A comparative analysis technique that evaluates individual user behavior against similar users in the same role, department, or organizational context to identify outliers and anomalies.
Peer group analysis is particularly effective for insider threat detection as it accounts for legitimate role-based variations in behavior while identifying individuals who deviate significantly from their peers. The technique considers factors such as job function, seniority level, department, geographic location, and project assignments. For example, if most finance team members access 10-15 files daily but one user consistently accesses 200+ files, this warrants investigation. The approach reduces false positives compared to absolute threshold-based detection.
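The comparison described above, as an added example that is not part of the original entry: it scores each user against the median of their own peer group and contrasts the result with a single absolute threshold. The sample data, group names, the median/MAD robust score and the 3.5 cutoff are assumptions chosen for illustration, not values the entry prescribes.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (user, peer_group, mean files accessed per day).
SAMPLE = [
    ("fin01", "finance", 12), ("fin02", "finance", 10), ("fin03", "finance", 15),
    ("fin04", "finance", 11), ("fin05", "finance", 14), ("fin06", "finance", 210),
    ("arc01", "records", 480), ("arc02", "records", 510), ("arc03", "records", 495),
    ("arc04", "records", 530), ("arc05", "records", 470),
]

def absolute_threshold(rows, limit=100):
    """Baseline for comparison: one org-wide limit, blind to role."""
    return sorted(user for user, _, n in rows if n > limit)

def peer_outliers(rows, cutoff=3.5, min_peers=5):
    """Flag users whose activity is far above their own peer group's median.

    Uses a robust z-score (median and MAD) so that the outlier itself
    does not inflate the baseline it is measured against.
    """
    groups = defaultdict(list)
    for user, group, n in rows:
        groups[group].append((user, n))

    flagged = {}
    for members in groups.values():
        if len(members) < min_peers:
            continue  # too few peers to form a meaningful baseline
        values = [n for _, n in members]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        # 1.4826 * MAD approximates a standard deviation for normal data;
        # fall back to 1.0 when all peers are identical (MAD == 0).
        scale = 1.4826 * mad or 1.0
        for user, n in members:
            score = (n - med) / scale
            if score > cutoff:
                flagged[user] = round(score, 1)
    return flagged

if __name__ == "__main__":
    print("absolute threshold:", absolute_threshold(SAMPLE))
    print("peer group outliers:", peer_outliers(SAMPLE))
```

On this data the absolute threshold flags every member of the high-volume records group along with the finance user, while the peer comparison flags only the finance user who deviates from their own group.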