Reassembling the Shredded Puzzle: A Conceptual Model for Insider Risk Assessment
- Dr. Frank L. Greitzer

- Mar 22
Understanding insider threats has long been compared to “connecting the dots,” but this analogy dramatically understates the complexity of the real analytic challenge. In work conducted between 2005 and 2010, I introduced the “shredded puzzle graphic” as a way to more accurately depict the process of insider threat assessment—a multilayered, inference-driven workflow that transforms raw, heterogeneous data into meaningful behavioral interpretations. This model has since guided much of my research on predictive, model-based approaches for insider risk.

Why a Shredded Puzzle?
Unlike a simple puzzle with a clear picture on the box, insider threat assessment requires analysts to make sense of fragmented information without knowing the final image—and with pieces drawn from multiple puzzles mixed together. To intensify the challenge, the pieces in this metaphorical puzzle have been shredded. The first task, then, is not to assemble the puzzle but to reconstruct the pieces themselves. This represents the basic engineering stage: transforming diverse raw data into usable analytic elements.
This shredded‑puzzle metaphor better captures the reality of insider risk analysis than the common dot‑connecting narrative. It emphasizes ambiguity, missing structure, and the need for inferential reasoning at each step—an essential perspective when addressing complex sociotechnical behaviors that evolve over time.
From Data to Meaning: Three Levels of Analytic Inference
The shredded puzzle model breaks the insider threat assessment process into three major inferential layers:
1. Data → Observables
Raw data from a range of sources—network logs, security detectors, timecards, system settings—must first be processed into observables, the smallest meaningful pieces of the puzzle. Examples include:
Amount of web surfing
Amount of downloads
Hours worked based on timecard or VPN records
Screen-saver activity derived from system registry keys
At this stage, analysts are not inferring intent or behavior—only reconstructing reliable, interpretable pieces of information from disparate systems.
2. Observables → Indicators
Next, collections or patterns of observables are transformed into indicators—features suggestive of potentially suspicious or anomalous activity. Examples include:
Increased downloads above normal
Unusual or late hours worked
Excessive web surfing
Attempts to access privileged databases
Use of personal email for work-related content
Indicators may also come from psychosocial data, such as HR records documenting arguments with supervisors or signs of hostility, which may contribute to identifying a disgruntled employee.
3. Indicators → Behaviors
At the highest layer, analysts infer behaviors—patterns of indicators that correspond to purposeful actions, whether malicious or benign. These include:
Attempts to circumvent policy
Abuse of access privileges
Sequences of actions consistent with intellectual property theft
Behavioral interpretations often involve temporal relationships—where the order and timing of indicators matter.
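The three layers can be sketched as a small pipeline. This is an added example, not code from the author or from any product named on this page; the field names, the spike threshold, the seven-day window and the single sequence rule are assumptions, and the records are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed records (day, user, field, value); bob's indicators occur in a different order
RAW = [(date(2024, 3, d), u, "download_mb", 50)
       for d in (4, 5, 6) for u in ("alice", "bob")] + [
    (date(2024, 3, 7), "alice", "priv_db_denied", 1),
    (date(2024, 3, 8), "alice", "download_mb", 900),
    (date(2024, 3, 9), "alice", "personal_email_work_file", 1),
    (date(2024, 3, 7), "bob", "personal_email_work_file", 1),
    (date(2024, 3, 8), "bob", "download_mb", 900),
    (date(2024, 3, 9), "bob", "priv_db_denied", 1),
]
PATTERN = ("PRIV_DB_ATTEMPT", "DOWNLOAD_SPIKE", "PERSONAL_EMAIL")  # assumed rule

def observables(raw):
    """Layer 1: merge source records into per-user, per-day measurements."""
    obs = defaultdict(lambda: defaultdict(float))
    for day, user, field, value in raw:
        obs[(day, user)][field] += value
    return obs

def indicators(obs, spike_factor=3.0):
    """Layer 2: flag observables that deviate from the user's own earlier days."""
    out, history = [], defaultdict(list)
    for (day, user), o in sorted(obs.items()):
        past = history[user]
        checks = {
            "DOWNLOAD_SPIKE": past and o["download_mb"] > spike_factor * sum(past) / len(past),
            "PRIV_DB_ATTEMPT": o["priv_db_denied"] > 0,
            "PERSONAL_EMAIL": o["personal_email_work_file"] > 0,
        }
        out += [(day, user, name) for name, hit in checks.items() if hit]
        past.append(o["download_mb"])
    return out

def behaviors(inds, pattern=PATTERN, window_days=7):
    """Layer 3: greedy match of an ordered indicator sequence within a window."""
    found, state = [], {}                      # state: user -> (step, start_day)
    for day, user, name in sorted(inds):
        step, start = state.get(user, (0, None))
        if step and (day - start).days > window_days:
            step = 0                           # window expired, start over
        if name == pattern[step]:
            start, step = (day if step == 0 else start), step + 1
            if step == len(pattern):
                found.append((user, "SEQUENCE_CONSISTENT_WITH_IP_THEFT", start, day))
                step = 0
        state[user] = (step, start)
    return found
```

Both constructed users produce the same three indicators, but only alice's occur in the order the rule requires, so `behaviors(indicators(observables(RAW)))` reports her alone.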

A Knowledge Base: The Glue That Holds the Puzzle Together
Central to the shredded puzzle model is a knowledge base that defines the semantics linking observables, indicators, and behaviors. It provides the interpretive framework that enables analysts and algorithms to move from raw data to meaningful assessment of insider threat risk. This semantic structure embeds domain expertise about malicious and unintentional insider behaviors, helping guide inference at each stage of the analytic process. After developing the shredded-puzzle concept, my colleagues and I, working on a government-sponsored insider threat research project (IARPA SCITE program, 2016-2019), developed the SOFIT (Sociotechnical and Organizational Factors for Insider Threat) knowledge base (e.g., Greitzer et al., 2018), which has been widely applied in modeling insider risk. More recently, working with Cogility Software, I have streamlined and updated the knowledge base (SOFIT2.0 can be obtained here).
Why This Model Matters Today
In more than a decade of research following my depiction of the shredded puzzle concept, I explored many quantitative modeling techniques to capture this idea, including rule-based systems, artificial neural networks, and Bayesian networks, among others. A series of expert knowledge elicitation studies demonstrated that no single approach fully captured the analytic process used by experts—not until I became aware of the pattern-based expert AI approach embodied in Cogility Software’s Hierarchical Complex Event Processing (HCEP) platform, Cogynt.ai. This real-time decision intelligence platform is unique in its hierarchical, pattern-based expert system approach that implements the classification-based inference process envisioned in the shredded-puzzle metaphor. Recent empirical studies comparing the outputs of Cogynt.ai with insider risk judgments by expert analysts have revealed Cogynt.ai’s superior performance compared to conventional approaches.
Although originally developed two decades ago, the shredded puzzle framework remains relevant—and prescient—in today’s data‑rich, sociotechnically complex environments. Now, having been essentially captured in Cogility’s Cogynt.ai model, the concept has become a reality.
Insider threats continue to arise at the intersection of human behavior, organizational context, and technical systems. Effective risk assessment depends not on a single “smoking gun,” but on the ability to reconstruct a coherent picture from fragmented, noisy, and sometimes misleading data. The vision embodied in the shredded puzzle metaphor – further informed by the SOFIT2.0 knowledge base and implemented in the Cogynt.ai decision intelligence platform – provides remarkable clarity and unsurpassed support for insider risk analysts.

Call to Action
As insider threats grow more sophisticated and the data landscape becomes increasingly fragmented, organizations can no longer rely on oversimplified “connect‑the‑dots” approaches. The shredded puzzle model offers a more realistic and actionable way to understand how meaning is constructed from raw, disjointed information—and why a structured, inference‑driven workflow is essential for timely, accurate insider risk assessment. Now is the moment for security leaders to rethink their analytic foundations, invest in tools and knowledge frameworks that support multi‑layered reasoning, and empower their analysts with systems that reflect the true complexity of human‑driven risks.
Now is the time to embrace a model that mirrors how experts actually think, by emphasizing the reconstruction of meaning across multiple analytic layers:
data → observables → indicators → behaviors
With this robust conceptual foundation that underlies a sophisticated and more accurate risk assessment modeling approach, organizations can move beyond reactive alerts and toward proactive, intelligence‑driven protection of their most critical assets.
To learn more about Cogility Software, see https://cogility.com/.
To learn more about Cogynt.ai, see https://cogility.com/resources/whole-person-insider-risk-management/.
References
Greitzer, FL, J Purl, YM Leong & DE Becker. (2018). SOFIT: Sociotechnical and Organizational Factors for Insider Threat. IEEE Security and Privacy Workshops (SPW), Workshop on Research for Insider Threat (WRIT), San Francisco, CA, May 24, 2018, pp. 197-206. DOI: 10.1109/SPW.2018.00035
Greitzer, FL & DA Frincke. (2010). "Combining Traditional Cyber Security Audit Data with Psychosocial Data: Towards Predictive Modeling for Insider Threat Mitigation." In Insider Threats in Cyber Security, ed. CW Probst, J Hunter, D Gollmann & M Bishop, pp. 85-113. Springer, New York. http://dx.doi.org/10.1007/978-1-4419-7133-3_5.


