Explain the Challenges in insider threats investigations in cyber security.
1 Answer


  • High volume of network activity: Given the continuously increasing volume of traffic in networks, detecting malicious acts in real or short time is a challenge. IT's main goal is to ensure that all business services are running without problems. Digging deeper into traffic with many rules for possible security alerts may cause a significant network overhead. Bottom line, there is always a need to balance performance, security and efficiency, as in terms of resources those goals may often contradict each other.

  • Lack of IT staff training: IT staff are not trained to be detectives or forensic investigators. Roles of security personnel in organizations are evolving and on the rise. IT staff may lack the skills to handle, from a technical or communication perspective, several types of attacks.

  • Growing use of cloud services: For security in general, cloud services create different forms of security risks and concerns. For data, services and possibly infrastructure that are provided by a cloud service provider, how could an organization properly conduct insider attack investigations?

  • Pressure to change IT configurations quickly rather than securely: IT staff are busy running normal operations and dealing with frequent software, system, network, and hardware updates. Such frequent changes create security challenges in making sure that new changes will not create new vulnerabilities and that our security policies are up-to-date and capable of protecting our most recent software, system, network, and hardware environments.

  • Use of mobile devices and the Bring-Your-Own-Device (BYOD) model: Mobile devices and BYOD are inevitable in any organization, regardless of how much classified data and how many classified systems are in that organization. Whether employees use their own smart devices or organization devices, risks exist from many perspectives.

  • For insider threats in particular, with powerful smart devices, users can access and expose system resources through those devices. As those devices are typically used for both company and personal purposes, isolating the two domains from each other is impossible. Smart devices cannot be connected to the organization domain with the same level of control as desktops and laptops. This leaves a very vague or elusive relationship between the organization network and those devices, which complicates activities such as controlling, monitoring, or investigating such devices, if necessary.
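The first and last points above (event volume versus investigation effort, and devices the organization does not fully control) can be illustrated with a small triage script. The following is an added example and not part of the answer: it parses a constructed audit log, reduces the event stream to one total per user per day so an investigator reviews aggregates rather than every event, and flags two things worth a closer look: a day whose transfer volume is far above that user's own baseline, and events that come from an unmanaged device or outside business hours. The log format, the `laptop-mgd-` naming convention for managed devices, the 07:00 to 19:00 business-hours window and the factor of 3 are all assumptions made for the example.

```python
"""Added example (not from the answer above): per-user, per-day aggregation of
a constructed access log, plus two simple checks an insider-threat triage
might start from. Everything below is illustrative."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample audit log (not real data), one event per line:
# <ISO timestamp> <user> <device> <action> <bytes>
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice laptop-mgd-01 download 120000
2024-03-04T10:05:00 alice laptop-mgd-01 download 95000
2024-03-04T11:40:00 bob laptop-mgd-07 download 40000
2024-03-05T09:30:00 alice laptop-mgd-01 download 110000
2024-03-05T14:20:00 bob laptop-mgd-07 download 38000
2024-03-06T09:15:00 alice laptop-mgd-01 download 105000
2024-03-06T13:00:00 bob laptop-mgd-07 download 42000
2024-03-07T23:45:00 bob byod-phone-3 download 2500000
2024-03-07T10:00:00 alice laptop-mgd-01 download 100000
"""

MANAGED_PREFIX = "laptop-mgd-"  # assumption: managed endpoints are named this way
BUSINESS_HOURS = (7, 19)        # assumption: 07:00-19:00 local counts as normal


def parse_log(text):
    """Parse the whitespace-separated log into a list of dicts.
    Malformed lines are skipped so one bad record does not stop the triage."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, device, action, nbytes = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "device": device,
            "action": action,
            "bytes": int(nbytes),
        })
    return records


def daily_totals(records):
    """Reduce the event stream to bytes per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["user"]][r["ts"].date().isoformat()] += r["bytes"]
    return totals


def find_volume_anomalies(records, factor=3.0):
    """Return (user, day, bytes, baseline) for each day whose total exceeds
    `factor` times the mean of that user's other days. A user needs at least
    two other days of history before any day can be called anomalous."""
    flagged = []
    for user, days in daily_totals(records).items():
        for day, total in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if len(others) < 2:
                continue
            baseline = mean(others)
            if total > factor * baseline:
                flagged.append((user, day, total, baseline))
    return flagged


def find_device_anomalies(records):
    """Return (user, device, timestamp, reasons) for events from an unmanaged
    device or outside business hours; both reasons may apply to one event."""
    flagged = []
    for r in records:
        reasons = []
        if not r["device"].startswith(MANAGED_PREFIX):
            reasons.append("unmanaged-device")
        if not BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1]:
            reasons.append("off-hours")
        if reasons:
            flagged.append((r["user"], r["device"], r["ts"].isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, day, total, base in find_volume_anomalies(recs):
        print(f"volume: {user} moved {total} bytes on {day} (baseline {base:.0f})")
    for user, device, ts, why in find_device_anomalies(recs):
        print(f"device: {user} via {device} at {ts}: {', '.join(why)}")
```

On the constructed log this reports a single user whose 2024-03-07 volume is about sixty times that user's baseline, and the same late-night event from a BYOD phone. The point of the aggregation step is the trade-off the answer describes: the per-day totals are cheap to keep and review even when the raw event stream is large, while the raw records remain available for the deeper investigation once a day has been flagged.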
