ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PV042
  • Created: 22nd September 2024
  • Updated: 22nd September 2024
  • Contributor: The ITM Team

Employee Vulnerability Support Program

A structured program, including a helpline or other reporting mechanism, designed to assist employees who feel vulnerable, whether due to personal issues, coercion, or extortion. This process allows employees to confidentially raise concerns with trusted teams, such as Human Resources or other qualified professionals. In some cases, it may be appropriate to discreetly share this information with trusted individuals within the Insider Risk Management Program to help prevent and detect insider threats while also providing necessary support to the employee.

Sections

ID Name Description
IF021Harassment and Discrimination

A subject engages in unauthorized conduct that amounts to harassment or discriminatory behavior within the workplace, targeting individuals or groups based on protected characteristics, such as race, gender, religion, or other personal attributes. Incidents of harassment and discrimination may expose the organization to legal risks, potential reputational damage, and regulatory penalties. Additionally, individuals affected by such behavior may be at higher risk of retaliating or disengaging from their work, potentially leading to further insider risks.

MT021Conflicts of Interest

A subject may be motivated by personal, financial, or professional interests that directly conflict with their duties and obligations to the organization. This inherent conflict of interest can lead the subject to engage in actions that compromise the organization’s values, objectives, or legal standing.

 

For instance, a subject who serves as a senior procurement officer at a company may have a financial stake in a vendor company that is bidding for a contract. Despite knowing that the vendor's offer is subpar or overpriced, the subject might influence the decision-making process to favor that vendor, as it directly benefits their personal financial interests. This conflict of interest could lead to awarding the contract in a way that harms the organization, such as incurring higher costs, receiving lower-quality goods or services, or violating anti-corruption regulations.

 

The presence of a conflict of interest can create a situation where the subject makes decisions that intentionally or unintentionally harm the organization, such as promoting anti-competitive actions, distorting market outcomes, or violating regulatory frameworks. While the subject’s actions may be hidden behind professional duties, the conflict itself acts as the driving force behind unethical or illegal behavior. These infringements can have far-reaching consequences, including legal ramifications, financial penalties, and damage to the organization’s reputation.

ME024Access

A subject holds access to both physical and digital assets that can enable insider activity. This includes systems such as databases, cloud platforms, and internal applications, as well as physical environments like secure office spaces, data centers, or research facilities. When a subject has access to sensitive data or systems—especially with broad or elevated privileges—they present an increased risk of unauthorized activity.

 

Subjects in roles with administrative rights, technical responsibilities, or senior authority often have the ability to bypass controls, retrieve restricted information, or operate in areas with limited oversight. Even standard user access, if misused, can facilitate data exfiltration, manipulation, or operational disruption. Weak access controls—such as excessive permissions, lack of segmentation, shared credentials, or infrequent reviews—further compound this risk by enabling subjects to exploit access paths that should otherwise be limited or monitored.

 

Furthermore, subjects with privileged or strategic access may be more likely to be targeted for recruitment by external parties to exploit their position. This can include coercion, bribery, or social engineering designed to turn a trusted insider into an active participant in malicious activities.

ME025Placement

A subject’s placement within an organization shapes their potential to conduct insider activity. Placement refers to the subject’s formal role, business function, or proximity to sensitive operations, intellectual property, or critical decision-making processes. Subjects embedded in trusted positions—such as those in legal, finance, HR, R&D, or IT—often possess inherent insight into internal workflows, organizational vulnerabilities, or confidential information.

 

Strategic placement can grant the subject routine access to privileged systems, classified data, or internal controls that, if exploited, may go undetected for extended periods. Roles that involve oversight responsibilities or authority over process approvals can also allow for policy manipulation, the suppression of alerts, or the facilitation of fraudulent actions.

 

Subjects in these positions may not only have a higher capacity to carry out insider actions but may also be more appealing targets for adversarial recruitment or collusion, given their potential to access and influence high-value organizational assets. The combination of trust, authority, and access tied to their placement makes them uniquely positioned to execute or support malicious activity.

MT012.007Sexual Extortion

A subject is extorted by a third party threatening to expose sexual or indecent images connected to them, a tactic commonly referred to as sextortion. These images may be real, obtained by a third party, AI-generated ‘deep fake’ images resembling the subject, or entirely fabricated claims. The extortion is typically financially motivated, which can drive the subject to harm the organization for personal gain. Alternatively, the third party may coerce the subject into compromising the organization by revealing sensitive information or granting unauthorized access.

MT012.006Long-Term Relationship Building

A malicious third party gradually builds a relationship with the subject over an extended period, slowly gaining their trust. This trust is then exploited to access sensitive information or systems, often without the knowledge of the subject.

MT012.005Romantic Seduction

A malicious third party employs romantic interest or seduction as a manipulation tactic. Through emotional and psychological engagement, the third party persuades the subject to reveal confidential information, grant access to restricted resources, or carry out actions detrimental to the organization.

MT012.004Emotional Vulnerability

A subject’s emotional state is exploited by a malicious third party, particularly during periods of heightened stress, grief, or personal hardship. The third party leverages this vulnerability to manipulate the subject into revealing sensitive information or performing actions that could compromise the organization.

MT005.003Financial Desperation

A subject facing financial difficulties attempts to resolve their situation by exploiting their access to or knowledge of the organization. This may involve selling access or information to a third party or conspiring with others to cause harm to the organization for financial gain.

MT012.003Psychological Manipulation

A third party uses deception, exploitation, or other unethical methods to psychologically manipulate a subject over time, with the intent to influence their perceptions, actions, and decisions. This manipulation can lead the subject to, knowingly or unknowingly, act against the organization’s interests.

MT012.002Extortion

A third party uses threats or intimidation to demand that a subject divulge information, grant access to devices or systems, or otherwise cause harm or undermine a target organization.

MT012.001Social Engineering (Inbound)

A third party deceptively manipulates and/or persuades a subject to divulge information, or gain access to devices or systems, or to otherwise cause harm or undermine a target organization.

IF023.001Export Violations

Export violations occur when a subject engages in the unauthorized transfer of controlled goods, software, technology, or technical data to foreign persons or destinations, in breach of applicable export control laws and regulations. These laws are designed to protect national security, economic interests, and international agreements by restricting the dissemination of sensitive materials and know-how.

 

Such violations often involve the failure to obtain the necessary export licenses, misclassification of export-controlled items, or the improper handling of technical data subject to regulatory oversight. The relevant legal frameworks may include the International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), and similar export control regimes in other jurisdictions.

 

Insiders may contribute to export violations by sending restricted files abroad, sharing controlled technical specifications with foreign nationals (even within the same organization), or circumventing export controls through the use of unauthorized communication channels or cloud services. These actions are considered violations regardless of the recipient’s sanction status and may occur entirely within legal jurisdictions if export-controlled information is shared with unauthorized individuals.

 

Export violations are distinct from sanction violations in that they pertain specifically to the nature of the goods, data, or services exported, and the mechanism of transfer, rather than the status of the recipient.

Failure to comply with export control laws can result in civil and criminal penalties, loss of export privileges, and reputational damage to the organization.

IF023.003Anti-Trust or Anti-Competition

Anti-trust or anti-competition violations occur when a subject engages in practices that unfairly restrict or distort market competition, violating laws designed to protect free market competition. These violations can involve a range of prohibited actions, such as price-fixing, market division, bid-rigging, or the abuse of dominant market position. Such behavior typically aims to reduce competition, manipulate pricing, or create unfair advantages for certain businesses or individuals.

 

Anti-competition violations may involve insiders leveraging their position to engage in anti-competitive practices, often for personal or corporate gain. These violations can result in significant legal and financial penalties, including fines and sanctions, as well as severe reputational damage to the organization involved.

 

Examples of Anti-Trust or Anti-Competition Violations:

 

  • A subject shares sensitive pricing or bidding information between competing companies, enabling coordinated pricing or market manipulation.
  • An insider with knowledge of a merger or acquisition shares details with competitors, leading to coordinated actions that suppress competition.
  • An employee uses confidential market data to form agreements with competitors on market control, stifling competition and violating anti-trust laws.

 

Regulatory Framework:

 

Anti-trust or anti-competition laws are enforced globally by various regulatory bodies. In the United States, the Federal Trade Commission (FTC) and the Department of Justice (DOJ) regulate anti-competitive behavior under the Sherman Act, the Clayton Act, and the Federal Trade Commission Act. In the European Union, the European Commission enforces anti-trust laws under the Treaty on the Functioning of the European Union (TFEU) and the Competition Act.

ME024.001Access to Customer Data

A subject with access to customer data holds the ability to view, retrieve, or manipulate personally identifiable information (PII), account details, transactional records, or support communications. This level of access is common in roles such as customer service, technical support, sales, marketing, and IT administration.

Access to customer data can become a means of insider activity when misused for purposes such as identity theft, fraud, data exfiltration, competitive intelligence, or unauthorized profiling. The sensitivity and volume of customer information available may significantly elevate the risk profile of the subject, especially when this access is unmonitored, overly broad, or lacks audit controls.

 

In some cases, subjects with customer data access may also be targeted by external threat actors for coercion or recruitment, given their ability to obtain regulated or high-value personal information. Organizations must consider how customer data is segmented, logged, and monitored to reduce exposure and detect misuse.

ME024.002Access to Privileged Groups and Non-User Accounts

A subject with access to privileged groups (e.g., Domain Admins, Enterprise Admins, or Security Groups) or non-user accounts (such as service accounts, application identities, or shared mailboxes) gains elevated control over systems, applications, and sensitive organizational data. Access to these groups or accounts often provides the subject with knowledge of security configurations, user roles, and potentially unmonitored or sensitive activities that occur within the system.

 

Shared mailboxes, in particular, are valuable targets. These mailboxes are often used for group communication across departments or functions, containing sensitive or confidential information, such as internal discussions on financials, strategic plans, or employee data. A subject with access to shared mailboxes can gather intelligence from ongoing conversations, identify targets for further exploitation, or exfiltrate sensitive data without raising immediate suspicion. These mailboxes may also bypass some security filters, as their contents are typically considered routine and may not be closely monitored.

 

Access to privileged accounts and shared mailboxes also allows subjects to escalate privileges, alter system configurations, access secure data repositories, or manipulate security settings, making it easier to both conduct malicious activities and cover their tracks. Moreover, service and application accounts often have broader access rights across systems or environments than typical user accounts and are frequently excluded from standard monitoring protocols, offering potential pathways for undetected exfiltration or malicious action.

 

This elevated access gives subjects insight into critical system operations and internal communications, such as unencrypted data flows or internal vulnerabilities. This knowledge not only heightens their potential for malicious conduct but can also make them a target for external threat actors seeking to exploit this elevated access.

ME024.004Access to Physical Hardware

Subjects with physical access to critical hardware—such as data center infrastructure, on-premises servers, network appliances, storage arrays, or specialized equipment like CCTV and alarm systems—represent a significant insider threat due to their ability to bypass logical controls and interact directly with systems. This level of access can facilitate a wide range of security compromises, many of which are difficult to detect through conventional digital monitoring.

 

Physical access may also include proximity to sensitive areas such as network closets, on-premises server racks, backup repositories, or control systems in operational technology (OT) environments. In high-security settings, even brief unsupervised access can be exploited to compromise system integrity or enable ongoing unauthorized access.

 

With this type of access, a subject can:

  • Extract or clone drives and media for offline analysis or exfiltration of sensitive data, including proprietary documents, logs, authentication secrets, and configuration files.
  • Introduce malicious hardware or firmware, such as USB-based keyloggers, hardware implants, or modified components that persist beyond reboots and may evade traditional endpoint protections.
  • Bypass access controls by booting from external media, altering BIOS or UEFI settings, or resetting system passwords using direct hardware manipulation.
  • Install or modify software directly on the system, enabling surveillance tools, remote access backdoors, or malicious code that blends in with legitimate system processes.
  • Capture network traffic by tapping physical interfaces or inserting intermediary devices such as portable switches, protocol analyzers, or rogue wireless access points.
  • Disable security mechanisms, such as disconnecting monitoring systems, tampering with surveillance equipment, or disabling redundant power and failover systems to induce outages.

 

In operational environments, subjects with access to physical control systems (e.g., ICS/SCADA components, industrial HMIs, or IoT gateways) may alter processes, cause service disruptions, or create safety hazards. Similarly, access to CCTV or badge systems may allow them to erase footage, monitor employee movements, or manipulate access control logs.

 

Subjects with this form of access represent an elevated risk, especially when combined with technical knowledge or administrative privileges. The risk is compounded in environments with limited physical security controls, inadequate logging of physical entry, or weak segmentation between physical and digital assets.

ME024.005Access to Physical Spaces

Subjects with authorized access to sensitive physical spaces—such as secure offices, executive areas, data centers, SCIFs (Sensitive Compartmented Information Facilities), R&D labs, or restricted zones in critical infrastructure—pose an increased insider threat due to their physical proximity to sensitive assets, systems, and information.

 

Such spaces often contain high-value materials or information, including printed sensitive documents, whiteboard plans, authentication devices (e.g., smartcards or tokens), and unattended workstations. A subject with physical presence in these locations may observe confidential conversations, access sensitive output, or physically interact with devices outside of typical security monitoring.

 

This type of access can be leveraged to:

  • Obtain unattended or discarded sensitive information, such as printouts, notes, or credentials left on desks.
  • Observe operational activity or decision-making, gaining insight into projects, personnel, or internal dynamics.
  • Access unlocked devices or improperly secured terminals, allowing direct system interaction or credential harvesting.
  • Bypass digital controls via physical means, such as tailgating into secure spaces or using misappropriated access cards.
  • Covertly install or remove equipment, such as data exfiltration tools, recording devices, or physical implants.
  • Eavesdrop on confidential conversations, either directly or through concealed recording equipment, enabling the collection of sensitive verbal disclosures, strategic discussions, or authentication procedures.

 

Subjects in roles that involve frequent presence in sensitive locations—such as cleaning staff, security personnel, on-site engineers, or facility contractors—may operate outside the scope of standard digital access control and may not be fully visible to security teams focused on network activity.

 

Importantly, individuals with this kind of access are also potential targets for recruitment or coercion by external threat actors seeking insider assistance. The ability to physically access secure environments and passively gather high-value information makes them attractive assets in coordinated attempts to obtain or compromise protected information.

 

The risk is magnified in organizations lacking comprehensive physical access policies, surveillance, or cross-referencing of physical and digital access activity. When unmonitored, physical access can provide a silent pathway to support insider operations without leaving traditional digital footprints.

ME025.001Proximity to Strategic Business Functions

A subject’s placement within critical business units or specialized teams can grant them access to highly sensitive operational data, strategic initiatives, and proprietary information. Roles within departments such as executive leadership, corporate strategy, legal, finance, R&D, supply chain management, and security operations position the subject to interact with confidential communications, forward-looking business plans, and strategic decision-making processes.

 

Subjects in close proximity to organizational leadership—including C-suite executives, senior directors, or key decision-makers—are uniquely positioned to access sensitive insights, manipulate decision-making, or gather intelligence on high-stakes initiatives. These individuals may be exposed to:

 

  • Privileged communications such as internal memos, executive briefings, and strategic planning documents that are typically restricted.
  • Pre-decisional data, including merger and acquisition strategies, product development pipelines, and market positioning strategies.
  • Strategic operational plans outlining organizational direction, key resource allocation, and long-term goals.

 

Having direct or indirect access to leaders facilitates eavesdropping on confidential conversations and provides early awareness of business initiatives. This proximity allows the subject to assess organizational vulnerabilities or identify high-value targets for insider exploitation. Furthermore, the subject may be positioned to:

 

  • Influence decision-making through the selective manipulation of information presented to decision-makers. This could include distorting risk profiles or promoting particular courses of action that align with their objectives.
  • Shape the outcome of high-value transactions such as mergers, acquisitions, and partnerships by influencing the information executives receive or the strategies they adopt.
  • Alter project and resource prioritization by subtly steering leadership towards certain initiatives, products, or investments.
  • Impact compliance and risk management practices, potentially distorting organizational responses to regulatory requirements or operational risks.

 

Subjects in such positions hold considerable power to shape business outcomes—both through direct influence over strategic initiatives and by gaining early insights into organizational direction, which can be exploited for personal gain, external manipulation, or other malicious intents.

 

Additionally, such individuals may become targets for recruitment by external entities seeking to exploit their access to confidential business data or influence over strategic decisions. Their proximity to leadership and critical business functions makes them an ideal conduit for conducting insider threats on behalf of external adversaries.

ME025.002Leadership and Influence Over Direct Reports

A subject with a people management role holds significant influence over their direct reports, which can be leveraged to conduct insider activities. As a leader, the subject is in a unique position to shape team dynamics, direct tasks, and control the flow of information within their team. This authority presents several risks, as the subject may:

 

  • Influence team members to inadvertently or deliberately carry out tasks that contribute to the subject’s insider objectives. For instance, a manager might ask a subordinate to access or move sensitive data under the guise of a legitimate business need or direct them to work on projects that will inadvertently support a malicious agenda.
  • Exert pressure on employees to bypass security protocols, disregard organizational policies, or perform actions that could compromise the organization’s integrity. For example, a manager might encourage their team to take shortcuts in security or compliance checks to meet deadlines or targets.
  • Control access to sensitive information, either by virtue of the manager’s role or through the information shared within their team. A people manager may have direct visibility into highly sensitive internal communications, strategic plans, and confidential projects, which can be leveraged for malicious purposes.
  • Isolate team members or limit their exposure to security training, potentially creating vulnerabilities within the team that could be exploited. By controlling the flow of information or limiting access to security awareness resources, a manager can enable an environment conducive to insider threats.
  • Recruit or hire individuals within their team or external candidates who are susceptible to manipulation or willing to participate in insider activities. A subject in a management role could use their hiring influence to bring in new team members who align with or are manipulated into assisting in the subject's illicit plans, increasing the risk of coordinated insider actions.

 

In addition to these immediate risks, subjects in people management roles may also have the ability to recruit individuals from their team for insider activities, subtly influencing them to support illicit actions or help cover up their activities. By fostering a sense of loyalty or manipulating interpersonal relationships, the subject may encourage compliance with unethical actions, making it more difficult for others to detect or challenge the behavior.

 

Given the central role that managers play in shaping team culture and operational practices, the risks posed by a subject in a management position are compounded by their ability to both directly influence the behavior of others and manipulate processes for personal or malicious gain.