The Millennial Generation as an Insider Threat: High Risk or Over Hyped?

David Fisher




This thesis asks if a specific generation, Millennials, is collectively more likely to possess the characteristics and traits of an insider threat than the Baby Boomers or Generation X (Gen X) generations. For the purposes of this study, insider threat it is defined as “people who maliciously and deliberately used their access to cause harm.”[1] The study’s relevance lies in the fact that that these three generations comprise 95 percent of today’s workforce, with the Millennials steadily becoming the largest part.[2]

This analysis is accomplished by comparing the generations against known insider threat risk factors. These risk factors, as defined by the United States Computer Emergency Readiness Team (US-CERT), are:

  • Greed/financial need
  • Entitlement—narcissism (ego/self-image)
  • Ethical “flexibility”
  • Vulnerability to blackmail
  • Reduced loyalty
  • Rebelliousness, passive aggressiveness
  • Compulsiveness and destructive behavior
  • Introversion
  • Lack of empathy
  • Predisposition toward law enforcement (authority)
  • Minimization of their mistakes or faults
  • Intolerance of criticism
  • Inability to assume responsibility for their actions
  • Self-perceived value exceeding their performance [3]

Each of these factors is analyzed to identify which generation possesses which factors, creating the generation’s insider threat probability. Then each generation is ranked to develop the generation threat hierarchy—that is, the order in which the generations rank relative to their possession of insider threat risk factors. The threat hierarchy then provides the theoretical answer to the research question.

The data sources utilized for this study stem from a variety of functional areas, disciplines, and organizations. The insider motivations are gathered through various behavioral analysis studies from US-CERT, the Federal Bureau of Investigation (FBI), Department of Defense’s Personnel and Security Research Center (PERSEREC) and published, first-hand accounts and descriptions of known insiders and those who encourage them.[4] The data used for enumerating successful insider threat compromises was provided by Carnegie Mellon’s Computer Emergency Response Team (CERT).[5] This data has been collected and tabulated since 1996 to capture a variety of data points about successful insider threat attacks. It validates the theoretical answer based on a comparison of actual data sets.

This study shows three results. First, despite the stereotypes, Millennials are no more likely to be insider threats than any other generational cohort. Second, based simply on the projected representation in the workforce, Millennials may still become the primary perpetrators of insider threat attacks in the workforce. Lastly, as their numbers in the workforce continue to grow, Millennials will likely be the majority of the perpetrators in the years to come; statistically, however, there is no reason to believe that the percentage of attacks from Millennials will increase any more than what is currently experienced.

During the course of researching, analyzing, and writing on this topic, it became apparent that there are several shortcomings that, while certainly affecting the outcome to a minor extent, are not believed to cast any significant doubt on the findings: the weight assigned to the risk factors that led to the calculations, the data used in the analysis, and the analysis’ limited scope. Weight was assigned to factors based on input from available literature, which included both academic publications and online material. As sparse as the available information was, the category weights represent the best estimates.

The second shortfall is regarding the data used in the analysis. The data provided by CERT has merit, however CERT possesses no authority to require any organization, private of public, to report any breaches related to cyber security, let alone specifics regarding compromises that can be traced directly to an insider threat. The data reaches back to 1997 and consists of 655 reported cases of insiders stealing data from within an organization’s information systems. While a larger dataset would strengthen the analysis’ validation, this study could only use what was made available by CERT.

Lastly, the scope of this analysis is limited to the generational cohorts. Furthering this study by breaking the cohorts into more specific demographics such as age, race, gender, and level of education, while not providing significant validation to the findings, might lend further insight into the Millennial cohort itself to specifically determine which combination of demographics warrants further research. This thesis shows that Millennials are statistically less likely to become insider threats; deeper examination into the generation’s demographics is the next logical step.

This thesis asked the question: Do Millennials pose a higher risk of becoming insider threats? Based on available evidence, the answer appeared to be that they are, in fact, more likely. The actual data, however, did not support the evidentiary conclusion. To the cyber security community, this finding means that, while Millennials have committed insider threat crimes below their representative workforce percentage, they will soon outnumber other generations; their lower-than-proportionate level of compromises will outnumber other cohorts simply by their sheer numbers. Thus, a successful mitigation strategy should be developed, keeping this finding at the forefront of the strategy— not because Millennials are more likely to compromise, but because they are simply more numerous.




Cole, Eric. Insider Threats in Law Enforcement. Bethesda, MD: SANS Institute 2014.

Knowledge Center. “Generations: Demographic Trends in Population and Workforce.” Knowledge Center. March 5, 2013.

National Cybersecurity and Communications Integration Center. Combating the Insider Threat. Washington, DC: U.S. Department of Homeland Security, 2014. %20the%20Insider%20Threat.pdf.

Software Engineering Institute. “About Us.” Accessed August 23, 2015.


[1] Eric Cole, Insider Threats in Law Enforcement (Bethesda, MD: SANS Institute 2014),

[2] The traditional generation, born before 1945, represents 5 percent of the US workforce as of 2012. That percentage continues to shrink as those workers exit the workforce. See “Generations” Demographic Trends in Population and Workforce,” Knowledge Center, March 5, 2013,

[3] National Cybersecurity and Communications Integration Center, Combating the Insider Threat (Washington, DC: U.S. Department of Homeland Security, 2014),

[4] The United States Computer Emergency Readiness Team (US-CERT) is an organization within the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD). It is accepted among cyber security practitioners as an authoritative agency relative to all elements of cyber security and defenses.

[5] Not to be confused with US-CERT, which is part of the federal structure, CERT is a “national asset in the field of cybersecurity that is recognized as a trusted, authoritative organization dedicated to improving the security and resilience of computer systems and networks.” See “About Us,” Software Engineering Institute, accessed August 23, 2015,

No Comments

Post a Comment