Motive
Coercion
Curiosity
Espionage
Fear of Reprisals
Hubris
Human Error
Joiner
Lack of Awareness
Leaver
Misapprehension or Delusion
Mover
Personal Gain
Political or Philosophical Beliefs
Recklessness
Resentment
Self Sabotage
Third Party Collusion Motivated by Personal Gain
- ID: MT012
- Created: 22nd May 2024
- Updated: 26th July 2024
- Contributor: The ITM Team
Coercion
A subject is persuaded against their will to access and exfiltrate or destroy sensitive data, or conduct some other act that harms or undermines the target organization.
Subsections
| ID | Name | Description |
|---|---|---|
| MT012.004 | Emotional Vulnerability | A subject’s emotional state is exploited by a malicious third party, particularly during periods of heightened stress, grief, or personal hardship. The third party leverages this vulnerability to manipulate the subject into revealing sensitive information or performing actions that could compromise the organization. |
| MT012.002 | Extortion | A third party uses threats or intimidation to demand that a subject divulge information, grant access to devices or systems, or otherwise cause harm or undermine a target organization. |
| MT012.006 | Long-Term Relationship Building | A malicious third party gradually builds a relationship with the subject over an extended period, slowly gaining their trust. This trust is then exploited to access sensitive information or systems, often without the knowledge of the subject. |
| MT012.003 | Psychological Manipulation | A third party uses deception, exploitation, or other unethical methods to psychologically manipulate a subject over time, with the intent to influence their perceptions, actions, and decisions. This manipulation can lead the subject to, knowingly or unknowingly, act against the organization’s interests. |
| MT012.005 | Romantic Seduction | A malicious third party employs romantic interest or seduction as a manipulation tactic. Through emotional and psychological engagement, the third party persuades the subject to reveal confidential information, grant access to restricted resources, or carry out actions detrimental to the organization. |
| MT012.007 | Sexual Extortion | A subject is extorted by a third party threatening to expose sexual or indecent images connected to them, a tactic commonly referred to as sextortion. These images may be real, obtained by a third party, AI-generated, ‘deep fake’ images resembling the subject, or entirely fabricated claims. The extortion is typically financially motivated, which can drive the subject to harm the organization for personal gain. Alternatively, the third party may coerce the subject into compromising the organization by revealing sensitive information or granting unauthorized access. |
| MT012.001 | Social Engineering (Inbound) | A third party deceptively manipulates and/or persuades a subject to divulge information, or gain access to devices or systems, or to otherwise cause harm or undermine a target organization. |
Prevention
| ID | Name | Description |
|---|---|---|
| PV022 | Internal Whistleblowing | Provide a process for all staff members to report concerning and/or suspicious behaviour to the organization's security team for review. An internal whistleblowing process should take into consideration the privacy of the reporter and the subject(s) of the report, with specific regard to safeguarding against reprisals against reporters. |
| PV013 | Pre-Employment Background Checks | Background checks should be conducted to ensure whether the information provided by the candidate during the interview process is truthful. This could include employment and educational reference checks, and a criminal background check. Background checks can highlight specific risks, such as a potential for extortion. |