West Point
Insider Threat Program

Mission
To connect Department of Defense and Department of the Army’s Insider Threat efforts with an interdisciplinary team at the United States Military Academy and beyond to counter the Insider Threat by fostering a positive leadership climate that reduces threat likelihood and impact. To leverage these connections against developing research that enriches staff and cadets beyond the classroom and deploys contributions to strengthen the enterprise.

Vision
WE INTEGRATE. As a program, we thrive on interdisciplinarity and build teams that integrate diverse perspectives from military to civilian, public to private, academic to operational, pragmatic to ethical, government to non-government, quantitative to qualitative.
WE RESEARCH. We continually seek opportunities to broaden, deepen, and otherwise enrich the body of knowledge contributing to the understanding of the Insider Risk factors and Insider Threat behaviors.
WE DEVELOP. Our program fosters innovative thinking in contemporary context to develop creativity and agility of thought in the next generation’s leaders of character operating in an increasingly complex world.

Objective
The Insider Threat Program at West Point benefits the Army and Department of Defense with its contributions to (i) research, development, and deployment of tools that point leadership toward personnel experiencing trauma and/or hardship, (ii) promotion of climate, culture, and atmosphere that reduces threat and improves retention, (iii) enhancement of values-based hiring practices, and (iv) promotion of innovative Insider Threat and Insider Risk thinking in the next generation of leaders.


The idea of protecting organizations against threats from inside and out has certainly been important since the dawn of people coming together for a common goal. The imperative for United States governmental organizations to formally address the need to deter, detect, and mitigate “insider” threats began when President Obama signed Executive Order 13587, directing that we implement an insider threat detection and prevention program consistent with guidance and standards developed by the Insider Threat Task Force.

Since that directive, each government agency has implemented its own programs to counter the threat of trusted agents that damage (intentionally or unintentionally) the organization from the inside, out. In 2017, the DoD and DA recognized the need for a multi-disciplinary research entity to enable operators to remain at the “cutting edge” of countering such threats not only today, but tomorrow. In 2019, USD(I&S) and DA G3-5-7 decided to place its research program at West Point (namely, the Department of Mathematical Sciences) to leverage its nearly 50 academic departments and research center against the critical problem of detecting, deterring, and mitigating the Insider Threat.

Where We’ve Been
Since 2019, the West Point Insider Threat program has recruited approximately $2.7 million in funding that has supported the mission of the United States Military Academy across all five academic pillars by contributing to the sourcing (or fully sourcing) eight staff and faculty, providing 51 Cadet internship opportunities, advising nine one- and two-semester research opportunities, conceiving and launching the Managing Insider Risk and Organizational Resilience (MIROR) journal, supporting the research and development of more than two dozen junior faculty members and creating the website https://insiderthreat.westpoint.edu to promulgate Insider Threat information to thousands of users.

This body of work has placed the West Point Insider Threat Program on the “map” of significant contributors to the field. Potential collaborators from other USG agencies, including the Department of Homeland Security, National Nuclear Security Agency (Department of Energy), and the Internal Revenue Service have recognized our quality of work, perspective, and engagement and requested the opportunity to work with our program. We have built working and collaborative relationships with other academic institutions and University Affiliated Research Centers (UARCs) like Queens University, Army University, MITRE, and the Applied Reseach Lab for Intelligence and Security (ARLIS) at the University of Maryland. In addition, industry partners such as the Logistics Management Institute (LMI, LLC), J.P. Morgan Chase (JPM), Wells-Fargo, Pacific Gas & Electric Company (PG&E), DTEX, and others are seeking our collaboration. As a result, with the last year, the West Point Insider Threat Program has been invited to share its thoughts, viewpoints, and output with the broader community in the Insider Threat Summit, at the National Insider Threat Task Force, and as a panelist at the Defense Counterintelligence and Security Agency’s opening to National Insider Threat Awareness Month (NITAM). The DCSA panel is titled “The Future of the Insider Threat Profession,” which leads us to…

Where We’re Going
Since Executive Order 13587 in 2011, about 37 million DoD personnel have worked between five and six billion hours. The number of damaging (intentional or unintentional) insider actions can be counted in the dozens in the last 13 years-mathematically rare events. Even when we have comprehensive data around a scenario, it is notoriously difficult to predict or forecast rare events. A N D there is no one suggesting the data we can collect and analyze present a comprehensive picture of a potential insider threat scenario, even less so in advance of an insider-related activity. And, yet-much of the funding and resourcing within the Insider Threat and Insider Risk portfolio are dedicated to the development of just such models. We can do better.

One way our community has successfully addressed the trouble with “rare events” is through work to get “left of the bang,” or as Robert Graves wrote in the inaugural issue of MIROR, “left of the flash.” This need, and the desire to understand the insider problem more comprehensively, led to the discussion of “insider risk” that potentially leads to “insider threat.” Insider risk requires an understanding of the leading indicators that contribute to insider threat activity. Insider risk effectively takes a step toward integrating humans into the analytical process by pointing leaders and decision makers toward areas of greater threat activity likelihood and enabling them to make informed decisions about mitigating potential threat activity.

In addition to the technical challenges associated with Insider Threat and Insider Risk, both processes are inherently confrontational. Our analysts and indeed, our employees, are looking at each other as potential threat vectors in the workplace. This can stand in the way of the positive, caring, and developmental workplace that fosters the greatest productivity in its workforce. Our community’s overall goal is to keep our enterprises and our people safe from threat and resilient against malicious activity that manifests. A person’s entire mindset changes when their mission is to “protect,” rather than “defend.” The former connotes safeguarding what’s important and the latter destroying an attacker. The idea of “workforce protection” can inspire a feeling of integration and teamwork that causes people to look right and left in a protective mindset, rather than seeking to identify the personnel who may pose threats. It’s a constructive-rather than confrontational-means toward the same end.

There are many definitions of a positive and productive workplace. Common to all of them is that employees feel connected to and invested in the organization and importantly, feel reciprocity: that that organization is connected to and invested in them. Shifting the threat deterrence-detection-mitigation paradigm to a constructive mindset like workforce protection demonstrates the enterprise’s commitment to its employees. An employee base invested in the company is in tune with each other and the company. Their heads are up and their eyes open; they intuitively notice something out of the ordinary. They naturally detect. Positive, care, developmental organizations with a culture of empathy create resilient teammates; if something unfortunate happens that resiliency fosters mitigation of negative effects.

How Will We Get There?
The definition of an insider threat program established in EO 13587 is …[deter], [detect], and [mitigate] insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels…. Our program recognized that the leading indicators for the behaviors established as “insider threats” overlapped significantly with other scourges to organizational wellness, including but not limited to: racism (or any form of extremism), exclusion, sexual assault, sexual harassment, violence against self, violence against others. Damaging insider activity [generally] manifests when people feel pushed to the margins of the organization, resent that feeling, & retaliate by striking out against themselves, their co-workers, or the enterprise, or…allow their guard to be let down in a way they make mistakes they would normally not make.

Workforce Protection is a Team Sport
While our Insider Threat program currently has a history of collaborating with other departments and research centers across West Point, we simply must expand that collaboration to do justice to the idea of workforce protection. As indicated by the list of topics included, research and analysis on such a breadth of topics requires the highest level of multidisciplinary and even transdisciplinary (the involvement of external stakeholders). Our plan is to serve as a “center node” to connect hard science with soft, the operator to the academic, and the pragmatist to the ethicist as we advance these ideas. At West Point, we have all these entities. Within DMATH and the Insider Threat Program, we have the connections to those entities to inspire the collaboration.
In addition to intra-Academy resources, there is a possibility to form a consortium of external resources to build a Community of Practice (CoP) that extends beyond that which is possible at West Point to USG, civilian academe, and industry. We are currently in conversation with ARLIS and the U.S. Risk Management Center of Excellence to define the potential charter, reach, and membership of such a CoP.

Placing Cadets (and Junior Faculty) at the Center
Our Cadets and Junior Faculty are the two graduating classes that make West Point unique amongst academic institutions. Within the first four years of its service, the West Point Insider Threat program has sought to provide experiences, advisement, and mentorship that enable both classes to mature toward their best selves. This imperative will not change as the program evolves from “Insider Threat” to “Workforce Protection.” Indeed, we project the number and impact of the opportunities afforded those involved in the program to increase, as our partnerships, exposure, and production likewise increase. This program has followed the well-known axiom that success begets success. We will continue to place Cadets and Junior Faculty first as we convene a world-class multidisciplinary team to protect our workforce.

Contribution to the Intellectual Capital of the Army, DoD, & Beyond
An ideal embedded in the fabric of this program has been the production of “artifacts,” or tangible output that supports stakeholder needs. We have history of doing just that: whether working with the Center for Junior Officers to develop a Leader Challenge on Extremism, leading the refinement of producing the Army’s Prioritized Protection List, supporting the Army Cyber Institute publishing several works, production of MIROR, or development of algorithms being integrated into Hub processes. This production will increase as we release ourselves from the relative constraints of “Insider Threat” to tackle the problem-behind-the-problem, “workforce protection.”
Less tangible, but no less important is the impact the program will continue to have on the people involved. In just four years, there have been more than 100 undergraduate students and faculty, graduate students, and post docs whose perspective on the world has changed because of the work they have done-and will continue to do-through this program. We seek to expand those opportunities in both depth and breadth.

What does that Look Like?
The Insider Threat program has operated till now with a Program Manager, an Editor-In-Chief for MIROR (sometimes the same person) and a Media Manager as paid staff. The program has enjoyed robust volunteer support from junior faculty to Cadet interested in our research portfolio, and administrative support from the Department of Mathematical Sciences front office—especially surrounding summer travel and budget execution.
Moving forward, the Insider Threat Program will continue to be reliant on the volunteer contribution is has received in the past; however, it will be important to add at least one member to its current staffing. The Media Manager position would remain largely as it is. The Program Manager and Deputy Program Manager would both be Title 10 faculty with similar time allocations for teaching (2 sections in one semester) and Insider Threat Program management (the second semester). The teaching and InT-focused semesters would be offset so one is teaching and the other focused on program management. The focuses of program management would be different between the PM and DPM. The PM would be focused more on strategic engagement and initiatives than the DPM (though likely not exclusively), including the continuation of MIROR production. The DPM would be focused more on the current operations of the program (though not exclusively), including travel coordination and budget management. See Table 1.

Looking Forward
As the current year begins, all the personnel associated with the Insider Threat Program appreciate the opportunities that have been afforded us thus far and are looking very much forward to what the future will bring for use, the program, our partners, and our stakeholders!