Skip to main content

Corporate Insider Threat Detection: Cyber Security Inside and Out

1st October 2012 to 31st March 2015


It is widely recognised that the threat to enterprises from insider activities is increasing, and that significant costs are being incurred. Since insider threat and compromising actions can take a multitude of forms, there is a diverse experience and understanding of what insider threats are, and how to detect or prevent them. The purpose of this research is to investigate the potential for near real-time detection of insider threat activities within a large enterprise environment using monitoring tools centred around the information infrastructure. As insider threat activities are not confined solely to cyber-based threats, the research will explore the potential for harnessing a variety of threat indicators buried in a different enterprise operations connected to or interfacing with the information infrastructure, enabling human analysts to make informed decisions efficiently and effectively.


Our research incorporates both theoretical and applied research projected to deliver a significantly enhanced capability in insider threat detection.  We are also developing education and dissemination materials and strategies designed to maximise uptake of the insight generated by the research. Our approach is to combine cyber security, psychology, criminology, visual analytics, enterprise operations management and executive education expertise to:

  • Develop a model for insider threat which is flexible enough to underpin detection systems based on both detecting deviations from normal behaviour, and the identification of specific events of interest which might indicate the presence of an attack involving an insider. The model will support the distinguishing of attack events relating to activities in the physical space and cyber space, based on data sources accessible via the information infrastructure.
  • Understand the potential for psychological indicators of an insider becoming a threat, including how we might detect such indicators based on cyber behaviours.
  • Identify the most effective pattern extraction algorithms for facilitating correlation and detection across heterogeneous operational contexts.
  • Understand the enterprise culture and common practices that such novel detection systems would need to work within, and design processes appropriate to enabling operation.
  • Provide a visual analytical interface to assist human analysts in more complex reasoning and decision-making processes by enabling them to fuse their knowledge and experience with the information and threat indicators discovered by the system, hence empowering the analysts to play an active role within the detection system in addition to being consumers of its outputs.
  • Develop an understanding of both the various organisational roles that will be impacted by such an insider threat detection system and have responsibilities towards successful outcomes, and the various awareness raising and educational methods which are likely to have the greatest impact in enabling stakeholders to benefit from the research and to learn from the knowledge developed.

We are working closely with Financial Fraud Action UK, SOCA, CISCO, CIFAS - the UK's Fraud Prevention Service - and others.  The project hosted a UK Workshop on Cyber-Insider Threat Risk Mitigation, in April 2014, bringing together over 80 attendees from industry, government and academia.  Based on the success of this event, we intend to host a follow-up workshop at the end of the project, in 2015.  Please contact our project manager if you would like to be on the mailing list.

Selected Publications

View All



Principal Investigator


Oliver Buckley
Alexandra Ellis
(Saïd Business School)
Katherine Fletcher
Jassim Happa
Phil Legg
Michael Levi
(University of Cardiff)
Eamonn Maguire
Nick Moffat
Jason Nurse
Gordon Wright
(University of Leicester)

Share this: