Insight into insiders and IT: A survey of insider threat taxonomies, analysis, modeling, and countermeasures

Ivan Homoliak, Flavio Toffalini, Juan Guarnizo, Yuval Elovici, Martín Ochoa

Research output: Contribution to journalReview articlepeer-review

132 Scopus citations


Insider threats are one of today's most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. In this work, we propose structural taxonomy and novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research while using an existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories that include incidents and datasets, analysis of incidents, simulations, and defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents that is based on existing taxonomies and the 5W1H questions of the information gathering problem. Our survey will enhance researchers' efforts in the domain of insider threat because it provides (1) a novel structural taxonomy that contributes to orthogonal classification of incidents and defining the scope of defense solutions employed against them, (2) an overview on publicly available datasets that can be used to test new detection solutions against other works, (3) references of existing case studies and frameworks modeling insiders' behaviors for the purpose of reviewing defense solutions or extending their coverage, and (4) a discussion of existing trends and further research directions that can be used for reasoning in the insider threat domain.

Original languageEnglish
Article numbera30
JournalACM Computing Surveys
Issue number2
StatePublished - 1 May 2019
Externally publishedYes


  • 5W1H questions
  • Grounded theory for rigorous literature review
  • Insider threat
  • Malicious insider threat
  • Masqueraders
  • Traitors
  • Unintentional insider threat

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)


Dive into the research topics of 'Insight into insiders and IT: A survey of insider threat taxonomies, analysis, modeling, and countermeasures'. Together they form a unique fingerprint.

Cite this