NIST 800-53 REV 5 • AWARENESS AND TRAINING
AT-2(2) — Insider Threat
Provide literacy training on recognizing and reporting potential indicators of insider threat.
Supplemental Guidance
Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations.
Practitioner Notes
Train people to recognize and report insider threats, that is, cases where someone with legitimate access is doing something malicious or negligent. This is a sensitive topic that requires careful handling.
Example 1: Include a dedicated insider threat module in your annual training. Cover warning signs like a coworker working unusual hours, copying large amounts of data, expressing grievances about the organization, or violating need-to-know principles. Emphasize that reporting concerns is not about being a snitch — it is about protecting the team.
Example 2: Establish an anonymous insider threat reporting mechanism — a hotline number, a web form, or an email address (like concerns@company.com) that goes to your insider threat program manager. Train employees on how to use it and assure them that reports are handled confidentially. Reference this in every training session.