ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT033
  • Created: 31st May 2024
  • Updated: 31st May 2024
  • Contributor: The ITM Team

Closed-Circuit Television

CCTV can be used to observe activity within or around a site. This control can help to detect preparation or infringement activities and record it to a video file.

Sections

ID Name Description
PR007CCTV Enumeration

A subject observes and/or records the locations of CCTV cameras in a target area.

PR008Physical Item Smuggling

A subject attempts to defeat physical security controls by smuggling an item (potentially an innocent item at first) into a controlled area to facilitate an infringement (such as a smart phone with a camera).

PR009Physical Exploration

A subject attempts to defeat physical security controls to gain access to a secured area to conduct an infringement.

IF003Exfiltration via Media Capture

A subject uses an external device, such as a mobile phone or camera, to record audio, photos, or video to capture media.

IF002Exfiltration via Physical Medium

A subject may exfiltrate data via a physical medium, such as a removable drive.

ME013Media Capture

A subject can capture photos, videos and/or audio with an external device, such as taking photos of a screen, documents, or their surroundings.

IF012Public Statements Resulting in Brand Damage

A subject makes comments either in-person or online that can damage the organization's brand through association.

IF006Unauthorized Printing of Documents

A subject exfiltrates information by printing it to paper or other physical medium.

AF010Physical Removal of Disk Storage

A subject may remove attached disk storage from a system to deny investigators access to the files stored within it.

AF011Physical Destruction of Storage Media

A subject may destroy or otherwise impair physical storage media such as hard drives to prevent them from being analyzed.

PR012Physical Disk Removal

A subject removes the physical disk of a target system to access the target file system with an external device/system.

ME024Access

A subject holds access to both physical and digital assets that can enable insider activity. This includes systems such as databases, cloud platforms, and internal applications, as well as physical environments like secure office spaces, data centers, or research facilities. When a subject has access to sensitive data or systems—especially with broad or elevated privileges—they present an increased risk of unauthorized activity.

 

Subjects in roles with administrative rights, technical responsibilities, or senior authority often have the ability to bypass controls, retrieve restricted information, or operate in areas with limited oversight. Even standard user access, if misused, can facilitate data exfiltration, manipulation, or operational disruption. Weak access controls—such as excessive permissions, lack of segmentation, shared credentials, or infrequent reviews—further compound this risk by enabling subjects to exploit access paths that should otherwise be limited or monitored.

 

Furthermore, subjects with privileged or strategic access may be more likely to be targeted for recruitment by external parties to exploit their position. This can include coercion, bribery, or social engineering designed to turn a trusted insider into an active participant in malicious activities.

IF003.002Exfiltration via Video Capture

A subject uses an external device, such as a mobile phone or camera, to take video recordings containing sensitive information.

IF003.001Exfiltration via Photography

A subject uses a device, such as a mobile phone or camera, to take photos containing sensitive information.

IF003.003Exfiltration via Audio Capture

A subject uses an external device, such as a mobile phone or camera, to take record audio containing sensitive information, such as conversations.

IF011.002Intentionally Weakening Physical Security Controls For a Third Party

The subject intentionally weakens or bypasses physical security controls for a third party, such as allowing them to piggyback into a secure area, leaving a door unlocked for them, or providing them with a security pass.

IF002.005Exfiltration via Physical Documents

A subject tansports physical documents outside of the control of the organization.

ME021.003Physical Access Credentials

Physical security credentials, such as an ID card or physical keys, that were available to the subject during employment are not revoked and can still be used.

IF015.004Theft of Non-Digital Assets

A subject steals non-digital assets, such as physical documents, belonging to an organization.

IF015.003Theft of Other Digital Assets

A subject steals other digital assets, such as monitors, hard drives, or peripherals, belonging to an organization.

IF015.002Theft of a Corporate Mobile Phone

A subject steals a corporate mobile phone belonging to an organization.

IF015.001Theft of a Corporate Laptop

A subject steals a corporate laptop belonging to an organization.

IF002.008Exfiltration via USB to Mobile Device

The subject uses a USB cable, and any relevant software if required, to transfer files or data from one system to a mobile device. This device is then taken outside of the organization's control, where the subject can later access the contents.

IF002.009Exfiltration via Disk Media

A subject exfiltrates data using writeable disk media.

ME024.004Access to Physical Hardware

Subjects with physical access to critical hardware—such as data center infrastructure, on-premises servers, network appliances, storage arrays, or specialized equipment like CCTV and alarm systems—represent a significant insider threat due to their ability to bypass logical controls and interact directly with systems. This level of access can facilitate a wide range of security compromises, many of which are difficult to detect through conventional digital monitoring.

 

Physical access may also include proximity to sensitive areas such as network closets, on-premises server racks, backup repositories, or control systems in operational technology (OT) environments. In high-security settings, even brief unsupervised access can be exploited to compromise system integrity or enable ongoing unauthorized access.

 

With this type of access, a subject can:

  • Extract or clone drives and media for offline analysis or exfiltration of sensitive data, including proprietary documents, logs, authentication secrets, and configuration files.
  • Introduce malicious hardware or firmware, such as USB-based keyloggers, hardware implants, or modified components that persist beyond reboots and may evade traditional endpoint protections.
  • Bypass access controls by booting from external media, altering BIOS or UEFI settings, or resetting system passwords using direct hardware manipulation.
  • Install or modify software directly on the system, enabling surveillance tools, remote access backdoors, or malicious code that blends in with legitimate system processes.
  • Capture network traffic by tapping physical interfaces or inserting intermediary devices such as portable switches, protocol analyzers, or rogue wireless access points.
  • Disable security mechanisms, such as disconnecting monitoring systems, tampering with surveillance equipment, or disabling redundant power and failover systems to induce outages.

 

In operational environments, subjects with access to physical control systems (e.g., ICS/SCADA components, industrial HMIs, or IoT gateways) may alter processes, cause service disruptions, or create safety hazards. Similarly, access to CCTV or badge systems may allow them to erase footage, monitor employee movements, or manipulate access control logs.

 

Subjects with this form of access represent an elevated risk, especially when combined with technical knowledge or administrative privileges. The risk is compounded in environments with limited physical security controls, inadequate logging of physical entry, or weak segmentation between physical and digital assets.

ME024.005Access to Physical Spaces

Subjects with authorized access to sensitive physical spaces—such as secure offices, executive areas, data centers, SCIFs (Sensitive Compartmented Information Facilities), R&D labs, or restricted zones in critical infrastructure—pose an increased insider threat due to their physical proximity to sensitive assets, systems, and information.

 

Such spaces often contain high-value materials or information, including printed sensitive documents, whiteboard plans, authentication devices (e.g., smartcards or tokens), and unattended workstations. A subject with physical presence in these locations may observe confidential conversations, access sensitive output, or physically interact with devices outside of typical security monitoring.

 

This type of access can be leveraged to:

  • Obtain unattended or discarded sensitive information, such as printouts, notes, or credentials left on desks.
  • Observe operational activity or decision-making, gaining insight into projects, personnel, or internal dynamics.
  • Access unlocked devices or improperly secured terminals, allowing direct system interaction or credential harvesting.
  • Bypass digital controls via physical means, such as tailgating into secure spaces or using misappropriated access cards.
  • Covertly install or remove equipment, such as data exfiltration tools, recording devices, or physical implants.
  • Eavesdrop on confidential conversations, either directly or through concealed recording equipment, enabling the collection of sensitive verbal disclosures, strategic discussions, or authentication procedures.

 

Subjects in roles that involve frequent presence in sensitive locations—such as cleaning staff, security personnel, on-site engineers, or facility contractors—may operate outside the scope of standard digital access control and may not be fully visible to security teams focused on network activity.

 

Importantly, individuals with this kind of access are also potential targets for recruitment or coercion by external threat actors seeking insider assistance. The ability to physically access secure environments and passively gather high-value information makes them attractive assets in coordinated attempts to obtain or compromise protected information.

 

The risk is magnified in organizations lacking comprehensive physical access policies, surveillance, or cross-referencing of physical and digital access activity. When unmonitored, physical access can provide a silent pathway to support insider operations without leaving traditional digital footprints.

ME025.001Proximity to Strategic Business Functions

A subject’s placement within critical business units or specialized teams can grant them access to highly sensitive operational data, strategic initiatives, and proprietary information. Roles within departments such as executive leadership, corporate strategy, legal, finance, R&D, supply chain management, and security operations position the subject to interact with confidential communications, forward-looking business plans, and strategic decision-making processes.

 

Subjects in close proximity to organizational leadership—including C-suite executives, senior directors, or key decision-makers—are uniquely positioned to access sensitive insights, manipulate decision-making, or gather intelligence on high-stakes initiatives. These individuals may be exposed to:

 

  • Privileged communications such as internal memos, executive briefings, and strategic planning documents that are typically restricted.
  • Pre-decisional data, including merger and acquisition strategies, product development pipelines, and market positioning strategies.
  • Strategic operational plans outlining organizational direction, key resource allocation, and long-term goals.

 

Having direct or indirect access to leaders facilitates eavesdropping on confidential conversations and provides early awareness of business initiatives. This proximity allows the subject to assess organizational vulnerabilities or identify high-value targets for insider exploitation. Furthermore, the subject may be positioned to:

 

  • Influence decision-making through the selective manipulation of information presented to decision-makers. This could include distorting risk profiles or promoting particular courses of action that align with their objectives.
  • Shape the outcome of high-value transactions such as mergers, acquisitions, and partnerships by influencing the information executives receive or the strategies they adopt.
  • Alter project and resource prioritization by subtly steering leadership towards certain initiatives, products, or investments.
  • Impact compliance and risk management practices, potentially distorting organizational responses to regulatory requirements or operational risks.

 

Subjects in such positions hold considerable power to shape business outcomes—both through direct influence over strategic initiatives and by gaining early insights into organizational direction, which can be exploited for personal gain, external manipulation, or other malicious intents.

 

Additionally, such individuals may become targets for recruitment by external entities seeking to exploit their access to confidential business data or influence over strategic decisions. Their proximity to leadership and critical business functions makes them an ideal conduit for conducting insider threats on behalf of external adversaries.

ME025.002Leadership and Influence Over Direct Reports

A subject with a people management role holds significant influence over their direct reports, which can be leveraged to conduct insider activities. As a leader, the subject is in a unique position to shape team dynamics, direct tasks, and control the flow of information within their team. This authority presents several risks, as the subject may:

 

  • Influence team members to inadvertently or deliberately carry out tasks that contribute to the subject’s insider objectives. For instance, a manager might ask a subordinate to access or move sensitive data under the guise of a legitimate business need or direct them to work on projects that will inadvertently support a malicious agenda.
  • Exert pressure on employees to bypass security protocols, disregard organizational policies, or perform actions that could compromise the organization’s integrity. For example, a manager might encourage their team to take shortcuts in security or compliance checks to meet deadlines or targets.
  • Control access to sensitive information, either by virtue of the manager’s role or through the information shared within their team. A people manager may have direct visibility into highly sensitive internal communications, strategic plans, and confidential projects, which can be leveraged for malicious purposes.
  • Isolate team members or limit their exposure to security training, potentially creating vulnerabilities within the team that could be exploited. By controlling the flow of information or limiting access to security awareness resources, a manager can enable an environment conducive to insider threats.
  • Recruit or hire individuals within their team or external candidates who are susceptible to manipulation or willing to participate in insider activities. A subject in a management role could use their hiring influence to bring in new team members who align with or are manipulated into assisting in the subject's illicit plans, increasing the risk of coordinated insider actions.

 

In addition to these immediate risks, subjects in people management roles may also have the ability to recruit individuals from their team for insider activities, subtly influencing them to support illicit actions or help cover up their activities. By fostering a sense of loyalty or manipulating interpersonal relationships, the subject may encourage compliance with unethical actions, making it more difficult for others to detect or challenge the behavior.

 

Given the central role that managers play in shaping team culture and operational practices, the risks posed by a subject in a management position are compounded by their ability to both directly influence the behavior of others and manipulate processes for personal or malicious gain.