search menu icon-carat-right cmu-wordmark

A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders

April 2012 Technical Report
Andrew P. Moore, Michael Hanley, Dave Mundie

In this report, the authors present techniques for helping organizations plan, prepare, and implement means to mitigate insider theft of intellectual property.


Software Engineering Institute

CMU/SEI Report Number


DOI (Digital Object Identifier):


A research project at the CERT Program is identifying enterprise architectural patterns to protect against the insider threat to organizations. This report presents an example of such a pattern—Increased Monitoring for Intellectual Property (IP) Theft by Departing Insiders—to help organizations plan, prepare, and implement a means to mitigate the risk of insider theft of IP. Our case data shows that many insiders who stole IP did so within 30 days of their termination. Based on this insight, this pattern helps reduce that risk through increased monitoring of departing insiders during their last 30 days of employment. The increased monitoring suggested by the pattern is above and beyond what might be required for a baseline organizational detection of potentially malicious insider actions. Future work will include development of a library of enterprise architectural patterns for mitigating the insider threat based on the data we have collected. Our goal is for organizational resilience to insider threat to emerge from repeated application of patterns from the library.