors and those of other groups and group members that lead to insider threats. The framework is illustrated with representative case studies.
In a Scholarship in Practice paper titled “Reducing Insider Risk Through Positive Deterrence,” Andrew Moore, Carrie Gardner and Denise Rousseau describe why and how insider risk management programs can use positive as well as the traditional reactive, or compliance-oriented approaches to countering insider threats. The positive deterrence approach bridges security and HR functional frameworks and promotes the articulation of strategies that benefit both the security needs of the organization and the needs and wellbeing of the workforce. The authors provide actionable guidance on how to incorporate positive deterrence strategies to achieve a more balanced, proactive approach to reduce insider risk. These clear operational implications should make this paper required reading for all insider threat professionals in the operational community.
A Scholarship in Practice article titled “Domestic Extremism: How to Counter Threats Posed to Critical Assets,” by Jessica Baweja, Madelyn Dunning, and Christine Noonan, discusses the findings of a study the authors conducted on protecting critical assets against the threat of domestic extremism posed by radicalized insiders. Focus groups were interviewed to identify best practices, tools, or techniques relevant to preventing or countering domestic extremism and to identify gaps in security measures. Their findings emphasized the importance of appropriate prevention and response measures, suggesting that organizations should foster strong security cultures, provide clear guidance for employee behavior (codes of conduct), and consider creating behavior observation programs (as legally authorized and appropriate) to address early intervention. The authors provide recommendations on practices that might be especially important to counter the threat to critical infrastructures posed by domestic extremism.
A third Scholarship in Practice article, titled “Seven (Science-Based) Commandments for Understanding and Countering Insider Threats,” highlights the criticality of human factors and social science approaches to countering insider threats. Eric Lang, Director of the Personnel and Security Research Center (PERSEREC), offers seven useful overarching insights and recommendations gleaned from decades of research. These “seven Commandments” advise us to value personal and social dynamics solutions; improve supervisor and coworker reporting; implement comprehensive, fair, and effective continuous evaluation; conduct timely, team-based, transparent and humane follow-up procedures; provide mental health education that promotes help-seeking and reduces mental health stigma; help leaders, managers, and supervisors develop healthy organizational cultures; and avoid quick and dirty education and assessment methods. Importantly, it is argued that effective implementation of these principles requires active involvement by social scientists and subject matter experts in counter-insider threat programs.
In addition to the peer-reviewed articles, CITRAP provides invited Perspectives articles on topics of high interest that provide timely contributions to contextualize findings within a field, add a new dimension to previously published research, or discuss current advances and novel insights. In this inaugural issue, we are pleased to call readers’ attention to Perspectives articles that encourage debate and discussion across our communities of research and practice.
In a Perspectives article titled “Counter Insider Threat: A Process of Evolution… and a Point of Departure,” Brad Millick (Director of Counter Insider Threat at the Department of Defense and a CITRAP stakeholder) provides some background on the establishment of the federal government’s insider threat program, particularly within the Department of Defense (DoD)—its evolution, key principles underlying its focus on human behavior, and the alignment of CITRAP’s goals with the program’s mission.
Robert Rohrer, Director of the National Insider Threat Task Force, offers a Perspectives article titled “Welcome to the Counter-Insider Threat Research and Practice Journal’s Inaugural Issue” in which he describes how the field has matured over the past ten years, progressing well beyond individual-focused analytics to include broader objectives – informed by the social and behavioral sciences – to reduce organizational risk by leveraging “trusted workforce” concepts.
A Perspectives article by Eric Lang, Director of PERSEREC, discusses research at PERSEREC and The Threat Lab to strengthen three critical nets for countering insider threats—the security net, safety net, and stakeholder net—by facilitating information sharing among organizational leaders, policy-makers, operations managers, HR specialists, security professionals, social scientists and education/training experts.
In conclusion, the articles in this inaugural issue represent important SBS-related topics to advance insider threat research and practice. By informing readers about new approaches to improve organizational risk mitigation programs and response to insider threat, new or refined psychosocial constructs along the critical pathway to insider risk, and timely recommendations on how to address troubling challenges in assessing internal threats posed by domestic extremism, these papers should provide inspiration for innovations in research and practice that will advance the insider threat field.
On behalf of the excellent Editorial Team and the devoted CITRAP Associate Editors, I would like to thank the authors of the articles published in this issue for contributing and sharing their work with the broader research community, and I would especially like to thank all the authors who submitted papers to CITRAP and encourage these authors as well as readers to embrace CITRAP as a preferred outlet for their publications in the counter-insider threat domain. I also wish to thank the CITRAP Editorial Team for its hard work over the past year to stand up this journal: I’m indebted to Stephanie Jaros for her dedication in establishing stakeholder support for CITRAP and to the members of the editorial staff who have made this publication a reality—Michael Hunter, Maura Burke, Adrienne Fox Luscombe, Leanna Attias, and Leissa Nelson: your efforts have been crucial to the success of CITRAP, and much appreciated. To my Associate Editors—Bill Claycomb, Deb Loftis, Christine Noonan and Matthew Schumacher—thank you for your commitment in helping to manage the manuscript reviews and decision process. As Stephanie Jaros, the architect of CITRAP, would say: “Onward and Upward!”
PERSEREC supports The Threat Lab, which produces the CITRAP journal.