
Insider Threat Matrix™

About Us

ITM is a continually growing framework for Digital Investigators investigating instances of computer-enabled insider threats in organizations of any size.

The ITM is used to map the trajectory of a subject, both pre- and post-infringement, giving investigators a structure in which to categorize evidence and to articulate the motive, means, and methods used by the subject of an investigation. The ITM was created to unify varying concepts and terms for Digital Investigators, providing a common language across people, processes and technology to better address the challenge of computer-enabled insider threats.

ITM was created by James Weston from Forscie, and Joshua Beaman from Security Blue Team.

Forscie specialises in digital forensics, cyber incident response, insider risk/threat investigations, and training.

Security Blue Team is a leading cybersecurity training company dedicated to cultivating a new generation of experts and bridging the gap between skill development and industry demands.

Using ITM

Detection Engineering

By reviewing ITM Detections, organizations can identify gaps in their detection coverage and use the information provided to write new rules for insider threat activity. References to ITM IDs or pages can also be included in alert playbooks to give investigating analysts more context, allowing them to better understand what they're looking at.

Activity Correlation

Using ITM IDs as artifacts/observables within a case management platform or incident reporting can help to identify trends that could highlight the need to implement security controls, alter organizational processes, or otherwise address the issue of repeat offending.

Standardized Language

The ITM offers comprehensive documentation of the 'why and how' of insider threats, ensuring investigators can recognize and discuss threats using a unified language.

Policy Writing

The ITM provides a comprehensive overview of the insider threat life cycle. As a result, it can be used to establish policies that mitigate a broad base of insider threat activity and ensure insider threats are handled appropriately once detected. At a minimum, the ‘Infringements’ listed in the ITM can be used to write rules that prohibit harmful activity.