- ID: DT113
- Created: 28th April 2025
- Updated: 28th April 2025
- Contributor: The ITM Team
Tracking Patterns of Policy Violations
Monitor and analyze minor policy violations over time to detect emerging behavioral patterns that may indicate boundary testing, behavioral drift, or preparation for more serious misconduct. Isolated minor infringements may appear benign, but repeated or clustered incidents can signal a developing threat trajectory.
Detection Methods
- Maintain centralized logging of all recorded policy violations, including low-severity infractions, within case management, HR, or security systems.
- Implement analytical tools or workflows that flag individuals with multiple minor violations within defined timeframes (e.g., repeated unauthorized device use, bypassing security protocols, small unauthorized disclosures).
- Correlate minor violation data with other risk indicators such as unauthorized access attempts, changes in behavioral baselines, or indicators of disgruntlement.
- Analyze patterns across teams, units, or operational areas to detect systemic issues or cultural tolerance of rule-breaking behaviors.
- Conduct periodic behavioral risk reviews that explicitly include minor infractions as part of insider threat monitoring programs.
Indicators
- Subjects accumulating multiple low-level infractions without corresponding corrective action or behavioral improvement.
- Increased frequency or severity of minor violations over time, suggesting desensitization or emboldenment.
- Violations spanning multiple domains (e.g., IT security, operational protocols, HR policy), indicating generalized disregard for rules.
- Evidence that minor violations are clustered around operational pressures, major organizational changes, or periods of reduced oversight.
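The flagging workflow from the Detection Methods, combined with the frequency and multi-domain indicators, can be sketched as follows. This is an added example, not code from the ITM project: the record layout, subject IDs, domain labels, the 90-day window and the threshold of three are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records: (subject, date, policy domain, severity).
VIOLATIONS = [
    ("u1001", date(2025, 1, 6), "it_security", "low"),
    ("u1001", date(2025, 2, 17), "it_security", "low"),
    ("u1001", date(2025, 3, 10), "operational", "low"),
    ("u1001", date(2025, 3, 20), "hr_policy", "low"),
    ("u1002", date(2024, 6, 3), "it_security", "low"),
    ("u1002", date(2025, 2, 11), "it_security", "low"),
    ("u1002", date(2025, 3, 1), "it_security", "low"),
    ("u1003", date(2025, 3, 2), "it_security", "high"),
    ("u1003", date(2025, 3, 5), "operational", "low"),
    ("u1003", date(2025, 3, 9), "operational", "low"),
]

def flag_patterns(records, window_days=90, threshold=3):
    """Flag subjects with >= threshold low-severity violations in any rolling window."""
    by_subject = defaultdict(list)
    for subject, day, domain, severity in records:
        if severity == "low":  # assumption: higher severities are handled by other workflows
            by_subject[subject].append((day, domain))
    window, findings = timedelta(days=window_days), {}
    for subject, events in by_subject.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            # Slide the window start forward until the span fits in window_days.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold and (best is None or end - start > best[1] - best[0]):
                best = (start, end)  # keep the densest cluster seen so far
        if best is None:
            continue
        cluster = events[best[0]:best[1] + 1]
        gaps = [(b[0] - a[0]).days for a, b in zip(cluster, cluster[1:])]
        findings[subject] = {
            "count": len(cluster),
            "first": cluster[0][0],
            "last": cluster[-1][0],
            "domains": sorted({d for _, d in cluster}),  # several domains = broader disregard
            # Heuristic: every gap shorter than the one before means rising frequency.
            "accelerating": len(gaps) >= 2 and all(x > y for x, y in zip(gaps, gaps[1:])),
        }
    return findings

if __name__ == "__main__":
    for subject, finding in flag_patterns(VIOLATIONS).items():
        print(subject, finding)
```

The output is a review queue, not a verdict: each finding still needs to be correlated with the other risk indicators listed above before any conclusion is drawn.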
Sections
ID | Name | Description |
---|---|---|
MT022 | Boundary Testing | The subject deliberately pushes or tests organizational policies, rules, or controls to assess tolerance levels, detect oversight gaps, or gain a sense of impunity. While initial actions may appear minor or exploratory, boundary testing serves as a psychological and operational precursor to more serious misconduct.
Characteristics
Example Scenario: A subject repeatedly circumvents minor IT security controls (e.g., bypassing content filters, using personal devices against policy) without immediate consequences. Encouraged by the lack of enforcement, the subject later undertakes unauthorized data transfers, rationalizing the behavior based on perceived inefficiencies and low risk of detection. |
MT015.001 | Opportunism | The subject exploits circumstances for personal gain, convenience, or advantage, often without premeditation or major malicious intent. Opportunistic acts typically arise from perceived gaps in oversight, immediate personal needs, or desires, rather than long-term ideological, financial, or revenge-driven motivations.
Characteristics
Example Scenario: Senior enlisted personnel on a U.S. Navy warship collaborated to procure and install unauthorized satellite internet equipment (Starlink) to improve their onboard quality of life. Acting without command approval, they circumvented Navy IT security protocols, introducing significant operational security (OPSEC) risks. Their motive was personal convenience rather than espionage, sabotage, or financial gain. |