ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

Preventions

ID Name Description
PV001No Ready System-Level Mitigation

This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.

PV002Restrict Access to Administrative Privileges

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

PV003Enforce an Acceptable Use Policy

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

PV004Enforce a Social Media Policy

A social media policy is a set of rules that governs how employees should use social media platforms in connection with their work. It outlines acceptable and unacceptable behaviors, helps employees understand the consequences of misuse, and serves as a deterrent by promoting accountability, raising awareness of risks, and ensuring consistent enforcement.

PV005Install an Anti-Virus Solution

An anti-virus solution detect and alert on malicious files, including the ability to take autonomous actions such as quarantining or deleting the flagged file.

PV006Install a Web Proxy Solution

A web proxy can allow for specific web resources to be blocked, preventing clients from successfully connecting to them.

PV007Restrict Access to Registry Editor

Windows Group Policy can be used to prevent specific accounts from accessing Registry Editor. This can prevent them from reading the registry or making modifications, if their permissions allow, using this utility.

PV008Enforce File Permissions

File servers and collaboration platforms such as SharePoint, Confluence, and OneDrive should have configured permissions to restrict unauthorized access to directories or specific files.

PV009Prohibition of Devices On-site

Certain infringements can be prevented by prohibiting certain devices from being brought on-site.

PV011Physical Access Controls

Access to specific areas of a site should be restricted to only authorized personnel, through the use of controls such as locked doors, mantraps, and gates requiring an ID badge.

PV012End-User Security Awareness Training

Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others.

PV013Pre-Employment Background Checks

Background checks should be conducted to ensure whether the information provided by the candidate during the interview process is truthful. This could include employment and educational reference checks, and a criminal background check. Background checks can highlight specific risks, such as a potential for extortion.

PV014Disable Printing, Windows

Group Policy can be used to disable printing for specific user accounts.

PV015Application Whitelisting

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.

PV016Enforce a Data Classification Policy

A Data Classification Policy establishes a standard for handling data by setting out criteria for how data should be classified and subsequently managed and secured. A classification can be applied to data in such a way that the classification is recorded in the body of the data (such as a footer in a text document) and/or within the metadata of a file.

PV017Prohibit Email Auto-Forwarding to External Domains, Exchange

Various methods can be used within Exchange to prevent internal emails being auto-forwarded to remote domains. This can prevent exfiltration via email auto-forwarding rules.

PV018Network Intrusion Prevention Systems

Network Intrusion Prevention Systems (NIPs) can alert on abnormal, suspicious, or malicious patterns of network behavior, and take autonomous actions to stop the behavior, such as resetting a network connection.

PV020Data Loss Prevention Solution

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

 

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

PV021DNS Filtering

Domain Name System (DNS) filtering allows the blocking of domain resolution for specific domains or automatically categorized classes of domains (depending on the functionality of the software or appliance being used). DNS filtering prevents users from accessing blocked domains, regardless of the IP address the domains resolve to.

 

Examples of automatically categorized classes of domains are ‘gambling’ or ‘social networking’ domains. Automatic categorizations of domains are typically conducted by the software or appliance being used, whereas specific domains can be blocked manually. Most DNS filtering software or appliances will provide the ability to use Regular Expressions (RegEx) to (for example) also filter all subdomains on a specified domain.

DNS filtering can be applied on an individual host, such as with the hosts file, or for multiple hosts via a DNS server or firewall.

PV022Internal Whistleblowing

Provide a process for all staff members to report concerning and/or suspicious behaviour to the organization's security team for review. An internal whistleblowing process should take into consideration the privacy of the reporter and the subject(s) of the report, with specific regard to safeguarding against reprisals against reporters.

PV023Access Reviews

Routine reviews of user accounts and their associated privileges and permissions should be conducted to identify overly-permissive accounts, or accounts that are no longer required to be active.

PV024Employee Off-boarding Process

When an employee leaves the organization, a formal process should be followed to ensure all equipment is returned, and any associated accounts or access is revoked.

PV025Full Disk Encryption

Full Disk Encryption (FDE) involves encrypting all data on a device's hard disk or solid-state drive (SSD), including the Operating System (OS), third party applications and user data. This helps to ensure that data on the disk remains inaccessible if the laptop is lost or stolen, as the data cannot be accessed without the correct decryption key.

 

Typically a user decrypts a FDE disk during the boot process. The user is prompted to enter a password or provide a hardware token to unlock the encryption key. Only after successful authentication can the disk be decrypted and subsequently the Operating System loaded and the data accessed.

PV026Restrict Mobile Clipboard via Intune App Protection Policies

On mobile devices managed by Microsoft Intune, and where Protected Apps are being used, it is possible to apply app protection policies to protect corporate data on mobile devices. This functionality can prevent users from copying and pasting corporate data into personal apps.

PV027Financial Approval Process

The financial approval process is a structured procedure used by organizations to review and authorize financial transactions. It includes segregation of duties, authorization levels, and documentation and audit trails to prevent financial abuse and ensure adherence to policies and budgets.

PV028Corporate Card Spending Limits

Applying spending limits to corporate cards can control the amount of funds a subject could spend legitimately or illegitimately.

PV029Enterprise-Managed Web Browsers

An enterprise-managed browser is a web browser controlled by an organization to enforce security policies, manage employee access, and ensure compliance. It allows IT administrators to monitor and restrict browsing activities, apply security updates, and integrate with other enterprise tools for a secure browsing environment.

PV031Bootloader Password

First stage bootloaders such as BIOS (Basic Input/Output System) and UEFI (Unified Extensible Firmware Interface) or second stage bootloaders such as GNU GRUB (GNU GRand Unified Bootloader) and iBoot, generally provide the ability to configure a bootloader password as a security measure. This password restricts access to the computer’s firmware settings and, in some cases, the boot process.

 

When a bootloader password is set, it is stored in a non-volatile memory within the firmware. Upon powering on the system (and the bootloader settings being selected) the bootloader prompts the user to enter the password before allowing access to the firmware settings, thereby preventing unauthorized users from altering system settings or booting from unauthorized devices.

PV032Next-Generation Firewalls

Next-generation firewall (NGFW) network appliances and services provide the ability to control network traffic based on rules. These firewalls provide basic firewall functionality, such as simple packet filtering based on static rules and track the state of network connections. They can also provide the ability to control network traffic based on Application Layer rules, among other advanced features to control network traffic.

 

A example of simple functionality would be blocking network traffic to or from a specific IP address, or all network traffic to a specific port number. An example of more advanced functionality would be blocking all network traffic that appears to be SSH or FTP traffic to any port on any IP address.

PV033Native Anti-Tampering Protections

Commercial security software may include native anti-tampering protections that prevent attempts to interfere with its operations, such as deleting or renaming required files.

PV034Protocol Allow Listing

Only allow necessary protocols to communicate over the network. Implement strict access controls to prevent unauthorized protocols from being used. Typically these controls would be implemented on next-generation firewalls with Deep Packet Inspection (DPI) and other network security appliances.

PV035Restrict Disc Media Mounting, Group Policy

Using Group Policy on Windows it is possible to block execute, read, and write operations related to a CD/DVD drive.


In the Group Policy Editor, navigate to:
Computer Configuration -> Administrative Templates -> System -> Removable Storage Access

 

Open the following policies and set them all to Enabled:

CD and DVD: Deny execute access,

CD and DVD: Deny read access,

CD and DVD: Deny write access

PV036Restrict Floppy Drive Mounting, Group Policy

Using Group Policy on Windows it is possible to block execute, read, and write operations related to a floppy disk.


In the Group Policy Editor, navigate to:
Computer Configuration -> Administrative Templates -> System -> Removable Storage Access

 

Open the following policies and set them all to Enabled:

Floppy Drives: Deny execute access

Floppy Drives: Deny read access

Floppy Drives: Deny write access

PV037Restrict Removable Disk Mounting, Group Policy

Using Group Policy on Windows it is possible to block execute, read, and write operations related to a removeable disk, such as an SD card or USB mass storage devices.


In the Group Policy Editor, navigate to:
Computer Configuration -> Administrative Templates -> System -> Removable Storage Access

 

Open the following policies and set them all to Enabled:

Removeable Disk: Deny execute access

Removeable Disk: Deny read access

Removeable Disk: Deny write access

PV038Insider Threat Awareness Training

Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion.

PV039Employee Mental Health & Support Program

Offering mental health support and conflict resolution programs to
help employees identify and report manipulative behavior in the
workplace

PV040Network Access Control (NAC)

Network Access Control (NAC) manages and regulates devices accessing a organization's network(s), including personal devices under a Bring Your Own Device (BYOD) policy. NAC systems ensure that only authorized and compliant devices can connect to the network, reducing security risks.
 

NAC performs the following functions:

  • Device Authentication and Authorization: Checks whether the device meets the organization’s security policies before granting access.
  • Compliance Checks: Verifies that devices have up-to-date security patches and configurations. Non-compliant devices may be denied access or placed in a quarantined network zone.
  • Segmentation and Isolation: Restricts devices' access to sensitive areas, limiting potential impact from compromised devices.
  • Continuous Monitoring: Tracks connected devices for ongoing compliance and can automatically quarantine or disconnect those that fall out of compliance.
  • Policy Enforcement: Applies security policies to ensure devices can only access appropriate resources based on their security status.

 

NAC functionality can be provided by dedicated NAC appliances, next-generation firewalls, unified threat management devices, and some network switches and routers.

PV041Mobile Device Management (MDM)

MDM solutions require employees to register their personal devices with the organization's MDM system before gaining access to corporate networks and applications. This process ensures that only approved and known devices are permitted to connect.

 

Once a device is enrolled, the MDM system can enforce security policies that include:

  • Access Control: Restricting or granting access based on the device's compliance with corporate security standards.
  • Configuration Management: Ensuring that devices are configured securely, with up-to-date operating systems and applications.
  • Remote Wipe and Lock: Allowing the organization to remotely wipe or lock a device if it is lost, stolen, or if suspicious activity is detected.
  • Data Encryption: Enforcing encryption for data stored on and transmitted by the device to protect sensitive information.
  • Application Control: Managing and restricting the installation of unauthorized applications that could pose security risks.
PV042Employee Vulnerability Support Program

A structured program, including a helpline or other reporting mechanism, designed to assist employees who feel vulnerable, whether due to personal issues, coercion, or extortion. This process allows employees to confidentially raise concerns with trusted teams, such as Human Resources or other qualified professionals. In some cases, it may be appropriate to discreetly share this information with trusted individuals within the Insider Risk Management Program to help prevent and detect insider threats while also providing necessary support to the employee.

PV043Restrict Windows System Time Modification

Using Group Policy on Windows it is possible to block the ability for users to modify the system date/time.

 

In the Group Policy Editor, navigate to:
Computer Configuration -> Windows Settings -> Security Settings → Local Policies → User Rights Assignment → Change the system time

 

Remove any users or groups that do not need this permission.

PV044Windows Time Service Synchronization

The Windows Time service (W32Time) synchronizes the date and time for all computers managed by Active Directory Domain Services (AD DS). While this does not prevent local system tampering, it ensures that any changes are temporary and will only last until the next synchronization.

 

Alternatively, hosts can be configured to use an internal or external Network Time Protocol (NTP) server, that can synchronize the system time.

PV045Exchange Restrict Outbound Emails via Recipient Domain

Mail flow rules can be used within Microsoft Exchange to reject outbound emails to specific domains, such as domains associated with personal email, including gmail.com, outlook.com, and yahoo.com.

 

  1. Log in to Exchange Admin Centre (https://admin.exchange.microsoft.com)
  2. Click “Mail flow” on the navigation menu, then the “Rules” tab
  3. Click “+ Add a rule” then “Create a new rule”
  4. Give it an appropriate name, such as “Block outbound to gmail.com”
  5. Set “Apply this rule if" to “The recipient” and “Domain is” then add the domain “gmail.com”
  6. Set “Do the following” to “Block the message” and either “Reject the message and include an explanation” (if you want to notify the sending mailbox), or “Delete the message without notifying anyone” (if you do not want to notify the sending mailbox)

 

It is important to note that this could cause operational disruption if emailing from within the organization to the listed blocked domains is expected. It is possible to configure the “Except if” condition of the rule to whitelist outbound emails based on properties such as the sending mailbox, subject line, or other conditions.

PV046Regulation Awareness Training

Regulation Awareness Training equips staff with the knowledge and understanding required to comply with legal, regulatory, and policy obligations relevant to their roles. This includes, but is not limited to, export controls, international sanctions, anti-bribery laws, conflict-of-interest rules, antitrust regulations, and data protection requirements.

 

The training should be customized according to the specific risks of different roles within the organization, ensuring that employees in high-risk areas—such as legal, procurement, sales, finance, engineering, and senior management—receive in-depth education on how to recognize and avoid behaviors that could lead to regulatory violations. Scenarios that could result in inadvertent or intentional breaches should be addressed, alongside practical advice on how to report concerns and escalate issues.

 

To accommodate varying learning styles and operational needs, Regulation Awareness Training can be delivered through multiple formats:

 

  • eLearning Modules: For general staff, to provide flexible, scalable training on compliance topics, which can be completed at the employee's convenience.
  • Instructor-led Sessions: For higher-risk roles or senior management, where more interactive, in-depth training may be necessary to address complex regulatory requirements and nuanced decision-making.
  • Scenario-based Workshops: To reinforce learning with real-world examples and role-playing exercises that help employees internalize regulatory concepts.

 

By fostering a culture of compliance and accountability, Regulation Awareness Training helps minimize the risk of breaches, whether intentional or accidental, and strengthens the organization’s ability to identify, prevent, and respond to regulatory infringements.

PV047Implement MIP Sensitivity Labels

Microsoft Information Protection (MIP) sensitivity labels are powerful tools for preventing unauthorized access, data leakage, data loss and other types of insider events through classification and protection of sensitive content. When applied to documents, emails, and other content, MIP labels embed metadata that enforces encryption, access control policies, and usage restrictions — all of which persist even if the content is shared or moved outside the organization’s environment. This proactive protection mechanism helps to ensure that data loss, misuse, or regulatory breaches are minimized, regardless of where or how the data is accessed.

 

Persistent Protection through Azure Rights Management (Azure RMS)
One of the key features of MIP labels is their ability to enforce encryption and access control via Azure Rights Management (Azure RMS). When a document or email is assigned a sensitivity label such as Highly Confidential, it triggers policies that encrypt the file, limiting who can open it and what actions can be performed. For example, a Highly Confidential document might be encrypted so that only authorized users in specific security groups can access it. Additionally, these policies may prevent recipients from forwarding, printing, copying, or even accessing the document offline, ensuring that sensitive data cannot be shared beyond authorized channels.

 

Automatic and Recommended Labeling
MIP labels also support automatic and recommended labeling. Labels can be automatically applied based on content that is identified as sensitive (such as credit card numbers, Social Security numbers, or intellectual property). This reduces reliance on users to manually select the correct label, ensuring that content is always classified according to its sensitivity level. For example, a file containing financial data or personally identifiable information (PII) may automatically receive a Confidential label, which immediately triggers encryption and access controls. By applying labels automatically, organizations can minimize the risk of human error in classifying sensitive content and ensure that protective measures are consistently applied.

 

Enforcing Access Governance and User Restrictions
MIP labels are directly integrated with Azure Active Directory (Azure AD) and Microsoft 365 security groups, allowing organizations to enforce access governance. Each label can define the users or groups who are permitted to access certain types of content. For example, a document labeled Confidential may be restricted to a specific department or team, preventing unauthorized users from viewing or editing it. Access to content labeled with higher sensitivity, such as Highly Confidential, can be further restricted to executives or security professionals, ensuring that only authorized individuals can access critical business data. These policies persist even when the content is shared outside the organization or accessed on non-corporate devices.

 

Blocking Unauthorized Sharing and Transfers
Through integration with Microsoft Defender for Office 365 and Data Loss Prevention (DLP) policies, MIP labels can enforce automatic blocking of unauthorized sharing or transfer of sensitive content. For example, when a document is labeled as Internal Use Only, any attempt to share it externally via email, cloud storage, or external USB devices can be blocked automatically by DLP policies. Labels can also be configured to restrict sharing links to specific people or groups and can enforce expiration on shared links. This ensures that sensitive data remains within the organization and cannot be accessed by unauthorized individuals or systems.

 

Policy Enforcement in Microsoft Teams and SharePoint
MIP labels are integrated across key collaboration tools like Microsoft Teams and SharePoint, providing seamless protection in the cloud. In these environments, sensitivity labels govern sharing permissions, access rights, and file handling. For instance, if a file is labeled as Confidential, it might be restricted from being shared externally via Teams or SharePoint. These platforms can also prevent file download and sharing for users in unmanaged or non-compliant environments, ensuring that sensitive data cannot be accessed outside the organization's controlled infrastructure. MIP labels also enable policies that enforce restrictions on guest access, preventing external parties from viewing or editing sensitive content unless explicitly permitted.

 

Blocking Label Downgrades and Enforcing Label Change Justification
To prevent unauthorized downgrading of content labels, MIP provides mechanisms to block label downgrades without proper justification. For example, a user may not be allowed to change a document’s label from Confidential to Public without providing an explicit justification. Such actions are logged and may trigger alerts for review by security teams. This ensures that users cannot bypass sensitive information protection policies by reclassifying content to a lower sensitivity level. Moreover, any label changes are auditable, helping organizations track and monitor potential attempts to circumvent security protocols.

 

Preventing Exfiltration in Cloud and Endpoint Contexts
MIP labels integrate with Microsoft Defender for Endpoint and Defender for Cloud Apps, providing protection against exfiltration of sensitive data through cloud and endpoint channels. By applying labels to sensitive documents, organizations can enforce controls that restrict their movement across corporate boundaries. For example, when a file labeled Confidential is accessed from an unmanaged device or through a risky application, it may be blocked from being downloaded or printed, preventing potential exfiltration. Additionally, organizations can configure conditional access policies to prevent data access based on the device’s compliance or security status, ensuring that sensitive information is protected even when users access it from external sources.

PV048Privileged Access Management (PAM)

Privileged Access Management (PAM) is a critical security practice designed to control and monitor access to sensitive systems and data. By managing and securing accounts with elevated privileges, PAM helps reduce the risk of insider threats and unauthorized access to critical infrastructure.

 

Key Prevention Measures:


Least Privilege Access: PAM enforces the principle of least privilege by ensuring users only have access to the systems and data necessary for their role, limiting opportunities for misuse.

  • Just-in-Time (JIT) Access: PAM solutions provide temporary, on-demand access to privileged accounts, ensuring users can only access sensitive environments for a defined period, minimizing exposure.
  • Centralized Credential Management: PAM centralizes the management of privileged accounts and credentials, automatically rotating passwords and securely storing sensitive information to prevent unauthorized access.
  • Monitoring and Auditing: PAM solutions continuously monitor and log privileged user activities, providing a detailed audit trail for detecting suspicious behavior and ensuring accountability.
  • Approval Workflows: PAM incorporates approval processes for accessing privileged accounts, ensuring that elevated access is granted only when justified and authorized by relevant stakeholders.

 

Benefits:


PAM enhances security by reducing the attack surface, improving compliance with regulatory standards, and enabling greater control over privileged access. It provides robust protection for critical systems by limiting unnecessary exposure to high-level access, facilitating auditing and accountability, and minimizing opportunities for both insider and external threats.