Insider Risk Management


  1. Security Policy Reform Council. Insider Threat Subcommittee. (2017). Assessing the Mind of the Malicious Insider: Using a Behavioural Model and Data Analytics to Improve Continuous Evaluation. Intelligence and National Security Alliance (INSA).
  2. Wetzel, J. (2017). Insider Threats to Financial Services: Uncovering Evidence with External Intelligence. Recorded Future.
  3. Scott, J., and Spaniel, D. (2016). In 2017, the Insider Threat Epidemic Begins. Institute for Critical Infrastructure and Technology (ICIT). Washington D.C. ICIT.
  4. Costa, D., Albrethsen, M., Collins, M., Perl, S., Silowash, G., Spooner, D. (2016). An Insider Threat Indicator Ontology. Carnegie Mellon University CERT Division. Software Engineering Institute.
  5. CERT Insider Threat Center. (2016). Common Sense Guide to Mitigating Insider Threats, Fifth Edition. Carnegie Mellon University CERT Division. Software Engineering Institute.
  6. Moore, A., Perl, S., Cowley, J., Collins, M., Cassidy, T., VanHoudnos, N. (2016). The Critical Role of Positive Incentives for Reducing Insider Threats. Carnegie Mellon University CERT Division. Software Engineering Institute.
  7. Moore, A., Novak, W., Collins, M., Trzeciak, R., Theis, M. (2015). Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls. Carnegie Mellon University. Software Engineering Institute.
  8. Shaw, E. and Seller, L. (2015). Application of the Critical Path-Method to Evaluate Insider Risk. Studies in Intelligence. Vol. 59 (2), pp 1-8.
  9. Cole, E. (2015). Insider Threats and The Need for Fast and Directed Response. SANS Institute Reading Room.
  10. (2015). Analytic Approaches to Detect Insider Threats. Carnegie Mellon University.
  11. Moore, A., Collins, M., Mundie, D., Ruefle, R., McIntire, D. (2014). Pattern-Based Design of Insider Threat Programs. Carnegie Mellon University CERT Division. Software Engineering Institute.
  12. Upton, D., Creese, S. (2014). The Danger from Within. Harvard Business Review.
  13. Shaw, E., Payri, M., Cohn, M., Shaw, I. (2013). How Often Is Employee Anger an Insider Risk II? Detecting and Measuring Negative Sentiment versus Insider Risk in Digital Communications – Comparison between Human Raters and Psycholinguistic Software. The Journal of Digital Forensics, Security and Law. Vol 8(2) article 3, pp. 72-92.
  14. Flynn, L., Huth, C., Trzeciak, R., Buttles, P. (2013). Best Practices Against Insider Threats in All Nations. Carnegie Mellon University CERT Division. Software Engineering Institute.
  15. Cummings, A., Lewellen, T., McIntire, D., Moore, A., and Trzeciak, R. (2012). Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector. Carnegie Mellon University CERT Program. Software Engineering Institute.
  16. Lockheardt, C. (2012). The Human Factor: Using Behavioral Science to Counter Insider Threats. MITRE.
  17. Moore, A., Cappelli, D., Caron, T., Shaw, E., Spooner, D. (2011). A Preliminary Model of Insider Theft of Intellectual Property. Carnegie Mellon University. Software Engineering Institute.
  18. Shaw, E. and Stock, H. (2011). Behavioural Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall. Symantec.
  19. Defense Personnel Security Research Center. (2009). Espionage and Other Compromises in National Security: 1975 to 2008. PERSEREC.
  20. Band, S., Cappelli, D., Fischer, L., Moore, A., Shaw, E. and Trzeciak, R. (2006). Comparing Insider IT Sabotage and Espionage: A Model-Based Approach. Carnegie Mellon University CERT Program. Software Engineering Institute.
  21. Shaw, E., Ruby, K., and Post, J. (1998). The Insider Threat to Information Systems: The Psychology of the Dangerous Insider. Security Awareness Bulletin, No. 2-98, pp.1-10.
  22. Central Intelligence Agency (CIA). Intelligence Community Staff. (1990). Project Slammer Interim Report. Washington D.C.
  23. Centre for Research and Evidence on Security Threats (CREST). Understanding Insider Threat – The Impact of Organisational Change.



  1. (2017). How to Manage the Computer-Security Threat. The Economist.
  2. CREST Security Review. (2016). Cyber Security. Centre for Research and Evidence on Security Threats (CREST). Issue 2, pp. 1-31.
  3. Chelly, M. (2017). Employees’ Impact on Cyber Security: Human Behavior Consequences on Security Measures. Responsible Cyber.
  4. (2016). Closing Security Gaps to Protect Corporate Data: A Study of US and European Organizations – Release I. Ponemon Institute.
  5. (2016). Closing Security Gaps to Protect Corporate Data: A Study of US and European Organizations – Release 2: The Widening Gap Between IT and End Users. Ponemon Institute.
  6. (2016). Closing Security Gaps to Protect Corporate Data: A Study of US and European Organizations – Release 3: Differences in Security Practices and Vigilance Across UK, France, Germany and US. Ponemon Institute.
  7. Evans, M., Maglaras, L., He, Y., Janicke, H. (2016). Human Behaviour as an Aspect of Cyber Security Assurance. School of Computer Sciences and Informatics of the De Montfort University, Leicester, UK.
  8. Bada, M., and Sasse, A. (2014). Cyber Security Awareness Campaigns: Why do they Fail to Change Behaviour? Global Cyber Security Capacity Centre.
  9. Nurse, J., Legg, P., Buckley, O., Agrafiotis, I., Wright, G., Whitty, M., Upton, D., Goldsmith, M., Creese, S. (2014). A Critical Reflection on the Threat from Human Insiders – its Nature, Industry Perceptions, and Detection Approaches. Department of Media and Communications and the Cyber Security Centre of the Department of Computer Science of the University of Oxford.
  10. Pfleeger, S., Caputo, D. (2012). Leveraging Behavioral Science to Mitigate Cyber Security Risk. Dartmouth College and The MITRE Corporation.




  1. Behavioral Analysis Unit. National Center for the Analysis of Violent Crime. (2017). Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks. US Department of Justice and the Federal Bureau of Investigation.
  2. Varazzani, C. (2017). The Brains Behind Behavioral Science. Behavioral Scientist.
  3. Davis, J. (2016). Stalking Crimes and Victim Protection. Psychology Today.
  4. Richtel, M. (2014). That Devil on Your Shoulder Likes to Sleep In. The New York Times. 01, November.
  5. Glasgow, K., Schouten, R. (2014). Assessing Violence Risk in Threatening Communications. Harvard Medical School, and Department of Psychiatry, Massachusetts General Hospital together with Johns Hopkins University Applied Physics Laboratory, and College of Information Studies, University of Maryland.
  6. Miller, A. (2014). Threat Assessment in Action. American Psychological Association.
  7. Meer van der, B. (2014). Psychological Disorder & Mental Illness on the Workplace. In: conference proceedings Psychological Disorder & Mental Illness of the Workplace at the ASIS EU Conference, April 14. The Hague. Van der Meer Investigative Psychologists.
  8. VIDEO. (2013). The Path to Violence. JWM Productions.
  9. Slonje, R., Smith, P., Frisén, A. (2012). The Nature of Cyberbullying, and Strategies for Prevention. Computers in Human Behavior. Elsevier.




  1. Jack, C. (2017). Lexicon of Lies: Terms for Problematic Information. Data and Society Research Institute. Heuer, R. (1999). The Psychology of Intelligence Analysis. Center for the Study of Intelligence. Central Intelligence Agency.
  2. Brown, S. (2017). I Read the News, Therefore I am (Prejudiced). Psychology Today.
  3. Gu, L., Kropotov, V., Yarochkin, F., Leopando, J., Estialbo, J. (2017). Fake News and Cyber Propaganda: The Use and Abuse of Social Media. TREND MICRO.
  4. Franganillo, J., (2016). Information Overload, Why it Matters and How to Combat It. Interaction Design Foundation.
  5. Callagher, B. (2016). What Impact does Fake News have on the Real World. Merry Jane.
  6. Benson, B., and Manoogian III, J., (2016). The Cognitive Bias Codex.