A Systematic Review of Agent-Based and Mean-Field Models for Insider Threat Dynamics: Methods, Architectures, and Future Research Directions
Keywords:
Insider Threat, Agent-Based Models, Mean-Field Models, Cybersecurity, Behavioral Modelling, Multi-Agent Systems
Abstract
Insider threats represent one of the most complex and critical challenges in modern cybersecurity, arising from individuals within an organization who exploit legitimate access privileges for malicious purposes. Traditional detection approaches often fail to capture the dynamic, behavioral, and social dimensions of insider threat evolution. To address these challenges, mathematical modelling frameworks such as agent-based models (ABM) and mean-field models have emerged as powerful tools for simulating insider threat dynamics and understanding emergent behaviors in organizational systems. Agent-based models enable the representation of individuals as autonomous agents interacting within a socio-technical environment, capturing behavioral, psychological, and organizational factors influencing malicious actions. In contrast, mean-field models provide a macroscopic perspective by approximating collective dynamics through aggregated system-level equations, offering computational efficiency and scalability. Recent advancements between 2018 and 2023 have integrated these approaches with machine learning, game theory, and stochastic modelling to improve prediction accuracy and real-time detection capabilities. This review systematically examines the evolution of ABM and mean-field models for insider threat dynamics, focusing on modelling techniques, architectural frameworks, and real-world applications. It also highlights key challenges, including data scarcity, model validation, and interpretability, while identifying future research directions toward intelligent, adaptive, and scalable insider threat mitigation systems.