Dawn Cappelli created the CERT Insider Threat Center at Carnegie Mellon in 2001 and joined Rockwell Automation in 2013 to work on the company's insider threat program. 

The attitude toward insider threats back in 2001 was rather defeatist: “What can we do; they’re inside the company, they have access - there is no way you’ll ever stop them,” she explained during a CISO Stories podcast with Todd Fitzgerald, vice president for cybersecurity strategy of the Cybersecurity Collaborative.

Now Rockwell's global chief information security officer, Cappelli said there are distinct patterns for different kinds of insider threats.

Listen now to episode 19 of CISO Stories: No Insider Cybersecurity Risk? Guess Again

For example, 85% of people who steal intellectual property leave within 30 to 90 days of resignation or after leaving the company, she said. “They know they’re going to leave, so they take the information.”

Sabotage is very different, she said, usually involving what psychologists call "personal predispositions" to conflict with other people, to retaliate against rules.

“They can work there for years and be fine, but then something happens to set them off — it could be there’s a layoff, or they get a new boss they don’t like, or they don’t get the raise they expected," Cappelli said. "And now because of those personal predispositions, they can’t help it. Everyone knows how angry they are. They get worse and worse over time. They’re taking technical action to set up their attack.

“If you can understand those patterns and what to look for, then you can catch these things before they attack,” she noted.