Combating the Insider Threat with Crowdsourced Intelligence

Combating the Insider Threat with Crowdsourced Intelligence

Insider threat ranks as one of the top concerns for airport authorities. The very real possibility that employees or contractors with access to secure areas may carry out acts of sabotage, theft or terrorism is an ever-present threat that needs a modern, proactive approach to mitigate.

In the Biennial National Strategy for Transportation Security report, TSA administrator David Pekoske presented a robust approach to multiple threats to the nation’s transportation system including insider threats.

The hefty price on implementing this strategic plan appears to fall squarely on airport authorities and focuses largely on screening employees for items in their possession.

Combating the Threat

One critical element missing from the road map is the role of crowdsourced incident reporting. To truly combat the risk of insider threat, transportation authorities should expand their concentric circles of security beyond the screening of what individuals are carrying and into the realm of behavior where the threat can be identified and monitored at an earlier phase in the incident cycle.

In two of the more prominent insider threat events that have taken place over the last few years, the screening of what was in the employee’s possession while entering the secure area would have had no impact on their ability to carry out their plots. They were in an area which they had access to and were carrying equipment that was authorized within the scope of their employment.


In 2018, a ground crew employee in Seattle, WA, Richard Russell, stole a Q400 aircraft. The employee flew the aircraft for over an hour, performing stunt maneuvers before eventually crashing and losing his life. According to the FBI affidavit, “investigators received information regarding Russell’s background, possible stressors and personal life.”


The FBI affidavit regarding the 2019 sabotage of AA flight 365, with 150 passengers on board, shows subject, Abdul-Majeed Marouf Ahmed Alani, admitted to tampering with the aircraft’s air data module.

Alani stated that his intention was not to cause harm to the aircraft or passengers, but to obtain overtime pay fixing the aircraft. Alani further stated to investigators that he was “upset” by the contract negotiations between American Airlines and its mechanics union and that it affected him financially.

In both cases coworkers recalled observing behaviors that were uncharacteristic of both individuals, yet did not report their observations.

Insider Threat

According to the Department of Homeland Security (DHS) an insider threat is defined as: the threat that an employee or contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States.

With each insider threat that comes to light there appears to be unique sets of circumstances that brought them to the point where they committed their act. These stressors are often observed by coworkers, but without a means to rapidly and discreetly report, these concerns go unreported or underreported.

In their recent report on insider threats, the International Air Transport Association (IATA) identified some changes in circumstances that may lead to behavioral changes in an employee. Noted in the report is that “most circumstances are caused by financial difficulty, undue pressure from peers and family, perception of unfairness at work, or other inducements or coercion from third parties.”

Unintentional Insiders

For unintentional insider threats, the motivations are different and more negligent than malicious. Unintentional insiders typically subject their organization to breaches through lack of knowledge of security procedures, misplaced technology and placing convenience above security.

Examples of unintentional insider threats in the aviation environment range from leaving access points unsecured to accidentally posting photos or information about secure areas or security practices on social media. While the unintentional insider typically does not have malicious intent, their actions can have just as negative of an impact as the intentional insider.

No strategy to combat insider threat is complete without the involvement and reporting from employees. With both the Miami and Seattle-Tacoma incidents, coworkers of both insiders observed strange behaviors, but either lacked the training to understand the threat or a reporting system designed to transmit their concerns.


The most critical link in early detection of insider threats are employees. Leveraging their observations must be a priority to mitigate threats. Law enforcement agencies use what is known as ‘tripwire strategies’ to detect threats earlier in the incident cycle. By training members of the community on specific observations that should be reported immediately and providing a means to rapidly communicate with authorities, many potentially catastrophic plots have been disrupted.

With meaningful training on the tactics, techniques and procedures of insider threats — as well as some basic training in behavior detection — attentive employees can form a strong layer of defense against bad actors. But beyond vigilance, speed and discretion is of the essence in reporting suspicious behavior.

Crowdsourced Reporting

Human beings are wired to detect suspicious behavior and provide the best opportunity to spot behavior anomalies on a level that is difficult or impossible to detect with electronic surveillance. In a study carried out by Crest Research, it was determined that “familiarity with an area may have a positive effect on detecting suspicious behavior.”

Having familiarity with an area or the people in that area helps in rapidly understanding the baseline normative behavior in a given environment and also provides the ability to detect anomalies in that area. This baseline familiarity positions employees to be in the best position to detect and report potential acts of insider threats. They have a deep understanding of when a coworker is behaving differently, working outside their normal shift or behaving in a way that is abnormal for them.

To capture these observations, employees need a crowdsourced incident reporting platform that they can discreetly report on without ever saying a word. Many of the suspicious behaviors associated with insider threats do not rise to the level of a 9-11 call, and when that is the only medium to report on, many issues that are not yet full-blown emergencies are dismissed.

The key to detecting insider threats exists largely in the behavior detection realm and relies on a combination of human and tech solutions. By properly training employees and equipping them with discreet reporting tools to communicate concerns at the first hint of trouble, we can capture the most valuable information before an insider threat can cause a deadly and costly incident.

David Bruce is a retired federal law enforcement officer with past assignments in counterterrorism investigations, and tactical instructor positions. As a task force officer assigned to the Boston FBI Joint Terrorism Task Force (JTTF) he spent five years investigating domestic and international terrorism cases. He also served as the lead instructor for the Boston Office of the Federal Air Marshal Service. In 2019 David graduated from UMass Amherst with a degree in journalism. Currently, he is an intelligence analyst at ELERTS Corporation.