How to Build Incident Response Scenarios for Insider Threats

By 2023, 60% of large enterprise organizations will have well-defined incident response scenarios for insider threats, which is a major increase from fewer than 20% today.

Organizations must prepare for insider threats that are likely to have negative effects on business outcomes. As part of their incident response processes, security and risk management leaders must develop organization-specific incident response scenarios to improve their information security management programs.

Gartner has identified three ways you can build an incident response scenario for insider threats:

Invest in monitoring and surveillance capabilities to gain a better understanding of, and more visibility into, people and assets — from how data is handled to identifying employee behaviors that don’t follow standard policy. Such investments will help you efficiently roll out response, mitigation and recovery when violations occur.

“CISOs need to know who is at risk, what the source of the risk is and what the triggers are that can activate risky behavior,” says Care.

Thorough background checks of employees and vendors, combined with monitoring of anomalous data exchanges, give CISOs a view into user and entity behavior analytics (UEBA). This is critical for understanding the sources of risk and for planning how to mitigate them.

Incident response scenarios come from developing user profiles and personas that help identify unusual behavior by users or groups engaged in high-risk activities.

Identify the potentially risky behaviors and map each one against a potential solution or mitigation. While they will vary by organization, common scenarios include installing unsanctioned software, repeated failed password attempts and attempts to access other employees' accounts. As you gain more in-depth insight into user profiles and personas, these scenarios can be made more specific.

Once context-specific incident response scenarios are identified, refine the actions for specific users or groups so that the scenario indicates whether a given action warrants escalation to an incident.
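As an added illustration (not from the Gartner article), the following Python sketch shows how the three behaviors named above can be expressed as detection rules run over log lines, each mapped to a mitigation, with the escalation decision adjusted by user group as the preceding paragraph describes. The log lines, user names, group names, package names, hostnames and thresholds are all constructed assumptions for the example.

```python
"""
Added example (not from the Gartner article): a small rule engine that maps
three insider-threat scenarios to a mitigation and an escalation decision that
depends on the user's group/persona. Every value below is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed, syslog-like sample lines (not real telemetry).
SAMPLE_LOGS = """\
2024-03-01T08:01:10 host=ws-17 user=alice event=auth_fail target=alice
2024-03-01T08:01:14 host=ws-17 user=alice event=auth_fail target=alice
2024-03-01T08:01:19 host=ws-17 user=alice event=auth_fail target=alice
2024-03-01T08:02:02 host=ws-17 user=alice event=auth_ok target=alice
2024-03-01T09:15:33 host=ws-22 user=bob event=auth_fail target=carol
2024-03-01T09:15:40 host=ws-22 user=bob event=auth_fail target=carol
2024-03-01T10:40:05 host=ws-22 user=bob event=sw_install package=unlisted-tunnel
2024-03-01T11:03:50 host=srv-db1 user=dave event=sw_install package=approved-editor
2024-03-01T11:05:12 host=srv-db1 user=dave event=auth_fail target=dave
"""

# Persona/group context (constructed): which groups carry elevated risk.
USER_GROUP = {"alice": "staff", "bob": "staff", "dave": "db-admin"}
HIGH_RISK_GROUPS = {"db-admin"}

# Constructed allow-list; any other package counts as unsanctioned software.
SANCTIONED_SOFTWARE = {"approved-editor"}

# Scenario -> mitigation (the "map them against potential solutions" step).
MITIGATION = {
    "repeated_auth_failure": "lock account at threshold, notify user, verify with manager",
    "unsanctioned_software": "quarantine host, remove package, interview user",
    "cross_account_access": "disable account, preserve logs, involve HR and legal",
}


@dataclass(frozen=True)
class Finding:
    user: str
    scenario: str
    evidence: str
    escalate: bool
    mitigation: str


def parse_line(line: str) -> dict:
    """Split a line into its timestamp plus key=value fields."""
    ts, *tokens = line.split()
    fields = {"ts": ts}
    for tok in tokens:
        key, _, value = tok.partition("=")
        fields[key] = value
    return fields


def analyze(log_text: str, auth_fail_threshold: int = 3) -> list[Finding]:
    """Apply the scenario rules; escalation is tightened for high-risk groups."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    own_fail: dict[str, int] = defaultdict(int)
    cross_fail: dict[str, set[str]] = defaultdict(set)
    findings: list[Finding] = []

    for ev in events:
        user = ev["user"]
        if ev["event"] == "auth_fail":
            if ev.get("target") == user:
                own_fail[user] += 1
            else:  # failures against someone else's account
                cross_fail[user].add(ev.get("target", "?"))
        elif ev["event"] == "sw_install" and ev.get("package") not in SANCTIONED_SOFTWARE:
            findings.append(Finding(user, "unsanctioned_software", ev["package"],
                                    True, MITIGATION["unsanctioned_software"]))

    for user, count in own_fail.items():
        high_risk = USER_GROUP.get(user) in HIGH_RISK_GROUPS
        # Per-group refinement: a single failure on a privileged persona is
        # enough to escalate; ordinary staff only get a finding at the threshold.
        threshold = 1 if high_risk else auth_fail_threshold
        if count >= threshold:
            findings.append(Finding(user, "repeated_auth_failure", f"{count} failures",
                                    high_risk, MITIGATION["repeated_auth_failure"]))

    for user, targets in cross_fail.items():
        # Attempts against other accounts always warrant escalation in this model.
        findings.append(Finding(user, "cross_account_access", ",".join(sorted(targets)),
                                True, MITIGATION["cross_account_access"]))
    return findings


def users_to_escalate(findings: list[Finding]) -> list[str]:
    """Distinct users whose findings warrant opening an incident."""
    return sorted({f.user for f in findings if f.escalate})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.user:6} {f.scenario:22} escalate={f.escalate!s:5} -> {f.mitigation}")
    print("escalate:", users_to_escalate(analyze(SAMPLE_LOGS)))
```

The point of the group lookup is the refinement step from the text: the same raw behavior (a failed login) produces a low-priority finding for an ordinary account but an escalation for a privileged persona, and the mitigation attached to each finding is what the playbook executes.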

Look to past insider threat incidents in your organization and use them to test and refine your incident response preparation and readiness. Work with your legal and HR teams to do so, as they typically document such incidents. You can also examine post-incident reporting and add it as a critical source to your scenario planning.

Remember that past incidents can help you create a playbook of use cases and drive incident management process improvements, such as adding indicators for actions or behaviors that were missed so they are caught in future incidents.