The National Institute of Standards and Technology (NIST) Cybersecurity Framework organizes security activities into five core Functions: Identify, Protect, Detect, Respond, and Recover. The Framework is not prescriptive; an organization applies it within the bounds of its own business model and risk tolerance, and the same structure can be used to build an insider threat mitigation program (NIST, 2014).

NIST also describes seven steps for establishing or improving a cybersecurity program. Applied to insider threats, they are:
1. Prioritize and Scope — While considering its business objectives, the organization decides to develop an insider threat program. It defines the program's scope in light of its acceptable risk tolerance.
2. Orient — The organization identifies its own processes and assets, then the threats and vulnerabilities that apply to them. At this point the organization also confirms which laws and regulations in its country and state it must comply with.
3. Assess Current State — The organization assesses where it currently stands with regard to insider threats. Is there potential for a threat in the near future, or is one already active? If an active insider threat is uncovered, the organization can work with outside resources such as local law enforcement or the FBI to conduct an investigation; this is especially recommended in cases involving potential economic espionage (FBI, 2016).
4. Conduct a Risk Assessment — A risk assessment is conducted to estimate the likelihood of an insider threat and the impact it would have if it occurred.
5. Create a Target State — Having defined its scope and assessed its current state, the organization sets the goals its insider threat program should reach.
6. Identify, Analyze, and Prioritize Gaps — Comparing the current state with the target state, the organization identifies and analyzes the gaps between them and determines, in priority order, the steps needed to close each one.
7. Implement Action Plan — The organization implements an action plan to close the prioritized gaps. It continues to monitor its practices afterward and adjusts the plan as needed.

Potential Legal Implications:
Insider threat programs can involve potentially intrusive practices as an organization attempts to prevent and detect threats. Companies must take into account the laws and regulations they are subject to, including employment and privacy laws, at both the federal and state level. The Electronic Communications Privacy Act (ECPA), of which Title I is commonly known as the Wiretap Act, is a federal law that prohibits the intentional interception of wire, oral, and electronic communications; this includes email and telephone communications. Interception is not illegal in every case: the Act contains exceptions, including one for providers of the communication service, so an employer that furnishes the network or the method of communication may, within the limits the law defines, access and disclose an employee's communications made over that system in the course of employment. To reduce its liability, a company should give employees a clear, written network and monitoring policy and obtain formal acknowledgment from both parties, so that consent to monitoring is documented.

Most states also recognize tort claims, such as intrusion upon seclusion, where an intentional intrusion into a person's private affairs takes place. There is still legal debate about how much privacy an employee can reasonably expect while at work, and any program that monitors or logs activity and communications can run into privacy protection laws and expectations. Such a monitoring program can be illegal if it exceeds what the law and the employee's consent permit, and even where the legal line is unclear, the act of monitoring can itself create liability for the organization.

References & Further Reading:

FBI, U.S. Department of Justice. (2016). Inside the FBI's Counterintelligence Program. Retrieved from

National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (NIST Cybersecurity Framework). Retrieved from