DOI: 10.3390/info17070627 ISSN: 2078-2489

Human Behaviour as a Predictor of Insider Threat: A PRISMA Systematic Literature Review and a Novel Ensemble-Based Detection Model

Christian Bowie, Hadi Larijani, Ayyaz Qureshi

Insider threats remain a significant challenge for modern organisations because of their potential to cause substantial financial and reputational damage. This paper presents a systematic review of insider-threat research (2019–2026) using the PRISMA methodology and introduces an empirically validated ensemble framework for insider-threat detection. The proposed approach combines User-Based Sequences (UBS), a self-supervised Transformer trained on next-token prediction and time-gap modelling, and an unsupervised anomaly-detection ensemble operating on model-derived behavioural features. The answers directory of the CERT r6.2 dataset is incorporated to provide ground truth for insider entities and episodes, enabling direct validation of detection outcomes. The framework integrates behavioural theory with machine-learning techniques to improve understanding of insider-threat precursors. Evaluation was performed using a seven-stage Isolation Forest ensemble incorporating multimodal behavioural and technical data streams. The approach identified all insider users, achieving 100% recall and an AUROC of 0.93. Comparative analysis against a previously reported model showed comparable AUROC and the same perfect recall despite differences in evaluation methodology. Precision remained low (0.004) because of the extreme class imbalance in the full CERT r6.2 population (5 insiders among 4000 users); this result highlights the operational challenges of insider-threat detection in realistic enterprise environments, where a threshold low enough to catch every insider also flags a large share of benign users. This research contributes a novel, reproducible framework that combines behavioural theory and advanced machine learning to support the detection and analysis of insider threats.
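The recall/precision/AUROC figures above are worth reproducing in miniature to see how they relate. The block below is an added example, not the authors' code or the paper's UBS pipeline: a standard-library Python Isolation Forest (Liu et al., 2008) run over constructed per-user behavioural features, scored against a constructed ground-truth list of 5 insiders among 4000 users, with rank-based AUROC and the precision obtained at the lowest threshold that reaches full recall. The four feature names (after-hours logons, USB events, MB uploaded, job-site visits), the synthetic distributions and the five insider vectors are assumptions for illustration. The "seven-stage" ensemble is modelled as seven independently seeded forests whose scores are averaged, which is a stand-in and not the paper's design.

```python
# Added example (not the paper's code): stdlib-only Isolation Forest ensemble
# over constructed per-user behavioural features, evaluated against a
# constructed ground truth of 5 insiders among 4000 users.
import math
import random

EULER_GAMMA = 0.5772156649
N_USERS, N_STAGES, N_TREES, SUBSAMPLE = 4000, 7, 20, 256

# Constructed (synthetic) feature vectors per user for one review window:
# (after-hours logons, USB events, MB uploaded, job-site visits).
INSIDERS = [
    (12.0, 9.0, 420.0, 6.0),   # overt exfiltration
    (9.0, 6.0, 300.0, 4.0),
    (7.0, 5.0, 180.0, 3.0),
    (6.0, 4.0, 120.0, 2.0),
    (3.0, 2.0, 70.0, 1.0),     # "low and slow": inside the normal envelope
]
NORMAL_DIST = ((2, 1.5), (1, 1), (50, 20), (0.5, 0.7))  # (mean, sd) per feature, assumed

def make_population(seed=7):
    """Return (features, labels); label 1 marks a ground-truth insider."""
    rng = random.Random(seed)
    normals = [tuple(max(0.0, rng.gauss(mu, sd)) for mu, sd in NORMAL_DIST)
               for _ in range(N_USERS - len(INSIDERS))]
    return normals + INSIDERS, [0] * len(normals) + [1] * len(INSIDERS)

def c_factor(n):
    """Expected path length of an unsuccessful BST search on n points."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n

def build_tree(points, rng, depth=0, max_depth=8):
    """Random axis-aligned splits until isolation or the depth limit."""
    if depth >= max_depth or len(points) <= 1:
        return ("leaf", len(points))
    f = rng.randrange(len(points[0]))
    lo, hi = min(p[f] for p in points), max(p[f] for p in points)
    if lo == hi:
        return ("leaf", len(points))
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[f] < split]
    right = [p for p in points if p[f] >= split]
    return ("node", f, split,
            build_tree(left, rng, depth + 1, max_depth),
            build_tree(right, rng, depth + 1, max_depth))

def path_length(tree, p):
    depth = 0
    while tree[0] == "node":
        _, f, split, left, right = tree
        tree = left if p[f] < split else right
        depth += 1
    return depth + c_factor(tree[1])  # leaf size adjusts for early cut-off

def isolation_forest_scores(feats, seed):
    """Anomaly score in (0, 1]; near 1 means the point isolates quickly."""
    rng = random.Random(seed)
    max_depth = math.ceil(math.log2(SUBSAMPLE))
    trees = [build_tree(rng.sample(feats, SUBSAMPLE), rng, 0, max_depth)
             for _ in range(N_TREES)]
    norm = c_factor(SUBSAMPLE)
    scores = []
    for p in feats:
        mean_path = sum(path_length(t, p) for t in trees) / N_TREES
        scores.append(2.0 ** (-mean_path / norm))
    return scores

def ensemble_scores(feats):
    """Seven-stage stand-in (an assumption, not the paper's design):
    seven independently seeded forests with their scores averaged."""
    stages = [isolation_forest_scores(feats, seed) for seed in range(N_STAGES)]
    return [sum(col) / N_STAGES for col in zip(*stages)]

def auroc(scores, labels):
    """Rank-based AUROC: P(insider score > normal score), ties count 1/2."""
    pos = [s for s, l in zip(scores, labels) if l]
    neg = [s for s, l in zip(scores, labels) if not l]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def metrics_at_full_recall(scores, labels):
    """Lowest threshold that flags every insider, and what that costs in precision."""
    threshold = min(s for s, l in zip(scores, labels) if l)
    flagged = [l for s, l in zip(scores, labels) if s >= threshold]
    tp = sum(flagged)
    return {"threshold": threshold, "flagged": len(flagged),
            "recall": tp / sum(labels), "precision": tp / len(flagged)}

def run():
    feats, labels = make_population()
    scores = ensemble_scores(feats)
    out = metrics_at_full_recall(scores, labels)
    out["auroc"] = auroc(scores, labels)
    return out

if __name__ == "__main__":
    r = run()
    print(f"AUROC={r['auroc']:.3f} recall={r['recall']:.2f} "
          f"precision={r['precision']:.4f} flagged={r['flagged']} of {N_USERS}")
```

The four overt insiders isolate in every forest and dominate the ranking, so AUROC stays high; the single low-and-slow insider sits inside the normal envelope, so the threshold needed to reach 100% recall also admits hundreds of benign users and precision collapses. The same arithmetic underlies the abstract's own figures: a precision of 0.004 with 5 true positives implies roughly 5/0.004 = 1250 flagged accounts, about 31% of the 4000-user population, for analysts to triage. When reading any insider-threat result, check the flagged count implied by precision at the reported recall, not the AUROC alone.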
