Early warning system insider attacks

Started in April 2021

When an attack comes from the inside, the impact of an attack can be catastrophic, and could cause financial, reputational and regulatory consequences.


Cyberattacks can be catastrophic, and could cause financial, reputational and regulatory consequences. Usually, cyber-attacks are launched by external attackers from outside the organization. But they also could be triggered from the inside, e.g. an employee sells private data, or an employee is planted as a mole by another organisation. 

But because the impact is so high, the PCSI project ‘early warning system insider attacks’ explores ways to detect and prevent potential insider attacks in an early stage. The idea is to exchange information on insider attacks, give out an early warning to other organizations, and collaboratively build intelligence on modus operandi and other critical information to improve the detection and prevention of such attacks in the future. We will apply a multidisciplinary approach in which we combine intelligence on human behavior with technical intelligence to enable cross organisational learning about modus operandi of insider fraud for better detection.

Project results

In the Explore phase we investigated the feasibility of the concept of an early warning system. We explored how this could best be implemented to enable cross organisational learning. At the same time, we validated that this concept would be new and add an unexplored dimension in detecting insider attacks. By creating an understanding of how we could share data and what has already been tried, we could optimally position our solution to resolve the current pains within the partnered organisations. 

Conclusion at the end of the Explore phase
We found that some technical solutions exist which record all electronic footprints of employees within an organisation. But, at the same time, there is no solution yet that helps organisations to collaborate using their intel to better detect insider attacks in the future. Using the PIFI1 protocol, relevant data of the modus operandi can be shared between organisations. In turn, this provides an overview of historical cases for participating organisations which can be used for data- and trend analysis. Finally, sharing this intel pre-warns the other organisations of a potential attack, making this a suitable solution for an early warning system.

Activities within the Proof of Concept phase
As part of the PoC phase we enabled cross organizational learning about modus operandi of insider attacks for better detection. This was done by developing an insider attack sharing form which contained the modus operandi and other relevant information about the attack. This information was successfully shared between financial organizations which could be analyzed on correlation, distribution, association and experience.

Activities within the Exploit phase
We're now searching for suitable parties to collaborate with. 

This project is part of the trend

15 Threat February 2024

Growing number of insider attacks

Beeldmerk PCSI
PCSI is een samenwerking van
    ABN-AMRO Achmea ASML Belastingdienst ING TNO