Insider Threat Matrix™

User Behavior Analytics (UBA)

Implement User Behavior Analytics (UBA) tools to continuously monitor and analyze user (human) activities, detecting anomalies that may signal security risks. UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. UBA can also provide real-time alerts when users engage in behavior that deviates from established baselines, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider events.

Sections

ID Name Description
MT020 Ideology

A subject is motivated by ideology to access, destroy, or exfiltrate data, or otherwise violate internal policies in pursuit of their ideological goals.

Ideology is a structured system of ideas, values, and beliefs that shapes an individual’s understanding of the world and informs their actions. It often encompasses political, economic, and social perspectives, providing a comprehensive and sometimes rigid framework for interpreting events and guiding decision-making.

Individuals driven by ideology often perceive their actions as morally justified within the context of their belief system. Unlike those motivated by personal grievances or personal gain, ideological insiders act in service of a cause they deem greater than themselves.

IF023 Regulatory Non-Compliance

Regulatory non-compliance refers to insider actions that lead to breaches of laws, regulations, or industry standards governing organizational conduct. These violations may arise from deliberate misconduct, willful disregard, or negligent failure to follow established legal or compliance frameworks. In many cases, insiders exploit their access or authority to bypass controls, misrepresent information, or act in ways that conflict with regulatory obligations.

Incidents of regulatory non-compliance may involve unauthorized exports, sanctions breaches, anti-competitive behavior, or unreported conflicts of interest. Such infringements not only expose the organization to fines, legal action, and operational restrictions but also erode trust with customers, regulators, and partners.

ME024 Access

A subject holds access to both physical and digital assets that can enable insider activity. This includes systems such as databases, cloud platforms, and internal applications, as well as physical environments like secure office spaces, data centers, or research facilities. When a subject has access to sensitive data or systems—especially with broad or elevated privileges—they present an increased risk of unauthorized activity.

Subjects in roles with administrative rights, technical responsibilities, or senior authority often have the ability to bypass controls, retrieve restricted information, or operate in areas with limited oversight. Even standard user access, if misused, can facilitate data exfiltration, manipulation, or operational disruption. Weak access controls—such as excessive permissions, lack of segmentation, shared credentials, or infrequent reviews—further compound this risk by enabling subjects to exploit access paths that should otherwise be limited or monitored.

Furthermore, subjects with privileged or strategic access may be more likely to be targeted for recruitment by external parties to exploit their position. This can include coercion, bribery, or social engineering designed to turn a trusted insider into an active participant in malicious activities.

ME025 Placement

A subject’s placement within an organization shapes their potential to conduct insider activity. Placement refers to the subject’s formal role, business function, or proximity to sensitive operations, intellectual property, or critical decision-making processes. Subjects embedded in trusted positions—such as those in legal, finance, HR, R&D, or IT—often possess inherent insight into internal workflows, organizational vulnerabilities, or confidential information.

Strategic placement can grant the subject routine access to privileged systems, classified data, or internal controls that, if exploited, may go undetected for extended periods. Roles that involve oversight responsibilities or authority over process approvals can also allow for policy manipulation, the suppression of alerts, or the facilitation of fraudulent actions.

Subjects in these positions may not only have a higher capacity to carry out insider actions but may also be more appealing targets for adversarial recruitment or collusion, given their potential to access and influence high-value organizational assets. The combination of trust, authority, and access tied to their placement makes them uniquely positioned to execute or support malicious activity.

MT017 Espionage

A subject carries out covert actions, such as the collection of confidential or classified information, for the strategic advantage of a nation-state.

MT009 Fear of Reprisals

A subject accesses and exfiltrates or destroys sensitive data or otherwise contravenes internal policies in an attempt to prevent professional reprisals against them or other persons.

MT016 Human Error

The subject has no threatening motive and is not reckless in their actions. The infringement is a result of an honest mistake made by the subject.

MT008 Lack of Awareness

A subject is unaware that they are prohibited from accessing and exfiltrating or destroying sensitive data or otherwise contravening internal policies.

MT013 Misapprehension or Delusion

A subject accesses and exfiltrates or destroys sensitive data or otherwise contravenes internal policies as a result of motives not grounded in reality.

MT004 Political or Philosophical Beliefs

A subject is motivated by their political or philosophical beliefs to access and destroy or exfiltrate sensitive data or otherwise contravene internal policies.

MT015 Recklessness

The subject does not have a threatening motive. However, the subject undertakes actions without due care and attention to the outcome, which causes an infringement.

MT007 Resentment

Resentment is a sustained internal feeling of injustice, bitterness, or perceived mistreatment that may develop over time within a subject. While not always leading to overt action, resentment alters the subject’s psychological orientation toward the organization or its members, potentially lowering thresholds for future misconduct.

Resentment often originates from subjective perceptions of unfairness—such as feeling overlooked, underappreciated, marginalized, or treated unequally. It may be directed at individuals (e.g., managers, peers) or the organization itself. Unlike motives that are reactive or sudden, resentment is typically a chronic state that develops quietly and may go undetected in traditional monitoring systems.

Resentment should be viewed as a risk amplifier rather than an immediate driver of malicious action. It often lays the psychological groundwork for escalation into more active motives, including retaliation or sabotage. Intervention strategies may be more effective during this stage than after escalation.

MT019 Rogue Nationalism

A subject, driven by excessive pride in their nation, country, or region, undertakes actions that harm an organization. These actions are self-initiated and conducted unilaterally, without instruction or influence from legitimate authorities within their nation, country, region, or any other third party. The subject often perceives their actions as acts of loyalty or as benefiting their homeland.

While the subject may believe they are acting in their nation’s best interest, their actions frequently lack strategic foresight and can result in significant damage to the organization.

MT010 Self Sabotage

A subject accesses and exfiltrates or destroys sensitive data or otherwise contravenes internal policies with the aim of being caught and penalised.

MT006 Third Party Collusion Motivated by Personal Gain

A subject is recruited by a third party to access and exfiltrate or destroy sensitive data or otherwise contravene internal policies in exchange for personal gain.

MT012 Coercion

A subject is persuaded against their will to access and exfiltrate or destroy sensitive data, or conduct some other act that harms or undermines the target organization.

MT018 Curiosity

A subject, motivated solely by personal curiosity, may take actions that unintentionally cause or risk harm to an organization. For example, they might install unauthorized software to experiment with its features or explore a network-attached storage (NAS) device without proper authorization.

MT023 Revenge

Revenge is an active motive in which the subject intends to inflict harm, embarrassment, or disruption in response to a perceived personal injustice. It is retaliatory in nature, targeted in intent, and often emotionally charged.

Unlike resentment, which may remain latent or passive, revenge is characterized by intentional, action-oriented behavior aimed at redressing a specific grievance. It often follows triggering events such as disciplinary action, demotion, termination, or perceived betrayal. Revenge may be premeditated or impulsive but is consistently deliberate.

Revenge poses an immediate risk due to its deliberate and often time-sensitive nature. It frequently coincides with high-risk departure windows, formal grievances, or disciplinary measures. Revenge-driven cases tend to escalate quickly and require urgent containment and coordination.

IF002.010 Exfiltration via Bring Your Own Device (BYOD)

A subject connects their personal device, under a Bring Your Own Device (BYOD) policy, to organization resources, such as on-premises systems or cloud-based platforms. By leveraging this access, the subject exfiltrates sensitive or confidential data. This unauthorized data transfer can occur through various means, including copying files to the personal device, sending data via email, or using cloud storage services.

AF018.002 Environment Tripwires

The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.

This tripwire API is embedded within various parts of the environment:

  • Cloud Services: It hooks into serverless functions, containers, or virtual machines to monitor access and activity.
  • Applications: It integrates into custom-built web applications to observe access to certain URLs, paths, or endpoints.
  • Infrastructure Services: It monitors cloud management APIs (e.g., AWS, Azure, Google Cloud) for unusual activities indicative of an investigation.

Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation. It looks for:

  • Known Security Tools: Scanning for network traffic signatures from common security tools (like Nessus or nmap) or patterns associated with incident response teams.
  • Unusual Access: Detecting attempts from IP ranges linked to internal security teams or cloud provider security operations centers.
  • System Changes: Watching for actions typical of an investigation, such as new logging mechanisms, alterations to IAM roles, or the activation of cloud monitoring services.

The API can use whitelists for expected IP addresses or user accounts, triggering alerts if unexpected access occurs.

Upon detecting activity, the API tripwire can take immediate evasive actions:

  • Alert the Subject: It sends covert alerts to an external server controlled by the subject, through an HTTP request, encrypted email, or messaging platform.
  • Suspend Malicious Activity: If integrated into a malicious workflow, the API can halt ongoing data exfiltration or malware processes.
  • Clean Up Evidence: It triggers scripts to delete logs, clear files, or reset system configurations to hinder forensic analysis.
  • Feign Normalcy: It restores access controls and system settings to their default state, masking any signs of unusual activity.

IF023.003 Anti-Trust or Anti-Competition

Anti-trust or anti-competition violations occur when a subject engages in practices that unfairly restrict or distort market competition, violating laws designed to protect free market competition. These violations can involve a range of prohibited actions, such as price-fixing, market division, bid-rigging, or the abuse of dominant market position. Such behavior typically aims to reduce competition, manipulate pricing, or create unfair advantages for certain businesses or individuals.

Anti-competition violations may involve insiders leveraging their position to engage in anti-competitive practices, often for personal or corporate gain. These violations can result in significant legal and financial penalties, including fines and sanctions, as well as severe reputational damage to the organization involved.

Examples of Anti-Trust or Anti-Competition Violations:

  • A subject shares sensitive pricing or bidding information between competing companies, enabling coordinated pricing or market manipulation.
  • An insider with knowledge of a merger or acquisition shares details with competitors, leading to coordinated actions that suppress competition.
  • An employee uses confidential market data to form agreements with competitors on market control, stifling competition and violating anti-trust laws.

Regulatory Framework:

Anti-trust or anti-competition laws are enforced globally by various regulatory bodies. In the United States, the Federal Trade Commission (FTC) and the Department of Justice (DOJ) regulate anti-competitive behavior under the Sherman Act, the Clayton Act, and the Federal Trade Commission Act. In the European Union, the European Commission enforces anti-trust laws under the Treaty on the Functioning of the European Union (TFEU) and the Competition Act.

ME025.001 Proximity to Strategic Business Functions

A subject’s placement within critical business units or specialized teams can grant them access to highly sensitive operational data, strategic initiatives, and proprietary information. Roles within departments such as executive leadership, corporate strategy, legal, finance, R&D, supply chain management, and security operations position the subject to interact with confidential communications, forward-looking business plans, and strategic decision-making processes.

Subjects in close proximity to organizational leadership—including C-suite executives, senior directors, or key decision-makers—are uniquely positioned to access sensitive insights, manipulate decision-making, or gather intelligence on high-stakes initiatives. These individuals may be exposed to:

  • Privileged communications such as internal memos, executive briefings, and strategic planning documents that are typically restricted.
  • Pre-decisional data, including merger and acquisition strategies, product development pipelines, and market positioning strategies.
  • Strategic operational plans outlining organizational direction, key resource allocation, and long-term goals.

Having direct or indirect access to leaders facilitates eavesdropping on confidential conversations and provides early awareness of business initiatives. This proximity allows the subject to assess organizational vulnerabilities or identify high-value targets for insider exploitation. Furthermore, the subject may be positioned to:

  • Influence decision-making through the selective manipulation of information presented to decision-makers. This could include distorting risk profiles or promoting particular courses of action that align with their objectives.
  • Shape the outcome of high-value transactions such as mergers, acquisitions, and partnerships by influencing the information executives receive or the strategies they adopt.
  • Alter project and resource prioritization by subtly steering leadership towards certain initiatives, products, or investments.
  • Impact compliance and risk management practices, potentially distorting organizational responses to regulatory requirements or operational risks.

Subjects in such positions hold considerable power to shape business outcomes—both through direct influence over strategic initiatives and by gaining early insights into organizational direction, which can be exploited for personal gain, external manipulation, or other malicious intents.

Additionally, such individuals may become targets for recruitment by external entities seeking to exploit their access to confidential business data or influence over strategic decisions. Their proximity to leadership and critical business functions makes them an ideal conduit for conducting insider threats on behalf of external adversaries.

ME025.002 Leadership and Influence Over Direct Reports

A subject with a people management role holds significant influence over their direct reports, which can be leveraged to conduct insider activities. As a leader, the subject is in a unique position to shape team dynamics, direct tasks, and control the flow of information within their team. This authority presents several risks, as the subject may:

  • Influence team members to inadvertently or deliberately carry out tasks that contribute to the subject’s insider objectives. For instance, a manager might ask a subordinate to access or move sensitive data under the guise of a legitimate business need or direct them to work on projects that will inadvertently support a malicious agenda.
  • Exert pressure on employees to bypass security protocols, disregard organizational policies, or perform actions that could compromise the organization’s integrity. For example, a manager might encourage their team to take shortcuts in security or compliance checks to meet deadlines or targets.
  • Control access to sensitive information, either by virtue of the manager’s role or through the information shared within their team. A people manager may have direct visibility into highly sensitive internal communications, strategic plans, and confidential projects, which can be leveraged for malicious purposes.
  • Isolate team members or limit their exposure to security training, potentially creating vulnerabilities within the team that could be exploited. By controlling the flow of information or limiting access to security awareness resources, a manager can enable an environment conducive to insider threats.
  • Recruit or hire individuals within their team or external candidates who are susceptible to manipulation or willing to participate in insider activities. A subject in a management role could use their hiring influence to bring in new team members who align with or are manipulated into assisting in the subject's illicit plans, increasing the risk of coordinated insider actions.

In addition to these immediate risks, subjects in people management roles may also have the ability to recruit individuals from their team for insider activities, subtly influencing them to support illicit actions or help cover up their activities. By fostering a sense of loyalty or manipulating interpersonal relationships, the subject may encourage compliance with unethical actions, making it more difficult for others to detect or challenge the behavior.

Given the central role that managers play in shaping team culture and operational practices, the risks posed by a subject in a management position are compounded by their ability to both directly influence the behavior of others and manipulate processes for personal or malicious gain.

MT005.002 Corporate Espionage

A third-party private organization deploys an individual to a target organization to covertly steal confidential or classified information or gain strategic access for its own benefit.

MT005.003 Financial Desperation

A subject facing financial difficulties attempts to resolve their situation by exploiting their access to or knowledge of the organization. This may involve selling access or information to a third party or conspiring with others to cause harm to the organization for financial gain.

MT005.001 Speculative Corporate Espionage

A subject covertly collects confidential or classified information, or gains access, with the intent to sell it to a third-party private organization.

IF012.002 Statements On Personal Social Media

A subject uses personal social media accounts to post statements or other media that can result in brand damage through association between the subject and their employer.

IF012.001 Statements On Organization's Social Media

A subject uses existing access to social media accounts owned by the organization to post statements or other media that can result in brand damage.

AF022.001 Use of a Virtual Machine

The subject uses a virtual machine (VM) on an organization device to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations.

By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities.

AF022.002 Use of Windows Subsystem for Linux (WSL)

The subject leverages Windows Subsystem for Linux (WSL) to contain forensic artifacts within a Linux-like runtime environment embedded in Windows. By operating inside WSL, the subject avoids writing sensitive data, tool activity, or command history to traditional Windows locations, significantly reducing visibility to host-based forensic and security tools.

WSL creates a logical Linux environment that appears separate from the Windows file system. Although some host-guest integration exists, activity within WSL often bypasses standard Windows event logging, registry updates, and process tracking. This allows the subject to execute scripts, use Unix-native tools, stage exfiltration, or decrypt payloads with minimal footprint on the host.

Example Scenarios:

  • The subject downloads and processes sensitive files inside the WSL environment using native Linux tools (e.g., scp, gpg, rsync), preventing access and modification timestamps from appearing in Windows Explorer or standard audit logs.
  • A subject extracts and stages exfiltration material in /mnt/c within WSL, using symbolic links and Linux file permissions to obscure its presence from Windows search and indexing services.
  • WSL is used to execute recon and credential-harvesting scripts (e.g., nmap, hydra, ssh enumeration tools), with no execution trace in Windows Event Logs.
  • Upon completion of activity, the subject deletes the WSL distribution, leaving minimal residue on the host system—especially if no antivirus or EDR coverage extends into the WSL layer.

AF022.004 Snapshots and Rollbacks to Remove Evidence

The subject uses virtual machine snapshots, checkpoints, or revert-to-save-state features to erase forensic evidence of activity within a virtualized environment. By taking a snapshot before conducting malicious or high-risk operations, the subject ensures they can later roll the system back—removing all traces of files, commands, logs, and process history created during the session.

This technique allows the subject to:

  • Create disposable execution environments for malware, exfiltration staging, or credential harvesting.
  • Test or refine malicious payloads without contaminating the final operating state.
  • Erase system logs, shell history, temp files, or volatile indicators without needing individual cleanup.
  • Avoid triggering file integrity monitoring or host-based change detection on the base image.
  • Delay detection by performing actions in a timeline that no longer exists once the rollback is complete.

Example Scenarios:

  • A subject launches a virtual machine, takes a snapshot, and performs a simulated ransomware attack using internal files. After testing, they roll back to the original snapshot, deleting all evidence of tool execution, encryption activity, and lateral movement.
  • During a data staging operation, the subject collects documents within a VM and compresses them. After extraction, they revert the VM to a pre-staging snapshot, eliminating any trace of the aggregation.
  • An insider uses nested virtualization to test payload delivery across OS versions. Each test is followed by a rollback, leaving no visible trace of the toolsets used or the compromised states created.

MT017.001 Nation-State Alignment

The subject is a current or former asset of a nation-state intelligence service, operating inside the organization with pre-existing loyalty to, or direct affiliation with, a foreign government. Unlike insiders who develop espionage motives post-employment, this subject is often inserted, recruited prior to hiring, or cultivated externally over time and then encouraged to seek access to a target organization.

Their motive is the advancement of strategic objectives on behalf of a foreign nation-state. These objectives may include extracting sensitive information, degrading operational resilience, manipulating internal systems or decisions, weakening public or partner trust, or embedding long-term access for future exploitation. Such subjects may be formal intelligence officers, contract operatives, ideological affiliates, or individuals acting under recruitment, coercion, or influence.

Example Scenarios:

  • A subject recruited during university by a foreign security service secures a role in a telecommunications provider and enables covert surveillance access for state-level eavesdropping.
  • A subject hired into a biopharmaceutical firm has pre-existing links to a state-sponsored “talent program” and transfers research data to affiliated institutions abroad via covert cloud channels.

IF022.005 Media Leak

The intentional or negligent disclosure of internal data, documents, or communications to members of the press or external media outlets—resulting in the loss of confidentiality, reputational harm, or operational compromise.

Media leaks represent a unique form of data loss. Unlike data exfiltration for financial gain or competitive advantage, this form of loss often involves symbolic targeting, reputational damage, or pressure tactics. Subjects may seek to embarrass the organization, expose internal misconduct, or spark public or political consequences. Leaks may be anonymous, pseudonymous, or openly attributed.

This behavior is sometimes rationalized by the subject as whistleblowing, though it often occurs outside authorized internal reporting channels and in violation of confidentiality agreements, regulatory constraints, or national security laws.

Media leaks blur the line between insider threat and whistleblowing. While some disclosures may raise legitimate ethical concerns, organizations must distinguish between protected disclosures under law (e.g., protected whistle-blower status) and unauthorized leaks that expose sensitive, regulated, or classified information.

These events often generate external investigative pressure (from regulators, media, or lawmakers) and may undermine internal trust—requiring not just forensic containment, but narrative and reputational management.