Why Insider Threat Denial is Everyone’s Problem

People don’t like to admit when they’re wrong. And really, who can blame them? Being wrong is uncomfortable, anxiety-inducing, and embarrassing. These are all feelings that people try their best to avoid.


One of the most common methods for avoiding them is denial, or the unwillingness to accept something as truth. This isn’t a blog explicitly about human psychology, but it is about a dangerous cybersecurity problem rooted in it: insider threat denial syndrome.


Insider threat is a major source of headache for security professionals, but their concern tends to center on the malicious insider: the rogue employee, or an outside attacker operating through a compromised insider account, who actively and deliberately works against the organization. 31% of security professionals rate malicious insiders as the most damaging type of insider threat to their organization; only 11% believe an accidental insider breach will do more damage. It seems that some security professionals are in denial about the fact that a careless employee can hurt the organization just as badly as a malicious one.

Given that a whopping 46% of security incidents involved careless employees, security professionals need to treat every type of insider threat with the same level of attention and criticality.

The pros of preparation and active monitoring far outweigh the cons, and IT and security professionals need to prepare for the careless employee just as much as for the malicious actor. The non-malicious insider who opens a suspicious email or attachment, or falls for an obvious phishing scam, hands their credentials and access to an outsider and can wreak just as much havoc as a malicious insider. It is hard to imagine anyone denying that such an accident is possible, yet the familiar reflex is denial dressed up as a line of defense: "Nope, wouldn't happen; my team is too smart for that."

Insider threats are difficult to identify, and accidental ones especially so. It is important, however, to treat every insider threat, malicious or not, as equally serious. Fortunately, there are ways to identify, predict, and contain these threats and so protect your team, your organization, and your reputation in the market. Here are a few tips:


People behave differently when they know their activity is being monitored. To deter misuse, abuse, or other suspicious activity on your company's devices or network, adopt monitoring of onsite employees and contractors as a standard practice and communicate it openly. While most employees are aware (and accept) that the IT team observes their behavior, it is still good to be transparent about exactly what you monitor and why.


Every employee and team in an organization is measured against business key performance indicators (KPIs), and the same discipline should apply to your cybersecurity approach. With cybersecurity KPIs you can measure the risk level of individuals and departments, as well as of the organization as a whole. Security Risk Scoring (SRS) is one practical methodology for predicting potential threats and measuring ongoing risk exposure.


Though monitoring and measuring are necessary, overdoing both can impact employee morale and productivity. With solutions like Preempt, your employees are empowered to help you maintain tight security across the organization. Trust can be used as leverage for both parties here: When you trust your employees to educate themselves against risk and report anything suspicious, they trust you to avoid forms of targeted, invasive monitoring.


As we mentioned above, malicious, deliberate insider threats are not as common as simple accidents. Real-time training programs and ongoing feedback about security best practices are critical to preventing such slip-ups. One way to make training more effective is by tying your lessons to real-world, contextual situations. This way, best practices become less theoretical and more rooted in reality, and are more easily remembered by your team.


When you've got all of the above bases covered, it's time to think about detection strategies. What is anomalous but benign behavior? What is anomalous and worth paying attention to? Which actions are truly malicious? By building the right logic into your cybersecurity solution, user activity data can be ingested, processed, and used to decide what should be observed more closely and what can safely be ignored.
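As an added illustration of both the scoring idea from the KPI tip above and the three-way sort of anomalies in this one, here is a toy baseline-and-classify routine. This is example code written for this page, not code from the Preempt post or the Preempt product; the logon fields, the constructed history and new events, the thresholds and the score weights are all assumptions chosen for illustration. It builds a per-user baseline of usual hosts and hours, labels each new successful logon as normal, anomalous-but-benign (known host, unusual hour), worth investigating (unknown host), or suspicious (a run of failures from an unknown host followed by a success, the shape a phished credential often takes), and then rolls the weights up into a risk score per user and per department.

```python
"""Toy insider-activity classifier and risk roll-up (added example, not from the post).

All field names, sample records, thresholds and weights are assumptions made
for illustration; they are not a real product's scoring scheme.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    user: str
    dept: str
    host: str
    hour: int       # local hour of day, 0-23
    success: bool


# Constructed baseline history: the hosts and hours each user normally logs on from.
HISTORY = [
    Logon("alice", "finance", "fin-ws-01", h, True) for h in (8, 9, 10, 13, 16, 17)
] + [
    Logon("bob", "eng", "eng-ws-07", h, True) for h in (9, 11, 14, 18, 20)
] + [
    Logon("bob", "eng", "build-01", 15, True),
]

# Constructed batch of new events to classify against that baseline.
NEW_EVENTS = [
    Logon("alice", "finance", "fin-ws-01", 9, True),    # routine
    Logon("bob", "eng", "eng-ws-07", 23, True),         # late night, but the usual host
    Logon("alice", "finance", "fin-ws-09", 10, True),   # new host during business hours
    Logon("alice", "finance", "vpn-gw-02", 3, False),   # off-hours failures from a new host...
    Logon("alice", "finance", "vpn-gw-02", 3, False),
    Logon("alice", "finance", "vpn-gw-02", 3, False),
    Logon("alice", "finance", "vpn-gw-02", 3, True),    # ...followed by a success
]

# Assumed weights per label; tune to your own environment.
SCORES = {"normal": 0, "anomalous_benign": 1, "investigate": 3, "suspicious": 10}
# Assumed number of consecutive failures that turns a later success into "suspicious".
FAILURE_THRESHOLD = 3


def build_baseline(history):
    """Return (hosts, hours): per-user sets of hosts and hours seen in successful logons."""
    hosts = defaultdict(set)
    hours = defaultdict(set)
    for e in history:
        if e.success:
            hosts[e.user].add(e.host)
            hours[e.user].add(e.hour)
    return hosts, hours


def classify(events, baseline):
    """Label each event; returns a list of (event, label) in input order."""
    hosts, hours = baseline
    failures = defaultdict(int)   # consecutive failures per (user, host)
    labelled = []
    for e in events:
        if not e.success:
            # A single bad password is noise; we judge failures by what follows them.
            failures[(e.user, e.host)] += 1
            labelled.append((e, "normal"))
            continue
        known_host = e.host in hosts[e.user]
        known_hour = e.hour in hours[e.user]
        if failures[(e.user, e.host)] >= FAILURE_THRESHOLD and not known_host:
            label = "suspicious"          # guessing/stuffing from an unfamiliar host, then success
        elif not known_host:
            label = "investigate"         # new host: anomalous and worth a look
        elif not known_hour:
            label = "anomalous_benign"    # usual host, unusual hour: probably just working late
        else:
            label = "normal"
        failures[(e.user, e.host)] = 0    # a success resets the failure run
        labelled.append((e, label))
    return labelled


def risk_scores(labelled):
    """Roll label weights up into a risk score per user and per department."""
    by_user = defaultdict(int)
    by_dept = defaultdict(int)
    for e, label in labelled:
        by_user[e.user] += SCORES[label]
        by_dept[e.dept] += SCORES[label]
    return dict(by_user), dict(by_dept)


if __name__ == "__main__":
    labelled = classify(NEW_EVENTS, build_baseline(HISTORY))
    for e, label in labelled:
        print(f"{e.user:6} {e.host:10} {e.hour:02d}:00 ok={e.success!s:5} -> {label}")
    users, depts = risk_scores(labelled)
    print("per user:", users)
    print("per department:", depts)
```

The point of the three buckets is triage, not verdicts: the late-night logon from bob's own workstation scores low and is simply recorded, alice's new workstation earns a look, and the off-hours failure run from a VPN gateway that ends in a success is the one a responder should see first. In practice the baseline would come from weeks of logs rather than a hard-coded list, and the weights would be revised as analysts close cases.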


A tool must be appropriate for the problem it is being used to fix. When it comes to empowering your team to help monitor and report security issues, offer them a range of tools and solutions so that they can pick the most flexible, adaptive control for the situation at hand. Also ensure that the user's response feeds back into the system; that feedback is how the tool learns normal behavior and gets smarter over time, and it reduces the burden on security officers by automating part of the incident response process.

To learn more about how to implement a real-time Insider Threat program, read this whitepaper: "How to Eliminate Insider Threats".

*** This is a Security Bloggers Network syndicated blog from Preempt Blog authored by Eran Cohen. Read the original post at: