ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT113
  • Created: 28th April 2025
  • Updated: 28th April 2025
  • Contributor: The ITM Team

Tracking Patterns of Policy Violations

Monitor and analyze minor policy violations over time to detect emerging behavioral patterns that may indicate boundary testing, behavioural drift, or preparation for more serious misconduct. Isolated minor infringements may appear benign, but repeated or clustered incidents can signal a developing threat trajectory.

 

Detection Methods

  • Maintain centralized logging of all recorded policy violations, including low-severity infractions, within case management, HR, or security systems.
  • Implement analytical tools or workflows that flag individuals with multiple minor violations within defined timeframes (e.g., repeated unauthorized device use, bypassing security protocols, small unauthorized disclosures).
  • Correlate minor violation data with other risk indicators such as unauthorized access attempts, changes in behavioral baselines, or indicators of disgruntlement.
  • Analyze patterns across teams, units, or operational areas to detect systemic issues or cultural tolerance of rule-breaking behaviors.
  • Conduct periodic behavioral risk reviews that explicitly include minor infractions as part of insider threat monitoring programs.
  •  

Indicators

  • Subjects accumulating multiple low-level infractions without corresponding corrective action or behavioral improvement.
  • Increased frequency or severity of minor violations over time, suggesting desensitization or emboldenment.
  • Violations spanning multiple domains (e.g., IT security, operational protocols, HR policy), indicating generalized disregard for rules.
  • Evidence that minor violations are clustered around operational pressures, major organizational changes, or periods of reduced oversight.

Sections

ID Name Description
MT022Boundary Testing

The subject deliberately pushes or tests organizational policies, rules, or controls to assess tolerance levels, detect oversight gaps, or gain a sense of impunity. While initial actions may appear minor or exploratory, boundary testing serves as a psychological and operational precursor to more serious misconduct.

 

Characteristics

  • Motivated by curiosity, challenge-seeking, or early-stage dissatisfaction.
  • Actions often start small: minor policy violations, unauthorized accesses, or circumvention of procedures.
  • Rationalizations include beliefs that policies are overly rigid, outdated, or unfair.
  • Boundary testing behavior may escalate if it is unchallenged, normalized, or inadvertently rewarded.
  • Subjects often seek to gauge the likelihood and severity of consequences before considering larger or riskier actions.
  • Testing may be isolated or gradually evolve into opportunism, retaliation, or deliberate harm.

 

Example Scenario

A subject repeatedly circumvents minor IT security controls (e.g., bypassing content filters, using personal devices against policy) without immediate consequences. Encouraged by the lack of enforcement, the subject later undertakes unauthorized data transfers, rationalizing the behavior based on perceived inefficiencies and low risk of detection.

MT015.001Opportunism

The subject exploits circumstances for personal gain, convenience, or advantage, often without premeditation or major malicious intent. Opportunistic acts typically arise from perceived gaps in oversight, immediate personal needs, or desires, rather than long-term ideological, financial, or revenge-driven motivations.

 

Characteristics

  • Motivated by immediate self-interest rather than deep-seated grievance or ideology.
  • May rationalize actions as minor, justified, or harmless ("no one will notice," "this helps everyone," "it's not a big deal").
  • Often triggered by environmental factors such as poor oversight, operational stress, or unmet personal needs.
  • May escalate over time if not detected and corrected early.
  • Subjects often do not view themselves as "threat actors" and may retain a positive view of their organization.
  •  

Example Scenario

Senior enlisted personnel on a U.S. Navy warship collaborated to procure and install unauthorized satellite internet equipment (Starlink) to improve their onboard quality of life. Acting without command approval, they circumvented Navy IT security protocols, introducing significant operational security (OPSEC) risks. Their motive was personal convenience rather than espionage, sabotage, or financial gain.