This is a popular topic in the boardroom too. No matter how much is invested in cyber protection technologies and how widely they are deployed, controls always have insufficient coverage to deal with insiders.
According to PNNL's Predictive Adaptive Classification Model for Analysis and Notification, identifying insider threats involves substantial data sources and derivatives. This may be possible with big data, but after all, who will watch the watcher?
The lines of defence shall be:
- Preventive controls as a barrier (where technology is available and investment is justified)
- Detective controls as digital evidence (when events are reviewed effectively to identify the offender)
- Administrative controls as management directives (when productive activities have higher preference over prohibitive measures)
- Corporate disciplinary process or contractual undertaking enforcement for the offender
- Laws & regulations as the ultimate deterrent