ITM is an open framework - Submit your contributions now.

Preventions

No Ready System-Level Mitigation

Restrict Access to Administrative Privileges

Enforce an Acceptable Use Policy

Enforce a Social Media Policy

Install an Anti-Virus Solution

Install a Web Proxy Solution

Restrict Access to Registry Editor

Enforce File Permissions

Prohibition of Devices On-site

Physical Access Controls

End-User Security Awareness Training

Pre-Employment Background Checks

Disable Printing, Windows

Application Whitelisting

Enforce a Data Classification Policy

Prohibit Email Auto-Forwarding to External Domains, Exchange

Network Intrusion Prevention Systems

Data Loss Prevention Solution

DNS Filtering

Internal Whistleblowing

Access Reviews

Employee Off-boarding Process

Full Disk Encryption

Restrict Mobile Clipboard via Intune App Protection Policies

Financial Approval Process

Corporate Card Spending Limits

Enterprise-Managed Web Browsers

Bootloader Password

Next-Generation Firewalls

Native Anti-Tampering Protections

Protocol Allow Listing

Restrict Disc Media Mounting, Group Policy

Restrict Floppy Drive Mounting, Group Policy

Restrict Removable Disk Mounting, Group Policy

Insider Threat Awareness Training

Employee Mental Health & Support Program

Network Access Control (NAC)

Mobile Device Management (MDM)

Employee Vulnerability Support Program

ID: PV039
Created: 13th September 2024
Updated: 13th September 2024
Contributor: Malik Girondin

Employee Mental Health & Support Program

Offering mental health support and conflict resolution programs to
help employees identify and report manipulative behavior in the
workplace

Sections

ID	Name	Description
IF021	Harassment and Discrimination	A subject engages in unauthorized conduct that amounts to harassment or discriminatory behavior within the workplace, targeting individuals or groups based on protected characteristics, such as race, gender, religion, or other personal attributes. Incidents of harassment and discrimination may expose the organization to legal risks, potential reputational damage, and regulatory penalties. Additionally, individuals affected by such behavior may be at higher risk of retaliating or disengaging from their work, potentially leading to further insider risks.
MT012.003	Psychological Manipulation	A third party uses deception, exploitation, or other unethical methods to psychologically manipulate a subject over time, with the intent to influence their perceptions, actions, and decisions. This manipulation can lead the subject to, knowingly or unknowingly, act against the organization’s interests.
MT012.005	Romantic Seduction	A malicious third party employs romantic interest or seduction as a manipulation tactic. Through emotional and psychological engagement, the third party persuades the subject to reveal confidential information, grant access to restricted resources, or carry out actions detrimental to the organization.
MT012.007	Sexual Extortion	A subject is extorted by a third party threatening to expose sexual or indecent images connected to them, a tactic commonly referred to as sextortion. These images may be real, obtained by a third party, AI-generated, ‘deep fake’ images resembling the subject, or entirely fabricated claims. The extortion is typically financially motivated, which can drive the subject to harm the organization for personal gain. Alternatively, the third party may coerce the subject into compromising the organization by revealing sensitive information or granting unauthorized access.
MT012.006	Long-Term Relationship Building	A malicious third party gradually builds a relationship with the subject over an extended period, slowly gaining their trust. This trust is then exploited to access sensitive information or systems, often without the knowledge of the subject.
MT012.004	Emotional Vulnerability	A subject’s emotional state is exploited by a malicious third party, particularly during periods of heightened stress, grief, or personal hardship. The third party leverages this vulnerability to manipulate the subject into revealing sensitive information or performing actions that could compromise the organization.
MT005.003	Financial Desperation	A subject facing financial difficulties attempts to resolve their situation by exploiting their access to or knowledge of the organization. This may involve selling access or information to a third party or conspiring with others to cause harm to the organization for financial gain.
MT012.002	Extortion	A third party uses threats or intimidation to demand that a subject divulge information, grant access to devices or systems, or otherwise cause harm or undermine a target organization.
MT012.001	Social Engineering (Inbound)	A third party deceptively manipulates and/or persuades a subject to divulge information, or gain access to devices or systems, or to otherwise cause harm or undermine a target organization.

References

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10536959/