search menu icon-carat-right cmu-wordmark

Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders

March 2013 Technical Note
Andrew P. Moore, David McIntire, Dave Mundie, David Zubrow

In this report, the authors justify applying the pattern “Increased Review for Intellectual Property (IP) Theft by Departing Insiders.”


Software Engineering Institute

CMU/SEI Report Number


DOI (Digital Object Identifier):


This paper describes an analysis that justifies applying the pattern "Increased Review for Intellectual Property (IP) Theft by Departing Insiders." The pattern helps organizations plan, prepare, and implement a strategy to mitigate the risk of insider theft of IP. The analysis shows that organizations can reduce their risk of insider theft of IP through increased review of departing insiders' actions during a relatively small window of time prior to their departure. Preliminary research results show that approximately 70% of insider IP thieves can be caught by following the pattern's recommendation of reviewing insiders' actions for theft events during only the last two months of their employment. These results provide practical guidance for practitioners wishing to fine tune the application of the pattern for their organizations. "Increased Review for IP Theft by Departing Insiders" is part of the CERT(R) Insider Threat Center's evolving library of enterprise architectural patterns for mitigating the insider threat, based on the Center's collected data. The Center's larger goal is to foster greater organizational resilience to insider threat, using repeated application of patterns from the library.