The CERT Guide to Insider Threats
by Dawn Cappelli, Andrew Moore and Randall Trzeciak

Addison-Wesley 2012.
ISBN 978-0-321-81257-5, USD 35.88

Reviewed by Richard Austin, May 23, 2013

This was a hard book to review - it is intended to be introductory and targeted at a non-technical reader, a decision which led to a glacial pace of presentation and frustratingly shallow detail in many areas. However, it also has the huge plus of being based on analysis of 700+ cases of insider abuse collected by CERT over a ten-year period. For that reason alone, I respectfully recommend it to your attention.

The term "insider threat" can have many meanings so the authors clearly set their scope as "a current or former employee, contractor or business partner who has or has had authorized access to an organization's network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity or availability of information or information systems" (p. xx). That definition earns the authors bonus credit for including both contractors and business partners.

Based on their analysis, the authors identify three profiles for insider threats:
IT sabotage
Theft of intellectual property

As security professionals, our goals for insider threats are to identify the factors that make the threat likely to occur (the authors call these "predispositions"), to recognize that the threat has been instantiated, and to mitigate the threat or its effects. The authors address those goals by abstracting the results of their analysis of insider threat into the MERIT model ("Management and Education of the Risk of Insider Threat"). MERIT is a system dynamics model and some readers may benefit from a more substantial introduction to the topic (e.g., Meadows, D. H. [2008]. Thinking in Systems: A Primer. Chelsea Green Publishing).

Each threat profile is described in its own chapter where the model for that threat is presented. For example, the authors found that cases involving theft of intellectual property (IP) fit two general patterns: "entitled independent" and "ambitious leader". The "entitled independent" is, for example, the engineer who feels a proprietary ownership in the new product she developed and feels "entitled" to take the design with her when her position is eliminated during an economic downturn. The "ambitious leader" recruits a group of insiders to pilfer intellectual property for a share in the financial reward. The MERIT model for these patterns portrays the factors and relationships that give rise to the threat and shows where organizational responses can be most effectively applied. For example, the desire to steal for an "entitled independent" arises from the interplay between their contribution to the IP and feelings of ownership and precipitating events such as dissatisfaction or a job offer from a competitor. There's obviously a tension here where even though the feeling of entitlement predisposes the engineer to potentially steal the product, the organization benefits from the engineer's substantial contributions to the product and feelings of ownership. The models recognize this tension by suggesting that organizations include recognition of precipitating events as triggers for defensive measures such as increased behavioral monitoring.

After working through the threat models, the authors turn their attention to detection and prevention. Chapter 6 reviews 16 best practices (ranging from consistently enforcing policies to effective monitoring). The best practices are each presented in a "how to" followed by a "what happens if you don't" case study. The list of best practices contains no surprises but a reexamination of "the usual suspects" from an insider-threat perspective is useful.

Chapter 7, "Technical Insider Threat Controls", provides managerially-focused readers with a brief introduction to how intrusion detection systems (IDS), network flow data, security information and event management (SIEM), etc., can be effectively used in detecting instantiation of insider threats.

For technical professionals, the takeaways from this book revolve around the MERIT model and its way of looking at insider threats. The authors provide footnote references to the papers that back up the book chapters, and many of the lamented missing details are found in those papers. For managerial professionals, this is an excellent introductory book for understanding the scope of the insider threat and what organizations can do to predict, recognize and mitigate the threat.

It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org.