Andrew P. Moore
Software Engineering Institute
Andrew Moore is a senior member of the technical staff and lead insider threat researcher at the SEI, working in the CERT Division.
Moore works with teams across the SEI applying modeling and simulation techniques to cybersecurity and to system and software engineering problems. He has over 30 years of experience developing and applying mission-critical system analysis methods and tools, leading to the transfer of critical technology to both industry and the government.
Andy’s research interests include socio-technical system simulation modeling and analysis, cybersecurity, insider threat, software acquisition and sustainment, IT controls analysis, survivable systems engineering, and system risk analysis.
Before joining the SEI in 2000, Moore worked for the U.S. Naval Research Laboratory (NRL) developing, analyzing, and applying high-assurance system development methods for the Navy. He has served as principal investigator on numerous projects sponsored by ODNI, OSD, NSA, DARPA, and CMU’s CyLab.
Moore has published a book, two book chapters, a special journal issue on insider threat modeling and simulation, and a wide variety of technical journal and conference papers.
Moore holds a BA in Mathematics and Computer Science from The College of Wooster, an MA in Computer Science from Duke University, and a graduate certificate in System Dynamics Modeling and Simulation from Worcester Polytechnic Institute.
Publications by Andrew P. Moore
- Loss Magnitude Estimation in Support of Business Impact Analysis
December 15, 2020 • Technical Report
Daniel J. Kambic, Andrew P. Moore, David Tobar
The authors describe a project to develop an estimation method that yields greater confidence in and improved ranges for estimates of potential cyber loss magnitude.
- Multi-Method Modeling and Analysis of the Cybersecurity Vulnerability Management Ecosystem
June 24, 2019 • White Paper
Andrew P. Moore, Allen D. Householder
This paper presents modeling and analysis of two critical foundational processes of the cybersecurity vulnerability management ecosystem using a combination of system dynamics and agent-based modeling techniques.
- Common Sense Guide to Mitigating Insider Threats, Sixth Edition
February 27, 2019 • Technical Report
Michael C. Theis, Randall F. Trzeciak, Daniel L. Costa
The guide presents recommendations for mitigating insider threat based on the CERT Division's continued research and analysis of more than 1,500 insider threat cases.
- Positive Incentives for Reducing Insider Threat
November 30, 2017 • Podcast
Andrew P. Moore, Daniel Bauer
Andrew Moore and Daniel Bauer highlight results from our recent research that suggests organizations need to take a more holistic approach to mitigating insider threat.
- Common Sense Guide to Mitigating Insider Threats, Fifth Edition
December 21, 2016 • Technical Report
Matthew L. Collins, Michael C. Theis, Randall F. Trzeciak
Presents recommendations for mitigating insider threat based on CERT's continued research and analysis of over 1,000 cases.
- The Critical Role of Positive Incentives for Reducing Insider Threats
December 15, 2016 • Technical Report
Andrew P. Moore, Jeff Savinda, Elizabeth A. Monaco
This report describes how positive incentives complement traditional practices to provide a better balance for organizations' insider threat programs.
- The Critical Role of Positive Incentives in Reducing Insider Threat
November 01, 2016 • Presentation
Andrew P. Moore
Investigated job engagement, perceived organizational support, and connectedness at work
- Reducing Insider Threat through Positive Incentives
October 18, 2016 • Poster
Andrew P. Moore
Extending the Traditional Insider Threat Security Paradigm
- Introduction to the Special Issue on Insider Threat Modeling and Simulation
April 08, 2016 • Article
Andrew P. Moore, Kirk A. Kennedy (Federal Bureau of Investigation), Thomas J. Dover (Federal Bureau of Investigation)
In this publication, the authors introduce the area of insider threat modeling and simulation generally, and discuss the range of methods used in the research papers of the Special Issue.
- Insider Threat Mitigation Posters (SEI 2015 Research Review)
October 21, 2015 • Poster
William R. Claycomb, Andrew P. Moore
Two posters on insider threat research: Social network dynamics and holes in dynamic networks
- Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls
October 16, 2015 • White Paper
Andrew P. Moore, William E. Novak, Matthew L. Collins
In this paper, the authors describe the potential ways an insider threat program (InTP) could go wrong and engage the community to discuss its concerns.
- Insider Threat Mitigation
October 16, 2015 • Presentation
William R. Claycomb, Andrew P. Moore
Explores the hypothesis that, over time, insider social networks exhibit weakening of internal connections and strengthening of external connections to adversaries
- Social Network Dynamics of Insider Threats: A Preliminary Model
July 23, 2015 • Conference Paper
Andrew P. Moore, Kathleen Carley (Carnegie Mellon School of Computer Science), Matthew L. Collins
This paper describes a system dynamics model of insider espionage social networks. The model focuses on two forms of social capital: expectations and social norms.
- A Dynamic Model of Sustainment Investment
February 05, 2015 • Technical Report
Sarah Sheard, Robert Ferguson, Andrew P. Moore
This paper describes a dynamic sustainment model that shows how budgeting, allocation of resources, mission performance, and strategic planning are interrelated and how they affect each other over time.
- Pattern-Based Design of Insider Threat Programs
December 09, 2014 • Technical Note
Andrew P. Moore, Matthew L. Collins, Dave Mundie
In this report, the authors describe a pattern-based approach to designing insider threat programs that could provide a better defense against insider threats.
- Dynamics of Software Sustainment
October 31, 2014 • Article
Sarah Sheard, Robert Ferguson, Mike Phillips
This paper describes the development of a dynamic economic model of sustainment to predict the consequences of funding decisions within sustainment organizations.
- Insider Threat Mitigation Project
October 28, 2014 • Poster
Kathleen Carley (Carnegie Mellon School of Computer Science), Neal Altman, Geoff Morgan (Carnegie Mellon School of Computer Science)
In this poster, the approach taken by the Insider Threat Mitigation Project is illustrated, including ego-centered and email-centered analyses.
- Data-Driven Software Assurance: A Research Study
May 09, 2014 • Technical Report
Michael D. Konrad, Art Manion, Andrew P. Moore
In 2012, Software Engineering Institute (SEI) researchers began investigating vulnerabilities reported to the SEI's CERT Division. A research project was launched to investigate design-related vulnerabilities and quantify their effects.
- Modeling Sustainment Dynamics
March 21, 2014 • Presentation
Sarah Sheard, Andrew P. Moore, Robert Ferguson
This presentation overviews a systems dynamics simulation model that describes influences of multiple variables on the sustainment phase of a system.
- Spotlight On: Programmers as Malicious Insiders–Updated and Revised
December 02, 2013 • White Paper
Matthew L. Collins, Dawn Cappelli, Thomas C. Caron (John Heinz III College, School of Information Systems Management, Carnegie Mellon University)
In this paper, the authors describe the who, what, when, where, and how of attacks by insiders using programming techniques and include case examples.
- Panel Discussion: Managing the Insider Threat: What Every Organization Should Know
November 07, 2013 • Webinar
Robert Floodeen, William R. Claycomb, Andrew P. Moore
In this webinar, a panel discusses Managing the Insider Threat: What Every Organization Should Know.
- Emerging Trends
November 07, 2013 • Webinar
William R. Claycomb, Andrew P. Moore
In this November 2013 webinar, Bill Claycomb and Andrew Moore discuss how technology in emerging trends enables new types of insider attacks.
- Four Insider IT Sabotage Mitigation Patterns and an Initial Effectiveness Analysis
October 22, 2013 • Conference Paper
Lori Flynn, Jason W. Clark, Andrew P. Moore
In this paper, the authors describe four patterns of insider IT sabotage mitigation and initial results from 46 relevant cases for pattern effectiveness.
- Modeling the Evolution of a Science Project in Software-Reliant System Acquisition Programs
July 01, 2013 • Presentation
Andrew P. Moore, William E. Novak
This presentation was delivered at the International Conference of the System Dynamics Society in July 2013.
- Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments or Organizations (2013)
May 20, 2013 • Technical Note
Matthew L. Collins, Derrick Spooner, Dawn Cappelli
In this report, the authors provide a snapshot of individuals involved in insider threat cases and recommend how to mitigate the risk of similar incidents.
- Understanding the Drivers Behind Software Acquisition Program Performance
April 10, 2013 • Presentation
Andrew P. Moore, William E. Novak
This presentation was delivered at the April 2013 STC.
- The Evolution of a Science Project
April 04, 2013 • Podcast
Andrew P. Moore, William Novak
In this podcast, Bill Novak and Andy Moore describe a recent technical report, The Evolution of a Science Project, which intends to improve acquisition staff decision-making.
- Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders
March 01, 2013 • Technical Note
Andrew P. Moore, David McIntire, Dave Mundie
In this report, the authors justify applying the pattern “Increased Review for Intellectual Property (IP) Theft by Departing Insiders.”
- Analyzing Cases of Resilience Success and Failure - A Research Study
December 01, 2012 • Technical Note
Julia H. Allen, Pamela D. Curtis, Andrew P. Moore
In this report, the authors describe research aimed at helping organizations to know the business value of implementing resilience processes and practices.
- Common Sense Guide to Mitigating Insider Threats, Fourth Edition
December 01, 2012 • Technical Report
George Silowash, Dawn Cappelli, Andrew P. Moore
In this report, the authors define insider threats and outline current insider threat patterns and trends.
- Evolution of a Science Project
October 25, 2012 • Presentation
Julie B. Cohen, Andrew P. Moore, William E. Novak
This presentation was delivered at the NDIA Systems Engineering Conference in October 2012.
- Spotlight On: Insider Threat from Trusted Business Partners Version 2: Updated and Revised
October 01, 2012 • White Paper
Todd Lewellen, Andrew P. Moore, Dawn Cappelli
In this article, the authors focus on cases in which the malicious insider was employed by a trusted business partner of the victim organization.
- Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector
July 01, 2012 • Special Report
Adam Cummings, Todd Lewellen, David McIntire
In this report, the authors describe insights and risk indicators of malicious insider activity in the banking and finance sector.
- The Evolution of a Science Project: A Preliminary System Dynamics Model of a Recurring Software-Reliant Acquisition Behavior
July 01, 2012 • Technical Report
William E. Novak, Andrew P. Moore, Christopher J. Alberts
This report uses a preliminary system dynamics model to analyze a specific adverse acquisition dynamic concerning the poorly controlled evolution of small prototype efforts into full-scale systems.
- Insider Threat Security Reference Architecture
April 01, 2012 • Technical Report
Joji Montelibano, Andrew P. Moore
In this report, the authors describe the Insider Threat Security Reference Architecture (ITSRA), an enterprise-wide solution to the insider threat.
- A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders
April 01, 2012 • Technical Report
Andrew P. Moore, Michael Hanley, Dave Mundie
In this report, the authors present techniques for helping organizations plan, prepare, and implement means to mitigate insider theft of intellectual property.
- The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)
January 24, 2012 • Book
Dawn M. Cappelli, Andrew P. Moore, Randall F. Trzeciak
In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.
- A Preliminary Model of Insider Theft of Intellectual Property
June 01, 2011 • Technical Note
Andrew P. Moore, Dawn Cappelli, Thomas C. Caron (John Heinz III College, School of Information Systems Management, Carnegie Mellon University)
In this report, the authors describe general observations about and a preliminary system dynamics model of insider crime based on our empirical data.
- A Framework for Modeling the Software Assurance Ecosystem: Insights from the Software Assurance Landscape Project
August 01, 2010 • Technical Report
Lisa Brownsword, Carol Woody, Christopher J. Alberts
In this report, the authors describe the SEI Assurance Modeling Framework, piloting to prove its value, and insights gained from that piloting.
- Spotlight On: Insider Threat from Trusted Business Partners
February 01, 2010 • White Paper
Robert Weiland (Carnegie Mellon University), Andrew P. Moore, Dawn Cappelli
In this report, the authors focus on cases in which the insider was employed by a trusted business partner of the victim organization.
- Mitigating Insider Threat: New and Improved Practices
August 18, 2009 • Podcast
Dawn Cappelli, Randall F. Trzeciak, Andrew P. Moore
Two hundred and eighty-two cases of actual insider attacks suggest 16 best practices for preventing and detecting insider threat.
- Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model
July 20, 2009 • White Paper
Andrew P. Moore, Dawn Cappelli, Thomas C. Caron (John Heinz III College, School of Information Systems Management, Carnegie Mellon University)
In this paper, the authors describe general observations about, and a preliminary system dynamics model of, insider crime based on our empirical data.
- Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments or Organizations (2009)
June 01, 2009 • White Paper
Derrick Spooner, Dawn Cappelli, Andrew P. Moore
In this report, the authors focus on employees, contractors, and business partners who stole intellectual property to benefit a foreign entity.
- Spotlight On: Malicious Insiders with Ties to the Internet Underground Community
March 01, 2009 • White Paper
Michael Hanley, Andrew P. Moore, Dawn Cappelli
In this report, the authors focus on insider threat cases in which the insider had relationships with the internet underground community.
- Common Sense Guide to Prevention and Detection of Insider Threats 3rd Edition – Version 3.1
January 01, 2009 • White Paper
Dawn Cappelli, Andrew P. Moore, Randall F. Trzeciak
In this paper, the authors present findings from examining insider crimes in a new way and add new practices that were not present in the second edition.
- Spotlight On: Programming Techniques Used as an Insider Attack Tool
December 01, 2008 • White Paper
Dawn Cappelli, Thomas C. Caron (John Heinz III College, School of Information Systems Management, Carnegie Mellon University), Randall F. Trzeciak
In this report, the authors focus on persons who use programming techniques to commit malicious acts against their organizations.
- Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System
May 01, 2008 • White Paper
Dawn Cappelli, Akash G. Desai (Information Networking Institute, Carnegie Mellon University), Andrew P. Moore
In this paper, the authors describe the MERIT insider threat model and simulation results.
- The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures
May 01, 2008 • Technical Report
Andrew P. Moore, Dawn Cappelli, Randall F. Trzeciak
In this report, the authors describe seven observations about insider IT sabotage based on their empirical data and study findings.
- Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks
April 09, 2008 • Presentation
Dawn Cappelli, Andrew P. Moore
In this presentation, the authors describe different types of insider crime and best practices for mitigating that crime.
- Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector
January 01, 2008 • White Paper
Eileen Kowalski (United States Secret Service), Dawn Cappelli, Andrew P. Moore
In this paper, the authors present the findings of research examining reported insider incidents in the information technology and telecommunications sectors.
- Insider Threat Study: Illicit Cyber Activity in the Government Sector
January 01, 2008 • White Paper
Eileen Kowalski (United States Secret Service), Dawn Cappelli, Bradford J. Willke
In this paper, the authors present the findings of a research effort to examine reported insider incidents in the government sector.
- Modeling and Analysis of Information Technology Change and Access Controls in the Business Context
March 01, 2007 • Technical Note
Andrew P. Moore, Rohit S. Antao
In this report, the authors describe progress in developing a system dynamics model of typical use of change and access controls to support IT operations.
- Management and Education of the Risk of Insider Threat (MERIT): Mitigating the Risk of Sabotage to Employers Information, Systems, or Networks
March 01, 2007 • Technical Note
Dawn Cappelli, Akash G. Desai (Information Networking Institute, Carnegie Mellon University), Andrew P. Moore
In this 2006 report, the authors describe the MERIT insider threat model and simulation results.
- Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis
December 01, 2006 • Technical Report
Stephen R. Band (Counterintelligence Field Activity - Behavioral Science Directorate), Dawn Cappelli, Lynn F. Fischer
In this report, the authors examine the psychological, technical, organizational, and contextual factors that contribute to espionage and insider sabotage.
- A Risk Mitigation Model: Lessons Learned From Actual Insider Sabotage
November 07, 2006 • Presentation
Dawn Cappelli, Andrew P. Moore, Eric D. Shaw
In this presentation, the authors describe an interactive case example of insider threat, discuss key sabotage observations, and provide an overview of MERIT.
- Insider Threats in the SDLC: Lessons Learned from Actual Incidents of Fraud, Theft of Sensitive Information and IT Sabotage
January 01, 2006 • Presentation
Dawn Cappelli, Randall F. Trzeciak, Andrew P. Moore
In this 2006 presentation, the authors describe the lessons they learned from real-world fraud, theft, and sabotage incidents.
- Insider Threats in the SDLC
January 01, 2006 • Presentation
Dawn Cappelli, Andrew P. Moore, Randall F. Trzeciak
This presentation on insider threats in the SDLC was delivered by Dawn Cappelli, Andrew P. Moore, and Randy Trzeciak of the Software Engineering Institute's CERT Program in 2006.
- Simulating Insider Cyber-Threat Risks: A Model-Based Case and a Case-Based Model
August 11, 2005 • White Paper
Eliot Rich (University at Albany State University of New York), Howard F. Lipson, Dave Mundie
In this paper, the authors identify actions that may inadvertently lead to increased vulnerability to threats from employees, contractors, and clients.
- Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector
June 01, 2005 • Technical Report
Marissa R. Randazzo (United States Secret Service), Michelle Keeney (United States Secret Service), Eileen Kowalski (United States Secret Service)
In this 2005 report, the authors outline the ITS, a study of insider incidents identified by public reporting or in fraud cases from the Secret Service.
- Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors
May 01, 2005 • Special Report
Tara Conway (National Threat Assessment Center), Susan Keverline (National Threat Assessment Center), Michelle Keeney (United States Secret Service)
In this report, the authors seek to close the gaps in the literature that make it difficult for organizations to fully understand the insider threat.
- Preliminary System Dynamics Maps of the Insider Cyber-Threat Problem
January 01, 2005 • White Paper
David F. Andersen (University at Albany State University of New York), Elise A. Weaver (Worcester Polytechnic Institute), Aldo Zagonel (University at Albany, Rockefeller College of Public Affairs and Policy)
This paper discusses the preliminary system dynamic maps of the insider cyber-threat and describes the main ideas behind the research proposal.
- Security and Survivability Reasoning Frameworks and Architectural Design Tactics
September 01, 2004 • Technical Note
Robert J. Ellison, Andrew P. Moore, Len Bass
In this report, the authors describe an approach to disciplined software architecture design for the related quality attributes of security and survivability.
- Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector
August 01, 2004 • Special Report
Dawn Cappelli, Andrew P. Moore, Marissa R. Randazzo (United States Secret Service)
In this report, the authors present an overview of the Insider Threat Study (ITS), including its background, scope, study methods, and findings.
- Trustworthy Refinement Through Intrusion-Aware Design
October 01, 2002 • Technical Report
Robert J. Ellison, Andrew P. Moore
This document has been superseded by CMU/SEI-2003-TR-002.
- Trustworthy Refinement Through Intrusion-Aware Design (TRIAD)
October 01, 2002 • Technical Report
Robert J. Ellison, Andrew P. Moore
In this report, the authors demonstrate the application of TRIAD to refining a survivability strategy for a business that sells products on the internet.
- Foundations for Survivable Systems Engineering
May 20, 2002 • White Paper
Robert J. Ellison, Richard C. Linger (Oak Ridge National Laboratory), Nancy R. Mead
In this paper, the authors describe their efforts to perform risk assessment and analyze and design robust survivable systems.
- Can We Ever Build Survivable Systems from COTS Components?
December 01, 2001 • Technical Note
Howard F. Lipson, Nancy R. Mead, Andrew P. Moore
In this 2001 report, the authors describe a risk-mitigation framework for deciding when and how COTS components can be used to build survivable systems.
- Architectural Refinement for the Design of Survivable Systems
October 01, 2001 • Technical Note
Robert J. Ellison, Andrew P. Moore
This paper describes a process for systematically refining an enterprise system architecture to resist, recognize, and recover from deliberate, malicious attacks by applying reusable design primitives that help ensure the survival of the enterprise mission.
- Foundations for Survivable System Development: Service Traces, Intrusion Traces, and Evaluation Models
October 01, 2001 • Technical Report
Richard C. Linger (Oak Ridge National Laboratory), Andrew P. Moore
This 2001 paper describes initial work in the foundations stage for survivability specification and intrusion specification, as well as survivability evaluation models that draw upon both of these areas.
- Attack Modeling for Information Security and Survivability
March 01, 2001 • Technical Note
Andrew P. Moore, Robert J. Ellison, Richard C. Linger (Oak Ridge National Laboratory)
This technical note describes and illustrates an approach for documenting attack information in a structured and reusable form.