Insider Threat Mitigation
Responses
Student Guide
April 2024
Center for Development of Security Excellence
Lesson 1: Course Introduction
Introduction
Welcome
While Insider Threat Programs may identify individuals committing espionage or other national
security crimes, not all incidents will result in the arrest of a spy. In fact, Insider Threat Programs
resolve most cases before they escalate into negative events through the proactive identification of
individuals at risk of harming the organization, either wittingly or unwittingly, and the deployment
of alternative mitigation options. This allows the Insider Threat Program to protect information,
facilities, and personnel, and to retain valuable employees.
Welcome to the Insider Threat Mitigation Responses course! This course describes the ability of
multidisciplinary insider threat teams to craft tailored and effective responses to specific behaviors
or issues.
Multidisciplinary insider threat teams are comprised of subject matter experts from:
Law enforcement
Security
Counterintelligence
Cybersecurity
Behavioral science
Human resources
Legal
Case Study
Let’s look at the case study of Mark Steven Domingo. Domingo held radicalized extremist views, and
frequently created social media and online forum posts advocating for acts of violence and terrorism
against religious groups, law enforcement, and military personnel. His ultimate plan was to detonate
two homemade improvised explosive devices at a rally in California, with the intent to kill innocent
civilians. Fortunately, the FBI was made aware of Domingo’s intent through an undercover informant.
Teaming with local law enforcement, they were able to intervene and arrest Domingo before he
could carry out the potentially deadly terror attack. Domingo was convicted of providing material
support to terrorists, and attempted use of a weapon of mass destruction. He was sentenced to 25
years in prison. At his trial, Domingo testified that he was the one who chose to attack the rally,
chose to use the bombs, and chose to go through with the plot to commit mass murder. He
repeatedly stated that he was intent on killing innocent Americans and would have done so had he
not been stopped.
Visit the course Resources to access a printable case study.
Objectives
Here are the course objectives. Take a moment to review them.
Explain the role of Insider Threat Programs in mitigating the risks posed by insider threats
and how programs mitigate those risks
Describe factors to consider when formulating a mitigation response to an insider threat
incident
Summarize the ability of multidisciplinary teams to craft mitigation responses tailored to
insider threat incidents
Identify reporting requirements that apply to Insider Threat Programs
Lesson 2: Mitigation Overview
Introduction
Welcome
What would have happened if Mark Domingo’s actions were not identified and reported early? An
Insider Threat Program can employ alternative response options to mitigate the threat. When
identified early, Insider Threat Programs can often resolve common workplace issues, such as
interpersonal problems, financial issues, and even disgruntlement or violent tendencies. This results
in positive outcomes for both the individual and the organization.
Objectives
Here are the lesson objectives. Take a moment to review them.
Describe the critical pathway model of insider threat and how it applies to mitigating the
threat
Explain the role of Insider Threat Programs in mitigating the risks posed by insider threats
and how programs mitigate those risks
The Critical Pathway
Potential Risk Indicators
Domingo’s behavior and activities are examples of potential risk indicators (PRIs). PRIs are
observable and reportable behaviors and activities that may be exhibited by those at risk of
becoming an insider threat. Specific PRIs come from a variety of sources in the security and
intelligence communities and may be specific to your organization.
PRIs may converge with adjudicative guidelines for determining eligibility for access to classified
information. Some organizations use these to determine insider risk. PRIs generally belong to the
categories listed here:
Access attributes
Professional lifecycle and performance
Foreign considerations
Security compliance and incidents
Technical activity
Criminal, violent, or abusive conduct
Financial considerations
Substance abuse and addictive behaviors
Judgment, character, and psychological conditions
Visit the course Resources to access a printable reference of insider threat PRIs.
Behavioral Model of Insider Threat
Dr. Eric Shaw, clinical psychologist and consultant to Federal agencies on insider crime, originated the
critical pathway model for understanding insider attacks. The components of the model are:
1. Personal Predispositions
2. Stressors
3. Concerning Behaviors
4. Organizational Response
5. Insider Attack
It begins with personal predispositions and stressors, which often correspond to behaviors that
emerge as PRIs. Over time, these factors may combine and increase the risk that an individual may
become an insider threat.
Consider the Mark Domingo case. While serving in the Army, Domingo displayed difficulty socializing
and making friends. He often felt he was being mocked, criticized, and unfairly treated. He was later
involuntarily discharged and separated from service on disciplinary grounds. All of this fed directly
into his personal stressors. He felt angry, frustrated, and ostracized, and sought an outlet for his
negative emotions. These stressors led to concerning behavior by Domingo. He was very active on
social media networks, forums, and chatrooms, where he frequently voiced support for violence,
religious extremism, and terrorist activity. He actively communicated with others who shared his
views and frustrations, and Domingo quickly became self-radicalized and prepared to take violent
action. All of these factors culminated in Domingo deciding to detonate two improvised explosive
devices at a public rally with the intent to kill as many people as possible. Thankfully, the FBI and law
enforcement were able to detect these concerning behaviors, intervene, and prevent a potential
disaster.
The model also demonstrates that there are multiple opportunities to redirect individuals from the
pathway into more positive behaviors. For example, if Domingo had been off-ramped from a path of
radicalization to terrorism, then his behavior may not have escalated. Early intervention can mean
the difference between rehabilitation and negative escalation of behavior.
Role of Insider Threat Programs
Overview
Insider Threat Programs fulfill four functions using a holistic approach. First, they help prevent
insider threats by providing leadership with threat information that may help to shape decisions
about managing insider risk and building resiliency throughout the workforce. Second, they deter
potential insider threats by instituting appropriate security countermeasures, including awareness
programs. Next, they detect individuals at risk of becoming insider threats and then finally mitigate
the risks associated with those individuals before the issue escalates.
Let’s examine these in greater detail.
Prevention, Deterrence, and Detection
Prevention of insider threat actions typically is enabled by ensuring leaders are aware of the current
threat landscape, including pertinent insider threat information, activities, and behaviors. This is
supported by providing reports and recommendations for threat management and ensuring the
workforce understands available resources. Prevention activities complement deterrence.
Deterrence occurs through strategic communications, ensuring personnel are aware of punitive
actions that potential offenders may face, and promoting a security posture that detects malicious
insider threats. These deterrents support detection.
Detection of PRIs typically occurs through reporting by personnel and monitoring conducted by the
program. Once detected, the PRI becomes the catalyst for Insider Threat Program activities,
including information gathering, analysis, reporting, and response.
Intervention
The deployment of mitigation options, or your organization’s “response” to the insider threat,
depends on multiple variables and the unique nature of the insider threat. The mitigation strategy
may include referral outside of the Insider Threat Program when required or actions to mitigate the
risk internally.
Note that while some insider threat incidents may warrant referrals and intervention from law
enforcement, not all meet reporting thresholds or result in an arrest.
In most cases, proactive mitigation responses provide positive outcomes for the organization and the
individual. This allows the organization to protect information, facilities, and personnel and to retain
valuable employees, and offers intervention to alleviate the individual’s stressors and guide them off
the critical pathway.
Effective Mitigation
According to the critical pathway model, without intervention, concerning behavior may escalate,
causing potential damage to national security, personnel, facilities, or other resources through an
insider attack. To be effective, Insider Threat Programs must be attentive to potential issues before
they pose a threat, have a risk assessment process in place, address potential issues adequately, and
take actions that minimize risk while avoiding those that escalate risk.
Review Activities
Review Activity 1
You receive a report that Ted, an employee in your organization, frequently asks colleagues to loan
him money. Ted told one of his colleagues that he has a large gambling problem and a large debt he
needs to resolve. Where on the insider threat critical pathway is Ted’s situation, based on this
report?
Select the best response. Then check your answer in the Answer Key at the end of this Student Guide.
Personal Predispositions
Stressors
Concerning Behaviors
All of the Above
Review Activity 2
Which of the following is an effective way to mitigate a potential insider threat based upon what you
know about Ted’s situation?
Select the best response. Then check your answer in the Answer Key at the end of this Student Guide.
Refer Ted to law enforcement
Tell Ted’s colleagues to loan money to him
Provide him with support and resources to deal with his addiction
Terminate Ted’s employment
Review Activity 3
What functions do Insider Threat Programs perform to reduce the risks posed by insider threats?
Select all that apply. Then check your answer in the Answer Key at the end of this Student Guide.
Provide leaders with information about the threat landscape
Mandate security awareness training for employees
Conduct user activity monitoring
Document and make available the consequences of insider threat activity
Lesson 3: Response Planning
Introduction
Welcome
Insider Threat Programs must carefully plan their mitigation responses to avoid escalation of risk and
to engender a thorough and measured approach to the initiation of punitive action.
Objectives
Here are the lesson objectives. Take a moment to review them.
Identify the primary tenets in responding to insider threat matters
List possible consequences of inappropriate mitigation responses
Describe factors to consider when formulating a mitigation response to an insider threat
incident
Response Basics
Overview
Insider Threat Programs must follow five primary tenets when planning responses to insider threat
incidents, the most important of which is “first, do no harm.” Insider Threat programs must also
establish and maintain internal procedures and authorities, avoid alerting the individual that they
have been identified as a potential insider threat, protect the individual’s privacy and civil liberties,
and preserve chain of custody and properly handle evidence.
Let’s examine these in greater detail.
First, Do No Harm
When an insider threat incident occurs, your Insider Threat Program must carefully assess the
situation to avoid exacerbating the situation or increasing risk. Consider whether there is imminent
danger to the individual or to others and whether there is an active transmittal of classified
information. The Insider Threat Program must thoroughly plan its response before taking action and
avoid knee-jerk responses. When planning, communicate and coordinate with your Insider Threat
Program team members and other organizational elements.
Establish and Maintain Procedures and Authorities
Your Insider Threat Program must ensure that it has detailed procedures and authorities in place for
mitigation response options and should maintain a general response plan that outlines the overall
roles and responsibilities of Insider Threat Program personnel and Hub members or other staff and
departments.
Avoid Alerting the Individual
In general, your Insider Threat Program should avoid alerting the individual that they have been
identified as a potential insider threat. This allows the Program the time needed to determine an
appropriate response, ensures the privacy of the individual, and preserves evidence. Note that in
some cases immediate intervention may be required.
Protect Privacy & Civil Liberties
Your Insider Threat Program must consider the individual’s privacy and civil liberties when
developing mitigation response options. Ensure that personal information is properly handled,
accessed, used, reported, and retained in accordance with applicable laws, policies, and regulations.
Preserve Chain of Custody and Evidence
Your Insider Threat Program must ensure that early actions taken in incident response do not
interfere with the ability of law enforcement or counterintelligence to conduct investigations or
operations, or inhibit future prosecution, in cases that require reporting to external agencies. Work
with your general counsel and the referral agency to ensure that any evidence associated with the
incident is handled properly and adheres to the proper chain of custody.
The Preserving Investigative and Operational Viability in Insider Threat course offers additional
information if you would like to learn more. You may register for this course through the Center for
Development of Security Excellence (CDSE) website.
Unintended Consequences
Impacts
Your Insider Threat Program’s response to insider threat indicators or incidents can have
long-reaching effects. Even seemingly viable solutions may have inadequate or negative impacts on the
individual, on the morale of other personnel, on the mission of your organization, and on public
perception of your organization.
Individuals
Possible negative impacts on individuals include disgruntlement due to an overly aggressive
response that makes the individual feel poorly treated, which increases risk, and effects to the
career or life of the individual due to poor information handling that persists even if the
individual is exonerated of wrongdoing or was falsely accused.
Morale
Possible negative impacts on the morale of other personnel include disgruntlement throughout
the organization if others learn of an overly aggressive response. This may result in reduced
vigilance and hesitancy to report. Overly weak responses may also deter reporting, as it may
make personnel feel that it is pointless to report indicators. In addition, seeing a colleague
charged with or convicted of a crime, even when it is necessary, may impact morale.
Mission
A possible negative impact on the mission of the organization includes personnel that
circumvent the rules to get their work done due to onerous rule or procedure changes at the
organization level.
Public Perception
A possible negative impact on public perception of your organization includes low morale and
diminished future recruitment capability due to media coverage on the situation and your
response.
Threat Analysis
Overview
Insider Threat Programs must take the time to perform the proper gathering and analysis of data
before taking action. If an indicator has a plausible explanation and does not increase the risk
associated with an individual, an immediate reaction may do more harm than good. Conversely,
even if the risk associated with an individual is elevated, it is not necessarily a precursor to a national
security crime or act of violence. An immediate response in these instances may compromise the
ability of law enforcement and counterintelligence to pursue inquiries, investigations, or operations.
Let’s take a closer look at the considerations to keep in mind during threat analysis.
Analysis Goal
The Insider Threat Program should begin by establishing the goal of analysis. What questions is the
team trying to answer? State your purpose clearly and in multiple ways to clarify meaning and scope,
and consider breaking the problem down into smaller pieces.
For example, consider these large questions that Insider Threat Programs work to resolve:
Is the individual currently harming the organization’s resources?
If so, is the harm intentional?
Is there a risk that the individual will do so in the future?
Breaking these into smaller questions can help you to grasp and manage your goal.
When formulating questions, aim to be clear and precise. Anything is possible, so be specific. A clear
and precise question might be to consider whether it is possible that the individual stole classified
information.
Focus on questions that are significant, answerable, and relevant, such as, “Did the individual have
access to the safe? Does the individual display unexplained affluence?”
Finally, differentiate between questions that have a definitive answer, are a matter of opinion, and
require consideration of multiple viewpoints. The question, “Were the individual’s credentials used
to log onto the system on a specific date?” has a definitive answer, while the question, “Was the
individual upset?” is a matter of opinion. While the answer may be relevant and the Program can
aggregate the opinions of multiple people to draw a conclusion, the answer is subjective. Also
consider whether other viewpoints might reveal a plausible explanation for an indicator. For
example, late night activity on an information system may seem suspicious, but the cybersecurity
subject matter expert may identify the activity as a common practice of batch patching and updates
scheduled to occur when the system is at its lowest usage.
Fair and Balanced Assessment
Insider Threat Programs must also strive toward a fair and balanced assessment of each case. To do
so, first identify and acknowledge your assumptions. Consider whether they are justifiable and how
they shape your point of view. Next, seek other points of view and evaluate their merits. Finally,
ground all claims with the information available. Ensure that your position is supported by the
evidence and is based on relevant information. Critically evaluate your position to determine
whether you have considered all of the relevant information, whether your conclusion goes beyond
the evidence available, and whether there is an argument to be made against your position.
With these considerations in mind, review the example real-world case study below.
Example
Jonathan Toebbe was a nuclear engineer holding the highest levels of national security eligibility,
as he had access to highly classified information concerning naval nuclear propulsion, design
elements, operating parameters, and performance characteristics. Details of United States
nuclear assets and systems are one of our closest guarded secrets, so it's not surprising that they
are also the most sought after by adversaries.
In April 2020, Toebbe sent a package to a foreign government containing a sample of Top Secret
nuclear reactor data and instructions for establishing a covert relationship to purchase additional
Top Secret data. He began corresponding via encrypted email with a representative of the
foreign government, who offered Toebbe $100,000 in cryptocurrency if he could provide them
with more data. With the help of his wife, Diana, Toebbe continued to secretly deliver stolen Top
Secret nuclear data via dead drops to his contact over several months.
Unknown to Toebbe, however, the package he initially sent to the foreign government was
intercepted by the United States Embassy and Federal Bureau of Investigation, and his foreign
contact was in fact an undercover agent. This initiated the undercover operation that eventually
caught him. Both he and his wife were arrested and pleaded guilty to Conspiracy to
Communicate Restricted Data, and both were sentenced to over 20 years in prison.
Based on what we’ve seen in this lesson, what assumptions can be drawn about the Toebbes
and their motivations? Are there any possible alternative explanations for their actions?
What do you think the use of stealthy dead drops and requests for cryptocurrency payments
might suggest about Toebbe?
How have his actions threatened our national security? Should the FBI have acted sooner
considering the category of information involved?
Review Activities
Review Activity 1
Put yourself into the Insider Threat Program at Jonathan Toebbe’s organization. In planning a
mitigation response to what you have learned about his actions, which of the following should you
consider?
Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.
There is an active transmittal of classified information.
Toebbe should be notified that he has been identified as a risk.
Toebbe’s personal information must be properly handled.
You should coordinate with law enforcement or counterintelligence to properly handle
evidence.
Review Activity 2
How can an Insider Threat Program effectively plan mitigation response options?
Select the best response. Then check your answer in the Answer Key at the end of this Student Guide.
Establish the roles and responsibilities for involved personnel on a case-by-case basis
Act as quickly as possible to minimize how long the risk persists
Establish procedures, authorities, and a general response plan
Gather evidence by any means necessary
Review Activity 3
Which of the following is NOT a potential unintended consequence of a failed organizational
mitigation response to a possible insider threat?
Select the best response. Then check your answer in the Answer Key at the end of this Student Guide.
Poor public perception of the organization
Reduced employee morale
Monitoring of organization by federal law enforcement
Circumvention of rules by personnel due to procedure changes
Review Activity 4
An insider threat incident occurred at your facility. Which of these approaches would support an
effective mitigation response?
Select the best response. Then check your answer in the Answer Key at the end of this Student Guide.
Act as quickly as possible to put the incident behind your organization.
Look for the simplest explanation, as this is most likely to be accurate.
Ask smaller questions to differentiate fact from opinion.
Lesson 4: Multidisciplinary Mitigation Responses
Introduction
Objectives
Multidisciplinary insider threat teams are uniquely positioned to craft mitigation responses tailored
to specific insider threat incidents.
Multidisciplinary insider threat teams are comprised of subject matter experts from:
Law enforcement
Security
Counterintelligence
Cybersecurity
Behavioral science
Human resources
Legal
Here are the lesson objectives. Take a moment to review them.
Differentiate between organizational and individual responses
Summarize the ability of multidisciplinary teams to craft mitigation responses tailored to
insider threat incidents
Types of Responses
Organizational and Individual
Responses to insider threat incidents may be organizational, individual, or both. Organizational
responses address a systemic problem with security procedures, training, hiring practices, policies,
or other procedures that increase the risk associated with the insider threat. Individual responses
address a specific incident and are designed to mitigate the risk associated with or harm caused by a
specific individual. In some cases, an organizational response may be effective in addition to or in
place of an individual response.
Organizational Response
Examples of organizational responses:
Changing policy or Standard Operating Procedures (SOP) throughout the organization
Disabling thumb drives across the organization to prevent downloading sensitive
information
Instituting random bag checks
Introducing metal detectors
Providing training or briefings to:
o Increase awareness of tactics used by adversaries
o Prevent individuals from becoming unwitting insider threats
Individual Response
Examples of individual responses:
Internal referrals to human resources or security
Referral to counterintelligence or law enforcement for inquiry, investigation, or
operation
Referral to counseling, such as mental health or financial
Punitive actions, such as revocation of access or termination of employment
Tailored Multidisciplinary Mitigation Responses
Overview
The multidisciplinary nature of Insider Threat Programs allows them to craft responses tailored to
specific behaviors. A multidisciplinary team working together can provide the most effective
responses, which often include a multi-faceted implementation that may include a mix of
organizational and individual responses that cover multiple disciplines.
To learn more about the disciplines that comprise a multidisciplinary insider threat team, refer to the
Developing a Multidisciplinary Insider Threat Capability course. You may register for this course
through the Center for the Development of Security Excellence (CDSE) website.
Human Resources (HR)
Example response options specific to human resources:
Referral to the Employee Assistance Program (EAP) for resources in financial counseling,
lending programs, mental health, and other well-being programs
Medical referrals
Mediation with supervisors
Training
Employee termination procedures
Other career opportunities
Cybersecurity
Example response options specific to cybersecurity:
Reduce privileges or system access
Reconfigure hardware, such as to prevent the use of thumb drives or disc burning
Limit downloadable file size
Limit or prevent printing
Conduct training and awareness campaigns on phishing and other cyber targeting
methods
Increase monitoring
Security
Example response options specific to security:
Log a security violation or infraction
Provide security counseling, training, or awareness
Implement daily bag checks
Implement random drug and alcohol testing
Conduct physical monitoring
Modify Standard Operating Procedures (SOP)
Counterintelligence (CI)
Example response options specific to counterintelligence:
Referral to the cognizant CI activity for inquiry, investigation, or operation as warranted
Provide training on foreign targeting methods and recruitment
Develop a foreign travel brief/debrief program
Provide threat awareness materials
Law Enforcement (LE)
Example response options specific to law enforcement:
Referral to the cognizant LE activity for inquiry or investigation as warranted
Provide criminal threat briefings and awareness materials
Behavioral Science
Example response options specific to mental health and behavioral science:
Treatment recommendations
Referral to marital, grief, or other mental health counseling
Referral to substance abuse rehabilitation programs
Referral to suicide prevention
Legal
Be sure to include legal in the development of response options to ensure the potential
response aligns with privacy protection requirements and other policies.
Monitoring Response
Once the Insider Threat Program implements a mitigation response, it must monitor the response to
determine if the risk has been minimized. Note that implementing a mitigation response option does
NOT eliminate risk.
Coordinate with your Insider Threat Program partners to determine whether additional mitigation is
required. Keep in mind that law or policy may prevent some partners from sharing information with
the Program. These may include Employee Assistance Programs, law enforcement, and
counterintelligence. As such, the Insider Threat Program should remain vigilant for additional or
escalating indicators and document behaviors or activities of concern.
Finally, be sure to periodically re-evaluate the mitigation response to determine if it remains the best
option.
Case Study
Recall Mark Steven Domingo, who provided material support to terrorists and attempted to use a
weapon of mass destruction. Let’s assume for a moment that a colleague, friend, or family member
reported Domingo’s online activities early on rather than allow his behavior to escalate. What
mitigation responses might a multidisciplinary Insider Threat Program have used to proactively
redirect Domingo away from the critical pathway?
Some possible mitigation responses that may have applied to the Domingo case include a
combination of:
Referral to counseling resources to help him manage his anger and address depression
(individual response; Behavioral Science)
Monitoring user activities and implementing key word triggers (organizational response;
Cybersecurity)
Instituting daily bag checks within the organization (organizational response; Security)
Referral to law enforcement for criminal activity, such as threats of violence or preparation
to commit a mass attack (individual response; Law Enforcement)
Referral to counterintelligence for affiliation with known or suspected terrorists (individual
response; Counterintelligence)
Referral to an employee assistance program or termination of employment. Domingo was
separated from the Army due to his behavior. His separation did not diminish the risk of him
posing a violent threat to others. (individual response; HR)
Note that mitigation responses are not a one-size-fits-all solution. No two insider threat incidents are
alike, even when similar potential risk indicators are present, so be sure your team evaluates each
incident on a case-by-case basis.
Review Activities
Review Activity 1
For each mitigation response, select whether it is an organizational or individual response. Then
check your answers in the Answer Key at the end of this Student Guide.
Referral to counterintelligence or law enforcement
Organizational
Individual
Provide threat awareness materials
Organizational
Individual
Issue a security violation
Organizational
Individual
Terminate employment
Organizational
Individual
Offer career path options
Organizational
Individual
Provide an Employee Assistance Program
Organizational
Individual
Conduct user activity monitoring of information technology systems
Organizational
Individual
Referral to mental health counseling
Organizational
Individual
Insider Threat Migaon Responses Student Guide
April 2024 Center for Development of Security Excellence Page 4-7
Review Activity 2
In the Jonathan Toebbe case study, which of the following disciplines were instrumental in detection
and mitigation? Visit Resources to access the case study.
Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.
Law Enforcement
Human Resources
Counterintelligence
Behavioral Science
Insider Threat Migaon Responses Student Guide
April 2024 Center for Development of Security Excellence Page 5-1
Lesson 5: Reporng Requirements
Introduction
Objectives
Insider Threat Programs must report certain types of information. This lesson describes reporting
requirements for DOD, Federal, and industry Insider Threat Programs.
Here is the lesson objective. Take a moment to review it.
Identify reporting requirements that apply to Insider Threat Programs
Reporting
Overview
DOD, Federal agency, and industry Insider Threat Programs operate under different regulations and
requirements for reporting. When reporting, your Program may need to cease its activities, such as
when the referral agency initiates an inquiry or investigation. In other instances, the Program may be
able to employ alternate mitigation options concurrent with external actions. Coordinate with the
referral agency and your General Counsel to determine the appropriate steps to take after reporting.
Let’s examine the reporting requirements for DOD, Federal, and industry Insider Threat Programs in
greater detail.
DOD Requirements
DOD Insider Threat Programs are obligated to report certain types of information to:
The Federal Bureau of Investigation (FBI)
The DOD Insider Threat Management and Analysis Center (DITMAC)
The cognizant Military Department Counterintelligence (MILDEP CI) Office
In addition, DOD Insider Threat Programs must report adverse information pursuant to the
adjudicative guidelines to information systems such as the Defense Information System for Security
(DISS) or other databases as required by the organization. DOD Insider Threat Programs must also
report criminal activity to the appropriate military or local law enforcement organization. Finally, the
Program must comply with any other internal reporting procedures it has established.
FBI Reporting
Secon 811 of the Intelligence Authorizaon Act requires reporng the to the FBI when
classified informaon is being, or may have been, disclosed in an unauthorized manner to a
foreign power or an agent of a foreign power. To report to the FBI, use the FBI Headquarters
email point of contact for secure reporng or contact your local field office.
Insider Threat Migaon Responses Student Guide
April 2024 Center for Development of Security Excellence Page 5-2
Visit the course Resources to access a job aid for Section 811 referrals.
DITMAC Reporting
The DITMAC sets its own reporting thresholds, which are continuously updated based on
threats. DITMAC thresholds were published in 2022. When reporting to the DITMAC, use the
DITMAC System of Systems (DSOS).
Visit the course Resources to access the current DITMAC reporting thresholds.
MILDEP CI Office Reporting
Enclosure 4 of DOD Directive (DODD) 5240.06, Counterintelligence Awareness and Reporting,
lists behaviors that DOD entities must report to the MILDEP CI Office, including contacts,
activities, indicators, and behaviors related to foreign intelligence, international terrorism, and
foreign intelligence entity (FIE) associated cyberspace.
Check your organization’s procedures for reporting to your cognizant MILDEP CI Office.
Federal Requirements
Federal Insider Threat Programs are obligated to report to the FBI under Section 811 of the
Intelligence Authorization Act when classified information is being, or may have been, disclosed in an
unauthorized manner to a foreign power or an agent of a foreign power.
In addition, Federal Insider Threat Programs must follow any other internal reporting procedures
established within the organization.
Industry Requirements
Industry Insider Threat Programs are obligated to report certain types of information to the FBI and
the Defense Counterintelligence and Security Agency (DCSA).
Section 117.8 of 32 CFR Part 117, known as the National Industrial Security Program Operating
Manual or “NISPOM rule”, requires cleared industry to report actual, probable, or possible
espionage, sabotage, terrorism, or subversive activities at any location to the FBI and DCSA. The
NISPOM rule also requires cleared contractors to report adverse information.
In addition, industry Insider Threat Programs must report via information systems such as DISS or
other databases as directed and follow any other internal reporting procedures as established by
their Insider Threat Program.
Insider Threat Migaon Responses Student Guide
April 2024 Center for Development of Security Excellence Page 5-3
Review Activities
Review Activity 1
For each requirement, select whether it applies to DOD, Federal, and industry Insider Threat
Programs. Then check your answers in the Answer Key at the end of this Student Guide.
Report to the FBI when classified information is disclosed in an unauthorized manner to a foreign
power
DOD
Federal
Industry
Report to the DITMAC
DOD
Federal
Industry
Report adverse information to DCSA
DOD
Federal
Industry
Review Activity 2
Which would you report under Section 811 of the Intelligence Authorization Act?
Select the best response. Then check your answer in the Answer Key at the end of this Student Guide.
Authorized disclosure of unclassified information to a foreign government
Unauthorized disclosure of classified information to a foreign government
Unauthorized disclosure of classified information to a domestic-owned company
Authorized disclosure of unclassified documents to a domestic media outlet
Review Activity 3
Which reporting thresholds meet DITMAC requirements?
Select all that apply. Then check your answer in the Answer Key at the end of this Student Guide.
Unauthorized disclosure
Allegiance to the United States
Serious threat
Criminal conduct and affiliation
Insider Threat Migaon Responses Student Guide
April 2024 Center for Development of Security Excellence Page 6-1
Lesson 6: Course Conclusion
Conclusion
Summary
Insider Threat Programs migate the threats posed by wing and unwing insiders through the
deployment of muldisciplinary responses designed to lead the individual away from the crical
pathway to becoming an insider threat and reporng informaon outside of the Program as
required.
As you work within your Program to cra tailored and effecve migaon responses, remember that
each insider threat incident is unique and should be carefully analyzed and assessed to prevent
causing further harm.
Lesson Summary
Congratulaons! You have completed the Insider Threat Migaon Responses course.
You should now be able to perform all of the listed acvies.
Explain the role of Insider Threat Programs in migang the risks posed by insider threats
and how programs migate those risks
Describe factors to consider when formulang a migaon response to an insider threat
incident
Summarize the ability of muldisciplinary teams to cra migaon responses tailored to
insider threat incidents
Idenfy reporng requirements that apply to Insider Threat Programs
To receive course credit, you must take the Insider Threat Migaon Responses examinaon. If you
accessed the course through the Security Training, Educaon, and Professionalizaon Portal (STEPP),
please use that system to access the online exam.
Insider Threat Migaon Responses Student Guide
April 2024 Center for Development of Security Excellence Page A-1
Appendix A: Answer Key
Lesson 2 Review Activities
Review Activity 1
You receive a report that Ted, an employee in your organization, frequently asks colleagues to loan
him money. Ted told one of his colleagues that he has a large gambling problem and a large debt he
needs to resolve. Where on the insider threat critical pathway is Ted’s situation, based on this
report?
Personal Predispositions
Stressors
Concerning Behaviors
All of the Above (correct response)
Feedback: Ted’s situation falls under all stages of the critical pathway. He has an admitted gambling
addiction (personal predisposition), a large debt (stressor), and frequently tries to borrow money
from friends/colleagues (concerning behavior).
Review Activity 2
Which of the following is an effective way to mitigate a potential insider threat based upon what you
know about Ted’s situation?
Refer Ted to law enforcement
Tell Ted’s colleagues to loan money to him
Provide him with support and resources to deal with his addiction (correct response)
Terminate Ted’s employment
Feedback: In Ted’s situation, mitigation is best achieved through providing him with support and
resources to deal with his addiction.
Review Activity 3
What functions do Insider Threat Programs perform to reduce the risks posed by insider threats?
Provide leaders with information about the threat landscape
Mandate security awareness training for employees
Conduct user activity monitoring
Document and make available the consequences of insider threat activity
Feedback: These are all examples of functions performed by Insider Threat Programs, including
prevention, deterrence, detection, and mitigation.
Insider Threat Migaon Responses Student Guide
April 2024 Center for Development of Security Excellence Page A-2
Lesson 3 Review Activities
Review Activity 1
Put yourself into the Insider Threat Program at Jonathan Toebbe’s organization. In planning a
mitigation response to what you have learned about his actions, which of the following should you
consider?
There is an active transmittal of classified information. (correct response)
Toebbe should be notified that he has been identified as a risk.
Toebbe’s personal information must be properly handled. (correct response)
You should coordinate with law enforcement or counterintelligence to properly handle
evidence. (correct response)
Feedback: In assessing the situation, it is necessary to consider the amount of risk, including whether
classified information is actively being transmitted. Although you should avoid alerting the individual,
it is also still necessary to ensure the subject’s privacy and civil liberties are preserved, and that any
actions taken by the Insider Threat Program do not hinder later actions by law enforcement or
counterintelligence.
Review Activity 2
How can an Insider Threat Program effectively plan mitigation response options?
Establish the roles and responsibilities for involved personnel on a case-by-case basis
Act as quickly as possible to minimize how long the risk persists
Establish procedures, authorities, and a general response plan (correct response)
Gather evidence by any means necessary
Feedback: Insider Threat Programs should maintain detailed procedures and authorities for
mitigation response options, as well as a general response plan that outlines roles and
responsibilities.
Review Activity 3
Which of the following is NOT a potential unintended consequence of a failed organizational
mitigation response to a possible insider threat?
Poor public perception of the organization
Reduced employee morale
Monitoring of organization by federal law enforcement (correct response)
Circumvention of rules by personnel due to procedure changes
Feedback: The unintended circumstances of a failed mitigation response by an organization can
affect the individual, the organization’s morale, the mission, and public perception.
Insider Threat Migaon Responses Student Guide
April 2024 Center for Development of Security Excellence Page A-3
Review Activity 4
An insider threat incident occurred at your facility. Which of these approaches would support an
effective mitigation response?
Act as quickly as possible to put the incident behind your organization.
Look for the simplest explanation, as this is most likely to be accurate.
Ask smaller questions to differentiate fact from opinion. (correct response)
Feedback: When performing analysis for a mitigation response, take the time to plan thoroughly,
clarify and be specific with your goals, and strive for a fair and balanced assessment of the case.
Insider Threat Migaon Responses Student Guide
April 2024 Center for Development of Security Excellence Page A-4
Lesson 4 Review Activities
Review Activity 1
Referral to counterintelligence or law enforcement
Organizaonal
Individual (correct response)
Feedback: A referral to counterintelligence addresses a specific incident and aims to migate the risk
associated with the individual.
Provide threat awareness materials
Organizaonal (correct response)
Individual
Feedback: Training and awareness campaigns address systemic issues across the organizaon.
Issue a security violaon
Organizaonal
Individual (correct response)
Feedback: A logged security violaon addresses a specific incident and aims to migate the risk
associated with the individual.
Terminate employment
Organizaonal
Individual (correct response)
Feedback: Terminaon of employment is a punive acon that addresses a specific incident and aims
to migate the risk associated with the individual.
Offer career path opons
Organizaonal (correct response)
Individual
Feedback: A program offering career opportunies is an organizaonal response.
Provide an Employee Assistance Program
Organizaonal (correct response)
Individual
Feedback: An Employee Assistance Program is an organizaonal response.
Insider Threat Migaon Responses Student Guide
April 2024 Center for Development of Security Excellence Page A-5
Conduct user acvity monitoring of informaon technology systems
Organizaonal (correct response)
Individual
Feedback: User acvity monitoring is a way to migate risk across the organizaon.
Referral to mental health counseling
Organizaonal
Individual (correct response)
Feedback: A referral to mental health counseling aims to migate the risk associated with the
individual.
Review Activity 2
In the Jonathan Toebbe case study, which of the following disciplines were instrumental in detecon
and migaon? Visit Resources
to access the case study.
Law Enforcement (correct response)
Human Resources
Counterintelligence (correct response)
Behavioral Science
Feedback: Toebbe was prevented from disclosing unauthorized information as a result of a
multidisciplinary response comprised of counterintelligence and law enforcement. This includes his
contact with a foreign country and the resulting investigation by the Federal Bureau of Investigation.
Insider Threat Migaon Responses Student Guide
April 2024 Center for Development of Security Excellence Page A-6
Lesson 5 Review Activities
Review Activity 1
Report to the FBI when classified information is disclosed in an unauthorized manner to a foreign
power
DOD (correct response)
Federal (correct response)
Industry
Feedback: DOD and Federal Insider Threat Programs must report to the FBI when classified
information is or may have been disclosed in an unauthorized manner to a foreign power, per the
Intelligence Authorization Act. Industry must report the loss of classified information to DCSA, and
espionage, sabotage, or terrorism to both the FBI and DCSA, per the NISPOM Rule.
Report to the DITMAC
DOD (correct response)
Federal
Industry
Feedback: DOD Insider Threat Programs must report information that meets DITMAC reporting
thresholds to the DITMAC.
Report adverse information to DCSA
DOD
Federal
Industry (correct response)
Feedback: Industry Insider Threat Programs must report adverse information as listed in the NISPOM
Rule to DCSA.
Review Activity 2
Which would you report under Section 811 of the Intelligence Authorization Act?
Authorized disclosure of unclassified information to a foreign government
Unauthorized disclosure of classified information to a foreign government (correct response)
Unauthorized disclosure of classified information to a domestic-owned company
Authorized disclosure of unclassified documents to a domestic media outlet
Feedback: Section 811 of the Intelligence Authorization Act concerns the unauthorized release of
classified information to foreign powers or agents.
Insider Threat Migaon Responses Student Guide
April 2024 Center for Development of Security Excellence Page A-7
Review Activity 3
Which reporng thresholds meet DITMAC requirements?
Unauthorized disclosure (correct response)
Allegiance to the United States (correct response)
Serious threat (correct response)
Criminal conduct and affiliaon (correct response)
Feedback: All of these thresholds act as a guide for DOD Component Hubs to use when determining
whether an incident involved a DOD covered person and should be reported as an insider threat to
the DITMAC.