*The terms ‘insider risk’ and ‘insider threat’ are often used interchangeably, even though it could be argued that technically they are quite different. We won’t unpack that debate here: for the purposes of this note we will assume the terms mean the same thing.*


Introduction

What’s an “insider”? An insider is

any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.

or

any person who has, or previously had, authorized access to or knowledge of the organization’s resources, including people, processes, information, technology, and facilities.

It is generally accepted that there are two types of insider threats: malicious and non-malicious insider threats.

“2 out of 3 insider threat incidents are caused by negligence” (Swiss Cyber Institute)

For the most part, Human Risk Management, Security Awareness or Security Culture efforts (whichever of these monikers and approaches you choose to adopt) have the potential to affect primarily non-malicious insider threats; a deliberately malicious insider is not going to be talked out of it by an awareness campaign.

Non-malicious insider threats break down into three categories, and the team at MITRE do a great job of explaining them.

Three types of non-malicious insider

MITRE defines three types of non-malicious insider threats, and understanding them helps avoid using a one-size-fits-all approach to security:

  1. Negligent Insiders – These are people who know the security rules but ignore them anyway. Maybe they think the rules are unnecessary, or they’re just careless. Either way, their behavior can put the organization at risk.
  2. Mistaken Insiders – These employees aren’t intentionally breaking the rules; they just make honest mistakes. Security isn’t their main focus, and with everything else on their plate, slip-ups happen—especially when they’re under pressure or don’t have enough resources.
  3. Outsmarted Insiders – These individuals fall for new tricks before they’ve had the chance to learn how to defend against them. Just like software can have vulnerabilities that cyber criminals discover, people can be caught off guard by new social engineering tactics or evolving threats.