Preventions
- ID: PV038
- Created: 13th September 2024
- Updated: 13th September 2024
- Contributor: Malik Girondin
Insider Threat Awareness Training
Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion.
Sections
| ID | Name | Description |
|---|---|---|
| MT002 | Mover | A subject moves within the organisation to a different team with the intent to gain access to sensitive data or to circumvent controls or to otherwise contravene internal policies. |
| MT003 | Leaver | A subject leaving the organisation with access to sensitive data with the intent to access and exfiltrate sensitive data or otherwise contravene internal policies. |
| MT012.003 | Psychological Manipulation | A third party uses deception, exploitation, or other unethical methods to psychologically manipulate a subject over time, with the intent to influence their perceptions, actions, and decisions. This manipulation can lead the subject to, knowingly or unknowingly, act against the organization’s interests. |
| MT012.007 | Sexual Extortion | A subject is extorted by a third party threatening to expose sexual or indecent images connected to them, a tactic commonly referred to as sextortion. These images may be real, obtained by a third party, AI-generated, ‘deep fake’ images resembling the subject, or entirely fabricated claims. The extortion is typically financially motivated, which can drive the subject to harm the organization for personal gain. Alternatively, the third party may coerce the subject into compromising the organization by revealing sensitive information or granting unauthorized access. |
| MT012.006 | Long-Term Relationship Building | A malicious third party gradually builds a relationship with the subject over an extended period, slowly gaining their trust. This trust is then exploited to access sensitive information or systems, often without the knowledge of the subject. |
| MT012.005 | Romantic Seduction | A malicious third party employs romantic interest or seduction as a manipulation tactic. Through emotional and psychological engagement, the third party persuades the subject to reveal confidential information, grant access to restricted resources, or carry out actions detrimental to the organization. |
| MT012.004 | Emotional Vulnerability | A subject’s emotional state is exploited by a malicious third party, particularly during periods of heightened stress, grief, or personal hardship. The third party leverages this vulnerability to manipulate the subject into revealing sensitive information or performing actions that could compromise the organization. |
| MT005.003 | Financial Desperation | A subject facing financial difficulties attempts to resolve their situation by exploiting their access to or knowledge of the organization. This may involve selling access or information to a third party or conspiring with others to cause harm to the organization for financial gain. |
| MT012.002 | Extortion | A third party uses threats or intimidation to demand that a subject divulge information, grant access to devices or systems, or otherwise cause harm or undermine a target organization. |
| MT012.001 | Social Engineering (Inbound) | A third party deceptively manipulates and/or persuades a subject to divulge information, or gain access to devices or systems, or to otherwise cause harm or undermine a target organization. |