Insider Threat Indicators
Monitoring of potential insider risk behaviors
Current Value
12 alerts
-2 from previous period
Industry average: 18 alerts
Calculation Method
Count of high-confidence insider threat indicators detected. Includes anomalous access patterns, data exfiltration attempts, policy violations, and behavioral risk indicators.
Significance
This KPI tracks the effectiveness of your insider threat detection program. It focuses on identifying potentially risky behaviors by trusted insiders that could lead to data theft, sabotage, or unintentional harm.
Definition
Insider Threat Indicators measures your organization's ability to detect anomalous or potentially harmful activities by trusted users with legitimate access. It considers both malicious intent (data theft, sabotage) and unintentional risks (negligence, policy violations).
Significance
Insider threats are among the most challenging security risks to detect and manage. Unlike external attackers, insiders already have access, knowledge of systems, and legitimate credentials.
This KPI helps organizations monitor the effectiveness of their insider risk monitoring capabilities. While the goal isn't necessarily to reduce alerts to zero (which might indicate poor detection), the focus is on high-fidelity detection of genuinely concerning behaviors.
Calculation Method
Alert calculation focuses on high-confidence indicators:
- Abnormal access patterns (access outside normal hours, role, location)
- Data exfiltration signals (unusual downloads, email attachments, transfers)
- Privilege escalation or abuse
- Behavioral risk indicators (from UEBA systems)
- Terminated employee credential usage
Only high-confidence alerts (typically with multiple correlated signals) are counted in this metric.
Benchmark
Industry average: 18 high-confidence alerts per month
Best practice targets: focus on detection quality rather than a specific alert count; >90% investigation rate for high-confidence alerts
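The calculation method above counts only alerts backed by multiple correlated signals, and the benchmark tracks how many of those alerts are actually investigated. The following is an added example (not part of this KPI page or any vendor product) showing how such a count can be produced from raw signal events: per-user signals are grouped into a correlation window, an alert becomes "high confidence" when it carries two or more distinct signal types, and the investigation rate is computed over the resulting alerts. The 24-hour window, the choice to treat terminated-employee credential use as high-confidence on its own, and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Signal categories named in the KPI's calculation method.
SIGNAL_TYPES = {
    "abnormal_access",        # access outside normal hours, role, or location
    "exfiltration",           # unusual downloads, email attachments, transfers
    "privilege_abuse",        # privilege escalation or abuse
    "ueba_risk",              # behavioral risk indicator from a UEBA system
    "terminated_credential",  # terminated employee credential usage
}

# Assumptions (not stated on the page): a 24-hour correlation window, and
# terminated-employee credential use counted as high-confidence by itself,
# since a single such event already indicates a control failure.
WINDOW = timedelta(hours=24)
STANDALONE_HIGH_CONFIDENCE = {"terminated_credential"}

# Constructed sample signals: (user, ISO timestamp, signal_type).
SAMPLE_SIGNALS = [
    ("alice", "2024-03-01T02:10:00", "abnormal_access"),
    ("alice", "2024-03-01T02:25:00", "exfiltration"),
    ("alice", "2024-03-01T02:40:00", "exfiltration"),      # repeat type, same alert
    ("bob",   "2024-03-01T09:00:00", "ueba_risk"),         # lone signal: low confidence
    ("carol", "2024-03-02T14:00:00", "terminated_credential"),
    ("dave",  "2024-03-03T10:00:00", "abnormal_access"),
    ("dave",  "2024-03-05T10:00:00", "privilege_abuse"),   # >24h later: new window
    ("dave",  "2024-03-05T11:00:00", "exfiltration"),      # correlates with 03-05 signal
]


def correlate(signals, window=WINDOW):
    """Group each user's signals into time windows; return one alert per window."""
    by_user = defaultdict(list)
    for user, ts, sig in signals:
        if sig not in SIGNAL_TYPES:
            raise ValueError(f"unknown signal type: {sig}")
        by_user[user].append((datetime.fromisoformat(ts), sig))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        start, types = None, set()
        for ts, sig in events:
            # A signal more than `window` after the window's first event opens a new alert.
            if start is None or ts - start > window:
                if types:
                    alerts.append(_alert(user, start, types))
                start, types = ts, set()
            types.add(sig)
        if types:
            alerts.append(_alert(user, start, types))
    return alerts


def _alert(user, start, types):
    return {"id": f"{user}-{start.isoformat()}", "user": user,
            "start": start, "signals": frozenset(types)}


def is_high_confidence(alert):
    """High confidence: multiple distinct correlated signal types, or a standalone one."""
    types = alert["signals"]
    return len(types) >= 2 or bool(types & STANDALONE_HIGH_CONFIDENCE)


def high_confidence_alerts(signals):
    return [a for a in correlate(signals) if is_high_confidence(a)]


def kpi_count(signals):
    """The KPI value: number of high-confidence alerts in the period."""
    return len(high_confidence_alerts(signals))


def investigation_rate(alerts, investigated_ids):
    """Share of high-confidence alerts that were investigated (benchmark: >90%)."""
    if not alerts:
        return 1.0
    done = sum(1 for a in alerts if a["id"] in investigated_ids)
    return done / len(alerts)


if __name__ == "__main__":
    alerts = high_confidence_alerts(SAMPLE_SIGNALS)
    for a in alerts:
        print(a["id"], sorted(a["signals"]))
    investigated = {a["id"] for a in alerts[:2]}
    print("KPI:", len(alerts), "investigation rate:",
          round(investigation_rate(alerts, investigated), 2))
```

On the constructed sample, five per-user windows are formed but only three meet the high-confidence bar (alice, carol, dave's second window), so the KPI value is 3; the lone UEBA score for bob and dave's isolated off-hours access are excluded, which is the point of counting correlated signals rather than raw events.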