

About Dawn Cappelli

Dawn Cappelli is a Senior Member of the CERT Technical Staff at Carnegie Mellon University’s Software Engineering Institute (SEI). She has over 25 years of experience in software engineering, including programming, technical project management, information security, and research. She is technical lead of CERT’s insider threat research, a CyLab-funded project. She recently sat down for a CyLab Chronicles Q&A to give an update on this important, ongoing work.


CyLab Chronicles

Q&A with Dawn Cappelli

posted by Richard Power

CyLab Chronicles: Give us a brief synopsis of the Insider Threat project so far?

CAPPELLI: Research conducted by CERT since 2001 has focused on gathering data about actual malicious insider acts, including espionage, IT sabotage, fraud, theft of confidential or proprietary information, and potential threats to our nation's critical infrastructures. In 2002, the Insider Threat Study team, comprised of U.S. Secret Service (USSS) behavioral psychologists and CERT information security experts, collected approximately 150 actual insider threat cases that occurred in US critical infrastructure sectors between 1996 and 2002, and examined them from both a technical and a behavioral perspective. Over the past two years, we have used CyLab funding to update our case library with more recent cases. We collected almost 100 additional cases and coded them in our CERT/CyLab database, bringing our case library to a total of nearly 250 cases. That case library was used last year for the following three projects:

  • Empirically-Based Insider Threat Risk Assessment Diagnostic
  • Modeling Patterns of Insider Fraud and Theft of Confidential or Sensitive Information: A Basis for Empowering Business and IT Managers
  • The third edition of the Common Sense Guide for Prevention and Detection of Insider Threats

In prior years, the CERT/CyLab MERIT team developed an empirically-based system dynamics model of insider IT sabotage that embodies the key technical, social, and organizational patterns of behavior that we saw in a majority of cases. The modeling process and the model itself helped us better understand how the threat evolves over time, and effective mitigations of the risk. The purpose of the project to model insider fraud and theft of confidential or sensitive information is to extend MERIT to include a comprehensive pattern analysis and transition materials for all types of insider threat, including fraud, theft of confidential or sensitive information, and IT sabotage. Outputs of this project will include a complete package of empirically-based insider threat system dynamics models and workshop materials. Over the past year, our modeling efforts have produced preliminary findings regarding patterns in these types of incidents that have been quite enlightening, and useful in raising awareness to potential “red flags” that could indicate potential illicit insider activity.

CyLab Chronicles: What results do you consider significant? What has this study revealed that surprised you? Have any of its findings contradicted any common assumptions about the Insider Threat, or conversely, has it validated such assumptions?

CAPPELLI: We began our modeling efforts by analyzing cases of insider theft and insider fraud to identify patterns of insider behavior, organizational events or conditions, and technical issues across the cases. Our analysis of 87 theft cases and 49 fraud cases revealed a surprising finding: the patterns identified actually separated the crimes into two different classes than originally expected:

  • Theft or modification of information for financial gain – This class includes cases where insiders used their access to organization systems either to steal information that they sold to outsiders, or to modify information for financial gain for themselves or others. Insiders in this class were generally current employees in relatively low-level positions, with a fairly equal split among male and female perpetrators. Insiders stole personally identifiable information or customer information, or modified data. They committed their crimes during normal working hours using their authorized access.
  • Theft of information for business advantage – This class includes cases where insiders used their access to organization systems to obtain information that they used for their own personal business advantage, such as obtaining a new job or starting their own business. Insiders in this class were all men in relatively high-level positions, many in technical positions like scientists, engineers, or programmers; or sales. Insiders stole intellectual property and customer information during normal working hours; most of them used their authorized access. Those who did not use authorized access were all former employees.

There are some interesting differences between these two classes of theft that influence how they are detected. When financial gain is the specific motive, crimes tend to involve theft of small amounts of data (e.g., social security numbers) repeatedly over long periods of time. When business advantage is the motive, crimes tend to involve much larger amounts of data (e.g., proprietary source code) and often occur within three weeks before the insider’s resignation. Both types of crime had a high rate of collusion with both insiders and outsiders; this behavior, if detected, also provides an opportunity for an organization to perceive a higher risk of insider theft and act on those foresights. We have compiled a variety of statistics from this work that can inform organizations on cost-effective defenses to the insider threat. One striking finding in our most recent analysis is that in over 2/3 of the 31 cases of theft for financial gain, the insider was recruited to steal by someone outside the organization. In many of these cases, the insider was taking most of the risk, while receiving relatively small financial compensation. Often the outsider was a relative of the insider or an acquaintance who realized the value of exploiting the insider’s access to information. This suggests that organizations should educate employees on their responsibilities for protecting the information with which they are entrusted, and the possibility that unscrupulous individuals will try to take advantage of their access to that information.

CyLab Chronicles: Are there any mistakes or areas of weaknesses in regard to personnel security, physical security or information security that you find occurring over and over in the incidents that you have researched?

CAPPELLI: Insider threats are often delegated to the IT or information security departments. It is difficult, if not impossible, to prevent many insider crimes through technology alone, however. First of all, technical users are aware of technical measures and countermeasures, both proactive and reactive, and therefore are able to work around them if properly motivated. Non-technical users tend to commit their crimes using authorized access in the course of performing their daily activities. Therefore, it can be very difficult to distinguish between malicious and non-malicious online activity. Therefore, the CERT/CyLab MERIT work promotes a holistic approach to insider threat risk mitigation. We believe it is important that organizations understand the “big picture” of insider threat, and that responsibility for prevention and detection of insider threat is shared among IT/information security, human resources, management, physical security, legal, and the data owners.

The Common Sense Guide for Prevention and Detection of Insider Threats, which is discussed below, details specific best practices which can be implemented across the organization.

CyLab Chronicles: Tell us about the Diagnostic tool you have developed? What is it? What is its scope? What does it tell us? How is it applied?

CAPPELLI: The purpose of the Insider Threat Diagnostic is to organize all of the issues of concern in the hundreds of cases in the CERT/CyLab insider threat database into a single actionable framework that can be used by organizations to assess their insider threat risk. The insider threat diagnostic enables organizations to gain a better understanding of actual insider threat activity and an enhanced ability to assess and manage associated risks. It merges technical, organizational, personnel, and business security and process issues into a single, actionable framework. The instrument is structured to encompass all stakeholders in the fight against insider threat: management, information technology, information security, human resources, software engineering, “data owners”, and physical security.

The diagnostic captures specific vulnerabilities that were exploited in insider threat cases in our database. Vulnerabilities include technical vulnerabilities and issues, as well as exploits that were facilitated by oversights in technical practices, business processes, human resources functions, management practices, organizational policies and practices, and legal issues. We have organized those vulnerabilities into a series of workbooks. Each workbook has a specific audience, and contains all issues applicable to that audience. In addition, each issue is reinforced with one or more actual case examples to illustrate the details that were overlooked by the victim organizations in the cases. Six workbooks were created:

  • Information Technology/Information Security
  • Human Resources
  • Management
  • Physical Security
  • Software Engineering
  • Data “Owners”
  • Legal

The workbooks are used to conduct insider threat assessments via face-to-face interviews onsite by the CERT/CyLab MERIT team. Following the assessment, the organization is provided with a confidential report of findings that details areas of concern for their organization, as well as how prevalent each area of concern was in the cases in the CERT/CyLab database.

We are also designing an insider threat workshop based on the diagnostic, which emphasizes the most prevalent problems observed in the hundreds of cases in our database. The workshop will be offered soon.

CyLab Chronicles: Based on your research, what are the top five action items or best practices you would advise corporations to implement to thwart or mitigate the Insider Threat?

CAPPELLI: In October we published the 3rd Edition of the Common Sense Guide for Prevention and Detection of Insider Threats. This document has been one of the most downloaded documents on the CERT website for the past several years. The latest edition contains some new practices based on our analysis of the 100 recent cases added to our database. In addition, all practices from the 2nd edition have been updated to include recent trends, patterns, and issues from the new cases. We recommend that readers refer to that document for a description of how the practices, policies and technologies outlined in that report could have been successful in preventing or detecting actual insider incidents earlier. The practices include:
PRACTICE 1: Consider threats from insiders and business partners in enterprise-wide risk assessments
PRACTICE 2: Clearly document and consistently enforce policies and controls.
PRACTICE 3: Institute periodic security awareness training for all employees.
PRACTICE 4: Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process.
PRACTICE 5: Anticipate and manage negative workplace issues.
PRACTICE 6: Track and secure the physical environment.
PRACTICE 7: Implement strict password and account management policies and practices.
PRACTICE 8: Enforce separation of duties and least privilege.
PRACTICE 9: Consider insider threats in the software development life cycle.
PRACTICE 10: Use extra caution with system administrators and technical or privileged users.
PRACTICE 11: Implement system change controls.
PRACTICE 12: Log, monitor, and audit employee online actions.
PRACTICE 13: Use layered defense against remote attacks.
PRACTICE 14: Deactivate computer access following termination
PRACTICE 15: Implement secure backup and recovery processes
PRACTICE 16: Develop an insider incident response plan.

Insider Threat Resources:

a) Risk Mitigation Strategies: Lessons Learned from Actual Attacks (.pdf) – RSA Conference, April 2008, San Francisco (D. Cappelli, A. Moore)

b) Cappelli, D.M., Moore, A.P., and Shimeall, T.J. Common Sense Guide to Prevention and Detection of Insider Threats. CyLab Member’s Report, April 2005 (updated July 2006 and October 2008).

c) The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures – published chapter in the book Insider Attack and Cyber Security: Beyond the Hacker, eds. Stolfo, S.J., et al., Springer Science + Business Media, LLC, 2008. Also published as an SEI Technical Report - CMU/SEI-2008-TR-009.

d) Greitzer, Frank; Moore, Andrew; Cappelli, Dawn; Andrews, Dee; Carroll, Lynn; Hull, Thomas. “Combating the Insider Cyber Threat”. IEEE Security & Privacy (January/February 2008): 61-64.

e) Insider Threat and the Software Development Life Cycle – CERT podcast, March 2008 (D. Cappelli)

f) Protecting Against Insider Threat – CERT podcast, November 2006 (D. Cappelli)

g) 2007 E-Crime Watch Survey. CERT, US Secret Service, CSO Magazine, and Microsoft. Available at

h) Keeney, M.M., Kowalski, E.F., Cappelli, D.M., Moore, A.P., Shimeall, T.J., and Rogers, S.N. Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. Joint SEI and U.S. Secret Service Report, May 2005. Available at

i) Randazzo, M.R., Keeney, M.M., Kowalski, E.F., Cappelli, D.M., and Moore, A.P. 2004. Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector. Joint SEI and U.S. Secret Service Report, August 2004. Available at

j) Kowalski, E.F., Cappelli, D.M., and Moore, A.P. 2008. Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector. Joint SEI and U.S. Secret Service Report, January 2008. Available at

k) Kowalski, E.F., Conway, T., Keverline, S., Williams, M., Cappelli, D.M., Moore, A.P., and Willke, B. 2008. Insider Threat Study: Illicit Cyber Activity in the Government Sector. Joint SEI and U.S. Secret Service Report, January 2008. Available at

l) Moore, A.P., Cappelli, D.M., Joseph, H., and Trzeciak, R.F. 2006. An Experience Using System Dynamics to Facilitate an Insider Threat Workshop. In Proceedings of the 25th Conference of the System Dynamics Society, July 2007.

m) Cappelli, D.M., Desai, A.G., Moore, A.P., Shimeall, T., Weaver, E.A., and Willke, B.J. 2006. Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage. In Proceedings of the 24th Conference of the System Dynamics Society, July 2006. Available at
