Insider Threats to Governments and Organizations

Minitrack Description

The insider problem is one of the most important problems in computer security, and indeed, in all aspects of real-world security. Insiders have compromised many key societal systems and processes in domains such as government, finance, and even science. Many reports of insider attacks describe people trusted with access to sensitive information abusing that access to damage that information, compromise the privacy of that information, and collaborate with others (sometimes other insiders) to cause various kinds of failures, losses, and serious harm. Indeed, the insider problem is also pernicious in the non-computer world; as the ancient Roman satirist Juvenal said, "Who will guard the guards themselves?" Any approach must therefore have not only a technical aspect, but also a non-technical (social, political, legal, cultural, and so forth) one. Insider attacks may be accidental or arise from conflicting policies that confuse the putative attacker. These unintentional insider attacks are as dangerous as deliberate insider attacks, but must be handled differently due to the lack of maliciousness. Understanding how to cope with unintentional insider attacks effectively is also a complex, difficult problem.

This minitrack solicits papers dealing with the social (i.e., economic, sociological, and political) and legal aspects of the insider problem, especially as they relate to government, government contractors, and other governmental entities. This includes international organizations and non-governmental organizations (NGOs).


Minitrack topics include, but are not limited to:

  • Whistleblowing
  • Examining the causes of insider attacks
  • Multi-disciplinary approaches to the insider problem
  • Measuring the effectiveness of remediation technologies and methodologies
  • Insider threats and social media
  • Case studies of insider threats and attacks, including unintentional attacks
  • Human factors and the insider problem

More information on the minitrack chairs:

Matt Bishop received his Ph.D. in computer science from Purdue University, where he specialized in computer security, in 1984. He was a research scientist at the Research Institute of Advanced Computer Science and was on the faculty at Dartmouth College before joining the Department of Computer Science at the University of California at Davis. His main research area is the analysis of vulnerabilities in computer systems, including modeling them, building tools to detect vulnerabilities, and ameliorating or eliminating them. He is active in the areas of network security, the study of denial of service attacks and defenses, policy modeling, software assurance testing, formal modeling of access control, and the insider problem. He is also interested in electronic voting, and was one of the two principal investigators of the California Top-to-Bottom Review, which performed a technical review of all electronic voting systems certified in the State of California. He is active in information assurance education. His textbook, Computer Security: Art and Science, was published in December 2002 by Addison-Wesley Professional. He also teaches software engineering, machine architecture, operating systems, programming, and (of course) computer security.


Jay P. Kesan is a Professor and Workman Research Scholar at the University of Illinois at Urbana-Champaign. His primary research interests are in the areas of computer security and intellectual property. He has a Ph.D. in Electrical and Computer Engineering from the University of Texas at Austin and a J.D. from Georgetown University.


Jason W. Clark, Ph.D., is a researcher at Carnegie Mellon University's Software Engineering Institute (SEI). His main areas of interest are cyber-security with a focus on insider threats, specifically prediction, detection, and mitigation. He completed his Ph.D. in Information Technology from George Mason University, where he specialized in cyber-crime and anonymous searching of the Internet. Prior to joining the SEI in 2012, Jason worked at the Institute for Defense Analyses (IDA) as a lead information security analyst and from 2003-07 at the United States Census Bureau writing and reviewing security documentation and policy. He also teaches part-time undergraduate courses at Northern Virginia Community College (NVCC) and Southern New Hampshire University (SNHU).

Co-Chairs

Matt Bishop
(Primary Contact)

University of California at Davis
Department of Computer Science
One Shields Ave.
Davis, CA 95616, USA
Phone: +1-530-752-8060
Email: mabishop@ucdavis.edu

Jay P. Kesan
University of Illinois at Urbana-Champaign
College of Law
504 E. Pennsylvania Ave.
Champaign, Ill 61820, USA
Phone: +1-217-333-7887
Fax: +1-304-293-6035
Email: kesan@illinois.edu

Jason W. Clark
Carnegie Mellon University
Software Engineering Institute
4500 Fifth Avenue
Pittsburgh, PA 15213, USA
Phone: +1-202-731-2742
Email: jwclark@cert.org