
The Australian Government has operated insider threat programs since Australia’s federation in 1901, though the programs may not have been named ‘insider threat’. Private sector organisations around the world, including banks, miners of precious metals and stones, and lawyers, have also operated insider threat programs over centuries to protect their assets and operations.
Since 2001, triggered by the 9/11 attacks in the United States and subsequent emerging geostrategic threats, the Australian Government has progressively recognised the need for more comprehensive insider threat programs to protect government assets and operations, directing more effort to mitigate insider threat. Aligned with this effort, the Australian Government has also made clear the need for Australia’s critical infrastructure owners and operators, which are predominantly private sector entities, to create and operate effective insider threat programs to mitigate person-based threats to assets and operations.
The term ‘insider threat’ describes people who use the legitimate access they have been entrusted with to cause harm to the organisation that extended that trust and granted them access. The Australian Security Intelligence Organisation (ASIO) defines an insider threat as current or former employees or contractors who have, or had, legitimate access to your workplace’s people, information, techniques, activities, technology, assets or facilities [and] use that legitimate access to cause harm to the organisation.
Note that insider threats may act unintentionally or intentionally in causing harm; however, the consequences of their action can be the same irrespective of intent. Insider threat events often disrupt or degrade an organisation’s operations and can inflict financial and reputational damage. Insider threat is a risk type relevant to all organisations across government at all levels, private sector, and not-for-profits because all organisations have people.
Ahead of examining the Australian Government’s recent approaches to mitigating insider threat, let’s contextualise that examination by considering how Australia’s ally, the United States, treats insider threat.
In 2025, the United States National Counterintelligence and Security Center (NCSC) released a comprehensive report on insider threat mitigation for U.S. critical infrastructure, highlighting the growing risk posed by trusted individuals with access to sensitive systems, facilities, and personnel. The report notes that foreign adversaries and cybercriminals increasingly target private sector organisations, state and local governments, and academic institutions. The report emphasises that insider threats must be recognised as a critical security challenge alongside cyber and physical threats.
This NCSC guidance comes at a time when U.S. critical infrastructure is under unprecedented pressure from both foreign intelligence entities and sophisticated cybercriminal organisations. The report outlines how adversaries collect vast amounts of data—both public and non-public—on individuals and organisations, using advanced analytics and artificial intelligence to identify, target, and exploit vulnerabilities of people for espionage, sabotage, or financial gain. Insiders can enable an external entity to access assets, sabotage operations, or steal data.
So with this context, what has the Australian Government recently established through policy and legislation with respect to the necessity of insider threat programs? There are four recent areas of insider threat focus:
- Protective Security Policy Framework
- Security of Critical Infrastructure legislation
- the AUKUS treaty
- Transport Security Amendment (Security of Australia’s Transport Sector) Act 2025
Protective Security Policy Framework
TOP SECRET—Privileged Access
In November 2021, the Commonwealth’s Protective Security Policy Framework (PSPF) revised two policies to upgrade the security actions that would be applied to people granted the Commonwealth’s highest level of security clearance, known as TOP SECRET-Privileged Access (TS-PA).
These measures include an insider threat program with ongoing (or continuous) monitoring of people with TS-PA clearances. The Australian Security Intelligence Organisation (ASIO) manages the TS-PA capability. This approach to managing insider threat is primarily for Australian Government employees and contractors employed in the intelligence, security, defence, diplomatic, and Australian Defence Force domains.
Requirement 51
In late 2023, the many Australian Government departments that operate outside the group of national security departments and agencies (where, as noted above, all employees and contractors have TOP SECRET clearances) were told that each department needed to establish an insider threat program.
This requirement was clarified in November 2024 amendments to the Commonwealth’s PSPF, to which most Commonwealth departments are subject. The amendment, known as Requirement 51, states: “An insider threat program is implemented by entities that manage BASELINE to [TOP SECRET] PV security clearance subjects to manage the risk of insider threat in the entity.”
This means that if any person in an entity has a Commonwealth security clearance at any level, the hosting entity is required to create and operate an insider threat program, and the sponsor of those clearances is responsible for ensuring that an insider threat program exists.
Security of Critical Infrastructure (SOCI) legislation
Also, in 2023, it became clear that critical infrastructure entities, most of which are private sector entities, have obligations under the Security of Critical Infrastructure Act 2018 (SOCI Act) requiring them to mitigate insider threat for both their ‘critical workers’ and broader workforce, and also into their supply chain.
Whilst the SOCI legislation does not expressly use the term ‘insider threat program’, such a program is the mechanism required to manage personnel security and insider threat across a critical infrastructure entity, as expressed in the SOCI legislation, for both critical workers and all other employees and contractors with legitimate access to the entity’s assets and operations.
AUKUS
Further, Australia’s partners in the AUKUS enterprise, the United States and the United Kingdom, have decided to maintain and construct nuclear-powered submarines in Australia and share select secret advanced technologies and research with Australia. This arrangement requires the creation and operation of robust insider threat programs, aligned with U.S. and UK security practices, capturing tens of thousands of people across Australia and overseas. Australia cannot afford to fail to safeguard the nuclear technology secrets and submarine operations information that our key allies are willing to share.
Insider threat programs for the key government, defence, and private sector AUKUS entities are reportedly in place and will need to grow. These insider threat programs will be complex and demanding to operate effectively, with best practice indicating that there should be external review of these programs by suitably qualified providers.
Transport Security Amendment (Security of Australia’s Transport Sector) Act 2025
On 27 March 2025, the Transport Security Amendment (Security of Australia’s Transport Sector) Act 2025 (TSA Act) became operational.
The TSA Act enables amendment of the Aviation Transport Security Act 2004 (ATSA) and the Maritime Transport and Offshore Facilities Security Act 2003 (MTOFSA), updating legislative and policy frameworks to enable iterative, risk-based legislation aligned with the SOCI Act.
The most significant evolution in the TSA Act is the move from the early 2000s ATSA / MTOFSA focus on granting people access to zones and on cyber security to an all-encompassing risk-based ‘all-hazards’ approach spanning personnel, cyber, natural, and supply chain. The explanatory memorandum to the TSA Act states with respect to personnel security:
Personnel with access to systems, data or premises may pose insider threat risks including fraud, theft, espionage, infrastructure sabotage and misuse of sensitive data. This includes personnel such as employees, owners, operators, contractors, and subcontractors. In the transport sector, there has been a risk of issue-motivated disruptions perpetrated by insider personnel. Issue motivated groups can create disruptions through cyberspace and via non-violent protests, as well as serious and organised crime groups concealing illicit commodities from authorities while in transit.
Of the four hazard classes that are set out for risk mitigation action, only personnel security, which focuses on insider threat mitigation, is mandated for all 17 industry participants that are listed in the TSA Act legislation.
Insider threat is real and requires mitigation
To summarise, we see in Australia over the last four years that ASIO, the Department of Home Affairs (responsible for PSPF, SOCI, and TSA) and the Department of Defence (AUKUS) have raised new demands for insider threat programs, making clear the serious risk posed to Australia’s national security by insider threats.
Australian Government entities, such as the intelligence agencies and defence, have mature secure cultures and powerful personnel security controls based in legislation to mitigate insider threat. However, the vast majority of private sector entities, including critical infrastructure entities, do not have the benefit of a longstanding and mature security culture and practices from which to develop and operate an insider threat program.
The Australian Government’s intent and efforts to strengthen insider threat mitigation, in both the public and private sectors, are due to an increase in the array and intensity of threats, both cyber and people-based, noting that people are often integral to cyber threats. People are the link across all threat vectors.
An insider threat program is not a simple security mitigation measure. Designed well and operated effectively, an insider threat program not only mitigates insider threat and delivers a security dividend, but also delivers a bundle of positive workplace and enterprise outcomes including enhanced workplace health and safety, productivity, better recruitment outcomes, positive workplace culture, and financial savings on employee separation including post-employment management.
Recognising the insider threat exists and acting to mitigate it is good for business, and contributes to Australia’s economic success and national security.