A Critical Reflection on the Threat from Human Insiders – Its Nature, Industry Perceptions, and Detection Approaches

  • Jason R. C. Nurse
  • Philip A. Legg
  • Oliver Buckley
  • Ioannis Agrafiotis
  • Gordon Wright
  • Monica Whitty
  • David Upton
  • Michael Goldsmith
  • Sadie Creese
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8533)


Organisations today operate in a world fraught with threats, including “script kiddies”, hackers, hacktivists and advanced persistent threats. Although these threats can be harmful to an enterprise, a potentially more devastating and anecdotally more likely threat is that of the malicious insider. These trusted individuals have access to valuable company systems and data, and are well placed to undermine security measures and to attack their employers. In this paper, we engage in a critical reflection on the insider threat in order to better understand the nature of attacks, associated human factors, perceptions of threats, and detection approaches. We differentiate our work from other contributions by moving away from a purely academic perspective, and instead focus on distilling industrial reports (i.e., those that capture practitioners’ experiences and feedback) and case studies in order to truly appreciate how insider attacks occur in practice and how viable preventative solutions may be developed.


insider threats, human factors, technical and psychological indicators, detection approaches, survey reports





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Jason R. C. Nurse (1)
  • Philip A. Legg (1)
  • Oliver Buckley (1)
  • Ioannis Agrafiotis (1)
  • Gordon Wright (2)
  • Monica Whitty (2)
  • David Upton (3)
  • Michael Goldsmith (1)
  • Sadie Creese (1)

  1. Cyber Security Centre, Department of Computer Science, University of Oxford, UK
  2. Department of Media and Communications, University of Leicester, UK
  3. Saïd Business School, University of Oxford, UK
