Why does insider threat detection need an emotional signal layer?

Digital behaviour monitoring systems — UEBA, SIEM, DLP — only detect anomalies after a digital act has occurred. But insider threat research consistently shows that emotional and behavioural changes precede digital acts by days, weeks, or months. Financial stress, ideological grievance, coercion, or personal crisis manifest in facial and behavioural signals before they manifest as unusual file access or credential misuse. EchoDepth provides continuous emotional baseline monitoring that surfaces these pre-digital signals.

What is the average cost of an insider threat incident?

The Ponemon Institute's 2023 Cost of Insider Threats report estimated the average annual cost per insider threat incident at $16.2 million globally. For UK organisations, the equivalent figure accounting for regulatory environment and market context translates to approximately £3.2 million per incident on average. These costs include investigation, remediation, regulatory fines, legal costs, and reputational damage.

How does EchoDepth monitor for insider threat without being invasive?

EchoDepth monitors facial Action Units using existing camera infrastructure — CCTV, desk cameras, or room cameras already in place. It establishes an emotional baseline per individual over time, then scores deviations from that baseline. The system does not flag specific emotions as suspicious; it identifies statistically significant departures from an individual's own established pattern. All data is pseudonymised, processed within UK borders, and subject to role-based access control and full audit logging under UK GDPR.

← Insights Personnel Security · Insider Threat May 2026

Personnel Security Vetting:
The Case for Continuous Emotional Monitoring

Standard vetting is a snapshot. Most insider incidents involve individuals who passed their last vetting review. Continuous emotional baseline monitoring detects the behavioural drift between formal reviews — catching the precursors to an incident, not its aftermath.

The vetting cycle gap

Developed Vetting (DV) — the UK's highest personnel security clearance — is reviewed on a 7–10 year cycle. In the interval between reviews, a cleared individual's circumstances can change substantially: financial stress, relationship breakdown, health crisis, ideological exposure, workplace grievance. Each of these is a documented precursor to insider incidents, and none of them are visible to the vetting record until the next formal review.

The CPNI's analysis of UK insider incidents consistently identifies post-vetting life events as the proximate trigger. The question is not whether vetting standards are sufficient — they are — but whether point-in-time assessment is structurally capable of detecting the dynamic risk that develops between cycles.

What emotional monitoring adds

EchoDepth establishes a facial AU behavioural baseline for each individual during normal working conditions. The baseline captures the person's typical pattern of emotional expression — their characteristic AU signatures for concentration, engagement, fatigue, and stress. Deviation from this baseline, sustained over time, is a signal for human review.

The deviation patterns that precede insider incidents are well-documented in the security psychology literature: sustained suppression behaviour (elevated Instability scores indicating involuntary emotional regulation effort), progressive negative affect without situational explanation, and social withdrawal signals. These are not visible in attendance records or access logs. They are visible in facial behaviour.

Between vetting cycles: a persistent signal layer

Continuous monitoring does not replace vetting. It creates a persistent signal layer that operates between formal reviews — flagging behavioural changes that warrant earlier review, enhanced interview, or adjusted access permissions. This is consistent with the NPSA's guidance on personnel security as a continuous programme rather than a series of discrete checks.

The output is not a determination of risk. It is a prioritised signal — identifying which individuals from a cleared population show behavioural patterns that correlate with elevated insider risk — allowing security teams to allocate limited review capacity where the evidence suggests it is most needed.

Deployment and privacy architecture

EchoDepth processes standard camera video on-premise. No biometric data is transmitted externally. The baseline and deviation signals are retained in an encrypted on-premise store with access controls appropriate to the security classification of the environment. The system is configurable for any combination of roles, locations, and monitoring intensity commensurate with clearance level and access sensitivity.

Related capability

Insider threat monitoring for defence and security environments

Continuous emotional baseline monitoring. FACS AU analysis. SCIF-compatible. Integrates with existing personnel security programmes.

Insider Threat Solution Request a Technical Briefing

Personnel Security Vetting:The Case for Continuous Emotional Monitoring