ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: MT003
  • Created: 22nd May 2024
  • Updated: 25th April 2025
  • Contributor: The ITM Team

Leaver

A subject leaving the organisation with access to sensitive data with the intent to access and exfiltrate sensitive data or otherwise contravene internal policies.

Prevention

ID Name Description
PV024Employee Off-boarding Process

When an employee leaves the organization, a formal process should be followed to ensure all equipment is returned, and any associated accounts or access is revoked.

PV003Enforce an Acceptable Use Policy

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

PV054Human Resources Collaboration for Early Threat Detection

Implement a process whereby HR data and observations, including those from managers and colleagues, can be securely communicated in a timely manner to investigators, triggering proactive monitoring of potential insider threats early in their lifecycle. Collaboration between HR teams, managers, colleagues, and investigators is essential for detecting concerning behaviors or changes in an employee's personal circumstances that could indicate an increased risk of insider threat.

 

Mental Health and Personal Struggles

  • Trigger Event: HR receives reports or observes a significant change in an employee's behavior or performance, which may indicate mental health issues or personal struggles that could elevate the likelihood of an insider threat. This information may come from managers, colleagues, or direct observations within HR.
  • Indicator: Multiple reports from managers, direct supervisors, or colleagues highlighting behavior changes such as stress, depression, or erratic actions.
  • Response: HR teams should notify investigators of high-risk employees with visible signs of distress or any reported instances that might indicate susceptibility to manipulation or exploitation.

 

Negative Statements or Discontent with the Company

  • Trigger Event: HR identifies instances of employees making negative statements about the company, its leadership, or its operations, potentially through personal social media channels, internal communications, or third-party reports. Additionally, such concerns might be raised by managers or colleagues.
  • Indicator: Recorded incidents where employees voice dissatisfaction in forums or interactions that may expose vulnerabilities within the company, which may come from colleagues, managers, or HR’s internal channels.
  • Response: Immediate referral to investigators for further investigation, including tracking if such sentiments are coupled with any increase in risky behaviors (e.g., accessing sensitive data or systems without authorization).

 

Excessive Financial Purchases (Potential Embezzlement or Third-Party Influence)

  • Trigger Event: HR or finance teams notice discrepancies in an employee's personal financial behavior—particularly excessive spending patterns that appear inconsistent with their known salary or financial profile. This could indicate embezzlement, financial mismanagement, or payments from third parties. Such concerns may also be raised by managers or colleagues.
  • Indicator: Transactions that show a high degree of personal spending or financial behavior inconsistent with the employee’s compensation, possibly flagged by HR, finance, or colleagues who notice unusual behaviors.
  • Response: Referral to investigators for correlation with employee access to financial or sensitive company systems, along with further scrutiny of potential illicit financial transactions. Third-party or whistleblower reports, including from colleagues or managers, may also be investigated as part of a broader risk assessment.

 

Hearsay and Indirect Reports

  • Trigger Event: Anonymous or informal reports—such as rumors or gossip circulating in the workplace—that hint at potential insider threat behaviors. These reports, often from colleagues or managers, may be unsubstantiated, but they still warrant an alert if the volume or credibility of the information increases.
  • Indicator: Reports or concerns raised by employees, colleagues, or external parties suggesting that an employee may be engaging in unusual behaviors, such as excessive contact with external vendors, financial irregularities, or internal dissatisfaction.
  • Response: Investigators work with HR to assess the situation by cross-referencing any concerns, including those from colleagues or managers, with the employee's activity patterns, communication, and access to sensitive systems.

 

Implementation Considerations

  • Collaboration Framework: A clear and secure protocol for HR, managers, colleagues, and investigators to share critical information regarding employees at risk. This should maintain employee privacy and legal protections, while still enabling timely alerts.
  • Confidentiality and Privacy: All information related to personal behavior, health, or financial matters must be handled with sensitivity and in accordance with legal and regulatory frameworks, such as GDPR or local privacy laws.
  • Continuous Monitoring: Once flagged, employees should be monitored for any other risk indicators, including changes in data access patterns, unapproved system access, or behavior that correlates with identified risks.
PV038Insider Threat Awareness Training

Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion.

PV048Privileged Access Management (PAM)

Privileged Access Management (PAM) is a critical security practice designed to control and monitor access to sensitive systems and data. By managing and securing accounts with elevated privileges, PAM helps reduce the risk of insider threats and unauthorized access to critical infrastructure.

 

Key Prevention Measures:


Least Privilege Access: PAM enforces the principle of least privilege by ensuring users only have access to the systems and data necessary for their role, limiting opportunities for misuse.

  • Just-in-Time (JIT) Access: PAM solutions provide temporary, on-demand access to privileged accounts, ensuring users can only access sensitive environments for a defined period, minimizing exposure.
  • Centralized Credential Management: PAM centralizes the management of privileged accounts and credentials, automatically rotating passwords and securely storing sensitive information to prevent unauthorized access.
  • Monitoring and Auditing: PAM solutions continuously monitor and log privileged user activities, providing a detailed audit trail for detecting suspicious behavior and ensuring accountability.
  • Approval Workflows: PAM incorporates approval processes for accessing privileged accounts, ensuring that elevated access is granted only when justified and authorized by relevant stakeholders.

 

Benefits:


PAM enhances security by reducing the attack surface, improving compliance with regulatory standards, and enabling greater control over privileged access. It provides robust protection for critical systems by limiting unnecessary exposure to high-level access, facilitating auditing and accountability, and minimizing opportunities for both insider and external threats.

PV046Regulation Awareness Training

Regulation Awareness Training equips staff with the knowledge and understanding required to comply with legal, regulatory, and policy obligations relevant to their roles. This includes, but is not limited to, export controls, international sanctions, anti-bribery laws, conflict-of-interest rules, antitrust regulations, and data protection requirements.

 

The training should be customized according to the specific risks of different roles within the organization, ensuring that employees in high-risk areas—such as legal, procurement, sales, finance, engineering, and senior management—receive in-depth education on how to recognize and avoid behaviors that could lead to regulatory violations. Scenarios that could result in inadvertent or intentional breaches should be addressed, alongside practical advice on how to report concerns and escalate issues.

 

To accommodate varying learning styles and operational needs, Regulation Awareness Training can be delivered through multiple formats:

 

  • eLearning Modules: For general staff, to provide flexible, scalable training on compliance topics, which can be completed at the employee's convenience.
  • Instructor-led Sessions: For higher-risk roles or senior management, where more interactive, in-depth training may be necessary to address complex regulatory requirements and nuanced decision-making.
  • Scenario-based Workshops: To reinforce learning with real-world examples and role-playing exercises that help employees internalize regulatory concepts.

 

By fostering a culture of compliance and accountability, Regulation Awareness Training helps minimize the risk of breaches, whether intentional or accidental, and strengthens the organization’s ability to identify, prevent, and respond to regulatory infringements.

Detection

ID Name Description
DT045Agent Capable of User Activity Monitoring

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

 

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

 

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

 

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

DT047Agent Capable of User Behaviour Analytics

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

 

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

 

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

 

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

DT048Data Loss Prevention Solution

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

 

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

DT104Leaver Watchlist

In relevant security tooling (such as a SIEM or EDR), a watchlist (also known as a reference set) should be used to monitor for any activity generated by accounts belonging to employees who have left the organization, as this is unexpected. This can help to ensure that the security team readily detects any unrevoked access or account usage.

 

This process must be in partnership with the Human Resources team, which should inform the security team when an individual leaves the organization (during an Employee Off-Boarding Process, see PV024), including their full and user account names. Ideally, this process should be automated to prevent any gaps in monitoring between the information being sent and the security team adding the name(s) to the watchlist. All format variations should be considered as individual entries in the watchlist to ensure accounts using different naming conventions will generate alerts, such as john.smith, john smith, john.smith@company.com, and jsmith.

 

False positives could occur if there is a legitimate reason for interaction with the account(s), such as actions conducted by IT staff.