MITRE’s Recommended Terminology for Insider Threat Programs
Naming the Insider Threat/Risk Program to maximize collaboration and minimize misconceptions
The name of your program is important as it can affect the perceptions of leadership and key stakeholders, which in turn affects their willingness to work with and support the program. Generally, employees are viewed as enablers of an organization rather than threats. Programs can facilitate more effective collaboration and buy-in by avoiding the term “Insider Threat” in the name of the program. Programs should also avoid terms like “counter insider threat” as this solicits the misconception that the program is working against or countering employees. Instead, use more palatable terms to describe the program (e.g., “Insider Risk Program” or “Insider Risk Management Program.” Note that the term “Insider Threat Program” is effectively used by U.S. Government programs, therefore, it is used on this website.
Insider Threat/Risk Programs are “proactive”, not “predictive”
It is incredibly difficult to accurately predict human behavior, even with centuries of behavioral sciences, or using data science experts. No tool can reasonably “predict” behavior, and the word is no more than over-promising marketing. Furthermore, the term “predict” can elicit the troubling perception that guilt is assumed before an action is taken. Instead, use “proactive” to describe programs’ efforts to identify potential risks early without the negative connotations or over-promising of “prediction”.
“Deterrence” is achievable, “Prevention” is not
“Prevention” is a very high bar, and it is unlikely any organization that is not completely stove-piped or locked down will be able to reasonably prevent risks from employees with legitimate accesses and inside knowledge. Instead, use the term “deterrence” to set a more reasonable objective for the program to achieve.
Insider Threat/Risk Programs do “Monitoring”, not “Surveillance”
“Surveillance” is very negatively connoted and not well received by most individuals, using the term creates unhelpful, inaccurate perceptions about the operations and goals of the program. The term also generates significant consternation from organizations’ key stakeholders, whose collaboration is required for buy-in, access, and the ultimate success of the program. Instead, we recommend strategically managing perception about the program by using much less negatively connoted language like “monitoring” or “reviewing”.
Insider Threat/Risk Programs use context and indicators of “concern” and “risk”, not “intent”
“Intent” has multiple meanings which can cause confusion amongst key stakeholders by propagating the inaccurate perception that an Insider Threat/Risk Program predicts human behavior (e.g., Minority Report). “Intent” also implies a high degree of certainty about the reasons an individual engages in a behavior, which requires capabilities and authorities beyond what is typically available for Insider Threat/Risk Programs. We recommend using terms that reflect how the program uses indicators for flagging, identifying, and triaging potential risk (e.g., “indicators of concern”, “potential risk indicators”, “context”), rather than terms like ‘indicators of intent’.
“Tactics, Techniques or Procedures (TTPs)” are ineffective for insider risk
With over fifteen years of research, we have concluded the TTP structure is ineffective for identifying insider risk. The term “TTP” emphasizes a very cyber-centric approach to identifying insider risks and fails to recognize that insider threat is an inherently human challenge requiring more than just cyber sensors and a cyber approach. Furthermore, malicious and non-malicious insiders simply act differently than Advanced Persistent Threats (APTs) because they know how to leverage organizational processes to meet their objectives. They obfuscate malicious activities inside their legitimate work activity, and they take actions that do not require them to directly interact with cyber systems or break rules. Instead, use more inclusive and less cyber-centric terms such as “Potential Risk Indicators (PRIs)”.
Be more specific than “behavioral analysis”
“Behavioral analysis” has a particular meaning in the behavioral sciences and is also a licensed healthcare profession regulated in the U.S. and other countries. Using this term to describe tools and approaches can create confusion. Instead, choose more specific labels to describe what your tool and program do analytically.