Truth in IT
Palo Alto Networks: The 10-80-10 Rule: Understanding Insider Threat Risk in Your Workforce

Palo Alto Networks
07/03/2026
Transcript


David Moulton: new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. In today's episode, I'm going to talk with Chris Tillett. Chris is a Senior Research Engineer at Palo Alto and a member of the Advisory Board for Titanium Labs. Chris, your bio on LinkedIn was really short. It says author, speaker, technologist, and failure expert. Before we get into today's topic on Insider Threat, I want you to talk to me a little bit about what you mean by failure expert.

Chris Tillett: Yeah, that's a title I've earned through pain and experience. I had to really learn by doing, and I have a natural curiosity. So by me looking at something and going, well, I wonder if we did this, how would that impact the network? Or if we did that, how would that impact the systems? It helped me learn and fail fast.

David Moulton: I love it. You've got to be fearless to be able to go into something knowing that the odds could be stacked against you, but no risk, no reward. What is Insider Threat, and why has that become such a growing concern in today's cybersecurity landscape?

Chris Tillett: Insider Threats are probably the most difficult thing to address because in reality they start in a person's figurative heart. To catch the early traces of it is extremely difficult. There are just some people that are wired to find the loopholes in an organization. When we look at what an Insider Threat is, in reality, it's anyone who has access to our systems, our data, our information that could use that for their own gain or the gain of somebody else.

David Moulton: So tell our audience the common motivations or factors that you've seen that lead individuals to become Insider Threats, and then how understanding those motivations helps with identifying and mitigating those risks.

Chris Tillett: So I call it the 10-80-10 rule. I talked earlier of there are people that are just wired to find the holes in your organization. That's about 10% of your employees. Sometimes that's data theft. Sometimes that could actually be money theft. That's also why you put controls in place. Typically those controls are going to catch people where it starts with a dollar or two and then eventually they get more and more bold and then they trip a control later on. The other 10% of people that are on the opposite end of that spectrum are people that we never have to worry about. They will never steal from the organization. As a matter of fact, they won't even borrow a pencil and take it home. That's just not how they're wired and they refuse to do it. To me, those two sides are very easy. You have the ones that are just going to get bold and eventually screw up, and then you've got others that you never have to worry about. The hard part is the 80% in the middle, and the reason why is many of them will never become Insider Threats ever, but all it takes is a change in their circumstances, a change in the organization, and all of a sudden the thoughts creep in. That seed of motivation, the 80% are the hardest to find.

David Moulton: So what are some of those key indicators or behavioral patterns that organizations should be aware of when trying to identify those Insiders in their workforce? Is it crucial for the management to know their employees and for the SOC to be in communication with that management and track normal across an organization?

Chris Tillett: Having something that does behavioral tracking is absolutely crucial. What is Insider Threat for HR? What is Insider Threat for accounting, for IT? When we're using digital assets, we are creating a profile of what is normal. If we're not able to track that, then when a user deviates from that normal, we're not going to catch those beginning indicators. CISOs need to leverage the business units.

David Moulton: Having that baseline on behavior immediately is one of the most important things an organization should do, but that's just my opinion.

Chris Tillett: That's absolutely true, David. And so when you look at this, that baseline in comparison, not only to themselves, but their organization and their peers is going to be truly enlightening to the SOC. Being able to evaluate an individual against their peer groups is going to be crucial to see whether or not they're really deviating from their norm.

David Moulton: Chris, thanks for joining me today on Threat Vector. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now.

TL;DR

  • The 10-80-10 rule segments employees into those predisposed to exploit (10%), those who never would (10%), and the critical middle 80% who could become threats given changed circumstances.
  • Insider threats begin with motivation, not access—making early detection extremely difficult since the warning signs start in a person's mindset before manifesting in behavior.
  • Behavioral baselining across business units is essential; organizations must understand what normal looks like for each department to identify meaningful deviations.
  • Comparing individual behavior against peer groups provides crucial context that helps SOC teams distinguish genuine anomalies from acceptable variations in work patterns.

Summary

This Threat Vector segment features Chris Tillett, Senior Research Engineer at Palo Alto Networks, discussing the psychology and detection of insider threats. Tillett introduces his 10-80-10 rule, which segments employees into three categories: 10% who are inherently inclined to exploit organizational vulnerabilities, 10% who would never compromise their employer, and the critical 80% in the middle who could become threats given the right circumstances. The conversation emphasizes that insider threats originate in motivation rather than technical access, making early detection extremely challenging. Tillett stresses the importance of behavioral baselining—understanding what normal activity looks like for HR, accounting, IT, and other business units—so that deviations can be identified before they escalate. He advocates for CISOs to leverage business unit relationships and implement behavioral tracking that compares individuals against their peer groups, enabling SOC teams to spot anomalies that might indicate emerging insider risk.

Chapters

0:00 - Introduction to Threat Vector
0:48 - Meet Chris Tillett
1:48 - Defining Insider Threat
2:48 - The 10-80-10 Rule
4:15 - Behavioral Detection Strategies
5:52 - Closing

Key Quotes

2:48 "So I call it the 10-80-10 rule."
3:54 "The hard part is the 80% in the middle, and the reason why is many of them will never become Insider Threats ever, but all it takes is a change in their circumstances, a change in the organization, and all of a sudden the thoughts creep in."
4:44 "Having something that does behavioral tracking is absolutely crucial."

FAQ

What makes the middle 80% of employees the biggest insider threat concern?

Unlike the 10% who are predisposed to exploit vulnerabilities or the 10% who would never compromise their employer, the middle 80% represent latent risk. They may never become threats, but changes in personal circumstances or organizational conditions can plant seeds of motivation that lead to insider incidents.

How should organizations approach behavioral monitoring for insider threats?

Organizations should establish behavioral baselines specific to each business unit—understanding what normal looks like for HR, accounting, IT, and other departments. The SOC should then compare individual behavior not just against their own history but against their peer groups to identify meaningful deviations that warrant investigation.
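The two-sided comparison described in the TL;DR and in this FAQ answer (an individual against their own history, and against their business-unit peers) is easy to get wrong in practice, so here is a small worked illustration. This is an added example written for this page; it is not code from the episode, from Chris Tillett, or from Palo Alto Networks. The users, departments and daily file-access counts are constructed, and the z-score method, the 3.0 threshold and the 1-count standard-deviation floor are assumptions chosen to make the idea concrete.

```python
"""Peer-group behavioral baselining over constructed daily activity counts.

Added illustration for this page; it is not code from the episode, from
Chris Tillett, or from Palo Alto Networks. The users, departments, daily
file counts, the z-score method, the stdev floor and the threshold are all
assumptions chosen to make the idea concrete.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (user, department, day, files_accessed).
# Days 1-7 are the learning window; day 8 is the day under review.
_TYPICAL = {
    "alice": ("finance", 40),
    "bob": ("finance", 45),
    "carol": ("finance", 38),
    "dave": ("hr", 120),   # HR pulls far more files per day than finance
    "erin": ("hr", 110),
    "frank": ("hr", 125),
}
EVENTS = [
    # small deterministic jitter (-1, 0, +1) so each baseline has some spread
    (user, dept, day, typical + (day % 3) - 1)
    for user, (dept, typical) in _TYPICAL.items()
    for day in range(1, 8)
]
# Day 8: everyone is normal except carol, who pulls 400 files.
EVENTS += [
    ("alice", "finance", 8, 41),
    ("bob", "finance", 8, 44),
    ("carol", "finance", 8, 400),
    ("dave", "hr", 8, 121),
    ("erin", "hr", 8, 109),
    ("frank", "hr", 8, 126),
]


def learn_baselines(events, window_end):
    """Collect daily counts up to window_end, keyed dept -> user -> [counts]."""
    history = defaultdict(lambda: defaultdict(list))
    for user, dept, day, count in events:
        if day <= window_end:
            history[dept][user].append(count)
    return history


def zscore(value, history, floor=1.0):
    """Standard score of value against history.

    Two edge cases a real baseline hits constantly: no history at all (a new
    hire, an empty peer group) scores 0.0 because there is nothing to deviate
    from, and a perfectly flat history has stdev 0, so the stdev is floored
    (assumed floor of 1 count) instead of dividing by zero.
    """
    if not history:
        return 0.0
    sigma = max(pstdev(history), floor)
    return (value - mean(history)) / sigma


def score_day(events, eval_day, threshold=3.0):
    """Score each user's activity on eval_day against two baselines.

    self_z : the user's own prior days.
    peer_z : prior days of everyone else in the same department.
    A user is flagged only when BOTH exceed the threshold. Self-only deviation
    is often a legitimate workload change; peer-only deviation usually means
    the user's normal simply differs from the department's (e.g. a power
    user), which is exactly why baselines are kept per business unit.
    """
    history = learn_baselines(events, eval_day - 1)
    results = {}
    for user, dept, day, count in events:
        if day != eval_day:
            continue
        self_z = zscore(count, history[dept][user])
        peers = [c for u, counts in history[dept].items() if u != user for c in counts]
        peer_z = zscore(count, peers)
        results[user] = {
            "department": dept,
            "count": count,
            "self_z": round(self_z, 2),
            "peer_z": round(peer_z, 2),
            "flag": self_z > threshold and peer_z > threshold,
        }
    return results


if __name__ == "__main__":
    for user, r in score_day(EVENTS, 8).items():
        mark = "FLAG" if r["flag"] else "ok"
        print(f"{mark:4} {user:6} {r['department']:8} count={r['count']:4} "
              f"self_z={r['self_z']:7.2f} peer_z={r['peer_z']:7.2f}")
```

Running it flags only carol; dave's 121 files are unremarkable because his baseline is HR's, not finance's, and the same 120 files attributed to a finance user would be flagged. Two caveats worth carrying into a real deployment: a user with no self history (a new joiner) scores 0.0 on the self axis and so can never trip the AND rule, which means "no baseline yet" should be treated as its own signal rather than silently passed; and a single daily count is one feature, whereas a production baseline would score several (hosts touched, off-hours logins, data volume to removable media or cloud storage) and combine them.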


Categories:
  • Data Protection
Tags:
  • Security Operations
  • Threat Intelligence
  • Identity & Access
  • Best Practices
  • Interview
  • Insider Threat
  • Behavioral Analytics
  • Employee Risk Assessment
  • Security Operations Center
  • User Behavior Monitoring
  • Threat Detection
  • CISO Strategy
  • Organizational Security
