- ID: AR2
- Created: 22nd May 2024
- Updated: 23rd July 2024
Means
The mechanisms or circumstances required for an infringement to occur.
Sections
ID | Name | Description |
---|---|---|
ME026 | Ability to Modify Cloud Resources | A subject is able to create, modify, or delete cloud resources within an organization. |
ME024 | Access | A subject holds access to both physical and digital assets that can enable insider activity. This includes systems such as databases, cloud platforms, and internal applications, as well as physical environments like secure office spaces, data centers, or research facilities. When a subject has access to sensitive data or systems—especially with broad or elevated privileges—they present an increased risk of unauthorized activity.
Subjects in roles with administrative rights, technical responsibilities, or senior authority often have the ability to bypass controls, retrieve restricted information, or operate in areas with limited oversight. Even standard user access, if misused, can facilitate data exfiltration, manipulation, or operational disruption. Weak access controls—such as excessive permissions, lack of segmentation, shared credentials, or infrequent reviews—further compound this risk by enabling subjects to exploit access paths that should otherwise be limited or monitored.
Furthermore, subjects with privileged or strategic access may be more likely to be targeted for recruitment by external parties to exploit their position. This can include coercion, bribery, or social engineering designed to turn a trusted insider into an active participant in malicious activities. |
ME018 | Aiding and Abetting | An individual or individuals knowingly assist a subject to gain access to devices, systems, or services that hold sensitive information, or otherwise contravene internal policies. |
ME001 | Asset Control | A subject can access devices that have not been assigned to them. |
ME004 | Bluetooth | A subject can conduct Bluetooth file transfers from an organization device. |
ME022 | Bring Your Own Device (BYOD) | An organization has a Bring Your Own Device (BYOD) policy, where a subject is authorized to connect personally owned devices—such as smartphones, tablets, or laptops—to organizational resources. These resources include corporate networks, cloud applications, and on-premises systems that may handle confidential and/or sensitive information.
The use of personal devices in a corporate environment introduces several risks, as these devices may lack the same level of security controls and monitoring as organization-owned equipment. |
ME012 | Clipboard | A subject can use the clipboard on a device (copy & paste). |
ME028 | Delegated Access via Managed Service Providers | An organization entrusts a Managed Service Provider (MSP) with administrative or operational access to its digital environment - typically for IT support, system maintenance, or development functions. This access is often persistent, privileged, and spans sensitive infrastructure or data environments.
The means is established when MSP personnel, including potential subjects, are permitted to authenticate into the client’s environment from systems or networks entirely outside the client's visibility or jurisdiction. These MSP endpoints may be unmanaged, unmonitored, or physically located in regions where the customer organization's policies, incident response authority, or legal recourse do not apply.
This creates an unobservable access channel: the subject operates from infrastructure beyond the reach of the customer organization's logging, endpoint detection, or identity correlation. The organization is therefore unable to monitor or verify who accessed what, when, or from where—rendering all downstream actions unauditable by the customer organization's internal security teams, unless mirrored within the client-controlled environment.
The exposure can be compounded by the MSP’s internal controls (or lack thereof). Weak credential custody practices, shared administrative accounts, inadequate background checks, or poor workforce segmentation create conditions where privileged misuse or unauthorized access can occur without attribution or immediate detection. The subject does not require escalation—they begin with sanctioned access and operate under delegated trust, often without the constraints applied to internal staff.
This structural dependency - privileged access held externally, without enforceable oversight - creates the necessary conditions for an insider infringement to occur with low risk of interruption or accountability. |
ME009 | FTP Servers | A subject is able to access external FTP servers. |
ME003 | Installed Software | A subject can leverage software approved for installation or software that is already installed. |
ME013 | Media Capture | A subject can capture photos, videos and/or audio with an external device, such as taking photos of a screen, documents, or their surroundings. |
ME008 | Network Attached Storage | A subject can write to a Network Attached Storage (NAS) device outside the organization’s control. In remote or hybrid settings, the subject’s ability to access NAS devices on their personal LAN — from a corporate-managed endpoint — introduces a persistent and often unmonitored risk vector.
These consumer-grade platforms (e.g., Synology, QNAP, WD My Cloud) fall outside the scope of organizational governance, yet remain fully accessible when the subject is working from home. If reachable, they provide a standing means to stage, duplicate, or transfer sensitive enterprise data.
This capability is particularly dangerous when VPN configurations permit split tunneling, which allows local subnet access alongside corporate resources; many full-tunnel VPN clients also offer a "local LAN access" exception that has the same effect. Even in the absence of deliberate misuse, the continued accessibility of these unmanaged file-sharing services expands the subject’s technical means and circumvention potential. |
ME017 | Physical Disk Access | A subject has the ability to access the physical disk of a target system. |
ME025 | Placement | A subject’s placement within an organization shapes their potential to conduct insider activity. Placement refers to the subject’s formal role, business function, or proximity to sensitive operations, intellectual property, or critical decision-making processes. Subjects embedded in trusted positions—such as those in legal, finance, HR, R&D, or IT—often possess inherent insight into internal workflows, organizational vulnerabilities, or confidential information.
Strategic placement can grant the subject routine access to privileged systems, classified data, or internal controls that, if exploited, may go undetected for extended periods. Roles that involve oversight responsibilities or authority over process approvals can also allow for policy manipulation, the suppression of alerts, or the facilitation of fraudulent actions.
Subjects in these positions may not only have a higher capacity to carry out insider actions but may also be more appealing targets for adversarial recruitment or collusion, given their potential to access and influence high-value organizational assets. The combination of trust, authority, and access tied to their placement makes them uniquely positioned to execute or support malicious activity. |
ME014 | Printing | A subject has the ability to print documents and other files. |
ME007 | Privileged Access | A subject has privileged access to devices, systems or services that hold sensitive information. |
ME005 | Removable Media | A subject can mount and write to removable media. |
ME011 | Screenshots and Screen Recording | A subject can take screenshots or record their screen on a device. |
ME023 | Sensitivity Label Leakage | Sensitivity label leakage refers to the exposure or misuse of classification metadata, such as Microsoft Purview Information Protection (MIP) sensitivity labels, through which information about the nature, importance, or confidentiality of a file is unintentionally or deliberately disclosed. While the underlying content of the document may remain encrypted or otherwise protected, the presence and visibility of sensitivity labels alone can reveal valuable contextual information to an insider.
This form of leakage typically occurs when files labeled with sensitivity metadata are transferred to insecure locations, shared with unauthorized parties, or surfaced in logs, file properties, or collaboration tool interfaces. Labels may also be leaked through misconfigured APIs, email headers, or third-party integrations that inadvertently expose metadata fields. The leakage of sensitivity labels can help a malicious insider identify and prioritize high-value targets or navigate internal systems with greater precision, without needing immediate access to the protected content. |
ME015 | SMB File Sharing | A subject has the ability to share files across a network through Server Message Block (SMB) file sharing. |
ME010 | SSH Servers | A subject is able to access external SSH servers. |
ME016 | System Startup Firmware Access | A subject has the ability to access the system startup firmware of a target system. |
ME027 | Unmanaged Credential Storage | Authentication credentials, including passwords, API keys, and tokens, are stored in unmanaged locations outside the scope of enterprise access governance. These may include plain text documents, spreadsheets, shared folders, configuration files, or personal notes. These storage locations are not subject to audit, version control, or policy enforcement, and often fall outside of privileged access management (PAM) or identity and access management (IAM) systems.
Unmanaged credential storage creates a latent security condition in which one or more subjects may be able to retrieve high-privilege credentials without generating any access logs or triggering control workflows. In many cases, these credentials are reused across systems, are not rotated, and are inconsistently protected. This creates durable risk, especially in environments where entitlement reviews do not include stored credentials as an exposure category.
The presence of unmanaged credentials increases the feasibility of lateral movement, privilege escalation, and untraceable access to sensitive systems. Investigators should treat the existence of untracked or insecurely stored credentials as an enabling factor when reconstructing access conditions for an infringement. Their presence also indicates control breakdowns that may permit future abuse or support behavioral drift within privileged roles. |
ME002 | Unrestricted Software Installation | A subject can install software on a device without restriction. |
ME021 | Unrevoked Access | The subject has left the organization but still has access to services or data that are reserved for employees. |
ME006 | Web Access | A subject can access the web with an organization device. |
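
The following is an added detection sketch for ME008 (Network Attached Storage); it is not part of the original entry or the project's own material. Given endpoint connection telemetry, it flags connections from a managed laptop to typical NAS ports on a private address that is not part of the corporate address plan, and records whether the VPN was up (split tunnel or local LAN exception in effect) or down at the time. The key=value log format, the vpn= field, the corporate subnets, the NAS port list and the sample log lines are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 and IPv6 ULA space, listed explicitly rather than via
# ipaddress.is_private, which also counts documentation ranges as private.
PRIVATE_SPACE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Constructed corporate address plan (an assumption for this example): the
# subnets that legitimately sit behind the VPN. Any other private address
# reached from the endpoint is somebody else's LAN.
CORPORATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]

# Ports a consumer NAS commonly exposes: NetBIOS session, SMB, NFS, AFP, and
# the default web/file-station ports of Synology (5000/5001) and QNAP (8080).
NAS_PORTS = {139, 445, 2049, 548, 5000, 5001, 8080}


@dataclass
class Finding:
    host: str
    user: str
    process: str
    dest_ip: str
    dest_port: int
    reason: str


def is_foreign_private(ip_str: str) -> bool:
    """True for private addresses that lie outside the corporate plan."""
    ip = ipaddress.ip_address(ip_str)
    if not any(ip in net for net in PRIVATE_SPACE):
        return False
    return not any(ip in net for net in CORPORATE_NETS)


def parse_line(line: str) -> dict:
    """Parse the constructed key=value connection-log format used below."""
    return dict(kv.split("=", 1) for kv in line.split())


def detect_nas_reach(lines):
    """Flag connections from a managed endpoint to NAS ports on a non-corporate
    private address, noting whether the VPN was up (split tunnel) or down."""
    findings = []
    for line in lines:
        f = parse_line(line)
        port = int(f["dport"])
        if port not in NAS_PORTS or not is_foreign_private(f["dip"]):
            continue
        if f.get("vpn") == "connected":
            reason = "NAS port on non-corporate private IP while VPN up: split tunnel in effect"
        else:
            reason = "NAS port on non-corporate private IP with VPN down: unmanaged LAN share reachable"
        findings.append(Finding(f["host"], f["user"], f["proc"], f["dip"], port, reason))
    return findings


# Constructed endpoint connection log; the vpn= field is assumed to come from
# the VPN client's own telemetry. 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    "ts=2024-07-01T09:12:03Z host=LT-4412 user=jdoe proc=explorer.exe dip=192.168.1.20 dport=445 vpn=connected",
    "ts=2024-07-01T09:12:09Z host=LT-4412 user=jdoe proc=explorer.exe dip=10.20.5.7 dport=445 vpn=connected",
    "ts=2024-07-01T09:13:41Z host=LT-4412 user=jdoe proc=chrome.exe dip=203.0.113.10 dport=443 vpn=connected",
    "ts=2024-07-01T09:15:02Z host=LT-4412 user=jdoe proc=svchost.exe dip=127.0.0.1 dport=445 vpn=connected",
    "ts=2024-07-01T18:40:17Z host=LT-4412 user=jdoe proc=robocopy.exe dip=192.168.1.20 dport=5000 vpn=disconnected",
]

if __name__ == "__main__":
    for hit in detect_nas_reach(SAMPLE_LOG):
        print(f"{hit.host} {hit.user} {hit.process} -> {hit.dest_ip}:{hit.dest_port}  {hit.reason}")
```

The corporate file server at 10.20.5.7 and the loopback connection are deliberately left unflagged; only the two reaches to 192.168.1.20 (SMB while the tunnel is up, then the Synology web port after the VPN dropped) are reported. In a real deployment the vpn state would come from the VPN client log or the endpoint agent, and the corporate plan would be the organization's actual allocation.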
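
The following is an added example for ME023 (Sensitivity Label Leakage); it is not part of the original entry or the project's own material. It builds constructed .docx-shaped zip files whose docProps/custom.xml carries MSIP_Label_* custom document properties (the naming convention Office uses to persist a Purview sensitivity label) and then ranks the files by label without opening their bodies, which is exactly what a subject with file-system access but no rights to the protected content can do. The label GUID, tenant ID, label names, field values and the priority order are assumptions; the placeholder parts are not a valid Office document.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# Office stores a label as custom properties named MSIP_Label_<label GUID>_<field>.
# The GUID and tenant ID below are constructed for this example.
LABEL_ID = "3d1a7f44-0c2e-4b9a-8e61-5b6f2c0d9a11"
TENANT_ID = "9e8d7c6b-5a4f-4e3d-9c2b-1a0f9e8d7c6b"
MSIP_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")
# Constructed triage order; a real tenant's label names will differ.
LABEL_PRIORITY = {"Highly Confidential": 3, "Confidential": 2, "Internal": 1, "Public": 0}


def render_custom_xml(label_id, fields):
    """Serialise MSIP_Label_* properties in the docProps/custom.xml shape Office uses."""
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{pid}" '
        f'name="MSIP_Label_{label_id}_{field}"><vt:lpwstr>{escape(value)}</vt:lpwstr></property>'
        for pid, (field, value) in enumerate(fields.items(), start=2)
    )
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">{props}</Properties>'
    )


def build_docx(label_fields=None):
    """Build a minimal .docx-shaped zip (constructed, not a real Office file).
    The body parts are placeholders; only the label metadata matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if label_fields:
            zf.writestr("docProps/custom.xml", render_custom_xml(LABEL_ID, label_fields))
    return buf.getvalue()


def extract_sensitivity_labels(docx_bytes):
    """Return {label_guid: {field: value}} read from docProps/custom.xml only.
    The document body, which may be encrypted, is never opened."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return labels
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
        m = MSIP_RE.match(prop.get("name", ""))
        if not m:
            continue
        guid, field = m.groups()
        child = next(iter(prop), None)  # the single vt:* value element
        labels.setdefault(guid, {})[field] = child.text if child is not None else None
    return labels


def label_name(docx_bytes):
    """Name of the enabled label on a file, or None if it carries none."""
    for fields in extract_sensitivity_labels(docx_bytes).values():
        if fields.get("Enabled", "").lower() == "true":
            return fields.get("Name")
    return None


def prioritise(corpus):
    """Order file names by label value, highest first, using metadata alone."""
    return sorted(corpus, key=lambda fn: LABEL_PRIORITY.get(label_name(corpus[fn]), -1), reverse=True)


def build_sample_corpus():
    """Three constructed files: one protected, one public, one unlabelled."""
    return {
        "lunch-menu.docx": build_docx({"Enabled": "true", "SetDate": "2024-05-22T10:00:00Z",
                                       "Method": "Standard", "Name": "Public", "SiteId": TENANT_ID}),
        "board-minutes.docx": build_docx({"Enabled": "true", "SetDate": "2024-05-22T10:00:00Z",
                                          "Method": "Privileged", "Name": "Highly Confidential",
                                          "SiteId": TENANT_ID}),
        "unlabelled.docx": build_docx(),
    }


if __name__ == "__main__":
    corpus = build_sample_corpus()
    for name in prioritise(corpus):
        print(name, label_name(corpus[name]))
```

The same properties are what end up in file-share indexes, SharePoint search results and email headers, so the check a defender wants is the inverse of prioritise: inventory where labelled files sit and who can list them, rather than relying on the label being invisible.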
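
The following is an added example for ME027 (Unmanaged Credential Storage); it is not part of the original entry or the project's own material. It is the kind of sweep an investigator runs over shared folders, home directories and config trees to find the "latent" credentials the entry describes: a few format-specific patterns (AWS access key IDs, GitHub classic tokens, PEM private-key headers, password assignments), a CSV column heuristic for the spreadsheet case, and a Shannon-entropy catch-all for long opaque tokens. The sample files are constructed and every secret in them is fake (the AWS pair is Amazon's published documentation example); the entropy threshold is an assumption tuned on that sample.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Format-specific indicators. The shapes (AKIA + 16 chars, ghp_ + 36 chars,
# PEM headers) are the real formats; the list is illustrative, not exhaustive.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----")),
    ("password_assignment", re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)")),
]
CREDENTIAL_COLUMNS = {"password", "passwd", "pwd", "secret", "token"}
MIN_ENTROPY_LEN = 20  # shortest token worth an entropy check (assumption)
MIN_ENTROPY = 4.0     # bits per character; tuned on the sample below (assumption)


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    sample: str  # redacted; the report must never carry the full secret


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(secret: str) -> str:
    return secret[:4] + "*" * (len(secret) - 4)


def credential_column(header: str):
    """Index of a password/secret/token column in a CSV header line, else None."""
    cells = [c.strip().lower() for c in header.split(",")]
    for i, cell in enumerate(cells):
        if cell in CREDENTIAL_COLUMNS:
            return i
    return None


def scan_text(path: str, text: str):
    findings = []
    lines = text.splitlines()
    col = credential_column(lines[0]) if lines else None
    for lineno, line in enumerate(lines, 1):
        matched = []  # substrings already explained by a specific indicator
        for kind, pat in PATTERNS:
            for m in pat.finditer(line):
                secret = m.group(m.lastindex or 0)  # captured value if the pattern has one
                findings.append(Finding(path, lineno, kind, redact(secret)))
                matched.append(m.group(0))
        if col is not None and lineno > 1:
            cells = line.split(",")
            if len(cells) > col and cells[col].strip():
                findings.append(Finding(path, lineno, "credential_column", redact(cells[col])))
                matched.append(cells[col])
        # Generic catch-all: long, high-entropy tokens not already accounted for.
        for tok in re.split(r"[\s,=:\"']+", line):
            if (len(tok) >= MIN_ENTROPY_LEN and shannon_entropy(tok) >= MIN_ENTROPY
                    and not any(tok in m for m in matched)):
                findings.append(Finding(path, lineno, "high_entropy_string", redact(tok)))
    return findings


def scan_files(files: dict):
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample "files" of the kind the entry lists: a shared spreadsheet
# export, personal notes, an application config, a deploy key, and a README
# that only talks about credentials (should produce no finding).
SAMPLE_FILES = {
    "shared/IT/server-passwords.csv": "host,user,password\nsql01,sa,Summer2023!\nbackup,svc_backup,P@ssw0rd",
    "home/jdoe/notes.txt": "reminder: prod aws key AKIAIOSFODNN7EXAMPLE / secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "app/config/settings.ini": "[db]\nhost=db01\npassword = hunter2\n[github]\ntoken=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "ops/deploy.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----",
    "docs/README.md": "Run make test. Set PASSWORD_FILE to point at the vault path.",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} {f.sample}")
```

Two design points matter in practice: findings are redacted before they leave the scanner, so the report itself does not become another unmanaged credential store, and a token already explained by a specific pattern is excluded from the entropy pass so one secret is not double-counted. The entry's point that these locations fall outside PAM and IAM is why the sweep has to be run as its own control; nothing in the identity stack will log access to a spreadsheet.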