
Insiders and Insider Threats - An Overview of Definitions and Mitigation Techniques

Jeffrey Hunker, Christian W. Probst
2011 Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications  
Threats from inside an organization's perimeter are a significant problem, since they are difficult to distinguish from benign activity. In this overview article we discuss the defining properties of insiders and insider threats. After presenting definitions of these terms, we go on to discuss a number of approaches from the technological, the sociological, and the socio-technical domain. We draw two main conclusions. Tackling insider threats requires a combination of techniques from the technical, the sociological, and the socio-technical domain, to enable qualified detection of threats and their mitigation. Another important observation is that the distinction between insiders and outsiders seems to lose significance as IT infrastructure is used in performing insider attacks.

Little real-world data is available about the insider threat [1], yet recognizing when insiders are attempting to do something they should not on a corporate or organizational (computer) system is an important problem in cyber security and in organizational security in general. This "insider threat" has received considerable attention and is cited as one of the most serious security problems [2]. It is also considered the most difficult problem to deal with, because insiders often have information and capabilities not known to external attackers and, as a consequence, can cause serious harm. Yet little real-world data is available about the insider threat.

Especially in the US, there has been substantial research to better understand insider threats and to develop more effective approaches. Starting in 1999, RAND conducted a series of workshops to elucidate the research agenda needed to address this problem [3, 4, 5]. In parallel, the Defense Department produced its own report [6], outlining both a set of policy changes and research directions aimed at addressing the insider threat. Since then, a rich literature studying various aspects of the insider threat problem has emerged. However, the motivation for work on insider threats appears to differ among countries. Much of the interest in the US arguably derives from highly public and damaging national security incidents: Robert Hanssen (arrested in 2001) was an FBI insider who stole and sold secrets to the Russians, and most recently Bradley Manning, a US Army soldier and insider, provided WikiLeaks with numerous sensitive US government documents. European interest, on the other hand, appears mostly driven by criminal acts committed by privately employed insiders, such as the $7 billion fraud committed against the French bank Societe Generale by one of its traders, Jerome Kerviel.

Several issues make attacks performed by insiders especially difficult to deal with, from both a research and a practitioner's perspective. There is no uniform or widely accepted definition of either the "insider" or the "insider threat". Indeed, we are forced to conclude that the definition chosen depends on the threat of concern to the specific audience; unfortunately, terminology is sometimes used without the precise definition being made clear. Real-world data sets are almost completely missing, a problem shared across cyber security [7] but particularly acute for insider threats. Because by definition the insider is already within at least some element of the organization's security perimeter, security approaches applicable to the "outsider" may not be equally effective for insiders. As a consequence, the insider poses unique security threats arising from his privileged status.
doi:10.22667/jowua.2011.03.31.004 dblp:journals/jowua/HunkerP11 fatcat:5iwopvcufndzrltdbub5a32lye