Development of Trusted Human Framework for Mitigating Risks of Insider Threats


  • Muliati Sedek
  • Rabiah Ahmad
  • Aliza Che Amran
  • Siti Norfatihah Isnin
  • Nurdayana Izyan Ahmad Ahsan


This study is exploring insider threat which define as the potential for an individual who has or had authorized access to an organization’s assets to use that access, either maliciously or unintentionally, to act in a way that could negatively affect the organization. However, the propensity for the organization to grant the system and physical accesses to an employee, contractor, or business partner (insider) is unavoidable and evidently, literature reviews put forward on the complexity and challenging tasks for organization to manage this insider threats. Beside a technical or technological perspective, a framework with the element of people, process and technology embedded in the Employee Life Cycle would be able to provide alternative for organization to mitigate risks of insider threats. The proposed framework developed using qualitative method and empirical study to organization fully implement cybersecurity control in Malaysia. Practitioners who responsible in strategizing security controls for organizations were interviewed. Our controls components inspired from the Common-sense Guide to Mitigating Insider Threats produced by the Software Engineering Institute of Carnegie Mellon University. Data retrieved from responders analysed using Delphi and results shows that Trusted Human Framework used to mitigate risks by identifying potential detect potential employees (insider) who bound to become a fraudster or perpetrator by violating the access or trust given by the company (employer). Three factors such as motive, opportunity and method are essential to be recognized, identified and suppressed within the organization boundary to stop the insider threats or attacks to happen. As a conclusion, the outcome of this study would be able to assist organization to understand further the general acceptance of the control practices and motivate the organization to strengthen the effort in mitigating insider threats. The suggested framework is also aimed to inspire more organizations to consider identifying insider threats as one of the risk in their company’s enterprise risk management activities.