Insider Threat Analyst Career Framework

A competency model for building, staffing, and maturing insider threat analysis programs
Built on the NIST NICE Framework (SP 800-181r1) Insider Threat Analysis work role.
Knowledge, skills & abilities (KSAs)
KSA tags: NICE Framework (Insider Threat Analysis) · InT-specific (custom) · Adjacent work role · Cross-cutting competencies · Digital employees (AI integration)
Certifications & training
Query & analysis languages
Conferences
Financial services sector intelligence sharing and peer networking.
National Cyber-Forensics & Training Alliance.
Defense Security Institute annual insider threat symposium.
Behavioral framework research and TTP knowledge base updates.
Annual summit. Community-driven, research-focused.
Threat Management Conference — behavioral threat assessment.
National Insider Threat SIG symposium and expo.
Recommended media
Daniel Kahneman
Cognitive biases and heuristic mistakes. If you read one book, read this.
Philip Houston, Michael Floyd, Susan Carnicero (former CIA)
Deception detection directly applicable to interviews.
Joe Navarro (former FBI)
Practical body language reading for interviews and elicitation.
Lena Sisco (former DoD interrogator)
The SISCO Method — strategic, rapport-based, non-accusatory interviewing.
Kevin Mitnick
Social engineering from the source. How trust is exploited.
Evidence preservation methodology for open source investigations.
Patrick Van Horne & Jason A. Riley
Combat profiling for threat detection. Reading baselines and anomalies.
Threat landscape in 20 min/day.
Daily technical brief.
Narrative cybersecurity. Several insider threat episodes.
Physical pentesting, social engineering, insider threats.
Social engineering and OSINT with practitioners.
Spy Game (2001). Film, directed by Tony Scott.
"All you really need is a stick of gum, a pocket knife, and a smile." Required viewing.
Snowden (2016). Film, directed by Oliver Stone.
Study the methods, access patterns, and program gaps.
Film, directed by Michael Mann.
Whistleblower dynamics. The gray area between threat and courage.
Mr. Robot (2015–2019). TV series.
Social engineering done right on screen.
Lie to Me (2009–2011). TV series, starring Tim Roth.
Micro-expression analysis dramatized. Entertaining primer on nonverbal deception detection.
Governance
A cross-functional body (CISO, legal, HR, physical security, compliance) sets priorities and resolves jurisdiction. CMU SEI Best Practice 19: cross-organizational engagement.
A relationship structure, not a room: permanent liaisons with physical security, HR, legal, talent acquisition (TA), training, and IT operations. NITTF minimum standards require cross-functional participation.
Privacy safeguards: anonymized output until the investigation threshold is met, auditable analyst access, periodic reviews, and clear trigger policies. MITRE's guiding principles address oversight directly.
DLP is one data source, not the program. SIFMA 3rd ed. benchmarking shows 90% of programs go beyond DLP; mature programs add UEBA, SIEM, physical security, HR, and behavioral data.
Ethics & accountability
Access discipline
Never access data without documented justification. "Curiosity" is not justification. Your own access logs are audited.
Confidentiality
Become a black hole for secrets. Information flows in and doesn't leak. This reputation takes years to build and seconds to destroy.
Objectivity
Follow evidence, not assumptions. Confirmation bias is the analyst's greatest enemy. See: Analytical rigor section below.
Oversight
"Watch the watchers" is a feature, not an insult. Welcome audits of your own activity. Model the behavior you monitor for.
Analytical rigor — biases, fallacies & heuristic mistakes

Insider threat analysis is high-stakes, low-base-rate work. The biases that trip us up aren't exotic — they're the ones we use every day without noticing. Training on these is not optional.

Cognitive biases: confirmation bias, anchoring, availability heuristic, fundamental attribution error, hindsight bias, base rate neglect. CIA's Psychology of Intelligence Analysis (Richards J. Heuer Jr.) is the foundational text; free PDF.
Structured analytic techniques: Analysis of Competing Hypotheses (ACH), devil's advocacy, red team analysis, key assumptions check. Formal methods to counter groupthink and tunnel vision.
Logical fallacies: affirming the consequent, false equivalence, appeal to authority, post hoc ergo propter hoc. Harvard offers free courses on reasoning and decision-making.
Heuristics: Kahneman's System 1/System 2 framework. Substitution, representativeness, WYSIATI (what you see is all there is). Understanding how your own brain takes shortcuts explains how an analyst reaches wrong conclusions about insider behavior.

Free training: Harvard — Making Sense of Data · CIA — Psychology of Intelligence Analysis (PDF) · Coursera — Critical Thinking

Communication & reporting
Executive summaries
One page, plain language, risk-focused. Board members and GCs read these. If they don't understand it, it doesn't exist for decision-making purposes.
Detailed case reports
Evidence-backed, methodical, defensible. Timeline, artifacts, analysis, conclusions. Assume every report could end up in front of a judge.
Technical translation
Explaining DNS exfiltration to an HR director. Describing UEBA risk scores to a general counsel. This is a skill that must be practiced, not just known.
Behavioral models & research
Whole-person triage: Role, Character, Stressors, Behaviors, Considerations. Evidence-based thinking tool from MITRE behavioral scientists.
300+ potential risk indicators with weighting and decay. The most extensive behavioral indicator taxonomy; includes organizational vulnerability factors.
Critical Pathway (Shaw)
Progression from predispositions through stressors to attack. Historical context and useful conceptual starting point. Increasingly debated as deterministic — treat as one lens, not the model.
3,000+ real insider threat cases. IP theft, sabotage, fraud, espionage, unintentional. The empirical foundation under most of the field's best practices.
Frameworks
Adversary TTPs. Insiders already have legitimate access, so understand how their tactics differ from those of external adversaries.
47 techniques and 29 sub-techniques validated from real cases, plus Observable Human Indicators (OHIs). Evidence-based, not hypothetical.
Defensive technique to ATT&CK mapping. Useful for detection engineering and coverage gap analysis.
Identify / Protect / Detect / Respond / Recover (NIST CSF; version 2.0 adds Govern). SIFMA structures its insider threat guidance around this framework, and many member organizations already use it.
Knowledge management
Tools (vendor-agnostic)
Project tracking (Jira, ADO), knowledge bases (Confluence, Obsidian, BookStack), case management, document management. Agile methodology awareness for managing detection engineering backlogs.
Learn from Past Incidents. After-action reviews, case libraries, detection rule documentation, runbook maintenance. Program value compounds only if knowledge is captured and shared.
Emerging threats
DPRK IT workers
Stolen identities used to obtain remote jobs. Requires talent acquisition (TA) integration, identity verification, and combined behavioral and technical indicators.
Overemployment
Undisclosed multiple positions: conflicts of interest (COI), IP exposure, performance degradation.
Work avoidance
Mouse movers, keyboard weights, IP-KVMs, keep-awake scripts, solo Zoom meetings. Covers detection and the case lifecycle.
AI-powered threats
Deepfakes, LLM-assisted exfiltration planning, AI-generated pretexts. Uncharted governance territory.
Employment fraud
Fabricated credentials, hiring ID theft, contractor substitution.
Sentiment analysis
LLM-powered communication analysis. Emerging, with major privacy implications.
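The work-avoidance entry above names the gadgets but not the detection. As an added example, not code from the original page, the interval-regularity check a practitioner would run over input telemetry: a mouse jiggler or keep-awake script emits events at a near-constant cadence and reuses a handful of movement vectors, while human input is irregular in both. The event format, the constructed sessions, and the thresholds are assumptions for illustration; the same test applies to the periodic key events a keyboard weight or keep-awake script produces.

```python
import random
from statistics import mean, pstdev


def constructed_sessions(seed=7):
    """Constructed input telemetry: lists of (timestamp_s, dx, dy) mouse-move events."""
    rng = random.Random(seed)
    human, t = [], 0.0
    for _ in range(200):
        t += rng.expovariate(1 / 0.8)            # irregular gaps, about 0.8 s on average
        human.append((round(t, 3), rng.randint(-40, 40), rng.randint(-40, 40)))
    jiggler, t = [], 0.0
    for i in range(200):
        t += 30.0                                # fixed 30 s cadence
        jiggler.append((round(t, 3), 1 if i % 2 == 0 else -1, 0))  # 1 px wiggle back and forth
    return {"human": human, "jiggler": jiggler}


def automation_features(events):
    """Two cheap features: regularity of inter-event gaps and variety of movement vectors."""
    ts = [e[0] for e in events]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps) if gaps else 0.0
    interval_cv = pstdev(gaps) / avg if avg > 0 else 0.0   # coefficient of variation
    distinct_ratio = len({(dx, dy) for _, dx, dy in events}) / len(events)
    return {"interval_cv": round(interval_cv, 3),
            "distinct_vector_ratio": round(distinct_ratio, 3)}


def looks_automated(events, cv_max=0.05, distinct_max=0.05):
    """Assumed thresholds: near-constant cadence AND very few distinct vectors."""
    f = automation_features(events)
    flagged = f["interval_cv"] <= cv_max and f["distinct_vector_ratio"] <= distinct_max
    return flagged, f


if __name__ == "__main__":
    for name, events in constructed_sessions().items():
        print(name, looks_automated(events))
```

Both features are required together: a user who genuinely idles and nudges the mouse every few minutes will have varied vectors, and a drawing application can produce repeated vectors at irregular intervals. A flag here opens a case, it does not close one.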
Tooling (vendor-agnostic)

UEBA (behavioral analytics): User & Entity Behavior Analytics. Baselines normal activity and flags anomalies in access patterns, peer deviations, and risk scoring. Core detection engine for insider threat.
UAM (activity monitoring): User Activity Monitoring. Keystrokes, screenshots, app usage, file operations. Raw telemetry for UEBA. Privacy-sensitive; governance is critical.
DLP (data loss prevention): Monitors and controls data movement with policy-based alerts and blocks. Starting point for most programs; one source, not the whole program.
EDR (endpoint detection): Host-level monitoring of processes, file changes, and connections. Forensic telemetry and containment.
SIEM (log aggregation): Aggregates all log sources with correlation queries and alerting. Query languages such as SPL (Splunk), KQL (Microsoft Sentinel) and Lucene (Elastic). The analyst's primary workbench.
SOAR (orchestration): Automates enrichment, triage, and response. Reduces analyst toil on repetitive tasks.
PAM (privileged access): Controls and audits elevated access. Session recording, just-in-time (JIT) access, credential vaulting. Critical for admin monitoring.
IAM (identity & access): AD, Entra ID, SSO, MFA, access reviews. Who has access to what, and is it still justified?
PCAP (packet capture): Network traffic capture for forensics. Reconstruct sessions, extract files. What actually went over the wire.
Sandbox (file analysis): Detonate suspicious files and URLs in isolation. Used when insiders introduce unauthorized tools.
SPJ (risk assessment): Structured Professional Judgment. RAGE-V (ATAP), WAVR-21, HCR-20. Evidence-based behavioral assessment.
Case management (investigation tracking): Intake to closure. Evidence chain, tasks, timelines, reporting.

Code recognition: identify Python, Bash, PowerShell, JavaScript, Java, C/C++ in logs and investigations.

OSINT
Training
OPSEC
Non-attributable accounts, managed attribution, throwaway infrastructure.
Evidence preservation
Forensic methodology: screenshots with metadata, archiving, and hashing for chain of custody.
Social media
Publicly available information (PAI) collection tooling and guardrails. Legal and ethical boundaries.
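The evidence preservation item above, and the media entry on evidence preservation methodology for open source investigations, name hashing for chain of custody without showing it. As an added example, not the page's own code, a manifest builder and verifier: every collected file is SHA-256 hashed with its size and modification time, the case ID and collector are recorded, the item list itself is hashed, and a later verification re-hashes everything and reports missing or altered files. The case identifier, collector name, directory layout and sample files are constructed for illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large captures need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(evidence_dir, case_id, collector, source_note):
    """Hash every file under evidence_dir and record who collected it and when."""
    evidence_dir = Path(evidence_dir)
    items = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file() and p.name != "manifest.json":
            st = p.stat()
            items.append({
                "path": p.relative_to(evidence_dir).as_posix(),
                "sha256": sha256_file(p),
                "size": st.st_size,
                "file_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    manifest = {
        "case_id": case_id,              # assumed case identifier scheme
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "source_note": source_note,
        "items": items,
        # Hash of the item list, so the manifest itself can be countersigned or logged.
        "items_sha256": hashlib.sha256(json.dumps(items, sort_keys=True).encode()).hexdigest(),
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash the files; return (ok, problems) listing missing or altered evidence."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    problems = []
    for item in manifest["items"]:
        p = evidence_dir / item["path"]
        if not p.is_file():
            problems.append(f"missing: {item['path']}")
        elif sha256_file(p) != item["sha256"]:
            problems.append(f"hash mismatch: {item['path']}")
    recomputed = hashlib.sha256(json.dumps(manifest["items"], sort_keys=True).encode()).hexdigest()
    if recomputed != manifest["items_sha256"]:
        problems.append("manifest item list altered")
    return not problems, problems


def demo():
    """Constructed evidence set: build a manifest, then alter one file after collection."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "profile_page.html").write_text("<html>constructed capture</html>")
        (d / "screenshot_meta.txt").write_text(
            "url=https://example.invalid/u/123 captured=2024-03-04T22:10Z\n")
        build_manifest(d, "INT-2024-0042", "analyst.a", "PAI capture, constructed example")
        before = verify_manifest(d)
        (d / "profile_page.html").write_text("<html>edited after collection</html>")
        after = verify_manifest(d)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest proves integrity, not authenticity: it shows the files have not changed since collection, not that the capture was faithful. Record the capture tooling and the time source in the source note, and store a copy of the manifest (or at least its items hash) outside the evidence directory, since an adversary who can edit the evidence can edit a manifest sitting beside it.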
Study references
Common Sense Guide, 7th ed. Start here.
Minimum standards, maturity framework.
Best Practices Guide, 3rd ed. (2024). Financial services.
Free courses, Insider Threat Program Manager (ITPM) certificate, insider threat toolkit.
Threat assessment professionals. SPJ tools.
Vendor research with methodology value.
CompTIA Security+, Network+, CySA+. Foundational.
Cross-sector training and intel sharing.
Case management, frameworks, networking.
Webinars from leading researchers.
Adjacent roles
Incident responder · Digital forensics · Cybersecurity analyst · Threat intelligence · Counterintelligence · Physical security · HR investigations · Legal / compliance · Fraud investigator

Adjacent roles follow the NICCS work role descriptions; their KSAs are tagged as adjacent in the KSA list.
