Security Awareness — Insider Threat & Behavioral Pattern Reporting
A Colleague Who Was Passed Over for Promotion Has Started Working Unusual Hours, Accessing Files Outside His Normal Workflow, and Becoming Increasingly Withdrawn. Each Behavior Is Individually Explainable. Together, They Fit a Recognized Insider Threat Pattern. What Is the Employee’s Obligation?
A real insider threat and security reporting compliance scenario — with three decision options, the right answer, and a full Manager’s Guide for team discussion facilitation.
Quick Answer
When an employee observes a pattern of behavioral changes in a colleague that matches known insider threat indicators — but each behavior is individually explainable — does an obligation to report exist?
Yes — and the obligation is to report the pattern, not to build a case. The employee’s job in an insider threat context is not to investigate, not to confront the colleague, and not to determine whether the behaviors constitute a genuine threat. It is to report what they have observed to the appropriate security channel and let the security team make the determination. The barriers to this are almost entirely social: loyalty to a colleague, fear of being wrong, and a diffusion-of-responsibility assumption that “IT would have caught it.” Each of those barriers has a name in the behavioral security literature — and each is addressed directly by this scenario.
Why Insider Threats Are the Hardest to Catch
Insider threats succeed not because security systems fail to detect them but because colleagues who notice behavioral indicators don’t report them. The CISA insider threat behavioral indicators research identifies the specific pattern elements in this scenario — promotion denial, file access outside normal workflow, schedule changes, social withdrawal — as a recognized pre-incident behavioral cluster. The average insider threat incident is active for months before detection. In most documented cases, colleagues later reported noticing changes they didn’t report at the time. The training this scenario delivers is not about recognizing the threat — it is about overcoming the social barriers that prevent reporting it.
The Situation
Marcus has been an IT systems analyst at the company for six years. He and the employee worked together on a major infrastructure project two years ago and have had lunch together several times. He is well-liked, competent, and was widely expected to be promoted to senior analyst in the last cycle. The promotion went to someone else — someone newer to the team — and Marcus’s reaction at the time was professional but visibly disappointed.
Over the past six weeks, the employee has noticed several changes. Marcus has been working late — unusual for him — and arriving before most of the team. In a shared project space, the employee noticed that Marcus had been accessing folders related to client contracts and financial systems that weren’t part of his current project assignments. Marcus has become noticeably quieter in team meetings and has stopped joining the team for lunch. He seems distracted and has twice brushed off casual check-ins with “just a lot going on.”
Each of these behaviors has a plausible innocent explanation. Together, they form a pattern the employee can’t quite set aside. The employee is aware that Marcus has elevated access to several core systems as part of his role. They feel uncomfortable raising it because they could be completely wrong — and they like Marcus.
What Should the Employee Do?
Choice A: Say nothing. Each behavior is explainable. Reporting a colleague based on a hunch could destroy his career and their friendship. If something was really wrong, IT access logs and security monitoring would catch it. It’s not the employee’s job to police their coworkers.
Choice B: Report the pattern of observed behaviors to the security team or through the ethics/security hotline — describing what has been observed factually and without accusation, and letting the security team assess whether investigation is warranted. The employee reports behaviors, not conclusions.
Choice C: Talk to Marcus directly. Ask how he’s doing, give him a chance to explain, and see if a conversation clears the concern before involving anyone else. If the explanation makes sense, there’s no reason to escalate.
The Right Call
Choice B — Report the observed pattern to the security team. Not an accusation. A report of observed behaviors.
Choice A is the silence that most insider threats rely on. The rationalization that “IT would have caught it” reflects a fundamental misunderstanding of how insider threats work — employees with legitimate elevated access can operate within their authorized permissions in ways that access log analysis alone doesn’t flag as threatening. Human behavioral observation is the layer of detection that technical controls cannot replicate. Choice C is the most dangerous option despite being the most sympathetic: tipping off a potential insider threat that their behavior has been noticed gives them time to cover their tracks, accelerate their timeline, or destroy evidence. It also places the reporting employee in a position of having conducted an informal confrontation that may later complicate any investigation. Choice B routes the observation to the people qualified to assess it — without accusation, without confrontation, and without the employee needing to have been right.
Why This Is Harder Than It Looks
Four rationalizations fire simultaneously — all pointing toward silence.
Loyalty: “He’s going through something hard, and I’d be betraying him.”
Minimization: “Each thing is explainable — I’m probably reading into it.”
Diffusion of responsibility: “IT would have caught it if it were real.”
Fear of being wrong: “What if I report this and destroy his career over nothing?”
Each rationalization is individually understandable. Together, they create a powerful social force toward silence that the training has to directly address. The key reframe: the employee’s obligation is not to accuse Marcus — it is to report observed behaviors to people qualified to assess them. If the behaviors are innocent, the security team will determine that. The employee’s job is to surface the observation, not to reach a verdict.
Technical monitoring cannot replace human behavioral observation — and this is the gap most security programs underestimate.
Access log analysis identifies access outside normal patterns against a statistical baseline. It does not observe that Marcus seems distracted in meetings, has stopped joining team lunches, and deflected a check-in with “just a lot going on.” Those behavioral signals — which are often the earliest indicators of an insider threat in development — are only visible to colleagues. A security program that trains employees to use technical controls but not to report behavioral observations is leaving its most important detection layer unused.
The cost asymmetry is real — and the training has to address it honestly.
The cost of reporting and being wrong: a security team spends time investigating and finds nothing. The relationship with Marcus may be awkward if he learns that a colleague reported. The cost of not reporting and being wrong: a security incident with consequences that could include data theft, system sabotage, client exposure, regulatory violation, or significant organizational harm. When the training acknowledges that cost asymmetry honestly, the case for reporting becomes much clearer — and the rationalization that “I might be wrong” becomes obviously insufficient grounds for silence.
Frequently Asked Questions
What are the recognized behavioral indicators of insider threat risk?
CISA and the CERT Insider Threat Center identify the following as recognized behavioral indicators: expressed grievance related to a perceived organizational wrong such as a promotion denial or termination; accessing files or systems outside normal work scope; changes in work schedule including unusual hours or increased after-hours activity; social withdrawal from colleagues; financial stress signals; expressions of disillusionment with the organization; and downloading or transferring unusual volumes of data. No single indicator is determinative — the pattern and combination are what create the reporting threshold.
What happens when an employee reports insider threat behavioral indicators, and will the subject know who reported?
Most organizations route insider threat behavioral reports to a security team or designated insider threat program officer who conducts an initial assessment without notifying the subject. The assessment determines whether the behaviors warrant further investigation, additional monitoring, or no action. Reporting through the ethics or security hotline typically provides confidentiality protections that prevent the subject from being told who reported. The security team will not disclose the report’s source to the subject without the reporter’s knowledge. If the assessment finds no concern, the report is closed without action.
What should an employee include in an insider threat behavioral report?
Specific observed behaviors with dates and context — not conclusions or diagnoses. “On Tuesday and Wednesday I observed Marcus in the office after 8 PM when the rest of the team had left” rather than “Marcus seems like he might be stealing data.” The report should describe what was seen or heard, when, and any context that seemed significant. The security team will conduct the analysis. The employee’s job is to provide factual observations — and they do not need to have reached a conclusion before reporting.
How to Use This Scenario in Training
This is the Security Awareness cluster’s designated manager-facilitated team discussion scenario. While Scenarios 1–5 work effectively as individual e-learning, this scenario is specifically designed for team discussion because the goal is to build shared team awareness of behavioral indicators and a shared understanding of the reporting obligation. That shared understanding only develops through group conversation. Individual e-learning completion creates individual awareness. Team discussion creates the team-level vigilance that insider threat programs need.
This scenario demonstrates the combined loyalty, diffusion of responsibility, and minimization rationalization patterns from the Decision Readiness Engine™. Decision-ready employees recognize that the obligation to report is not the obligation to be right — it is the obligation to surface an observation to the people qualified to assess it. The Manager’s Guide below provides managers with everything they need to facilitate this conversation with their team in 20 minutes.
Manager’s Guide
Facilitating the Insider Threat Team Discussion
Purpose of This Discussion
This is not a training module. It is a team conversation designed to build three things: a shared understanding of what insider threat behavioral indicators look like in practice, a shared understanding of the reporting obligation and what it does and doesn’t entail, and a team-level norm that makes reporting these observations feel expected rather than exceptional. You are not teaching a policy. You are building a culture.
Timing & Format
20–25 minutes. Works best at the start of a regular team meeting, so the session has protected time. Minimum viable team size: 4 people. Works up to 15–20 in a single discussion. Larger teams split into discussion groups of 5–8, then reconvene to share key observations.
Opening Framing (say this first — word for word is fine)
“I want to spend about 20 minutes on something that most teams never talk about until it’s too late. Not because I think we have a problem — I don’t. But the research on insider security incidents consistently shows that colleagues noticed behavioral changes beforehand and didn’t say anything. Usually, because they liked the person, or thought they were probably wrong, or assumed someone else had already noticed. I want to talk through a scenario and make sure we all understand what we’d actually do if we saw something that concerned us. There are no right answers in the discussion — I’m interested in your honest reactions.”
Step 1 — Present the Scenario (3 minutes)
Read or summarize the Marcus scenario to the team. Keep it factual and neutral — don’t editorialize or signal the right answer. End with the three choices and ask the team to think about what they would actually do before anyone speaks.
Tip: Allow 20–30 seconds of silence after presenting the choices before asking anyone to respond. The discomfort in that silence is part of the training.
Step 2 — First Reactions (5 minutes)
Ask: “What’s your gut instinct — what would you actually do?”
Don’t correct anyone yet. Let the team’s honest reactions surface. Most teams will split between Choice A (say nothing) and Choice B (report), with some momentum toward Choice C (talk to Marcus directly). That distribution is valuable information and the starting point for the real discussion.
If the team skews heavily toward A: “So most of us would stay quiet. Let’s talk about what’s driving that.” If the team skews toward C: “A lot of us would go talk to him first. What are we hoping that conversation accomplishes?”
Step 3 — The Four Barriers (8 minutes)
Work through the four rationalizations that prevent reporting. Name them explicitly — most team members will recognize all four in themselves.
Loyalty — “Reporting feels like a betrayal.”
Ask: “Is there a difference between reporting behaviors and accusing someone? What does reporting actually commit us to?” The reframe: reporting is an observation, not a verdict. You are not saying Marcus did anything wrong. You are saying you observed a pattern that you’re not qualified to assess alone.
Minimization — “Each thing is explainable.”
Ask: “At what point does a pattern of explainable things become something worth flagging? Where’s your threshold?” The reframe: the security team’s job is to assess patterns. Your job is to surface observations. You don’t need to have determined that the pattern is threatening to report that it exists.
Diffusion — “IT would have caught it.”
Ask: “What can access logs tell us that we can’t see? What can we see that access logs can’t?” The reframe: behavioral observation is a detection layer that technical monitoring cannot replicate. The security team sees file access patterns. We see whether someone seems distracted in meetings, stops joining team lunches, deflects casual check-ins. Those signals are only visible to us.
Fear of Being Wrong — “What if I damage his career for nothing?”
Ask: “What’s the cost if you report and you’re wrong? What’s the cost if you don’t report and you’re right?” The reframe: if the security team investigates and finds nothing, the report is closed. If you don’t report and there is a security incident, the harm is real — and the knowledge that people noticed beforehand and said nothing is worse. The asymmetry strongly favors reporting.
Step 4 — The “Talk to Him First” Problem (3 minutes)
Address Choice C directly — because it will have supporters in every team discussion, and it’s the one that feels most humane.
Ask: “What happens if we talk to Marcus and he is doing something? What does he do with the information that we’ve noticed?”
The answer: he covers his tracks, accelerates his timeline, or destroys evidence. The instinct to talk to the person first before reporting is kind and understandable — and in most interpersonal workplace situations, it’s exactly right. Insider threat is the exception. It is specifically the situation in which a well-intentioned conversation can make a bad situation significantly worse.
Step 5 — What Reporting Actually Looks Like (3 minutes)
Close the discussion with the practical action: where does the report go, what does it say, and what happens next.
Cover these three points:
Where to report: [Insert your organization’s security reporting channel — hotline number, security team email, or reporting portal]. Anonymous reporting is available through [insert hotline if applicable].
What to include: Specific observed behaviors with dates and context. Not conclusions — observations. “On Tuesday, Marcus was still in the office at 9 PM,” not “Marcus seems like he might be planning something.”
What happens next: The security team conducts an initial assessment. The report subject is not notified until the assessment warrants it. If the assessment finds no concern, the report is closed. You will not necessarily receive feedback on the outcome, but you will not be penalized for making a good-faith report.
Closing the Session
End with one question and one statement.
Question: “Is there anything about this scenario — or about the reporting process — that would make it hard for you to report something if you noticed it?” Let the answers surface and address them directly if possible.
Statement: “We’re all capable of noticing things the security system can’t see. The agreement I’d like us to leave this conversation with is: if any of us notices a pattern that concerns us — about anyone on the team, including me — we report it. We don’t carry it alone, we don’t wait for certainty, and we don’t feel like we’re betraying someone by surfacing an observation. That’s what I’m asking of us as a team.”
More Security Awareness Scenarios
The approved tool is slow. She uses personal Dropbox instead. “Everyone does this.”
The AI tool makes her more productive. The policy doesn’t mention it. Is she in compliance?
Browse all security awareness compliance training scenarios.
Want Security Awareness Scenarios in Your Program?
Xcelus builds scenario-based security awareness training, including the Insider Threat Manager’s Guide format — designed for manager-facilitated team discussion that builds shared team vigilance that individual e-learning cannot.
© 2005–2026 Xcelus LLC. All rights reserved. Scenario content is original work protected by copyright. You may link freely — reproduction or adaptation without written permission is prohibited.
