Insider Threat Analyst Career Framework

A competency model for building, staffing, and maturing insider threat analysis programs
MVP 1.0
Knowledge, skills & abilities
Certifications & training
Query & analysis languages

Code literacy: Identify Python, Bash, PowerShell, JavaScript, Java, C/C++ in logs and investigations. You don't need to write code — you need to recognize it when it appears in evidence. Codecademy · freeCodeCamp · Harvard CS50

Conferences
🏦 Financial services sector intelligence sharing and peer networking. Annual summit (fall) + regional events worldwide. Americas, EMEA, APAC tracks.
🔬 National Cyber-Forensics & Training Alliance. Cross-sector intel sharing with FBI, USSS, and private sector. Pittsburgh-based, ongoing events.
🛡 Defense Security Institute annual insider threat symposium. Government and cleared contractor focused. Typically spring.
🎯 Behavioral framework workshops, TTP KB updates, practitioner roundtables. Invitation-based and open sessions throughout the year.
🤝 Annual summit (typically September — National Insider Threat Awareness Month). Community-driven, research-focused, open to all sectors.
🧠 Threat Management Conference. Behavioral threat assessment, SPJ tools, case studies. Annual (typically August). Worldwide membership.
📡 National Insider Threat SIG symposium and expo. Cross-sector practitioner community. Annual event + ongoing SIG meetings.
🇪🇺 EU Agency for Cybersecurity. Annual conference (October), working groups, EMEA threat landscape reports. GDPR-centric insider risk coverage.
🇬🇧 UK National Protective Security Authority (formerly CPNI). Personnel security guidance, insider risk workshops, UK/Five Eyes focus.
Recommended media
Daniel Kahneman
Cognitive biases and heuristic mistakes. If you read one book, read this.
Spy the Lie ★ 3.89 GR
Philip Houston, Michael Floyd, Susan Carnicero (former CIA)
Deception detection directly applicable to interviews.
Joe Navarro (former FBI)
Practical body language reading for interviews and elicitation.
Lena Sisco (former DoD interrogator)
The SISCO Method — strategic, rapport-based, non-accusatory interviewing.
Kevin Mitnick
Social engineering from the source. How trust is exploited.
Left of Bang ★ 4.08 GR
Patrick Van Horne & Jason A. Riley
Combat profiling for threat detection. Reading baselines and anomalies.
Joe Payne, Jadee Hanson, Mark Wojtasiak (Code42)
Why insider risk is the biggest cyber threat you can't ignore. Practical, program-level perspective from practitioners.
Kevin Mitnick
How humans are the weakest link. Social engineering playbook from the inside.
Ghost in the Wires ★ 3.97 GR
Kevin Mitnick
Mitnick's own story. Access, trust, lateral movement — before those were buzzwords.
Richards J. Heuer Jr. (CIA)
The foundational text on cognitive biases in analysis. Free from CIA. Chapter 8 (ACH) is the single most important chapter for insider threat analysts.
Cynthia Grabo
Strategic warning analysis. Pattern recognition across weak signals — directly applicable to insider threat indicator correlation.
True Believer ★ 3.86 GR
Scott Carmichael (DIA)
The investigation and capture of Ana Montes, Cuba's master spy inside DIA. First-person counterintelligence case study.
Bessel van der Kolk
How trauma reshapes the body and brain. Essential for anyone in chronic-stress fields. See also: ♡ Analyst Wellness
Threat landscape in 20 min/day.
Daily technical brief.
Narrative cybersecurity. Several insider threat episodes.
Physical pentesting, social engineering, insider threats.
Social engineering and OSINT with practitioners.
Spy Game (2001) ★ 7.0 IMDb (criminally underrated)
Film Tony Scott
"All you really need is a stick of gum, a pocket knife, and a smile." Required viewing.
Snowden (2016) ★ 7.3 IMDb
Film Oliver Stone
Study the methods, access patterns, and program gaps.
The Insider (1999) ★ 7.8 IMDb
Film Michael Mann
Whistleblower dynamics. The gray area between threat and courage.
Mr. Robot (2015–2019) ★ 8.5 IMDb
TV
Social engineering done right on screen.
Lie to Me (2009–2011) ★ 7.9 IMDb
TV Tim Roth
Micro-expression analysis dramatized. Entertaining primer on nonverbal deception detection.
The Inside Man (series) (free signup req'd)
Web series Code42
Dramatized insider threat scenarios. Short episodes, good for team training and awareness.
Breach (2007) ★ 7.0 IMDb
Film Billy Ray
Robert Hanssen case. The definitive insider threat film — espionage, access, compartmentalization failure.
The Americans (2013–2018) ★ 8.4 IMDb
TV FX
KGB illegals embedded as Americans. Long-game insider placement, dual-life psychology, recruitment tradecraft. Outstanding character study of ideological motivation.
Zero Days (2016) ★ 7.7 IMDb
Doc Alex Gibney
Stuxnet documentary. Cyber-physical sabotage via insider-like access. The convergence of nation-state capability and industrial control systems.
Doc DIA
DIA training video on Ana Montes — Cuba's spy inside the Pentagon for 17 years. See also: Carmichael's True Believer (books tab).
Aldrich Ames: Traitor Within (1998) ★ 6.0 IMDb
Film Timothy Hutton
CIA counterintelligence chief selling secrets to the KGB. Financial indicators, lifestyle changes, access abuse — textbook insider threat case.
Official MITRE walkthrough of the Insider Threat TTP Knowledge Base v2.0. Free, foundational.
SANS webcasts and summit recordings. Detection engineering, case studies, tooling deep-dives.
CMU Software Engineering Institute talks on insider threat case analysis and best practices.
Free video courses and interactive scenarios from the Center for Development of Security Excellence.
Former FBI agent's YouTube talks on nonverbal communication. Directly applicable to interviews.
Google career certificate overview. Network security, Linux, SQL, Python, SIEM, IDS. Free foundational program.
🏛 Governance
Cross-functional (CISO, legal, HR, physsec, compliance). Sets priorities, resolves jurisdiction. CMU SEI: 13 key elements of a program, starting with governance.
A relationship structure, not a room. Centrally managed analysis and response capability integrating CI, security, HR, legal, IA, and law enforcement sources. CDSE training catalog
When does an inquiry become an investigation? When does it go to law enforcement? Governance defines thresholds, authorities, and handoff procedures. NITTF standards and resources for program structure.
One data source, not the program. SIFMA 3rd ed. benchmarking shows 90% of programs go beyond DLP. Mature programs add UEBA, SIEM, physsec, HR, behavioral. Microsoft DLP planning
⚖️ Ethics & accountability
Never access data without documented justification. "Curiosity" is not justification. Your own access logs are audited. CMU SEI Best Practices 7–8: stringent access controls and privileged user monitoring.
Become a black hole for secrets. Information flows in and doesn't leak. This reputation takes years to build and seconds to destroy. ASIS Code of Ethics addresses investigator confidentiality obligations.
Follow evidence, not assumptions. Confirmation bias is the analyst's greatest enemy. Heuer's Psychology of Intelligence Analysis (free CIA PDF) is the foundational text on analytical objectivity.
"Watch the watchers" is a feature, not an insult. Welcome audits of your own activity. Model the behavior you monitor for. MITRE's guiding principles address program oversight directly.
🔍 Personnel vetting & screening
Free, actionable recommendations for pre-hire vetting. Onboarding, background screening, and suitability determination — one of the first steps in mitigating insider threats.
Research-driven approach to candidate vetting. Current background investigation methods were built from anecdotes, not data — MITRE is developing validated behavioral indicators for hiring decisions.
UK National Protective Security Authority. Role-based risk assessment, national security vetting levels, ongoing personnel security. Five Eyes perspective.
Reid's integrity interview and behavior analysis interview (BAI) for hiring. Separate from investigative interrogation — focused on detecting deception and assessing suitability during the hiring process.
🧠 Analytical rigor — biases, fallacies & heuristic mistakes

Insider threat analysis is high-stakes, low-base-rate work. The biases that trip us up aren't exotic — they're the ones we use every day without noticing. Training on these is not optional.

Confirmation bias, anchoring, availability heuristic, fundamental attribution error, hindsight bias, base rate neglect. Interactive Cognitive Bias Codex — click any bias for explanation. Heuer: Psychology of Intelligence Analysis (free CIA PDF)
Analysis of Competing Hypotheses (ACH), devil's advocacy, red team analysis, key assumptions check. Formal methods to counter groupthink and tunnel vision.
Affirming the consequent, false equivalence, appeal to authority, post hoc ergo propter hoc. Harvard's free critical thinking course covers argument structure, reasoning, and bias identification.
Kahneman's System 1/System 2 framework. Substitution, representativeness, WYSIATI (what you see is all there is). Interactive fallacy reference — rollover each icon for examples of how your brain shortcuts lead to wrong conclusions.

Free training: Harvard — Critical Thinking & Argument · CIA — Psychology of Intelligence Analysis (PDF) · Coursera — Critical Thinking

📝 Communication & reporting
One page, plain language, risk-focused. "Writing for Impact" by a Fortune 100 CISO — free guide to security exec summaries that get read and acted on. SANS: writing better security reports
Evidence-backed, methodical, defensible. Timeline, artifacts, analysis, conclusions. Assume every report could end up in front of a judge. SANS DFIR report writing
Explaining DNS exfiltration to an HR director. Describing UEBA risk scores to a general counsel. UpGuard's guide walks through structure, audience, and tone for security reporting to non-technical readers.
ICD 203 analytic tradecraft standards applied to defense intelligence. SALUTE, INTSUM, SITREPs — structured formats that reduce ambiguity and improve handoff quality. ICD 203 full text (PDF)
🔍 Behavioral models & research
Whole-person triage: Role, Character, Stressors, Behaviors, Considerations. Evidence-based thinking tool from MITRE behavioral scientists.
300+ potential risk indicators with weighting and decay. Most extensive behavioral indicator taxonomy. Includes organizational vulnerability factors.
CPIR: predispositions → stressors → concerning behaviors → attack. 2,500+ practitioners trained. CPIR-I field screening tool. CIA Studies in Intelligence (2015) · CPIR certification
3,000+ real insider threat cases. IP theft, sabotage, fraud, espionage, unintentional. The empirical foundation under most of the field's best practices.
Steve Crimando, MA, CTM. Behavioral threat management, targeted violence prevention, crisis intervention. DHS NTER Certified Master Instructor. ATAP, ASIS EPIC. Deployed to both WTC attacks. Risk & Resilience Hub
Monthly one-pager from DCSA's Behavioral Threat Analysis Center. Radicalization, psychological risk factors, reasonable accommodations, stressor-behavior pathways. Subscribe: dcsa.quantico.dcsa.list.ditmac-sme@mail.mil
🗂 Frameworks
Adversary TTPs. Insiders already have legitimate access — understand how tactics differ from external adversaries.
47 techniques, 29 sub-techniques validated from real cases. Observable Human Indicators (OHIs). Evidence-based, not hypothetical.
Defensive technique → ATT&CK mapping. Useful for detection engineering and coverage gap analysis.
Identify / Protect / Detect / Respond / Recover. SIFMA structures their insider threat guidance around this framework. Many member orgs already use it.
📐 The analyst's value chain (DIKW)
Data → Information → Knowledge → Wisdom ↑ YOU ARE HERE
Wisdom — Actionable recommendations to leadership. Your judgment delivers it. This is the analyst's irreplaceable value.
Knowledge — Contextualized analysis: who, what, why, how bad. Your investigation builds it.
Information — Parsed events, correlated alerts, DLP triggers. Your detections produce it.
Data — Raw logs, telemetry, badge swipes. Your SIEM ingests it.
📚 Knowledge management
Project tracking (Jira, ADO), knowledge bases (Confluence, Obsidian, BookStack), case management, document management. Agile methodology awareness for managing detection engineering backlogs.
Learn from Past Incidents. After-action reviews, case libraries, detection rule documentation, runbook maintenance. Program value compounds only if knowledge is captured and shared.
📊 Audit & maturity measurement

You can't improve what you don't measure. These frameworks provide structured approaches to assessing program maturity, identifying gaps, and building evidence-based roadmaps for improvement.

Free self-assessment tool built with CMU SEI. Maturity Indicator Levels (MIL 0-5) across three domains: Program Management, Threat Detection, and Response. Fillable PDF, no cost. Start here.
Global Technology Audit Guide for internal auditors. Frameworks from CMU SEI, NIST, INSA. Bridges insider threat programs and internal audit — a critical stakeholder relationship. Free for IIA members.
19 maturity elements aligned to NITTF Minimum Standards. Designed for federal but applicable to private sector. Maps capability progression from basic to optimized.
Professional certificate covering ITVA, ITPE, IRMPE, and GQIM methodologies. 3 courses + 65-question exam (80% pass). The premier maturity measurement credential.
"The Design and Implementation of an Insider Threat Maturity Model," Counter-Insider Threat Research and Practice. Academic rigor applied to maturity modeling. Google Scholar
Open-source insider threat program framework and maturity assessment on GitHub. Trade secret readiness, detection maturity, program structure. Practical and community-maintained. By Tim Schnurr (LeastTrust).
Annual Data Breach Investigations Report. Insider misuse pattern, privilege abuse, data mishandling. Independent benchmark for board-level context alongside Ponemon cost data.
CMU SEI Resilience Management Model. 26 process areas integrating security, business continuity, and IT ops. Capability-focused maturity for operational resilience. Complements IRMPE.
The legal foundation. EO 13587 (Oct 2011) created the NITTF. Presidential Memorandum (Nov 2012) established minimum standards for all executive branch agencies. Prompted by Manning/WikiLeaks. Full text (FAS)
Emerging threats
Stolen identities for remote jobs. TA integration, identity verification, behavioral + technical indicators. Google GTIG · Nisos
Undisclosed multiple positions. COI, IP exposure, performance degradation. This is where the practitioners are.
Mouse movers, keyboard weights, IP-KVMs, keepawake scripts, solo Zoom. Detection & case lifecycle.
Deepfakes, LLM-assisted exfil planning, AI pretexts. Uncharted governance territory.
Fabricated credentials, hiring ID theft, contractor substitution. NBC/Nisos investigation (Mar 2026).
Wearable exfiltration — live-streaming boardrooms, photographing screens without touching a device. LED indicators can be disabled. 7M+ sold 2025. Legal analysis (4-part)
Unsanctioned AI tools processing sensitive data through personal accounts. Adoption outpacing governance. AI agents amplifying risk.
Threat actors actively recruiting employees via Telegram, Signal, dark web. 91K+ instances observed in 2025. Telecoms, finance top targets.
🤖 Digital employees (AI integration)

AI is reshaping insider threat operations at every level — from automated triage to behavioral modeling to workforce planning. "Digital employee" isn't metaphor; it's how mature programs think about AI agents that augment analyst capacity.

AI in the insider threat toolkit
UEBA/RBA models — risk scoring, peer-group baselines, anomaly detection. The core ML engine. Exabeam explainer · Gartner Market Guide
LLM-assisted triage — automated alert summarization, timeline generation, natural language queries across logs. DTEX i³ research · Anthropic research
Deepfake detection — identity verification for remote workers, interview authenticity, document analysis. NIST FRTE/FATE · DHS S&T Digital Forgeries (PDF)
Governance challenges — algorithmic bias, model explainability, privacy of behavioral monitoring, regulatory uncertainty. NIST AI RMF · EU AI Act
Tooling (vendor-agnostic)

CASB (Cloud access broker): Cloud Access Security Broker. Visibility into SaaS/IaaS usage, shadow IT discovery, data movement controls. Essential as work shifts to cloud.
Case mgmt (Investigation tracking): Intake to closure. Evidence chain, tasks, timelines, reporting.
Comms (Communications monitoring): Email, chat, messaging analysis. Sentiment and keyword detection. LLM-powered analysis emerging but major privacy/legal implications. Governance-heavy — legal review required before deployment.
CSPM (Cloud security posture): Cloud Security Posture Management. Misconfig detection, compliance monitoring, risk prioritization across cloud environments. Wiz, Prisma Cloud, Orca.
Data classification (Sensitivity labeling): Discovers and labels sensitive data across repos, shares, cloud, endpoints. Enables DLP policy precision. Varonis, Spirion, Microsoft Purview.
Deception (Honeypots & canaries): Decoy files, credentials, and systems that only trigger when accessed by insiders. Zero false-positive detection. Canary tokens, Thinkst Canary.
DLP (Data loss prevention): Monitors/controls data movement. Policy-based alerts and blocks. Starting point for most programs — one source, not the whole program.
EDR (Endpoint detection): Host-level monitoring — processes, file changes, connections. Forensic telemetry and containment.
Forensic imaging (Disk & memory): Bit-for-bit acquisition and analysis of endpoints. Chain of custody, dead-box and live acquisition. FTK, EnCase, Autopsy.
GRC (Governance & compliance): Governance, Risk, and Compliance platforms. Policy management, audit trails, regulatory mapping. ServiceNow GRC, Archer, OneTrust.
IAM (Identity & access): AD, Entra ID, SSO, MFA, access reviews. Who has access to what — and is it still justified?
NDR (Network detection): Network Detection & Response. Behavioral analytics on network traffic, lateral movement detection, encrypted traffic analysis. Vectra, ExtraHop, Darktrace.
PAM (Privileged access): Controls/audits elevated access. Session recording, JIT access, credential vaulting. Critical for admin monitoring.
PCAP (Packet capture): Network traffic capture for forensics. Reconstruct sessions, extract files. What actually went over the wire.
Sandbox (File analysis): Detonate suspicious files/URLs in isolation. Used when insiders introduce unauthorized tools.
SIEM (Log aggregation): Aggregates all log sources, correlation queries, alerting. SPL/KQL/Lucene. The analyst's primary workbench.
SOAR (Orchestration): Automates enrichment, triage, response. Reduces analyst toil on repetitive tasks.
SPJ (Risk assessment): Structured Professional Judgment. RAGE-V (ATAP), WAVR-21, HCR-20. Evidence-based behavioral assessment.
TIP (Threat intel platform): Aggregates, correlates, and operationalizes threat intelligence. STIX/TAXII, indicator management, enrichment. Anomali, MISP, ThreatConnect.
UAM (Activity monitoring): User Activity Monitoring. Keystrokes, screenshots, app usage, file ops. Raw telemetry for UEBA. Privacy-sensitive; governance critical.
UEBA (Behavioral analytics): User & Entity Behavior Analytics. Baselines normal, flags anomalies — access patterns, peer deviations, risk scoring. Core detection engine for insider threat.
Where to start

Start with your SIEM. Learn the query language (SPL, KQL, or Lucene). Get comfortable with your EDR console. Layer DLP data as a source, not a program. Beyond tools, build sysadmin and network fundamentals — IAM, data movement patterns, privilege escalation paths. The tools change every budget cycle; the concepts don't.

Maturity-based guidance

Minimum viable toolstack: SIEM + EDR + DLP + IAM + case management. Cover detection, protection, and tracking with what you have.
Growing program: Add UEBA, UAM, PAM, CASB, a TIP, and structured risk assessment. This is where behavioral analytics transform your program.
Mature additions: NDR, CSPM, data classification, deception, SOAR, comms monitoring, forensic imaging. Layer these when you have the staff to operate them.
Open-source starter stack: Elastic SIEM + Wazuh (EDR) + TheHive (case mgmt) + MISP (TIP). Production-grade and zero licensing cost — just bring ops time.

🔎 OSINT — Open Source Intelligence

The collection and analysis of publicly available information to produce actionable intelligence. OSINT is a discipline, not a Google search — it requires methodology, legal awareness, evidence preservation, and operational security.

Academic certificate program. Also: Bellingcat, SANS SEC487/587, Covert Access Team.
Forensic-grade web capture for investigations. Chrome extension by Ritu Gill (RCMP veteran). Court-defensible evidence preservation, timestamped hashing, subject dossiers.
The "OSINT Bible." Categorized directory of 30+ categories of free tools and resources. Wikipedia for background.
Hetherington's CRAWL method (Communicate, Research, Analyze, Write, Listen). Accredited training for corporate security, government, law enforcement. Preps for OSMOSIS OSC exam.

⚠ OPSEC reminder: OSINT investigations require managed attribution (non-attributable accounts, VPNs, separate infrastructure). Your collection activity is itself observable. Sock puppet hygiene, legal boundaries, and evidence preservation methodology are not optional — they're prerequisites. Covered in SANS SEC487, Tulane cert, and OSINT Academy.

🏛️ Standards, government & professional bodies
Threat assessment professionals. SPJ tools.
Free courses, ITPM cert, insider threat toolkit.
Central landing page for all CISA insider threat resources — mitigation guide, IRMPE self-assessment, fact sheets, training. Includes the Mitigation Guide. Bookmark this.
Common Sense Guide, 7th ed. Start here.
Insider Incident Data Exchange Standard. JSON schema for standardized case data collection and sharing. Open source, v1.0.
Sec+, Net+, CySA+. Foundational.
Cyberspace Workforce Qualification & Management Program. Defines cert/training requirements by DCWF work role and proficiency level. Qualification matrices
Cybersecurity Maturity Model Certification. Required for defense contractors. Insider threat monitoring expectations increase with tier.
Financial Services Information Sharing and Analysis Center. Sector-specific threat intelligence, insider threat working group, peer networking. Global membership.
Auditing Insider Threat Programs. Bridges insider threat and internal audit using CMU SEI, NIST, INSA frameworks. Free for IIA members.
Insider threat white paper series. Measuring effectiveness, cross-sector collaboration. Government–private sector bridge.
Global ISMS standard. 93 controls across 4 themes. Annex A includes insider-relevant controls.
Cross-sector training and intel sharing.
Minimum standards, maturity framework.
Association for OSINT Professionals. OSMOSISCon, OSC certification, tools directory, peer networking.
Secure Controls Framework. Free metaframework — 1,300+ controls mapped to 100+ laws/standards. AI governance controls added 2025.
Best Practices Guide, 3rd ed. (2024). Financial services. Free PDF.
🤝 Communities of practice
250+ members, 130+ organizations. The primary research and information-sharing community for practitioners building insider threat programs.
Internet Crime Complaint Center. Reporting channel and intelligence products for cyber-enabled crime including insider threats.
FBI's largest public-private partnership. 36,000+ members, 70+ local chapters. Free membership, threat briefings, local networking.
Case management framework, structured methodologies, and practitioner networking. Companion resource — where career competencies meet operational practice.
Webinars from leading researchers.
Insider Risk Practitioner Alliance (formerly FIRPA). Five Eyes alliance connecting practitioner communities across Australia, Canada, and the US. Houses three Centres of Excellence: AIR CoE · C-InRM CoE · US InRM CoE
National Insider Threat SIG. Information sharing and analysis since 2014. Annual symposium and expo.
Secret Service Electronic Crimes Task Forces. Financial crimes, cyber investigations, public-private partnerships.
🔬 Research & vendor intelligence
Trade secret protection & insider threat prevention news. Curated case law, litigation, and policy developments.
Insider risk research, investigations, and threat advisories. Vendor research with methodology value.
Track the evidence base. Robinson (Purdue, 2025), Stewart & Handy (KCL, 2024), Shaw (CPIR), Greitzer (SOFIT).
Cost of Insider Risks (annual). 2025: $17.4M avg cost, 81-day containment, 55% negligence-driven. The benchmark study.
Threat reports, human risk research, DLP and insider threat perspectives. Also offers free AI security certifications.
Pre-built insider threat detection analytics — SPL searches, data sources, MITRE mappings. Free, open.
DoD UARC for intelligence & security. Insider risk research, GCITP certification, MIROR journal, RISC internships.
936 US legal cases analyzed for TTP trends (2008-2024). Evidence-based detection criteria for programs building rulesets and personas.
DoD Insider Threat Management & Analysis Center. Behavioral Threat Analysis Center (BTAC) provides case-specific recommendations. Monthly BTAC Bulletin + Beyond the Bulletin podcast
🎓 Training platforms & online learning
Center for Development of Security Excellence. Free insider threat training, ITPM certification, security fundamentals. No cost, government-backed.
InT Concepts (3hr, online), Building an InT Program (7hr, online), InT Analyst (3-day, classroom), IRM-MoE certificate. The practitioner gold standard.
SEC487 (OSINT), SEC504 (hacker techniques), FOR500 (Windows forensics), MGT521 (security leadership). Premium but industry-defining. GIAC certifications.
Investigation Theory — one of the best holistic analyst training programs. Applied Network Defense courses. Practical, scenario-driven, builds investigative thinking not just tool skills.
Prompt injection CTF. 7 levels of increasingly hardened LLM defenses — extract the secret password from each one. The best hands-on intro to AI red teaming. Free, browser-based, addictive.
The Reid Technique — interview and interrogation training since 1947. 500,000+ investigators trained worldwide. Also: pre-employment interviewing strategies. IAI / CFI credential
Cybersecurity-focused training. Insider threat, incident response, forensics courses. Many orgs buy enterprise subscriptions.
Free foundational program covering network security, Linux, SQL, Python, SIEM, IDS. Strong L1 preparation.
University-backed courses. Critical thinking, data analysis, cybersecurity fundamentals. Google Cybersecurity Certificate is excellent for L1-L2.
Data science, statistics, critical thinking, psychology, behavioral economics. Analytical rigor at L2-L3. Completely free. Science of Well-Being · Negotiation
Technical skill platform. SIEM, EDR, network analysis, scripting. Enterprise subscription model — check if your org provides access.
Broad course catalog. OSINT, SIEM administration, interview techniques, digital forensics. Affordable individual courses.
HR-focused training with courses relevant to insider threat — workplace investigations, interview techniques, employment law.
⚖️ Legal & privacy resources
International Association of Privacy Professionals. The definitive resource for privacy law, compliance, and how monitoring programs intersect with employee rights.
Workplace monitoring operates at the intersection of security need and privacy right. Laws vary by state and country — know your jurisdiction before you collect.
3rd edition Best Practices Guide covers GDPR, CCPA, state privacy laws, and how they constrain insider threat monitoring in financial services. Chapter on legal frameworks. SIFMA cybersecurity hub
Common Sense Guide Best Practice 12: institutionalize system change controls. Addresses privacy-preserving monitoring and data minimization.
🔗 Adjacent roles
Counterintelligence · Physical security · HR investigations · Legal / compliance · Fraud investigator

Linked roles go to NICCS work role descriptions. KSAs from adjacent roles appear with purple tags in the KSA panel.

🌍 EMEA & international resources
Federal Office for Information Security. IT security standards and insider threat awareness resources for DACH region.
EU Agency for Cybersecurity. Threat landscape reports, workforce development frameworks, insider threat guidance.
IRRG (UK)
Insider Risk Research Group. CMORG working group (UK equivalent of FSSCC), stood up post-DPRK IT worker attacks. Signposts key work across public/private sectors. No website — ad hoc convening.
Data exfiltration guidance — methods, countermeasures, distinguishing malicious from accidental. Pairs with HoMER.
Personnel security guidance including insider threat mitigation for UK organisations.
Holistic Management of Employee Risk. Full-spectrum insider risk — espionage, sabotage, fraud, coercion, human error. UK's closest equivalent to NITTF.
How to win senior leadership support for insider risk programmes. Leadership perceptions, barriers, drivers for action.