
Insider Threat Detection: Why Emotional Signals Precede the Digital Footprint

Every insider incident that has ever been investigated produced digital artefacts — unusual access patterns, data exfiltration events, credential anomalies. Almost none of them produced digital artefacts first. The emotional and behavioural signals came earlier. The detection infrastructure was looking the wrong way.

The Ponemon Institute estimates the average cost of an insider threat incident at £3.2 million. ISACA's 2024 State of Cybersecurity report found that insider threats — whether malicious or negligent — account for 60% of data breaches. Every major breach investigation produces a detailed post-mortem of the digital signals that were missed. Almost none ask the prior question: what non-digital signals preceded them, and why was there no monitoring infrastructure to detect them?

The Timeline Problem With Digital Monitoring

UEBA, SIEM, and DLP systems are excellent at what they are designed to do: detect anomalous digital behaviour relative to established patterns. Unusual file access at 2am, lateral movement to systems outside a user's normal scope, credential use from unexpected geographic locations — these systems catch these events reliably when properly tuned.

The problem is the word "after." UEBA detects anomalous digital behaviour after it has occurred. The digital act is what triggers the alert, so the alert can never precede the act. By the time a UEBA alert fires on unusual data access, the access has already happened. In many significant insider cases — Wen Ho Lee, Robert Hanssen, Chelsea Manning — the digital activity that eventually triggered investigation had been occurring for months or years before detection.

Insider threat research provides a consistent answer to why: the digital acts are not the beginning of the insider threat timeline. They are closer to the end. The beginning is typically a precipitating event — financial stress, personal crisis, ideological radicalisation, recruitment by a foreign intelligence service, coercion — that produces measurable changes in an individual's emotional and behavioural state before it produces changes in their digital behaviour.

What the Psychology of Insider Threat Actually Shows

The US Department of Homeland Security's Common Sense Guide to Mitigating Insider Threats identifies a characteristic behavioural trajectory: a concerning life event or stressor, followed by a change in attitude or behaviour observable to colleagues, followed eventually by an operational act. The Carnegie Mellon CERT Insider Threat Center's longitudinal analysis of 150 insider cases found that the average time between the first observable precursor and the first malicious act was 14 months.

Fourteen months. The precursors were observable — to colleagues, in some cases to managers. In almost no case were they systematically monitored. The monitoring infrastructure was watching network logs. Nobody was watching the person.

This is the gap EchoDepth addresses. Continuous emotional baseline monitoring — tracking arousal, valence, and dominance over time for each monitored individual — surfaces deviations from an individual's established pattern. A person whose emotional baseline has been calm-neutral for six months who begins showing sustained negative valence and elevated arousal during routine access events is not necessarily an insider threat. But they represent an anomaly that warrants closer attention, months before the digital signals that a SIEM would detect.

"In the majority of insider threat cases examined, there were observable behavioural indicators prior to the damaging act. In almost all cases, no systematic monitoring was in place to detect these indicators."

— Carnegie Mellon CERT Insider Threat Center, Common Sense Guide (7th edition)

How EchoDepth's Three-Phase Detection Architecture Works

EchoDepth's insider threat monitoring capability operates in three phases. In the baseline establishment phase, the system builds an individual emotional profile per monitored person from routine sessions over two to four weeks. This profile captures the individual's typical VAD range, micro-expression frequency, and arousal patterns across different contexts.

In the anomaly detection phase, ongoing sessions are scored against the individual baseline. Deviations above a configurable threshold in valence, arousal, or dominance generate weighted anomaly scores. The system also tracks trajectory — a gradual drift in baseline over weeks may indicate progressive emotional change, while a sudden spike indicates an acute stressor.

In the integration phase, anomaly scores feed directly into SIEM platforms via REST API — Splunk, Microsoft Sentinel, IBM QRadar. Security teams receive the human-layer signal alongside their digital event feeds, enabling correlation: does this individual's elevated anomaly score coincide with unusual access patterns? This correlation is much more powerful than either signal alone.
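The baseline and anomaly-detection phases described above can be sketched as follows. This is an added example, not EchoDepth's code: the weights, both thresholds, the z-score method and all function names are assumptions, and the session values are constructed.

```python
from statistics import mean, stdev

# Assumed values: the page says only that thresholds are configurable.
WEIGHTS = {"valence": 0.4, "arousal": 0.4, "dominance": 0.2}
Z_THRESHOLD = 2.0      # per-session deviation (in baseline std devs) that scores
DRIFT_THRESHOLD = 1.0  # shift of the recent-window mean that counts as drift

def session(v, a, d):
    return {"valence": v, "arousal": a, "dominance": d}

def build_baseline(sessions):
    """Per-dimension (mean, std dev) from the routine baseline sessions."""
    return {k: (mean(s[k] for s in sessions), stdev(s[k] for s in sessions))
            for k in WEIGHTS}

def z_scores(baseline, s):
    return {k: (s[k] - mu) / sd for k, (mu, sd) in baseline.items()}

def anomaly_score(baseline, s):
    """Weighted sum of the deviations that exceed Z_THRESHOLD; 0 if none do."""
    return sum(WEIGHTS[k] * abs(z) for k, z in z_scores(baseline, s).items()
               if abs(z) >= Z_THRESHOLD)

def classify_trajectory(baseline, recent):
    """spike: only the latest session scores; drift: the window mean has moved."""
    scores = [anomaly_score(baseline, s) for s in recent]
    if scores[-1] > 0 and not any(scores[:-1]):
        return "spike"
    window = {k: mean(s[k] for s in recent) for k in WEIGHTS}
    if max(abs(z) for z in z_scores(baseline, window).values()) >= DRIFT_THRESHOLD:
        return "drift"
    return "stable"

# Constructed sample data, not real measurements.
BASELINE = build_baseline([session(0.10, 0.30, 0.50), session(0.20, 0.35, 0.55),
                           session(0.15, 0.25, 0.45), session(0.05, 0.30, 0.50),
                           session(0.20, 0.40, 0.50), session(0.10, 0.30, 0.55)])
STABLE = [session(0.12, 0.32, 0.50), session(0.15, 0.30, 0.52), session(0.10, 0.33, 0.50)]
SPIKE = STABLE[:2] + [session(-0.40, 0.70, 0.50)]
DRIFT = [session(0.08, 0.36, 0.50), session(0.05, 0.38, 0.50),
         session(0.03, 0.40, 0.50), session(0.02, 0.41, 0.50)]

if __name__ == "__main__":
    for name, recent in (("stable", STABLE), ("spike", SPIKE), ("drift", DRIFT)):
        print(name, classify_trajectory(BASELINE, recent),
              round(anomaly_score(BASELINE, recent[-1]), 2))
```

In the constructed drift series no single session crosses the per-session threshold, so only the window comparison flags it; this is why trajectory has to be tracked separately from per-session scoring.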

The Privacy Architecture: Why This Is Legal and Proportionate

Continuous emotional monitoring raises legitimate privacy questions. EchoDepth's architecture addresses these directly. All biometric data is pseudonymised by default — the system scores deviation from baseline rather than storing raw identifiable biometric data. Role-based access controls govern who can access individual-level scores versus aggregate team readiness metrics. All data is processed within UK borders. Full audit logging meets UK GDPR requirements for biometric data processing in security contexts.

The proportionality argument is straightforward: organisations that already operate CCTV, keycard access logging, email monitoring, and DLP systems are conducting extensive monitoring of their personnel's digital behaviour. Extending that monitoring to include emotional baseline deviation scoring — using camera infrastructure already in place — is proportionate to the insider threat risk and less intrusive than many existing monitoring practices.

A full Data Processing Agreement is available under NDA for procurement teams requiring detailed GDPR and DSP Act compliance documentation.
