Monitoring only for proscribed activities means you can detect only those attacks you know about or that show up at the level of the audit trail (and many don't) Before engagning in profile building the organization has to get the full cooperation of users, which means conveyingh to them the value to THEM of detecting unauthorized use of their accounts. Also, in most corprate settings and many or all govt settings, the computer facility is only for official use. Also, gathering statistics, while allowing some understanding of a user's behavior, does not mean reading their email or contents of files. Teresa Lunt