Official website of the Cybersecurity and Infrastructure Security Agency
National Initiative for Cybersecurity Careers and Studies
Insider Threat Analysis

Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.

Category: Protection and Defense
Work Role ID: PD-WRL-005
Tasks
  • T1056: Acquire resources to support cybersecurity program goals and objectives
  • T1057: Conduct an effective enterprise continuity of operations program
  • T1062: Contribute insider threat expertise to organizational cybersecurity awareness program
  • T1084: Identify anomalous network activity
  • T1085: Identify potential threats to network resources
  • T1160: Develop risk mitigation strategies
  • T1162: Recommend security changes to systems and system components
  • T1227: Manage cybersecurity budget, staffing, and contracting
  • T1266: Recommend risk mitigation strategies
  • T1324: Process digital evidence
  • T1325: Document digital evidence
  • T1439: Assess the behavior of individual victims, witnesses, or suspects during cybersecurity investigations
  • T1510: Preserve digital evidence
  • T1592: Conduct cybersecurity reviews
  • T1689: Create comprehensive exploitation strategies
  • T1690: Identify exploitable technical or operational vulnerabilities
  • T1698: Collect target information
  • T1712: Recommend potential courses of action
  • T1737: Develop intelligence collection strategies
  • T1743: Identify information collection gaps
  • T1789: Provide aim point recommendations for targets
  • T1790: Provide reengagement recommendations
  • T1799: Notify appropriate personnel of imminent hostile intentions or activities
  • T1801: Determine validity and relevance of information
  • T1969: Document system alerts
  • T1970: Escalate system alerts that may indicate risks
  • T1971: Disseminate anomalous activity reports to the insider threat hub
  • T1973: Conduct independent comprehensive assessments of target-specific information
  • T1974: Conduct insider threat risk assessments
  • T1975: Prepare insider threat briefings
  • T1976: Recommend risk mitigation courses of action (CoA)
  • T1977: Coordinate with internal and external incident management partners across jurisdictions
  • T1978: Recommend improvements to insider threat detection processes
  • T1979: Collect digital evidence that meets priority intelligence requirements
  • T1980: Develop digital evidence reports for internal and external partners
  • T1981: Develop elicitation indicators
  • T1982: Identify high value assets
  • T1983: Identify potential insider threats
  • T1985: Identify imminent or hostile intentions or activities
  • T1986: Develop a continuously updated overview of an incident throughout the incident's life cycle
  • T1987: Develop insider threat cyber operations indicators
  • T1988: Integrate information from cyber resources, internal partners, and external partners
  • T1989: Advise insider threat hub inquiries
  • T1990: Conduct cybersecurity insider threat inquiries
  • T1991: Deliver all-source cyber operations and intelligence indications and warnings
  • T1992: Interpret network activity for intelligence value
  • T1993: Monitor network activity for vulnerabilities
  • T1994: Identify potential insider risks to networks
  • T1995: Document potential insider risks to networks
  • T1996: Report network vulnerabilities
  • T1997: Develop insider threat investigation plans
  • T1998: Investigate alleged insider threat cybersecurity policy violations
  • T1999: Refer cases on active insider threat activities to law enforcement investigators
  • T2001: Establish an insider threat risk management assessment program
  • T2003: Evaluate organizational insider risk response capabilities
  • T2004: Document insider threat information sources
  • T2005: Conduct insider threat studies
  • T2006: Identify potential targets for exploitation
  • T2007: Analyze potential targets for exploitation
  • T2008: Vet insider threat targeting with law enforcement and intelligence partners
  • T2009: Develop insider threat targets
  • T2010: Maintain User Activity Monitoring (UAM) tools
  • T2011: Monitor the output from User Activity Monitoring (UAM) tools
Knowledge
  • K0635: Knowledge of decryption
  • K0636: Knowledge of decryption tools and techniques
  • K0637: Knowledge of data repositories
  • K0656: Knowledge of network collection tools and techniques
  • K0657: Knowledge of network collection policies and procedures
  • K0674: Knowledge of computer networking protocols
  • K0675: Knowledge of risk management processes
  • K0676: Knowledge of cybersecurity laws and regulations
  • K0677: Knowledge of cybersecurity policies and procedures
  • K0678: Knowledge of privacy laws and regulations
  • K0679: Knowledge of privacy policies and procedures
  • K0682: Knowledge of cybersecurity threats
  • K0683: Knowledge of cybersecurity vulnerabilities
  • K0684: Knowledge of cybersecurity threat characteristics
  • K0689: Knowledge of network infrastructure principles and practices
  • K0707: Knowledge of database systems and software
  • K0710: Knowledge of enterprise cybersecurity architecture principles and practices
  • K0721: Knowledge of risk management principles and practices
  • K0734: Knowledge of Risk Management Framework (RMF) requirements
  • K0735: Knowledge of risk management models and frameworks
  • K0751: Knowledge of system threats
  • K0752: Knowledge of system vulnerabilities
  • K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
  • K0784: Knowledge of insider threat laws and regulations
  • K0785: Knowledge of insider threat tools and techniques
  • K0802: Knowledge of chain of custody policies and procedures
  • K0862: Knowledge of data remediation tools and techniques
  • K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
  • K0871: Knowledge of enterprise architecture (EA) principles and practices
  • K0909: Knowledge of abnormal physical and physiological behaviors
  • K1014: Knowledge of network security principles and practices
  • K1023: Knowledge of network exploitation tools and techniques
  • K1031: Knowledge of risk mitigation tools and techniques
  • K1085: Knowledge of exploitation tools and techniques
  • K1096: Knowledge of data analysis tools and techniques
  • K1151: Knowledge of digital evidence cataloging tools and techniques
  • K1152: Knowledge of digital evidence extraction tools and techniques
  • K1154: Knowledge of digital evidence packaging tools and techniques
  • K1155: Knowledge of digital evidence preservation tools and techniques
  • K1180: Knowledge of organizational cybersecurity goals and objectives
  • K1188: Knowledge of organizational policies and procedures
  • K1197: Knowledge of priority intelligence requirements
  • K1209: Knowledge of risk mitigation principles and practices
  • K1241: Knowledge of cultural, political, and organizational assets
  • K1242: Knowledge of cybersecurity review processes and procedures
  • K1243: Knowledge of cybersecurity threat remediation principles and practices
  • K1244: Knowledge of cybersecurity tools and techniques
  • K1245: Knowledge of data exfiltration tools and techniques
  • K1246: Knowledge of data handling tools and techniques
  • K1247: Knowledge of data monitoring tools and techniques
  • K1248: Knowledge of digital and physical security vulnerabilities
  • K1249: Knowledge of digital and physical security vulnerability remediation principles and practices
  • K1250: Knowledge of external organization roles and responsibilities
  • K1251: Knowledge of external referrals policies and procedures
  • K1252: Knowledge of high value asset characteristics
  • K1253: Knowledge of information collection tools and techniques
  • K1254: Knowledge of insider threat hub policies and procedures
  • K1255: Knowledge of insider threat hub operations
  • K1256: Knowledge of insider threat operational indicators
  • K1257: Knowledge of insider threat policies and procedures
  • K1258: Knowledge of insider threat tactics
  • K1259: Knowledge of insider threat targets
  • K1260: Knowledge of intelligence laws and regulations
  • K1261: Knowledge of known insider attacks
  • K1262: Knowledge of network endpoints
  • K1263: Knowledge of notification policies and procedures
  • K1265: Knowledge of organizational objectives, resources, and capabilities
  • K1267: Knowledge of previously referred potential insider threats
  • K1268: Knowledge of risk reduction metrics
  • K1269: Knowledge of security information and event management (SIEM) tools and techniques
  • K1270: Knowledge of suspicious activity response processes
  • K1271: Knowledge of system alert policies and procedures
  • K1272: Knowledge of system components
  • K1273: Knowledge of threat investigation policies and procedures
  • K1274: Knowledge of threat modeling tools and techniques
  • K1275: Knowledge of User Activity Monitoring (UAM) tools and techniques
Skills
  • S0378: Skill in decrypting information
  • S0391: Skill in creating technical documentation
  • S0442: Skill in collecting network data
  • S0477: Skill in identifying anomalous activity
  • S0540: Skill in identifying network threats
  • S0558: Skill in developing algorithms
  • S0559: Skill in performing data structure analysis
  • S0579: Skill in preparing reports
  • S0588: Skill in performing threat modeling
  • S0610: Skill in communicating effectively
  • S0688: Skill in performing network data analysis
  • S0690: Skill in performing midpoint collection data analysis
  • S0728: Skill in preparing briefings
  • S0748: Skill in querying data
  • S0791: Skill in presenting to an audience
  • S0817: Skill in building internal and external relationships
  • S0821: Skill in collaborating with internal and external stakeholders
  • S0848: Skill in performing behavioral analysis
  • S0854: Skill in performing data analysis
  • S0866: Skill in performing log file analysis
  • S0874: Skill in performing network traffic analysis
  • S0890: Skill in performing threat analysis
  • S0896: Skill in recognizing behavioral patterns
  • S0900: Skill in analyzing information from multiple sources
  • S0902: Skill in building relationships remotely and in person
  • S0904: Skill in correlating data from multiple tools
  • S0905: Skill in determining what information may be helpful to a specific audience
  • S0906: Skill in identifying insider risk security gaps
  • S0907: Skill in identifying insider threats
  • S0908: Skill in determining the importance of assets
  • S0909: Skill in integrating information from multiple sources
  • S0910: Skill in performing cyberintelligence data analysis
  • S0911: Skill in performing data queries
  • S0912: Skill in performing human behavioral analysis
  • S0913: Skill in performing link analysis
  • S0916: Skill in recognizing recurring threat incidents

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 2.0.0)
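Several of the tasks and skills above (T1084 identify anomalous network activity, T2011 monitor the output from UAM tools, T1970 escalate system alerts, T1971 disseminate anomalous activity reports to the insider threat hub, S0866 log file analysis) come down to the same working pattern: build a per-user baseline from activity logs, score the day under review against it, and hand a structured finding to the hub when the score crosses an escalation threshold. The following is an added example of that pattern written for this page; it is not NICE Framework or NICCS material and not the output of any real User Activity Monitoring product. The event schema (`timestamp,user,action,object,bytes`), the user-to-department mapping, the indicator weights and the escalation threshold are all assumptions, and the log lines are constructed.

```python
"""Score constructed UAM-style events for insider-risk indicators and build hub findings."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (hypothetical schema, not a real UAM product's format):
# timestamp,user,action,object,bytes. Two baseline days precede the day under review.
UAM_LOG = """\
2024-03-04T09:12:00,alice,file_read,/shares/eng/design_v3.docx,120000
2024-03-04T10:40:00,alice,file_read,/shares/eng/test_plan.xlsx,80000
2024-03-04T09:05:00,bob,file_read,/shares/eng/build_notes.md,4000
2024-03-04T14:20:00,bob,file_read,/shares/eng/roadmap.pptx,900000
2024-03-05T08:55:00,alice,file_read,/shares/eng/design_v4.docx,125000
2024-03-05T11:30:00,alice,file_read,/shares/eng/bom.csv,30000
2024-03-05T09:10:00,bob,file_read,/shares/eng/build_notes.md,4100
2024-03-05T16:45:00,bob,file_read,/shares/eng/ci_config.yaml,2000
2024-03-06T09:20:00,alice,file_read,/shares/eng/design_v4.docx,125000
2024-03-06T13:05:00,alice,file_read,/shares/eng/release_checklist.md,6000
2024-03-06T02:31:00,bob,logon,workstation-17,0
2024-03-06T02:33:00,bob,file_read,/shares/eng/design_v4.docx,125000
2024-03-06T02:34:00,bob,file_read,/shares/eng/bom.csv,30000
2024-03-06T02:35:00,bob,file_read,/shares/eng/roadmap.pptx,900000
2024-03-06T02:36:00,bob,file_read,/shares/eng/firmware_src.zip,48000000
2024-03-06T02:38:00,bob,file_read,/shares/eng/customer_list.xlsx,2000000
2024-03-06T02:40:00,bob,file_read,/shares/hr/salaries_2024.xlsx,300000
2024-03-06T02:41:00,bob,file_read,/shares/finance/q1_forecast.xlsx,200000
2024-03-06T02:43:00,bob,file_read,/shares/eng/release_checklist.md,6000
2024-03-06T02:50:00,bob,usb_write,E:/backup.zip,51000000
"""

# Assumed role data: which department each user belongs to, and which department each sensitive share serves.
USER_DEPT = {"alice": "eng", "bob": "eng"}
SENSITIVE_PREFIXES = {"/shares/hr/": "hr", "/shares/finance/": "finance"}
REVIEW_DAY = "2024-03-06"
# Assumed indicator weights and escalation threshold; a real program tunes these from its own risk model.
WEIGHTS = {"after_hours": 2, "bulk_read": 3, "outside_role": 3, "removable_exfil": 4}
ESCALATE_AT = 6


def parse_log(text):
    """Turn the CSV-style lines into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        ts, user, action, obj, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "obj": obj, "bytes": int(nbytes)})
    return events


def after_hours(ts):
    """Weekend, or outside a fixed 07:00-19:00 window (a per-user baseline would be better in practice)."""
    return ts.weekday() >= 5 or not (7 <= ts.hour < 19)


def baseline_daily_reads(events, review_day):
    """Mean file_read count per user per day, computed only from days before the day under review."""
    per_user_day = Counter()
    for e in events:
        day = e["ts"].date().isoformat()
        if e["action"] == "file_read" and day != review_day:
            per_user_day[(e["user"], day)] += 1
    totals = defaultdict(list)
    for (user, _day), n in per_user_day.items():
        totals[user].append(n)
    return {u: sum(v) / len(v) for u, v in totals.items()}


def score_user(user, events, baseline, review_day):
    """Evaluate one user's review-day activity against the baseline and return a hub-ready finding."""
    day_events = [e for e in events if e["user"] == user and e["ts"].date().isoformat() == review_day]
    reads = [e for e in day_events if e["action"] == "file_read"]
    indicators = {}
    if any(after_hours(e["ts"]) for e in day_events):
        indicators["after_hours"] = sorted({e["ts"].strftime("%H:%M") for e in day_events if after_hours(e["ts"])})
    base = baseline.get(user, 0.0)
    # Bulk read: at least 6 reads and at least three times the user's own baseline.
    if len(reads) >= 6 and len(reads) >= 3 * base:
        indicators["bulk_read"] = f"{len(reads)} reads vs baseline {base:.1f}/day"
    # Access to a sensitive share that the user's department is not entitled to.
    outside = [e["obj"] for e in reads for prefix, dept in SENSITIVE_PREFIXES.items()
               if e["obj"].startswith(prefix) and USER_DEPT.get(user) != dept]
    if outside:
        indicators["outside_role"] = outside
    # Removable-media write on the same day as a bulk read is treated as a possible exfiltration chain.
    usb = [e for e in day_events if e["action"] == "usb_write"]
    if usb and "bulk_read" in indicators:
        indicators["removable_exfil"] = f"{sum(e['bytes'] for e in usb)} bytes to removable media"
    score = sum(WEIGHTS[k] for k in indicators)
    return {"user": user, "day": review_day, "score": score,
            "indicators": indicators, "escalate": score >= ESCALATE_AT}


def hub_report(log_text=UAM_LOG, review_day=REVIEW_DAY):
    """Findings for every user seen in the log, sorted by user, for dissemination to the insider threat hub."""
    events = parse_log(log_text)
    baseline = baseline_daily_reads(events, review_day)
    return [score_user(u, events, baseline, review_day) for u in sorted({e["user"] for e in events})]


if __name__ == "__main__":
    for finding in hub_report():
        print(finding)
```

The value of the example is in the chaining, not in any single rule: an after-hours logon alone is a weak signal, but after-hours plus a read volume far above the user's own baseline, plus access to shares outside the user's department, plus a large removable-media write in the same session is the kind of correlated picture that T1970 and T1971 ask the analyst to escalate rather than document and move on. Two caveats a practitioner would apply before using anything like this: baselines must come from the individual's own history (the fixed 07:00-19:00 window here is a simplification), and UAM collection and retention is subject to the privacy and insider-threat legal constraints listed under K0678, K0679 and K0784, so the finding should record only what the program is authorized to collect.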

Related Courses

  • Operational Technology (OT) Cybersecurity Engineering Workshop
    Tonex, Inc.
    Online, Self-Paced
  • Certified Operational Technology Security Specialist (COTSS)
    Tonex, Inc.
    Online, Self-Paced
  • Insider Threat Investigations & Analysis Training Course With Legal Guidance
    Insider Threat Defense Group
    Classroom; Online, Instructor-Led
  • Insider Risk Management Program Evaluation And Optimization Training Course
    Insider Threat Defense Group
    Classroom; Online, Instructor-Led
  • Insider Threat Analysis & Countermeasures (ITAC)
    Tonex, Inc.
    Online, Self-Paced
  • EBIOS Risk Manager
    Agile Consulting & Educational Services, LLC
    Online, Self-Paced