A Taxonomic Classification of Insider Threats: Existing Techniques, Future Directions & Recommendations


  • Usman Rauf Dept. of Math. & Computer Science, Mercy College, NY, USA
  • Fadi Mohsen Information Systems Group, Bernoulli Institute for Mathematics, Computer Science and Artificial Intelligence, University of Groningen, 9712 CP Groningen, The Netherlands
  • Zhiyuan Wei Dept. of Math. & Computer Science, Mercy College, NY, USA




Insider threats, anomaly detection, attack deterrence, intrusive applications, machine learning


In the last two decades, the number of rapidly increasing cyber incidents (i.e., data theft and privacy breaches) shows that it is becoming enormously difficult for conventional defense mechanisms and architectures to neutralize modern cyber threats in a real-time situation. Disgruntled and rouge employees/agents and intrusive applications are two notorious classes of such modern threats, referred to as Insider Threats, which lead to data theft and privacy breaches. To counter such state-of-the-art threats, modern defense mechanisms require the incorporation of active threat analytics to proactively detect and mitigate any malicious intent at the employee or application level. Existing solutions to these problems intensively rely on co-relation, distance-based risk metrics, and human judgment. Especially when humans are kept in the loop for access-control policy-related decision-making against advanced persistent threats. As a consequence, the situation can escalate and lead to privacy/data breaches in case of insider threats. To confront such challenges, the security community has been striving to identify anomalous intent for advanced behavioral anomaly detection and auto-resiliency (the ability to deter an ongoing threat by policy tuning). Towards this dimension, we aim to review the literature in this domain and evaluate the effectiveness of existing approaches per our proposed criteria. According to our knowledge, this is one of the first endeavors toward developing evaluation-based standards to assess the effectiveness of relevant approaches in this domain while considering insider employees and intrusive applications simultaneously. There have been efforts in literature towards describing and understanding insider threats in general. However, none have addressed the detection and deterrence element in its entirety, hence making our contribution one of a kind. Towards the end of this article, we enlist and discuss the existing data sets. The data sets can help understand the attributes that play crucial roles in insider threat detection. In addition, they can be beneficial for testing the newly designed security solutions in this domain. We also present recommendations for establishing a baseline standard for analyzing insider-threat data sets. This baseline standard could be used in the future to design resilient architectures and provide a road map for organizations to enhance their defense capabilities against insider threats.


Download data is not yet available.

Author Biographies

Usman Rauf, Dept. of Math. & Computer Science, Mercy College, NY, USA

Usman Rauf received his B.S. degree in Computational Physics, in 2008, from University of the Punjab, Pakistan. He was awarded Scholarship for Service award (2009–2011) to pursue his M.S. degree in Computational Sciences & Engineering, from Research Center for Modeling & Simulation at National University of Sciences and Technology, Pakistan. He graduated in 2020, with his Doctorate, from University of North Carolina at Charlotte, USA, on a fully funded Ph.D. scholarship. Since 2020, he is serving as an Assistant Professor of Cybersecurity at Mercy College, NY, USA. During his academic journey he has participated and lead several research & educational grants by U.S. agencies.

Fadi Mohsen, Information Systems Group, Bernoulli Institute for Mathematics, Computer Science and Artificial Intelligence, University of Groningen, 9712 CP Groningen, The Netherlands

Fadi Mohsen obtained his BSc degree in Computer Information Systems from the University of Jordan, Jordan. He was awarded the Fulbright Scholarship in 2008 to pursue his MSc in Computer Science at the University of Colorado at Colorado Springs, USA. In 2016, he received his Ph.D. in Computing and Informatics from the University of North Carolina at Charlotte, USA. He is currently an assistant professor at the University of Groningen. His research interests lie in usable security, mobile, and web security, moving target defense, and security analytics.

Zhiyuan Wei, Dept. of Math. & Computer Science, Mercy College, NY, USA

Zhiyuan Wei received his B.S. degree in computer science and technology from Shanghai JianQiao University, Shanghai, China, in 2021 and the M.S. degree in Cyber security from Mercy College, NY, USA, in 2023. He is currently working as a software engineer at Rocky Mountain Robotech LLC, CO, USA. Since 2022, he has been working as researchers assistant on Insider threat analytics. His research interests include threat analytics, data Science and machine learning.


(2016) CERT Threat Test Dataset. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=508099

(2018) Insider Threat Report. URL http://crowdresearchpartners.com

(2022a) As mobile usage skyrockets, nearly half of consumers do not protect personal data. www.mcafee.com/cs-cz/consumer-corporate/newsroompress-releases/press-release.html?news_id=9042347b-54f5-4149-bd16-f72357b35f13

(2022a) Cost of insider threats: Global. https://static.poder360.com.br/2022/01/pfpt-us-tr-the-cost-of-insider-threats-ponemon-report.pdf

(2022b) Identity and Access Management Suite, Beta Systems. URL https://www.betasystems-iam.com/en/products/garancy-iam-suite/

(2022b) Malware hits millions of android users. https://techstory.in/malware-hits-millions-of-android-users-the-apps-you-need-to-delete/

A M, K P, M B (2012) Preventing and Profiling Malicious Insider Attacks. Tech. rep., Defense Science and Technology Organization

Agrafiotis I, Erola A, Goldsmith M, Creese S (2016) A tripwire grammar for insider threat detection. In: Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, ACM, MIST ’16, pp 105–108

Aziz B, Foley SN, Herbert J, Swart G (2006) Reconfiguring role based access control policies using risk semantics. J High Speed Netw 15(3):261–273, URL http://dl.acm.org/citation.cfm?id=2692141.2692146

Bisgin H, Mohsen F, Nwobodo V, Havens R (2021) Enhancing malware detection in android application by incorporating broadcast receivers. International Journal of Information Privacy, Security and Integrity 5(1):36–68, DOI: 10.1504/IJIPSI.2021.119168, URL https://www.inderscienceonline.com/doi/abs/10.1504/IJIPSI.2021.119168, https://www.inderscienceonline.com/doi/pdf/10.1504/IJIPSI.2021.119168

Bishop M, Conboy HM, Phan H, Simidchieva BI, Avrunin GS, Clarke LA, Osterweil LJ, Peisert S (2014) Insider threat identification by process analysis. In: 2014 IEEE Security and Privacy Workshops, pp 251–264, DOI: 10.1109/SPW.2014.40

Biskup J (2011) History-dependent inference control of queries by dynamic policy adaption. In: Li Y (ed) Data and Applications Security and Privacy XXV, Springer Berlin Heidelberg, Berlin, Heidelberg, pp 106–121

Brdiczka O, Liu J, Price B, Shen J, Patil A, Chow R, Bart E, Ducheneaut N (2012) Proactive insider threat detection through graph learning and psychological context. In: Security and Privacy Workshops (SPW), 2012 IEEE Symposium on, pp 142–149

Cappelli DM, Moore AP, Trzeciak RF (2012) The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Addison-Wesley

Chakraborty S, Ray I (2006) Trustbac: Integrating trust relationships into the rbac model for access control in open systems. In: Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies, ACM, New York, NY, USA, SACMAT ’06, pp 49–58

Chen T, Kammüller F, Nemli I, Probst CW (2015) A probabilistic analysis framework for malicious insider threats. In: Human Aspects of Information Security, Privacy, and Trust, Springer International Publishing, pp 178–189

Cole E (2017) Defending Against the Wrong Enemy. Tech. rep., SANS Insider Threat Survey

Dimmock N, Belokosztolszki A, Eyers D, Bacon J, Moody K (2004) Using trust and risk in role-based access control policies. In: Proceedings of the Ninth ACM Symposium on Access Control Models and Technologies, ACM, New York, NY, USA, SACMAT ’04, pp 156–162

Feng F, Lin C, Peng D, Li J (2008) A trust and context based access control model for distributed systems. In: 2008 10th IEEE International Conference on High Performance Computing and Communications, pp 629–634, DOI: 10.1109/HPCC.2008.37

Gates CS, Chen J, Li N, Proctor RW (2014) Effective risk communication for android apps. IEEE Transactions on Dependable and Secure Computing 11(3):252–265, DOI: 10.1109/TDSC.2013.58

Gheyas IA, Abdallah AE (2016) Detection and prediction of insider threats to cyber security: a systematic literature review and meta-analysis. Big Data Analytics 1(1):6

Glasser J, Lindauer B (2013) Bridging the gap: A pragmatic approach to pp 98–104, DOI: 10.1109/SPW.2013.37

Hamed A, Ben Ayed HK (2016) Privacy risk assessment and users’ awareness for mobile apps permissions. In: 2016 IEEE/ACS 13th International Conference of Computer Systems and Applications (AICCSA), pp 1–8, DOI: 10.1109/AICCSA.2016.7945694

Hu Y, Kong W, Ding D, Yan J (2018) Method-level permission analysis based on static call graph of android apps. In: 2018 5th International Conference on Dependable Systems and Their Applications (DSA), pp 8–14, DOI: 10.1109/DSA.2018.00014

IBM (2021) IBM QRadar, SIEM. URL https://www.ibm.com/downloads/cas/OP62GKAR

IBM (2022) Resource Access Control Facility (RACF). URL https://www.ibm.com/products/resource-access-control-facility

Jovanovic B (2022) Virus alert: 31 antivirus statistics and trends. https://dataprot.net/statistics/antivirus-statistics/

Khariwal K, Singh J, Arora A (2020) Ipdroid: Android malware detection using intents and permissions. In: 2020 Fourth World Conference on Smart Trends in Systems, Security and Sustainability (WorldS4), pp 197–202, DOI: 10.1109/WorldS450073.2020.9210414

Legg PA, Buckley O, Goldsmith M, Creese S (2017) Automated insider threat detection system using user and role-based profile assessment. IEEE Systems Journal 11(2):503–512

Lindauer B (2020) Insider threat test dataset. Carnegie Mellon University, DOI: https://doi.org/10.1184/R1/12841247.v1

Ma J, Adi K, Mejri M, Logrippo L (2010) Risk analysis in access control systems. In: 2010 Eighth International Conference on Privacy, Security and Trust, pp 160–166

Mohsen F (2021) More than a million Android Apps with Two Privacy Scores. DOI: 10.34894/CW7PAH, URL https://doi.org/10.34894/CW7PAH

Mohsen F, Abdelhaq H, Bisgin H, Jolly A, Szczepanski M (2018) Countering intrusiveness using new security-centric ranking algorithm built on top of elasticsearch. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp 1048–1057, DOI: 10.1109/TrustCom/BigDataSE.2018.00147

Mohsen F, Abdelhaq H, Bisgin H (2022a) Security-centric ranking algorithm and two privacy scores to mitigate intrusive apps. Concurrency and Computation: Practice and Experience 34(14):e6571, DOI: https://doi.org/10.1002/cpe.6571, URL https://onlinelibrary.wiley.com/doi/abs/10.1002/cpe.6571

Mohsen F, Karastoyanova D, Azzopardi G (2022b) The manifest and store data of 870,515 Android mobile applications. DOI: 10.34894/H0YJFT, URL https://doi.org/10.34894/H0YJFT

Mohsen F, Karastoyanova D, Azzopardi G (2022c) To remove or not remove mobile apps? a data-driven predictive model approach. DOI: 10.48550/ARXIV.2206.03905, URL https://arxiv.org/abs/2206.03905

Montenegro F, Bisgin H, Mohsen F, Sobers NM (2021) Predicting intrusiveness of android apps by applying lstm networks on their descriptions. In: Arai K, Kapoor S, Bhatia R (eds) Proceedings of the Future Technologies Conference (FTC) 2020, Volume 1, Springer International Publishing, Cham, pp 1–15

Nissanke N, Khayat EJ (2004) Risk based security analysis of permissions in rbac. In: WOSIS

Nurse JRC, Buckley O, Legg PA, Goldsmith M, Creese S, Wright GRT, Whitty M (2014) Understanding insider threat: A framework for characterising attacks. In: 2014 IEEE Security and Privacy Workshops, pp 214–228

Oracle (2012) Application Access Controls Governor. URL https://docs.oracle.com/cd/E37379_01/doc.8643/e36194.pdf

Quattrone A, Kulik L, Tanin E, Ramamohanarao K, Gu T (2015) Privacypalisade: Evaluating app permissions and building privacy into smartphones. In: 2015 10th International Conference on Information, Communications and Signal Processing (ICICS), pp 1–5, DOI: 10.1109/ICICS.2015.7459926

R Z, X C, J S, F X, Y P (2014) Detecting insider threat based on document access behavior analysis. In: Web Technologies and Applications, Lecture Notes in Computer Science, Springer, vol 8710, pp 98–104

Rashid T, Agrafiotis I, Nurse JR (2016) A new take on detecting insider threats: Exploring the use of hidden markov models. In: Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, ACM, New York, NY, USA, MIST ’16, pp 47–56

Rashidi B, Fung C, Nguyen A, Vu T, Bertino E (2018) Android user privacy preserving through crowdsourcing. IEEE Transactions on Information Forensics and Security 13(3):773–787, DOI: 10.1109/TIFS.2017.2767019

Rauf U (2018) A taxonomy of bio-inspired cyber security approaches: Existing techniques and future directions. Arabian Journal for Science and Engineering DOI: https://doi.org/10.1007/s13369-018-3117-2

Rauf U, Mohsin M, Mazurczyk W (2019a) Cyber regulatory networks: Towards a bio-inspired auto-resilient framework for cyber-defense. In: Bio-inspired Information and Communication Technologies, Springer International Publishing, Cham, pp 156–174, DOI: http://dx.doi.org/10.1007/978-3-030-24202-2_12

Rauf U, Shehab M, Qamar N, Sameen S (2019b) Bio-inspired approach to thwart against insider threats: An access control policy regulation framework. In: Bio-inspired Information and Communication Technologies, Springer International Publishing, pp 39–57, DOI: https://doi.org/10.1007/978-3-030-24202-2_4

Rauf U, Shehab M, Qamar N, Sameen S (2021) Formal approach to thwart against insider attacks: A bio-inspired auto-resilient policy regulation framework. Future Generation Computer Systems 117:412–425, DOI: https://doi.org/10.1016/j.future.2020.11.009, URL https://www.sciencedirect.com/science/article/pii/S0167739X20330338

S Anthony (2022) Malware Hits Millions of Android Users. https://www.tomsguide.com/news/malware-hits-10-million-android-users-delete-these-apps-right-now, online; accessed 10 September 2022

Salim F, Reid J, Dawson E, Dulleck U (2011) An approach to access control under uncertainty. In: 2011 Sixth International Conference on Availability, Reliability and Security, pp 1–8, DOI: 10.1109/ARES.2011.11

SAP (2022) Sap access control 12.0. https://help.sap.com/docs/SAP_ACCESS_CONTROL.

Shannon CE (1948) A mathematical theory of communication. The Bell System Technical Journal 27:379–423, URL http://plan9.bell-labs.com/cm/ms/what/shannonday/shannon1948.pdf

Ted E, Goldberg HG, Memory A, Young WT, Rees B, Pierce R, Huang D, Reardon M, Bader DA, Chow E, et al (2013) Detecting insider threats in a real corporate database of computer usage activity. In: Proceedings of the 19th ACM SIGKDD international conference on Knowledge discovery and data mining, pp 1393–1401




How to Cite

Rauf U, Mohsen F, Wei Z. A Taxonomic Classification of Insider Threats: Existing Techniques, Future Directions & Recommendations. JCSANDM [Internet]. 2023 May 3 [cited 2023 Nov. 28];12(02):221–252. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/18823