Insider Threat Awareness
Student Guide
February 2024
Center for Development of Security Excellence
Insider Threat Awareness Student Guide
February 2024 Center for Development of Security Excellence Page 1-1
Contents
Lesson 1: Course Introduction
  Introduction
Lesson 2: Insider Threat Vulnerabilities
  Introduction
  Definitions
  Adversaries
  Insider Risk
  Conclusion
Lesson 3: Insider Threat Indicators and Concerning Behavior
  Introduction
  Risk Indicators
  Getting Help
  Conclusion
Lesson 4: Reporting Requirements
  Introduction
  Reporting Concerning Behavior
  Scenarios
  Conclusion
Lesson 5: Course Conclusion
  Conclusion
Lesson 1: Course Introduction
Introduction
Welcome
[Video clip, Vigilance series narrator:] Many people believe that insider threat programs are designed
to catch bad guys or spy on employees. In reality, these programs are designed to deter, detect, and
mitigate risk. Insider threat programs work with a multidisciplinary team of professionals, including
security, Human Resources, cyber security, mental health, legal, law enforcement and
counterintelligence to identify and evaluate potentially anomalous behaviors that may indicate
increased risk and recommend appropriate responses.
The goal of the program is to deter threats and detect potential issues early on before a problem
occurs. To be sure, the risk posed by trusted insiders is real and substantial. From compromise of
classified information to devastating events resulting in loss of life, insider threats can have a
profound impact on national security. However, by working together and recognizing the signs,
insider threat programs can often prevent these activities by providing help and support to
employees in need, facilitating enhanced security and other countermeasures, and swiftly reacting to
threatening situations. We all contribute to the ability of our insider threat programs to find solutions
that support national security while protecting individual privacy and civil liberties.
How can you help?
[Course narrator:] It is up to all of us to be aware of potential signs and report what we see. You are
your organization’s first line of defense against someone who could do harm. On November 5, 2009,
Army psychiatrist Major Nidal Hasan opened fire at Fort Hood, killing 13 people and injuring 30
others. Hasan exhibited signs of radicalization for years. On September 16, 2013, Aaron Alexis walked
into the Washington Navy Yard with a shotgun, killing 12 people and injuring 3 others. Alexis was a
former Navy reservist with a history of mental health problems. These cases influenced the
formation of insider threat policy.
This course will familiarize you with insider threat and provide guidance on what to do if you suspect
that something is not right.
Objectives
Welcome to the Insider Threat Awareness course. This course focuses on insider threat
vulnerabilities, potential behaviors of concern, and reporting requirements.
Course objectives:
Analyze a scenario and determine the vulnerabilities posed by insiders
Analyze a scenario and recognize concerning behavior
Analyze a scenario and apply the appropriate reporting procedures
Lesson 2: Insider Threat Vulnerabilities
Introduction
Objectives
[Vigilance Series video clip, video narrator:] Insider attacks are sometimes difficult to detect,
especially since the perpetrators can be people we know and trust. Most people who become witting
or unwitting insider threats don't enter the workforce with malicious intent, but over time may
experience stressors which when combined with their personal predispositions and trigger events can
lead them along a critical pathway to betrayal. Insider threat programs can play a strong role in
identifying at-risk individuals and helping them off this pathway toward more positive outcomes, but
they can't intervene if they are not aware of the problem.
[Course narrator:] This lesson describes the vulnerabilities posed by insiders.
Lesson Objectives
Given access and intent attributes, classify whether an individual meets the National Insider Threat Task Force (NITTF) definition for insider threat
Given a scenario, recognize adversarial collection techniques
Given a description of predispositions, stressors, and behaviors, recognize an individual who may pose an insider risk
Case Studies
Most insider threats do not start out as a threat; rather, they evolve into a threat over time. Consider
Major Nidal Hasan and Aaron Alexis. Major Nidal Hasan displayed concerning behaviors before he
carried out the 2009 Fort Hood shooting. Aaron Alexis had a history of mental health issues and was
involved in several violent incidents before he carried out the 2013 Washington Navy Yard shooting.
The pathway to an insider incident is often complex. By recognizing certain risk factors along a
critical pathway, we can work to identify potential threats before they escalate.
Definitions
Who is An Insider?
What do we mean by insider? Consider the following. Who is considered an insider?
Select all that apply.
Sue, a cleared DOD employee
Kim, a contractor supporting a defense contract
Raj, a private sector engineer with no USG contracts married to a DOD employee
James, a volunteer supporting cleared facilities
Carlos, a civilian access control team member at a DOD facility
Lisa, a supply chain vendor for the USG
Teresa, a civilian sanitation engineer employed at a USG facility
Insider
An insider is any person with authorized access to any United States Government resource to include
personnel, facilities, information, equipment, networks, or systems. This may be through
employment, a contractual relationship, or volunteer activities. An insider can be anyone with
access. So what makes an insider become a threat?
What is an Insider Threat?
[Mishandling video narrator:] Dave's been working on this high-profile project for a while now. He's
been putting a lot of extra hours to try to get stuff done. He was already running late yesterday and
decided to take some unclassified work home. He grabbed a stack of documents and rushed out the
door in order to meet some friends for dinner. When he got home and looked through his papers, he
discovered that he accidentally grabbed some program information. It was a one-page document
marked SECRET SAR. Because it was so late at night, he didn't know what else to do so he decided to
shred the information in order to protect it.
[Course narrator:] Dave didn’t intentionally bring home a classified document. It was an accident.
Could this incident indicate an insider threat?
Select the best response.
Yes
No
Insider Threat
Insider threats can be intentional or unintentional.
An insider threat is the threat that an insider will use her or his authorized access, wittingly or
unwittingly, to do harm to the security of the United States. This can include damage through
espionage, terrorism, unauthorized disclosure, or the loss or degradation of department resources
or capabilities.
As we saw with Dave, not all threats are deliberate acts. Unintentional acts by insiders can pose just
as significant a threat. A significant portion of insider threats involve negligent or accidental
behaviors. An insider threat can occur when an individual commits a dangerous act for any number
of reasons outside of an intent to harm an organization.
What is Not an Insider Threat?
Consider the following scenarios. Which does NOT indicate a potential insider threat?
Select the best response.
A scientist at a cleared facility accidentally takes home a document marked SECRET.
An employee takes a photo at their desk and posts it to social media. Documents marked CUI are visible in the background.
An analyst has concerns about the CONFIDENTIAL information she’s been asked to review and makes a protected disclosure.
None of these. They all may indicate an insider threat.
Whistleblowing
Making a protected disclosure does not indicate an insider threat.
Whistleblowing is the reporting of waste, fraud, abuse, corruption, or dangers to public health and
safety to someone who is in the position to rectify the wrongdoing. Employees are protected from
employer retaliation via the Whistleblower Protection Act and Security Executive Agent Directive
(SEAD) 9: Whistleblower Protection. It is unlawful for your employer to take any action affecting your
access to classified information in reprisal for making a protected disclosure. A disclosure is
protected if it meets two criteria.
The disclosure must be based on the belief that wrongdoing has occurred.
The disclosure must be made to a person or entity that is authorized to receive it.
Organizations have whistleblowing policies on the correct way to report as opposed to releasing the
information to the media or an unauthorized source. Releasing information to the media or an
unauthorized source is unauthorized disclosure. It is a crime and is not whistleblowing nor applicable
to whistleblower protections. Visit the course Resources to access the Whistleblower Protection
Policies and FAQ Job Aid and a real life example of a case where actions were illegal and not
protected.
Adversaries
Consider This
[Vigilance series, season 1, episode 2:] Rachel is sitting at her computer when she receives a message
via social media offering her a job.
[Course narrator:] Rachel just received a message via social media asking her to write articles about
travel, wine, and technology. What should she do?
Select the best response.
Be careful; it’s possible she’s being targeted.
Ask how much it pays.
What Do They Want?
Remember, not all insider threats are intentional. It’s possible Rachel is being targeted. If she’s not
careful, an adversary could collect information from her, making her an unwitting insider threat.
Adversaries include foreign governments, terrorist organizations, competitors, and non-state actors.
They want to know non-public information that an insider can provide. This includes information
related to:
Personnel
Methodologies, capabilities, and limitations
Facility locations worldwide
The countries the organization works with
Being aware of what adversaries want helps you protect your organization’s information.
Consider This
Consider the following scenarios. Which, if any, may indicate a threat?
Select all that apply.
Your company’s sales department receives a purchase request from an unknown vendor.
A scientist at your facility receives a request to review a research paper.
During a conference overseas, a researcher’s laptop is stolen.
As you arrive at your building early one morning, you encounter a coworker leaving the building. The coworker nervously explains that he sometimes prefers to work overnight.
Your organization’s network service is disrupted following a denial of service attack.
Collection Methods
Any of these scenarios might point toward a possible threat.
Examining past cases reveals that adversaries commonly use certain collection methods.
Understanding these methods can help you identify the presence of a threat. The most common
methods, used in over 80% of cases, are:
Requests for information
Academic solicitation
Suspicious network activity
Foreign visits
Solicitation and marketing or seeking employment
Targeting at conferences, conventions, and trade shows
Elicitation and recruitment
Visit the course Resources to access the Collection Methods and Countermeasures Job Aid.
Requests for Information
Attempts by foreign entities to establish a connection with a cleared contractor or employee
vulnerable to the extraction of protected information
Examples include, but are not limited to:
Sales
Representation
Response to tenders for technical or business services
Requests under the guise of price quote or marketing surveys
Academic Solicitation
Attempts to acquire protected information under the guise of academic reasons
Examples include, but are not limited to, requests for or arrangement of:
Peer or scientific board reviews of academic papers or presentations
Requests to study or consult with faculty members
Applications for admission into academic institutions or programs, as faculty members, students, fellows, or employees
Suspicious Network Activity
Attempts to carry out intrusions into cleared contractor networks and exfiltrate protected
information
Examples include, but are not limited to:
Cyber intrusion
Viruses
Malware
Backdoor attacks
Acquisition of user names and passwords
Targeting at Conferences, Conventions, and Trade Shows
Attempts to directly link programs and technologies with knowledgeable personnel
Technique:
Technical experts may receive invitations to share their knowledge
Experts may be asked about restricted, proprietary, and classified information
Solicitation and Marketing/Seeking Employment
Attempts to place foreign personnel near cleared personnel to collect information and build
relationships that may be exploited
May take many forms including:
Joint ventures or research partnerships
Offering of services
Internship programs for foreign students
Foreign Visits
Attempts to gain access to and collect protected information that goes beyond that permitted
and intended for sharing
Examples include, but are not limited to:
Pre-arranged visits by foreign contingents
Unannounced visits
Elicitation and Recruitment
Attempts to discreetly gather information that is not readily available and do so without raising
suspicion that specific facts are being sought. It is usually non-threatening, easy to disguise,
deniable, and effective.
Examples include:
Conversations in person, over the phone, or in writing
Commonly occur via social media
Threat Categories
Insider threat categories include:
Unauthorized disclosure, which can be in the form of a leak – an intentional, unauthorized disclosure of classified or proprietary information to a person or organization that doesn’t have a “need-to-know.” Unauthorized disclosure can also be unintentional. A spill is the unintentional transfer of classified or proprietary information to unaccredited or unauthorized systems, individuals, applications, or media.
Espionage is the unauthorized transmittal of classified or proprietary information to a competitor, foreign nation, or entity with the intent to harm.
Sabotage is the act of deliberately destroying, damaging, or obstructing. While sabotage is often conducted for political or military advantage, personal disgruntlement may also be a motivation.
Targeted violence is violence directed at an individual or group for a specific reason. It includes everything from active shooter to harassment to workplace bullying.
While you should be aware of the various types of insider threats, know that you likely will not know
the intention of a potential threat. Your role is to simply report concerning behavior. Visit the course
Resources to access case studies with real life examples of unauthorized disclosure, espionage,
targeted violence, and sabotage.
Insider Risk
Consider This
[Vigilance video series clip:]
Tim: I'm definitely interested. I think I can work that out and get it to you as soon as possible. Thank
you.
Susan: Hey Tim - working late again?
Tim: Hey Susan – yeah, just finished up a few things. You working late?
Susan: No, I forgot my cellphone. Got about halfway home before I realized. Can you believe that?
Me without my phone?
Tim: I know, right? Thing’s like your third hand. It’s pretty late… I better go feed the dog. Guess I lost
track of time.
Susan: I guess so... See you tomorrow, Tim.
[Course narrator:] That was an odd encounter. Susan senses that something isn’t right. What should
she do?
Select the best response.
Susan should mind her own business, get her cellphone, and go home.
Susan should run after Tim and ask him what’s wrong.
Susan should call her coworker and ask their opinion.
Susan should talk to her supervisor about it.
Who May Pose an Insider Threat?
Susan should talk to her supervisor. Maybe Tim was just working late and maybe he needed to rush
home to feed his dog. It isn’t Susan’s job to know the full picture, and she shouldn’t speculate.
However, it is her responsibility to report concerning behavior.
There is no one type of person nor single set of circumstances that facilitates an insider act.
However, there are certain predispositions and stressors that may signal that an insider may be at
increased risk of committing a hostile act. These may make an insider more likely to act on
opportunity enabled by their access. It also may make them more susceptible to targeting or
exploitation. Without intervention, concerning behavior may escalate, causing potential damage to
national security, personnel, facilities, or other resources.
Personal Predisposition
Predisposition refers to an individual’s personal characteristics and circumstances that make them
more likely to engage in certain behavior. For example, looking at past insider threat cases shows
that individuals with a medical or psychiatric disorder or personality or social skills issues are more
likely to engage in risky behavior. Previous rule violations and social network risks are also known
predispositions of those who may pose an insider threat.
Going back to the cases of Nidal Hasan and Aaron Alexis, there were several potential predisposing
factors that may have contributed to each of their decisions to carry out their attacks. Hasan
reportedly expressed radical and extremist beliefs, including support for violent acts. He expressed
dissatisfaction with his deployment to Iraq and was reportedly harassed by coworkers for his faith.
Alexis reportedly had a history of mental health issues, including paranoid delusions and hearing
voices. He also had a prior arrest for discharging a firearm in public. While the specific predisposing
factors are different, they may have made them more susceptible to carrying out a violent act.
Stressors
Another risk factor that may contribute to insider threat is stressors. These are events or situations
that cause an individual to feel pressure or anxiety and may lead them to act out in ways they
normally wouldn’t. Common stressors include personal, professional, or financial problems.
In the cases of Nidal Hasan and Aaron Alexis, each experienced several stressors. Hasan reportedly
expressed dissatisfaction with his job and was disciplined for performance issues. He also faced
personal stressors and reportedly was in the process of getting divorced. Alexis reportedly had
significant debts. He also reported feeling isolated and unsupported by his colleagues. These
stressors may have made each more susceptible to carrying out their attacks.
Concerning Behavior
Finally, concerning behavior is a potential insider threat indicator. Concerning behaviors are
observable behaviors or actions that suggest an individual may be planning or carrying out a
malicious act. Concerning behaviors can be categorized by interpersonal behaviors such as
arguments or altercations, technical behaviors such as conducting unauthorized computer searches,
security behaviors such as failing to follow procedures, and financial behaviors such as unexplained
large purchases.
Both Hasan and Alexis displayed concerning behaviors that may have indicated their intentions. Prior
to the attack on Fort Hood, Hasan communicated with an operative from a terrorist organization. He
researched ways to kill large numbers of people. He also displayed erratic behavior, such as giving
away his possessions and preparing his apartment for his departure. Aaron Alexis also displayed
several concerning behaviors before carrying out the attack on the Navy Yard. He complained he was
being followed by people who were sending vibrations into his body. He was involved in altercations
with several people. Two days before the attack, he practiced shooting at a gun range. Taken
together, the concerning behaviors of both Hasan and Alexis suggest they were each experiencing
significant issues and were exhibiting signs of increased risk for potential violence.
Problematic Organizational Response
Finally, problematic organizational response is a potential insider threat indicator. Inadequate
organizational responses can escalate the actions of at-risk employees who are more likely to plan
and execute attacks. Examples of problematic organizational responses include inattention, not
having a risk assessment process, inadequate investigation, and other actions that escalate risk. For
example, in studying past insider threat cases, in many cases there was insufficient concern prior to
the incident. In addition, there was not an organizational mechanism to organize and communicate
potential threat information to the appropriate security officials to prevent, deter, detect, or mitigate
malicious actions.
The cases of both Hasan and Alexis were integral to establishing policies to develop Insider Threat
Programs and guidelines for information sharing between organizations and program pillars. These
policies are essential to protect classified information and strengthen national security.
Consider This
[Vigilance video series clip:]
Montenegro: Sorry to hear about you and Sarah splitting and calling off the engagement. That's
tough.
Tim: Yeah, but hey…this sure is helping. (Shows Montenegro a picture of his new sports car.)
Montenegro: Whoa, man. That is awesome. Let me see?
Tim: Just picked it up yesterday.
Montenegro: Wow, this is a big step up from your Corolla, bro. That must have set you back a couple
bucks.
Tim: Yeah, well…I was shopping for a new car and I figured, why not?
Montenegro: Yeah man, if I came home with something like that, my wife would kill me! You'd be
visiting me in the hospital, brother.
Tim: Hey man, you only live once. Sometimes you got to do what you got to do. Listen, I was thinking
I’ll probably give my two weeks’ notice today.
Montenegro: Really? What's going on?
Tim: You know I didn't get the lead programmer position I wanted, right?
Montenegro: Yeah, I heard. That sucks, you should have gotten it.
Tim: I worked my butt off for that job and I really, really needed the money. But it's all good. I figured
I might move across the country, Seattle maybe. Be nice to get a road trip with the new
wheels…some fresh air.
Montenegro: Wow, are you serious? I mean, there's bound to be other opportunities around here. I
mean…hey listen, if this is about Sara, there's plenty of other fish in the sea. You know we'll miss you
around here, but hey – Seattle? A road trip in a car like that? All sounds pretty good.
Tim: Montenegro, do me a solid don't talk to anyone about this yet because a chance to talk it over
with HR first. Thanks.
[Course narrator:] What potential risk indicators did Major Montenegro see in Tim’s behavior?
Select all that apply.
Personal issues: His engagement was called off.
Professional issues: He didn’t get the promotion he wanted.
Financial issues: He purchased a sports car.
None; he just has a lot going on in his life.
Debrief
While there may be a logical explanation, Tim is displaying indicators of personal, professional, and
financial issues that could indicate an insider threat.
[Vigilance Series video clip, video narrator:] Major Montenegro is a good friend to Tim. Despite Tim's
excitement over his new car, he was able to pick up on some obvious stress and dissatisfaction in
Tim's life. While this is nothing unusual, we’re all human - it's important to note that many of these
normal stressors can lead to negative consequences if not resolved. Reporting this information to a
supervisor, human resources, or directly to the insider threat program is a great way to ensure that
Tim’s situation is evaluated fairly and quickly - whether Tim poses a threat, is at increased risk for
targeting or recruitment by an adversary, or simply needs a little help to work through a difficult
time. The insider threat program can find a solution that manages insider risk, maintains Tim's
privacy, and protects national security.
Conclusion
Summary
You have completed the Insider Threat Vulnerabilities lesson.
Lesson 3: Insider Threat Indicators and Concerning Behavior
Introduction
Objectives
[Vigilance series narrator:] Insider threats come in many forms including sabotage, fraud, theft,
workplace violence, unauthorized disclosure, and compromises of classified information. The
compromise of classified information can be unintentional - the result of careless security practices or
an intentional act perpetrated by an individual working alone or on behalf of an adversary.
Foreign intelligence entities are known to target and recruit trusted insiders as a means of collecting
protected data. In addition, many insiders unwittingly place classified information at risk by sharing it
with individuals without a need to know. Attempting to access or collect information without
authorization is a reportable potential risk indicator of insider threat. Would you recognize it if you
saw it? Would you know what to do?
[Course narrator:] This lesson describes insider threat indicators and concerning behaviors.
Lesson Objectives
Given a scenario, identify reportable behavior indicators
Given a scenario, recognize the role of Employee Assistance Programs in mitigating potential threat
Case Studies
Insider threats do not need to hold a high rank or position to inflict grave damage. This is in part due
to technology that empowers individuals at all levels. Today it is possible for one person, regardless
of rank or position in the organization, to do a lot of damage.
Jonathon Toebbe, a U.S. Navy engineer, was sentenced to 18 years for attempting to use his access
to sell sensitive nuclear submarine secrets. Harold Martin III, a defense contractor, was sentenced to
9 years for stealing 50 terabytes of classified information. Christopher Paul Hasson, a former U.S.
Coast Guard officer, was sentenced to more than 13 years for federal weapons and drug crimes
related to plotting violent attacks.
The pathway to an insider incident is often complex. By recognizing insider threat indicators and
concerning behaviors, we can work to identify potential threats before they escalate.
To learn more, visit the course Resources to access case studies about Toebbe, Martin, and Hasson.
Risk Indicators
Consider This
[Clip from Vigilance video series, season 1, episode 3:]
Joyce: That's it! See you next week.
Phyllis: The new milestones on this project are impossible!
Joyce: I know, right? After this project is finished, I'm gonna need a long holiday weekend on a
tropical beach with some tropical sun and some tropical drinks.
Stewart: I need that travel agent!
Phyllis: Yeah well, I don't think anyone's going on holiday for a while. My problem is I still don't have
access to the files on the server like your team does. It would make my life a whole lot easier. I know
if I just had some pieces of the source code I need, I could easily make my review date.
Joyce: You're probably right, but you need to talk to Mark about that, Phyllis. A couple weeks ago, I
needed some extra information for an article I was publishing in a defense journal. Since he was my
supervisor, he hooked me up.
Phyllis: I tried. He doesn't understand. I don't think he ever sees the big picture. I mean, we're all on
the same team, right?
Joyce: As far as I know.
Phyllis: Well, if you could do anything to help me out, I'd really appreciate it.
[Transitions to Phyllis alone in the break room, Stewart overhears her on the phone.]
Phyllis: Yes, okay tomorrow sounds fine. Same flight as last time. Yes, I had plenty of time in London
to connect to Cyprus. No, thank you. I have someone picking me up.
[Course narrator:] Do you think Phyllis exhibits any potential risk indicators?
Select the best response.
No; it looks like she’s just trying to do her job.
Yes; she has a lot going on and her behavior is concerning.
Risk Categories
Phyllis exhibits potential risk indicators. While it’s not your responsibility to know specifically what is
going on, you do need to recognize potential risk indicators.
Christopher Hasson, a former U.S. Coast Guard officer, is a real-life insider threat whose arrest
possibly prevented acts of violence. He was found guilty of federal weapons and drug crimes.
Hasson’s position in the Coast Guard gave him access to information and facilities. Hasson held
extremist views and used his government computer to research violent attacks, including the
Unabomber’s attacks and manifesto. In addition, Hasson stockpiled assault weapons and opioids.
Risk looks different across organizations. In addition to these categories, risk can generally be
delineated as:
Financial considerations
Foreign considerations
Professional performance
Psychological conditions
Security or compliance issues
Access Attributes
Include, but are not limited to:
Security clearance and information access
Access to physical facilities
Access to systems and applications
DOD system(s) privileged user
Explosives access or training
Violent Extremist Mobilization
Includes, but is not limited to:
Engaging in or conspiring to engage in violent extremist activities
Communicating with foreign terrorist organization
Conducting an attack
Traveling overseas to join a foreign terrorist organization
Technical Activity
Includes, but is not limited to:
Violang informaon system policies
Suspicious email or browsing acvity
Transferring data to personal or suspicious account
Tampering with record-keeping data
Introducing malicious code
Criminal/Violent Conduct
Includes, but is not limited to:
Exhibing or threatening violence
Weapon mishandling
Failure to follow court order
Parole or probaon violaon
Criminal aliaons
Suicidal ideaon or aempt
Substance Abuse
Include, but are not limited to:
Illegal substance use or trafficking
Legal substance abuse or trafficking
Treatment for abuse of drugs, alcohol, or controlled substances
Financial Considerations
Include, but are not limited to:
Financial crime
Filing for bankruptcy
Delinquent debts
High debt-to-income ratio
Failure to file tax returns
Displaying signs of unexplained affluence
Gambling problem
Foreign Considerations
Include, but are not limited to:
Cizenship
Foreign travel to countries of concern
Frequent foreign travel excluding ocial travel
Foreign military or government service
Possessing foreign passport
Possession of foreign assets
Unauthorized contact with a foreign intelligence enty (FIE)
Professional Performance
Includes, but is not limited to:
Declining performance ratings
Poor performance
Reprimand/non-judicial punishment
Human Resources (HR) complaints
Demotion
Suspension
Negative characterization of previous employment or service
Psychological Conditions
Include, but are not limited to:
An-social or compulsive behavior
Communicang endorsement of workplace violence
Mental instability
Admission to inpaent mental health facility
Past untruthfulness
Security/Compliance Incidents
Include, but are not limited to:
Compliance violaon
Security infracon
Security violaon
Non-compliance with training requirements
Time entry violaons
Security clearance denial, suspension, or revocaon
Consider This
[Clip from Vigilance series, season 2, episode 2:]
Trish: Hey, Rachel.
Rachel: Oh hi, Trish.
Trish: Some of us are going across the street for some drinks. Come join us!
Rachel: Oh, I'd love to but I'm still trying to finish some work here. With all those contractors leaving,
it's like a ghost town over there.
Trish: How did you get approved for overtime?
Rachel: (Grimaces) I didn't, but I still have some work to finish. It's okay, I'll just be a few minutes. Go
on, I'll meet you over there.
Trish: All righty.
Rachel: Oh hey, Trish? Can you do me a favor? You're the weapons systems analyst, yes? Could you
get me the most recent tech files? You know, please? There could be something in there. I know
they’re rough drafts, but there may be something in there that could help me finish my own work and
then we can all move on.
Trish: Rachel, I've already locked my files for the day…but I guess I can check with my supervisor
tomorrow.
Rachel: Never mind, it's okay. I'll just keep slogging on here. Thanks anyway.
(Trish walks away.)
Rachel (talking to herself): CRAP!
[Course narrator:] Did you notice any potential risk indicators?
Select all that apply.
Trish asking Rachel to meet the team for drinks.
Trish not helping Rachel by sharing her files.
Rachel asking Trish for access to her files.
Rachel working outside of normal business hours.
Reportable Behavior Indicators
Changing work habits and seeking access to classified information without a “need-to-know” are
both reportable behavior indicators.
Jonathan Toebbe is a real-life insider threat who attempted to sell restricted data. He went to great
lengths to avoid detection, but ultimately was unable to hide his activities. He smuggled restricted
data past security checkpoints a few pages at a time over several years – violating security procedures
and protocols and, certainly, committing unauthorized removal. He was paid $100,000 in
cryptocurrency by FBI agents posing as conspirators.
In addition to these indicators, many known insider threats have been associated with one or more
of the following reportable indicators of concerning behavior:
Significant changes in personality, behavior, or work habits
Substance abuse or addictive behaviors
Disgruntled to the point of wanting to retaliate
Access to facilities and/or proprietary information outside of normal work hours
Seeking classified or proprietary information, systems, or technology without a “need-to-know”
For covered individuals requiring national security eligibility, these behaviors are tied to the
adjudicative guidelines and are required to be reported.
Term: Adjudicative Guidelines
Supplemental Material:
Guideline A: Allegiance to the United States
Guideline B: Foreign Influence
Guideline C: Foreign Preference
Guideline D: Sexual Behavior
Guideline E: Personal Conduct
Guideline F: Financial Considerations
Guideline G: Alcohol Consumption
Guideline H: Drug Involvement and Substance Misuse
Guideline I: Psychological Conditions
Guideline J: Criminal Conduct
Guideline K: Handling Protected Information
Guideline L: Outside Activities
Guideline M: Use of Information Technology
Consider This
[Clip from Vigilance video series, season 1, episode 3:]
[No dialog - Stewart observes Phyllis looking over Joyce’s shoulder at Joyce’s computer screen.]
Stewart: I’m going to the breakroom.
[No dialog - Stewart observes Phyllis removing a thumb drive from a computer.]
[Course Narrator:] Now what is Phyllis up to?
Does Phyllis exhibit any potentially concerning behavior?
Select all that apply.
Looking at her co-worker’s computer over her shoulder
Not going to the break room when Stewart said he was going
Using a flash drive
Being in a bad mood and not being a team player
Technology-Related Indicators
There may be a logical explanation, but Phyllis’ behavior is concerning. Remember, it is your
responsibility to be aware of concerning behavior. It is not up to you to speculate if it may indicate an
actual threat.
Real-life insider threat Harold Martin III used his position as a contractor to steal terabytes of
classified data over 30 years. Clearly, he must have displayed some concerning behavior over that
time. Improper use of privileged access, hoarding, and knowingly bypassing protocols are all
reportable technology-related behaviors.
Many known insider threats have been associated with one or more of these and the following
technology-related indicators:
Working odd hours without authorization
Inappropriate copying of classified or proprietary information
Requests for technical or program access beyond scope of work
Introduction of unauthorized technical devices into the workplace
Keeping unauthorized backups
Unauthorized requests for, use of, or removal of technical equipment
Getting Help
Consider This
[Clip from Vigilance series, season 2, episode 2:]
News broadcast: In other news from Washington, the federal government has announced a new
round of budget cuts that could impact a number of government agencies.
Government supervisor: There'll be no more overtime for federal employees and no performance
bonuses until further notice.
Carmen: Our contract ends in two months. I'm sorry to have to tell you that we have received official
government notification that it will not be renewed.
Antonio (talking to himself at his desk): I've only found two job possibilities in three weeks and
neither of them come close to paying me what I was making here. I just hope and pray we don't have
to sell the house and move and start all over again.
Carmen: Good morning, Antonio.
Antonio: What's up?
Carmen: Well, I was wondering where you were this morning.
Antonio: What do you mean? I was here at my desk!
Carmen: Well, you weren't at the Monday team meeting again.
Antonio: Huh, oh yeah. Guess I forgot. Anyway, I don't know what difference it makes at this point. I
mean, why bother?
Carmen: Well, we still have to finish as much of the final schematics as we can and a rough outline
for going forward.
Antonio: Going forward? For what?! To unemployment?! I mean, to be honest with you, Carmen… if I
had any more sick leave or paid time off I'd just take it, but I guess I could work on it a bit more.
Carmen: We're all bummed about this, but we still have to as much as we…
Antonio: Hey, I said I would work on it, okay?!
[Course narrator:] That didn’t go very well. Antonio is clearly stressed. What should Carmen do?
Select the best response.
She should mind her own business; he’s just having a bad day.
He’s clearly having a hard time. She should get him some help.
Even though the contract is almost up, she should fire Antonio.
Employee Assistance Programs
Yes, Antonio might need some extra help.
If you or a colleague are experiencing stress, emotional problems, or financial difficulties, do not
allow the situation to go unresolved; there are resources that can help you address the problem. The
Employee Assistance Program (EAP) is designed to help employees navigate these issues. Employees
and supervisors are encouraged to call at the first sign of a developing problem. Early assistance can
prevent readily solvable problems from developing into major issues. Check your internal
organization website for information on how to contact your EAP and find out what services they
offer.
Debrief
[Vigilance series clip, narrator:] People who exhibit concerning behaviors are not always bad people.
They may not necessarily be doing something wrong. Sometimes stressors build up over time and
that can lead to troubling behavior. Most insider threats exhibit risky behavior prior to committing
negative workplace events.
Conclusion
Summary
You have completed the Insider Threat Indicators and Concerning Behaviors lesson.
Lesson 4: Reporting Requirements
Introduction
Objectives
[Vigilance Series Video Narrator:] Co-workers, supervisors, and managers are often the first to sense
that an individual is experiencing stress or personal issues. Many of us may be hesitant to report this
information. After all, everyone has stressful life experiences or has a bad day occasionally. No one
wants to cause trouble for a friend or co-worker or be thought of as crying wolf over nothing.
Consider though that insider threat programs are multidisciplinary in nature and designed to
evaluate the entirety of the situation and can often put reported indicators in context. They treat
each matter individually with utmost respect for privacy and civil liberties. Mitigation response
options often include solutions that provide help and resources for those in need. We all have a duty
to report indicators. Being nervous about it is natural but consider the consequences of not reporting.
How can you help your fellow employees while fulfilling your security responsibilities?
[Course narrator:] This lesson describes insider threat reporting procedures.
Lesson Objectives
Given a scenario, recognize the role all employees play in ensuring an organization’s security
Given a scenario, identify to whom to report concerning behavior
Reporting Concerning Behavior
Roles and Responsibilities
[Clip from Vigilance series, Season 2, Episode 3 Video narrator:] Reporting can be difficult for
employees, but coworkers are right to do so. Employees of cleared industry and federal agencies
must report potential threats. Early reporting allows insider threat programs to pursue a
multidisciplinary approach to gathering and reviewing information.
[Course narrator:] Security is the responsibility of everyone in an organization. Employees are the
first line of defense against insider threats and are responsible for reporting concerning behavior.
While all employees are responsible for reporting concerning behavior, organizations also have
specific teams and individual roles in place to protect against insider threats.
The Insider Threat Program addresses and analyzes information from multiple sources
regarding concerning behaviors and any risks that could potentially harm an organization.
The Insider Threat Program Senior Official implements Insider Threat Program activities,
including daily operations, management, and ensuring standards compliance.
The Facility Security Officer (FSO) is in charge of managing security in their organization’s
facilities.
An organization’s leadership promotes a protective and supportive culture throughout the
organization in support of employees and the organization’s Insider Threat Program.
Obligations
Reporng foreign collecon aempts is required by both DODD 5240.06 and the Naonal Industrial
Security Program Operang Manual (NISPOM). Who you report to depends on if you are a DOD,
cleared industry, or federal agency employee.
DOD employees: Report potenal threats to your organizaon’s Insider Threat Program
Cleared industry employees: Report to the facility Insider Threat Program Senior Ocial
(ITPSO) or Facility Security Ocer (FSO)
Federal agency employees: Report to your agency’s Insider Threat Program, security oce,
or supervisor
Failure to report can result in nes, prison, or both. Specic reporng procedures vary, follow your
organizaon’s reporng procedures.
What to Report
If you suspect a possible threat, you must report it. You cannot assume anyone else will do so.
Specically, all employees must report personal foreign travel (including to Canada), personal foreign
contacts, outside acvies (speeches, books, manuscripts) involving the Intelligence Community, and
eorts by anyone (regardless of naonality) to obtain illegal or unauthorized access to classied or
proprietary informaon or to compromise a cleared employee. Finally, all employees must report
contacts by cleared employees with known or suspected intelligence ocers from any country, or
any contact which suggests the employee may be the target of an aempted exploitaon by the
intelligence service of another country.
Contractors have addional requirements, and there are specic requirements for reports submied
to the FBI.
Additional Contractor Requirements
Contractors are required to report events that impact:
The status of the facility
The status of an individual’s personnel security clearance
Anything that affects the proper safeguarding of classified/proprietary information
Indications that classified/proprietary information has been lost or compromised
Reports Submitted to the FBI and DCSA
Reports to be submitted to the FBI by the appropriate security official:
The contractor shall promptly submit a written report to the Defense
Counterintelligence and Security Agency and the nearest field office of the FBI regarding
information coming to the contractor’s attention concerning actual, probable, or
possible:
o Espionage
o Sabotage
o Terrorism
o Subversive activities
Scenarios
Overview
Earlier in this course, you met Tim, Rachel, and Phyllis. Let’s review a briefing for each and explore
what, if anything, should be reported and to whom.
Rachel:
Targeted on social media
Worked late without approval
Asked coworker for files
Tim:
Personal stressors
Professional stressors
Financial stressors
Phyllis:
Seeking informaon without approval
Unauthorized use of ash drive
Foreign travel
Rachel: Briefing
Rachel is a federal government employee who was contacted via social media.
Since receiving the first message on social media, Rachel has received more messages asking
increasingly detailed questions about her work. What should she do?
Select the best response.
Answer their questions
Ignore the sender and block them
Self-report
Rachel: Feedback
Rachel needs to self-report the contact. People are targeted this way all the time.
In 2018, Henry Kyle Frese was contacted by a journalist via Twitter direct message. He failed to
report the journalist’s suspicious requests for national defense information. Instead, he accessed
information outside the scope of his job duties. For over a year, Frese passed classified information
to journalists and a potential romantic partner for personal gain. He was arrested in the fall of 2019
and was sentenced to 30 months in prison for the unauthorized disclosure of classified national
defense information to two journalists. To learn more, visit the course Resources to access a case
study about Frese.
Rachel: Reporting
Rachel knows she must self-report the unsolicited messages she received via social media. To whom
should she report?
Select the best response.
Report to her organizaon’s Insider Threat Program, security oce, or her supervisor.
Report to the media so they can warn the general public.
Report to her co-workers and her network provider.
Feedback: As a Federal employee, Rachel must report to her organization’s Insider Threat Program,
security officer, or her supervisor. If her co-workers are aware she was contacted, they are also
required to report it.
Tim: Briefing
Tim is a DOD employee. His coworker Maj. Montenegro is concerned about him. Tim is exhibiting
several potential risk indicators.
What should Maj. Montenegro do?
Select all that apply.
Don’t report it; it’s not his responsibility because it doesn’t pose an imminent threat.
Don’t report it; it’s not his responsibility because he doesn’t think it involves a foreign entity.
Report it; it’s everyone’s responsibility to report concerning behavior.
Tim: Feedback
Major Montenegro needs to report the concerning behavior so that it can be evaluated. It’s likely
Tim just needs some help and to be referred to his organization’s Employee Assistance Program.
Reporting helps people off a potential critical path to a more positive outcome.
Tim: Reporting
To whom should Maj. Montenegro report Tim’s concerning behavior?
Select the best response.
His supervisor
His organization’s Insider Threat Program
His security office
Feedback: DOD reporting procedures state to report to the organization’s Insider Threat Program.
[Vigilance video series clip]
Major Montenegro: Anyway, Marc, I just thought you should know what happened. Tim's a really
good guy. I have known him for about three years now. We played softball together. We've gone to
some concerts and stuff. He didn't get the lead programming position that he wanted and then he
broke up with his fiancée. I know he's had some financial problems and lately he's been working
some crazy hours. He's been really down. I really liked him, but I thought I should just report what
happened yesterday. Maybe you can cut him some slack?
Marc: Thanks, Major. I know you liked him. In fact, we all do that's why I'm so happy you came in to
talk to me today. Tim may be having some problems, but he's still a valued employee that we want to
help out during periods of stress or transition. Our agency has so many resources available to folks
whether they're struggling personally, professionally, or financially - most people don't even realize
that. Anyway, I will work with the insider threat team to assess the situation.
Major Montenegro: Insider threat? Wait a minute, I don't want to get Tim in any trouble.
Marc: The insider threat team isn't there to get anyone in trouble and we work together all the time
to improve security practices, increase awareness, and identify employees who may be at risk. Most
of the time we're able to resolve issues swiftly. Don't worry. Tim's in good hands and you did the right
thing by coming to me. But please, let's keep this between us. I don't want anyone to start rumors
about Tim.
Major Montenegro: Yes, sir. Thank you.
Phyllis: Briefing
Phyllis is an employee of a cleared defense contractor. Her coworkers have noticed several suspicious
behaviors from her.
What concerning behavior should Phyllis’ coworkers report?
Select all that apply.
Studying her co-worker’s computer screen over her shoulder
Using a flash drive
Asking her coworkers for the source code after the supervisor denied her request
Traveling to London and Cyprus without self-reporting
Phyllis: Feedback
All of these behaviors are concerning and should be reported by her coworkers.
In the rst example, Phyllis is aempng to covertly look at informaon on her co-workers
computer. Maybe she’s just being nosey, but without a need-to-know she shouldn’t be looking at all.
Anyone observing such behavior is required to report it. Removable storage devices should not be
connected to computers within a protected network unless prior approval has been granted. Seeking
to work around a supervisors denial of access to classied informaon must also be reported.
Finally, while there’s nothing wrong with traveling out of the country, persons with access to
classied informaon are required to self-report when they plan to travel overseas. Failing to do so
must also be reported.
Daniel Hale is a real-life insider threat. He was a DOD contractor who used technology to exltrate
naonal defense informaon. He purposefully disregarded the law and passed classied informaon
to journalists. Hale’s disclosure of classied documents resulted in the documents being published
and available for public view, to include by adversaries. Their disclosure could cause exceponally
grave damage to the United States. Hale pleaded guilty to retenon and transmission of naonal
defense informaon and was sentenced to 45 months in prison.
To learn more, visit the course Resources to access a case study about Hale.
Phyllis: Reporting
To whom should Phyllis’ coworkers report Phyllis’ concerning behavior?
Select all that apply.
Report to Phyllis’ supervisor.
Report to the facility Insider Threat Program Senior Official (ITPSO) or Facility Security Officer
(FSO).
Report directly to the FBI.
Feedback: The 32 CFR Part 117 NISPOM Rule states that contractors must report to their facility
Insider Threat Program Senior Official (ITPSO) or Facility Security Officer (FSO).
Wrap Up
[Vigilance narrator:] The risk posed by trusted insiders is real and substantial. From compromise of
classified information to devastating events resulting in loss of life, insider threats can have a
profound impact on national security.
[News announcer:] In Washington today, Applied Technologies confirmed an unauthorized disclosure
of information that could compromise the latest US drone avionics program and national security.
[Course narrator:] We are all responsible for security. If you encounter concerning behavior, you
must report it.
Conclusion
Summary
You have completed the Reporng Requirements lesson.
Lesson 5: Course Conclusion
Conclusion
Summary
This course familiarized you with insider threat and provided guidance on what to do if you suspect
that something is not right. It is up to all of us to be aware of potential signs and report what we see.
You are your organization’s first line of defense against someone who could do harm.
Conclusion
Congratulations! You have completed the Insider Threat Awareness course.
You should now be able to perform all of the listed activities.
Analyze a scenario and determine the vulnerabilities posed by insiders
Analyze a scenario and recognize concerning behavior
Analyze a scenario and apply the appropriate reporting procedures
To receive course credit, you must take the Insider Threat Awareness examination. Please use the
Security Training, Education, and Professionalization Portal (STEPP) system from the Center for
Development of Security Excellence to access the online exam.