
Insider Threat Matrix™

  • ID: AR2
  • Created: 22nd May 2024
  • Updated: 23rd July 2024

Means

The mechanisms or circumstances required for an infringement to occur.

Sections

ME024 Access

A subject holds access to both physical and digital assets that can enable insider activity. This includes systems such as databases, cloud platforms, and internal applications, as well as physical environments like secure office spaces, data centers, or research facilities. When a subject has access to sensitive data or systems—especially with broad or elevated privileges—they present an increased risk of unauthorized activity.

Subjects in roles with administrative rights, technical responsibilities, or senior authority often have the ability to bypass controls, retrieve restricted information, or operate in areas with limited oversight. Even standard user access, if misused, can facilitate data exfiltration, manipulation, or operational disruption. Weak access controls—such as excessive permissions, lack of segmentation, shared credentials, or infrequent reviews—further compound this risk by enabling subjects to exploit access paths that should otherwise be limited or monitored.

Furthermore, subjects with privileged or strategic access may be more likely to be targeted for recruitment by external parties to exploit their position. This can include coercion, bribery, or social engineering designed to turn a trusted insider into an active participant in malicious activities.

ME018 Aiding and Abetting

An individual or individuals knowingly assist a subject to gain access to devices, systems, or services that hold sensitive information, or otherwise contravene internal policies.

ME001 Asset Control

A subject can access devices that have not been assigned to them.

ME004 Bluetooth

A subject can conduct Bluetooth file transfers from an organization device.

ME022 Bring Your Own Device (BYOD)

An organization has a Bring Your Own Device (BYOD) policy, where a subject is authorized to connect personally owned devices—such as smartphones, tablets, or laptops—to organizational resources. These resources include corporate networks, cloud applications, and on-premises systems that may handle confidential and/or sensitive information.

The use of personal devices in a corporate environment introduces several risks, as these devices may lack the same level of security controls and monitoring as organization-owned equipment.

ME012 Clipboard

A subject can use the clipboard on a device (copy & paste).

ME009 FTP Servers

A subject is able to access external FTP servers.

ME003 Installed Software

A subject can leverage software approved for installation or software that is already installed.

ME013 Media Capture

A subject can capture photos, videos and/or audio with an external device, such as taking photos of a screen, documents, or their surroundings.

ME008 Network Attached Storage

A subject can write to a Network Attached Storage (NAS) device outside of the organization's control.

ME017 Physical Disk Access

A subject has the ability to access the physical disk of a target system.

ME025 Placement

A subject’s placement within an organization shapes their potential to conduct insider activity. Placement refers to the subject’s formal role, business function, or proximity to sensitive operations, intellectual property, or critical decision-making processes. Subjects embedded in trusted positions—such as those in legal, finance, HR, R&D, or IT—often possess inherent insight into internal workflows, organizational vulnerabilities, or confidential information.

Strategic placement can grant the subject routine access to privileged systems, classified data, or internal controls that, if exploited, may go undetected for extended periods. Roles that involve oversight responsibilities or authority over process approvals can also allow for policy manipulation, the suppression of alerts, or the facilitation of fraudulent actions.

Subjects in these positions may not only have a higher capacity to carry out insider actions but may also be more appealing targets for adversarial recruitment or collusion, given their potential to access and influence high-value organizational assets. The combination of trust, authority, and access tied to their placement makes them uniquely positioned to execute or support malicious activity.

ME014 Printing

A subject has the ability to print documents and other files.

ME007 Privileged Access

A subject has privileged access to devices, systems or services that hold sensitive information.

ME005 Removable Media

A subject can mount and write to removable media.

ME011 Screenshots

A subject can take screenshots on a device.

ME023 Sensitivity Label Leakage

Sensitivity label leakage refers to the exposure or misuse of classification metadata—such as Microsoft Purview Information Protection (MIP) sensitivity labels—through which information about the nature, importance, or confidentiality of a file is unintentionally or deliberately disclosed. While the underlying content of the document may remain encrypted or otherwise protected, the presence and visibility of sensitivity labels alone can reveal valuable contextual information to an insider.

This form of leakage typically occurs when files labeled with sensitivity metadata are transferred to insecure locations, shared with unauthorized parties, or surfaced in logs, file properties, or collaboration tool interfaces. Labels may also be leaked through misconfigured APIs, email headers, or third-party integrations that inadvertently expose metadata fields. The leakage of sensitivity labels can help a malicious insider identify and prioritize high-value targets or navigate internal systems with greater precision, without needing immediate access to the protected content.

Examples of Use:

  • An insider accesses file properties on a shared drive to identify documents labeled Highly Confidential with the intention of exfiltrating them later.
  • Sensitivity labels are exposed in outbound email headers or logs, revealing the internal classification of attached files.
  • Files copied to an unmanaged device retain their label metadata, inadvertently disclosing sensitivity levels if examined later.

ME015 SMB File Sharing

A subject has the ability to share files across a network through Server Message Block (SMB) file sharing.

ME010 SSH Servers

A subject is able to access external SSH servers.

ME016 System Startup Firmware Access

A subject has the ability to access the system startup firmware of a target system.

ME002 Unrestricted Software Installation

A subject can install software on a device without restriction.

ME021 Unrevoked Access

A subject has left the organization but still holds access to services or data that are reserved for employees.

ME006 Web Access

A subject can access the web with an organization device.