How This Framework Is Governed
This page describes how the Insider Threat Analyst Career Framework is authored, how changes are made, how KSAs are managed, and how you can contribute. Transparency is the point.
Authorship & authority
This framework is authored and maintained by a single practitioner, informed by peer review from the FS-ISAC Insider Threat Working Group and contributions from the broader insider threat community. It is not a committee product, a vendor initiative, or a regulatory standard. It is a practitioner tool built by practitioners.
Community contributions — resource suggestions, KSA refinements, corrections, new content — are welcomed, evaluated, and credited. But contributions don't automatically become part of the framework. Every change goes through editorial review to ensure consistency with the framework's scope, structure, and quality standard.
KSA stability
Practitioners, hiring managers, and training programs need to know that when they reference a KSA by its ID, it means what they think it means. The framework makes these commitments:
- IDs are stable. Once a KSA is published with an ID (e.g., K-SIEM01, A-SYNTH01), that ID will not be reassigned to a different concept.
- Wording may be refined for clarity. The description text may be updated to improve specificity or readability without changing the KSA's scope. All wording changes are documented in the changelog.
- Scope changes get new IDs. If a KSA's meaning needs to materially change, the original ID is deprecated and a new ID is created. The old ID remains in the data model as deprecated — never silently replaced.
- Deprecation, not deletion. If a KSA becomes redundant or obsolete, it is marked deprecated, not removed. Downstream references don't break.
Relationship to NICE
The framework's KSA model extends the Insider Threat Analyst work role from the NICE Workforce Framework for Cybersecurity (NIST SP 800-181 Rev. 1). It does not replace it.
- NICE InT KSAs are inherited as-is, tagged with source "NICE InT" in the KSA Matrix.
- Custom KSAs fill gaps the NICE framework doesn't cover — behavioral analysis, detection engineering, elicitation, program maturity, and emerging threats. These are written by insider threat practitioners based on operational experience, industry research, and published frameworks (CMU SEI, SIFMA, MITRE, SOFIT, CPIR).
- Adjacent role KSAs are borrowed from other NICE work roles (Digital Evidence Analysis, Threat Analysis, Incident Response) and attributed to their source.
Custom KSAs are informed practitioner consensus, not regulatory requirements. Organizations should adapt them to their context, sector, and risk profile.
How changes happen today
The framework is in active development. Changes follow this process:
- Suggestions come in via the suggestion form or hello@insiderthreatanalyst.com.
- Evaluation: Each suggestion is reviewed against the framework's existing coverage, scope, and quality bar. Not everything gets added — but everything gets considered.
- Implementation: Accepted changes ship in versioned releases. Every change is documented in the changelog with rationale and attribution.
- Credit: Contributors are listed on the Contributors page by name (or anonymously, their choice).
There is no formal RFC process today. The framework has a single editor who makes final calls informed by practitioner feedback. This works at the current scale. If it stops working, the process will evolve.
Update cadence
Current pace: Weekly updates during active development. Community suggestions are reviewed as they arrive and incorporated into the next release when appropriate.
Future pace: Monthly releases once the framework stabilizes. All changes documented in the changelog regardless of cadence.
The goal is to be nimble early — respond to feedback quickly, iterate visibly, and show contributors that their input matters — without letting maintenance become unsustainable.
AI/ML and emerging threats
This cluster currently covers three areas:
- AI as detection tool — LLM-assisted triage, automated timeline generation, behavioral anomaly detection (K-AI01 today)
- AI as threat vector — autonomous agents with delegated access to internal systems, APIs, and collaboration platforms. These are insider-like access holders that lack the human working patterns traditional behavioral baselines are built from, so detection anchored on human rhythm and routine has nothing to anchor against.
- AI as attack enabler — GenAI-assisted social engineering, deepfake-based impersonation, LLM-powered data exfiltration
New KSAs will be added to this cluster as the field matures and practitioner consensus develops around what competencies are required. This is the governance model in action: identify the domain, document it, solicit input, and formalize KSAs when the practice catches up to the threat. If you work in this space, we want to hear from you.
Where this is headed
If this framework grows into a community-maintained standard — used across organizations, cited in job postings, referenced in training programs — a more formal governance process will be needed. That might include:
- Proposed changes published with rationale for community review
- A review period before adoption
- A small practitioner advisory board for contested decisions
- Semantic versioning (breaking changes increment the major version)
That process doesn't exist yet because it would be premature. The framework has a changelog, credited contributors, and stable KSA IDs. That's the right level of governance for where it is today.
Where insider threat fits
Insider threat programs don't exist in a vacuum. The field overlaps with several adjacent disciplines, and understanding these relationships helps practitioners communicate their value — especially to leadership who may be hearing different terminology from analysts, vendors, and consultants.
- Human Risk Management (HRM) — the Gartner/Proofpoint framing that treats security awareness, DLP, phishing prevention, and insider threat as facets of one workforce risk discipline. Insider threat is the sharpest edge of HRM — the specialized capability that makes the broader program actually work.
- Behavioral Threat Management (BeTM) — the ATAP/workplace violence world. Shares behavioral indicator models, structured professional judgment tools, multidisciplinary team structures, and stressor-to-behavior pathways with insider threat. Different origin (physical safety vs. information security) but converging practice.
- Counterintelligence (CI) — overlaps on espionage indicators, foreign contact reporting, elicitation detection, and HUMINT-adjacent analysis. Some organizations co-locate insider threat and CI functions; others keep them separate with liaison relationships.
This framework focuses on the insider threat analyst role specifically, but many KSAs — particularly in behavioral science, case management, and stakeholder engagement — transfer directly across these disciplines. Career paths frequently cross between them.
Community & ecosystem
This framework exists in a growing ecosystem of insider threat practitioner resources. The full directory — organized by standards bodies, communities of practice, and research/vendor intelligence — lives on the framework page's Resources tab. Key communities include:
- CMU SEI National Insider Threat Center / OSIT Working Group — 250+ members, 130+ organizations, the primary research and information-sharing community for practitioners building insider threat programs
- IRPA — Insider Risk Practitioner Alliance (formerly FIRPA), the Five Eyes alliance with Centres of Excellence in Australia, Canada, and the US
- NITSIG — National Insider Threat SIG, information sharing and analysis since 2014
- insiderthreatmatrix.com — case management framework and practitioner networking. Companion resource to this framework
If you represent a practitioner community, research group, or industry body that should be listed, get in touch.
Contribute
This framework improves when practitioners engage with it. Here's what's most valuable:
- KSA refinements — wording improvements, scope questions, gap identification
- Training resources — courses, certifications, or free materials that map to specific competency clusters
- Research & publications — academic papers, industry reports, case studies for the annotated bibliography
- Emerging threat intelligence — new vectors, TTPs, or detection challenges that may warrant new KSAs
- Practitioner validation — does this match your experience? Where does it diverge? What's missing?
Submit a suggestion via the suggestion form, or email hello@insiderthreatanalyst.com.