Early warning system insider attacks

Started in April 2021

When an attack comes from the inside, the impact of an attack can be catastrophic, and could cause financial, reputational and regulatory consequences.


Cyberattacks can be catastrophic, and could cause financial, reputational and regulatory consequences. Usually, cyber-attacks are launched by external attackers from outside the organization. But they also could be triggered from the inside, e.g. an employee sells private data, or an employee is planted as a mole by another organisation. 

But because the impact is so high, the PCSI project ‘early warning system insider attacks’ explores ways to detect and prevent potential insider attacks in an early stage. The idea is to exchange information on insider attacks, give out an early warning to other organizations, and collaboratively build intelligence on modus operandi and other critical information to improve the detection and prevention of such attacks in the future. We will apply a multidisciplinary approach in which we combine intelligence on human behavior with technical intelligence to enable cross organisational learning about modus operandi of insider fraud for better detection.

Project results

In the Explore phase we investigated the feasibility of the concept of an early warning system. We explored how this could best be implemented to enable cross organisational learning. At the same time, we validated that this concept would be new and add an unexplored dimension in detecting insider attacks. By creating an understanding of how we could share data and what has already been tried, we could optimally position our solution to resolve the current pains within the partnered organisations. 

Conclusion at the end of the Explore phase
We found that some technical solutions exist which record all electronic footprints of employees within an organisation. But, at the same time, there is no solution yet that helps organisations to collaborate using their intel to better detect insider attacks in the future. Using the PIFI1 protocol, relevant data of the modus operandi can be shared between organisations. In turn, this provides an overview of historical cases for participating organisations which can be used for data- and trend analysis. Finally, sharing this intel pre-warns the other organisations of a potential attack, making this a suitable solution for an early warning system.

Activities within the Proof of Concept phase
As part of the PoC phase we enabled cross organizational learning about modus operandi of insider attacks for better detection. This was done by developing an insider attack sharing form which contained the modus operandi and other relevant information about the attack. This information was successfully shared between financial organizations which could be analyzed on correlation, distribution, association and experience.

Activities within the Exploit phase
We're now searching for suitable parties to collaborate with. 

Activities within the Pilot phase
The pilot phase will focus on measuring and evaluating the functionalities regarding accessibility, ease of use, completeness of data and data analysis. Users need to be able to effectively make use of the MVP without being hindered by technical constraints. The current version of the MVP is developed to be ‘straight-forward’ and leave no room for misinterpretations as we have tested on multiple occasions. From earlier feedback we learned that each specific type of relevant information needs to have a predefined entry point.

As a result of collecting data, the outcomes and insight are sourced from the analytics. We will perform multiple analysis approaches in order to determine a ‘best practice’ that clearly states the most relevant results. The goal would be to achieve a generalized analysis reporting approach that is easily accessible to all involved parties.

[1] Protocol Incidenten-waarschuwingssysteem Financiële Instellingen

This project is part of the trend

15 Threat February 2024

Growing number of insider attacks

Employees are increasingly getting involved in data leaks intentionally or unintentionally due to social as well as technical reasons. A growing market has emerged for confidential data on the Dark Web. As a result, on the social side, data is increasingly being stolen and sold by malicious employees or used in other kinds of ways. There are different forms of intentional insider attack threats; e.g. an employee radicalizes, is extorted or has been premeditated to work in an organization. Also due to technical reasons (access without official permission) attacks (can) take place.
Beeldmerk PCSI
PCSI is a collaboration of
    ABN-AMRO Achmea ASML Belastingdienst ING TNO