Insider Threat

An Insider Threat is a person who uses their access, or the access of others, to wittingly or unwittingly do harm to the University or its community. Harm to the University comes in many forms, including theft of private or government-funded research data; compromise of University IT systems; unauthorized access to University facilities and equipment; unauthorized disclosure of research data, techniques, and methodologies; and violent acts.

Who is an Insider Threat?

An insider threat is any person who has access to University personnel, facilities, information, equipment, networks, or systems who can do harm to the University or its community.

Collection Methods

Collection refers to the transfer of expertise, data, techniques, and methodologies. It can also refer to intelligence gathering, such as understanding security measures, identifying key personnel, and identifying vulnerabilities in University networks or processes. Examples of collection methods include Requests for Information; Academic Solicitation; Suspicious Network Activity; Targeting at Conferences, Conventions, and Trade Shows; Solicitation and Marketing/Seeking Employment; Elicitation and Recruitment; and Foreign Visits.

Risk Vulnerabilities versus Indicators

Risk vulnerabilities refer to predispositions and stressors that may signal that an insider is more likely to act on an opportunity enabled by their access. Risk vulnerabilities may also make an insider prone to targeting or exploitation by external or foreign entities.

Risk Indicators are actions or events that suggest potentially harmful activity has taken or will take place. Risk indicators should be reported as soon as they are noticed, to protect not only the University but also the subject of the report. Early detection allows the University to intervene and minimize escalation of the situation.

Reporting an Insider Threat

Reporting insider risk protects University employees, infrastructure, and financial security; private and government-funded research; and ultimately the University's reputation. Reporting can be anonymous or attributable, as determined solely by you. GRS will not attempt to identify you if you choose to be anonymous. Further, GRS will make every effort to maintain the confidentiality of your report, your identity, and the source of the reporting. The reporting methods below can be used to set up discreet follow-on discussions or to make a one-time report of information. A thorough report consists of the following: name(s) of reported individual(s), campus, department, lab name and/or room number, identifiers (e.g. University email) of reported individual, date of behavior, and description of behavior. Attachments of screenshots, logs, email communications, and other items supporting the report are helpful. If you choose an attributable means to contact GRS, the office will contact you by the same means or one that you identify within two business days.

Reporting Methods

GRS offers several means to communicate with the office, including email, phone, end-to-end encrypted platforms, mail, and in-person. See below:

GRS is located at KU Innovation Park, 2029 Becker Drive, Lawrence, Kansas 66047.

Our office phone number is 785-864-0821.

GRS maintains an office account GRS@ku.edu. You can contact us using your University email (ku.edu or kumc.edu), your personal email, or a variety of non-attributable email providers listed below:

  • ProtonMail
  • Tuta
  • StartMail
  • Guerrilla Mail
  • Anon Addy (Addy.io)
  • Posteo
  • Mailfence

End-to-end encryption provides the assurance that you are communicating only with GRS personnel. We maintain several accounts to facilitate communication. Listed below are GRS's current applications and usernames:

This anonymous form is secure and will not transmit any information via email. 

Report an Insider Threat

Still have questions?

Please use one of the above Communication Methods to contact GRS.

Collection Methods

Attempts by external entities to establish a connection with an employee vulnerable to the extraction of protected information. Examples include:

  • Sales
  • Representation
  • Response to tenders for technical or business services
  • Requests under the guise of price quote or marketing surveys

Attempts to acquire protected information under the guise of academic reasons. Examples include:

  • Peer or scientific board reviews of academic papers or presentations
  • Requests to study or consult with faculty members
  • Applications for admission into academic institutions or programs, as faculty members, students, fellows, or employees

Attempts to carry out intrusions into University networks and/or exfiltrate protected information. Examples include:

  • Cyber intrusion
  • Viruses
  • Malware
  • Backdoor attacks
  • Acquisition of usernames and passwords

Attempts to directly link programs and technologies with knowledgeable personnel. These attempts take many forms including:

  • Technical Experts may receive invitations to share their knowledge
  • Experts may be asked about restricted, proprietary, and classified information

Attempts to place foreign or external personnel near employees with access to collect information and build relationships that can be exploited. These attempts take many forms including:

  • Joint ventures or research partnerships
  • Offering of services
  • Internship programs for foreign students

Attempts to discreetly gather information that is not readily available and do so without raising suspicion that specific facts are being sought. It is usually non-threatening, easy to disguise, deniable, and effective. Examples include:

  • Conversation in person, over the phone, or in writing, commonly facilitated through social media

Attempts to gain access to and collect protected information that goes beyond that which is permitted and intended for sharing. Examples include:

  • Pre-arranged visits by foreign or external entities
  • Unannounced visits

Risk Indicators

Examples of a person displaying Interpersonal Concerns include but are not limited to:

  • Unusually argumentative or engaging in altercations
  • Exhibiting or threatening violence
  • Weapon mishandling
  • Criminal affiliation
  • Suicidal ideation or attempt  

Examples of a person displaying Technical Concerns include but are not limited to:

  • Violating information system policies
  • Suspicious email or browsing activity
  • Transferring data to a personal or suspicious account
  • Tampering with record-keeping data
  • Introducing malicious code

These concerns include but are not limited to:

  • Compliance violation (e.g. failing to complete or falsely completing a COI/COC disclosure)
  • Security infraction
  • Non-compliance with training requirements
  • Time entry violations
  • Security clearance denial, suspension, or revocation
  • Business travel without authorization (e.g. performing work-related duties while on personal travel without registering)

These concerns include but are not limited to:

  • Displaying signs of unexplained affluence
  • Perceived high debt-to-income ratio
  • Unexplained large purchases