One of the most difficult cybersecurity threats to detect is the insider threat, especially when related to the detection of fraud. Normally we detect changes of behaviour and identify the key signs of someone committing an insider attack. For this, we might gather data on email traffic, remote access traffic, work patterns, and so on. Then from this data, we can make observations from inferences than can be used to define particular states. This can be used to match particular indicator patterns of behaviour.