Developing Sector Specific Threat Scenarios
Case studies can help articulate the potential impact of insider risks. The unique stories and their impacts are helpful for convincing executive-level and senior level leadership that insider risk needs addressing with action and investment. However, the efficacy of case studies is very limited for developing capabilities to identify insider risk. In part, using case studies to develop potential risk indicators (PRIs) can narrow Insider Threat/Risk Programs’ focus on identifying and mitigating the idiosyncratic details of the case study. From that perspective, it is difficult to differentiate the behaviors or events unique to the case study, from more generalizable patterns (and more effective indicators) of insider risk. Practitioners new to insider risk often identify what they think are logically sound and obvious risk behaviors or events and try to use them as PRIs, only to find that these unique details do not translate beyond the individual case. Using case studies to develop PRIs fails to reflect the creativity intentional or malicious insiders bring to achieve their objectives. Programs that focus on case studies for identifying insider risks tend to “chase the last bad person” rather than proactively identify and mitigate future insider risks.
To address this issue, in 2017 MITRE developed a methodology to identify realistic threat scenarios of insider risks based on direct data collected from frontline employees in government and applied the methodology to generate threat scenarios for the energy sector and higher education sector. “Threat scenarios” are examples of how sector specific employees could intentionally create risk or cause harm by leveraging their unique accesses and knowledge. These threat scenarios are not intended to be comprehensive, but instead are provided as examples to highlight potential avenues for intentional or malicious insiders to operate, and to demonstrate the benefits of moving beyond existing case studies. Additionally, these threat scenarios are intended to encourage programs to focus on concerning behaviors occurring before any threat or impact is realized.