Insider Threat (Intentional)
Recognize the warning signs of a malicious insider.
What You'll Learn
- Identify behavioral warning signs of intentional insider threats, including unusual access patterns, after-hours activity, and interest in data outside normal job responsibilities
- Distinguish between accidental policy violations and deliberate data exfiltration based on context, frequency, and pattern
- Report suspicious insider behavior through proper channels without directly confronting the individual
- Document observed indicators accurately and factually to support a security investigation
- Understand why authorized users pose a unique detection challenge compared to external attackers
Training Steps
-
A Normal Thursday Evening
Welcome to Stratford Financial! You are Alice, a senior analyst on the client services team. Today you've stayed late to finish a quarterly report. Most colleagues have already gone home. As you wrap up, you notice your colleague Marcus Sterling is still at his desk - unusual, since he typically leaves early. Over the past few weeks, Alice has noticed some changes in Marcus's behavior. He used to be friendly and outgoing, but lately he's become withdrawn and secretive. He takes calls in the stairwell and quickly minimizes his screen when anyone walks by. Alice assumed he was dealing with personal issues - but tonight, something catches her attention.
-
The USB Drive
As Alice gets up to leave, she notices Marcus inserting a USB flash drive into his workstation. He glances around nervously, then begins copying folders from what appears to be the Client Portfolio database. Marcus spots Alice looking his way and quickly pulls out the USB drive, dropping it into his bag. He forces a smile and says he's 'just backing up some personal photos.'
-
A Troubling Discovery
The next morning, Alice arrives at work and checks her email. She notices a strange message in her inbox - it looks like an automated notification from the document management system. The notification indicates that Marcus shared a large file with an external email address late last night.
-
Connecting the Dots
Alice pauses to consider what she's seen:
- Marcus working late and acting secretive
- Copying files to a personal USB drive
- Sharing confidential client data to a personal Gmail account
- The file contained sensitive portfolio information marked 'CONFIDENTIAL'
Any one of these could have an innocent explanation. But together, they paint a concerning picture.
An intentional insider threat is when a trusted employee deliberately misuses their access to harm the organization. This can include:
- Data theft - Stealing confidential information, trade secrets, or client data
- Sabotage - Damaging systems, deleting files, or disrupting operations
- Fraud - Financial manipulation for personal gain
- Espionage - Selling information to competitors or foreign entities
Insiders have legitimate access, making their actions harder to detect than external attacks.
-
Recognizing Warning Signs
Insider threats often exhibit observable warning signs - both behavioral and technical:
Behavioral Indicators:
- Working unusual hours without clear business need
- Expressing dissatisfaction, grievances, or intention to leave
- Becoming secretive - minimizing screens, taking calls privately
- Financial stress or living beyond means
- Downloading or accessing data outside normal job duties
Technical Indicators:
- Large file transfers to personal devices or cloud storage
- Accessing systems at unusual times
- Copying files marked as confidential or restricted
- Using unauthorized USB drives or external media
- Emailing documents to personal email accounts
Alice knows that reporting a colleague is uncomfortable. She and Marcus have worked together for two years. But she also understands that failing to report could enable significant harm to clients and the company. Stratford Financial has an anonymous reporting hotline and a secure reporting portal specifically designed to protect employees who come forward with concerns.
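For security teams, the technical indicators above can be correlated per user, so that one after-hours event stays quiet while several distinct indicators together raise a review. The sketch below is an added example, not part of the original training module; the event schema, thresholds, domain name and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumptions for this example: business hours, size threshold, corporate domain.
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 local time
LARGE_BYTES = 100 * 1024 * 1024          # 100 MiB
CORP_DOMAINS = {"stratfordfinancial.example"}
SENSITIVE_LABELS = {"CONFIDENTIAL", "RESTRICTED"}

# Constructed sample events; the schema is hypothetical.
EVENTS = [
    {"ts": "2024-03-14T19:30:00", "user": "alice", "action": "file_read",
     "label": "INTERNAL", "dest": "", "bytes": 2_000_000},
    {"ts": "2024-03-14T20:41:00", "user": "marcus", "action": "usb_write",
     "label": "CONFIDENTIAL", "dest": "", "bytes": 480_000_000},
    {"ts": "2024-03-14T23:10:00", "user": "marcus", "action": "share",
     "label": "CONFIDENTIAL", "dest": "marcus@personal-mail.example",
     "bytes": 150_000_000},
]

def indicators(event):
    """Return the set of technical indicators a single event matches."""
    hits = set()
    if datetime.fromisoformat(event["ts"]).hour not in BUSINESS_HOURS:
        hits.add("after_hours")
    if event["action"] == "usb_write":
        hits.add("removable_media")
    if event["action"] == "share":
        domain = event["dest"].rpartition("@")[2].lower()
        if domain not in CORP_DOMAINS:
            hits.add("external_share")
    if event["label"].upper() in SENSITIVE_LABELS:
        hits.add("sensitive_label")
    if event["bytes"] >= LARGE_BYTES:
        hits.add("large_transfer")
    return hits

def flag_users(events, min_distinct=3):
    """Flag users whose events together match at least min_distinct indicators."""
    seen = defaultdict(set)
    for event in events:
        seen[event["user"]] |= indicators(event)
    return {u: sorted(i) for u, i in seen.items() if len(i) >= min_distinct}

if __name__ == "__main__":
    for user, hits in flag_users(EVENTS).items():
        print(f"{user}: review recommended ({', '.join(hits)})")
```

A flag from logic like this is a prompt for discreet review by the security team, not a finding of intent.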
-
Accessing the Reporting Portal
Alice decides to submit a confidential report through the company's Insider Threat Reporting Portal. This portal is specifically designed for employees to report concerns about potential insider threats while maintaining confidentiality.
-
Submitting the Report
The portal prompts Alice to describe her concerns. She provides factual observations without speculation about Marcus's intent or motivations - that's for the investigation team to determine. The form emphasizes that all reports are kept confidential and that retaliation against reporters is strictly prohibited.
-
Immediate Response
After submitting the report, Alice receives an automated confirmation. The portal assigns a case number and explains what happens next. The Security Team will investigate the concerns discreetly, preserving evidence while determining whether the activity was malicious or had a legitimate explanation.
-
One Week Later
A week passes. Alice notices that Marcus's desk has been cleared. She receives an email from the Chief Information Security Officer.
-
The Bigger Picture
Alice later learns that Marcus had accepted a job at a competitor and was planning to take client data with him. The investigation revealed he had been collecting sensitive information for several weeks. Because Alice reported early, the security team was able to limit the damage. Without her report, significantly more data could have been compromised before anyone noticed.
When you observe potential insider threat indicators, remember the NOTICE framework:
- Note what you observed - Document specific facts, dates, and times
- Observe without confronting - Don't alert the person to your suspicions
- Trust your instincts - If something feels wrong, it's worth reporting
- Inform through proper channels - Use official reporting mechanisms
- Confidentiality matters - Don't discuss with colleagues
- Expect protection - Retaliation against reporters is prohibited