Insider attacks doubled last year from two years ago, according to recent Ponemon Institute research, and most likely most of those insiders’ network behavior could have foreshadowed a preventable attack only if their data access were properly monitored.

That’s where a proactive strategy comes in, advised InfoSec World 2020 featured speaker Velma C. Latson, who discussed preventative tactics at the session “Challenging Insider Threats: Cyberspace Insider Threat Triage (CITT) Plan.”

According to Ponemon, the total number of insider threats increased from 3,200 in 2018 to 4,716 incidents in 2020.

Latson, a lecturer in the technology and security department at Bowie State University, suggested that organizations compare user profiles and resource usage to a benchmark created by the network administrator, based on the considered average standard of how users at different levels of access would use the system.

By doing so, the CITT tool provides easier analysis to understand an incident caused by an inside user, the accessibility the user has to the data, and the permissions the user has to manipulate the data into low risk, medium risk, and high-risk categories, Latson said.

Risk assessment, training and cybersecurity awareness, and cyber user behavior were emerging themes in a recent analysis of attacks, Latson noted, adding that a CITT plan puts into practical use a strategy to challenge insider threats.

The plan can identify the most critical crisis per insider incident to become a crisis-prepared organization by prioritizing cyber user behavior, identifying sequences and applying available options in case of an incident.

Benchmark usage then is compared against a “threat score” calculated based on HR data and psychological data for each authorized user. The HR employee analysis is calculated from factors such as remaining days of leave, promotions, and salary range. In addition to the HR factor, a personality analysis is taken into consideration.

Factors calculated into this figure are social media posts, how the employee feels about the company, and how the employee socially interacts with their peers. If the combination of both the threat score and the level of employee risk based on the CITT plan, the tool determines whether or not the security administrator should be alerted to the possibility of an insider threat crises occurring.