Comprehensive threat intelligence covering motivations, capabilities, activities, and techniques from real-world insider threats, with prevention strategies and detection methods from the cybersecurity community.
The subject deliberately pushes or tests organizational policies, rules, or controls to assess tolerance levels, detect oversight gaps, or gain a sense of impunity. While initial actions may appear minor or exploratory, boundary testing serves as a psychological and operational precursor to more serious misconduct.

Characteristics:
- Motivated by curiosity, challenge-seeking, or early-stage dissatisfaction.
- Actions often start small: minor policy violations, unauthorized accesses, or circumvention of procedures.
- Rationalizations include beliefs that policies are overly rigid, outdated, or unfair.
- Boundary testing behavior may escalate if it is unchallenged, normalized, or inadvertently rewarded.
- Subjects often seek to gauge the likelihood and severity of consequences before considering larger or riskier actions.
- Testing may be isolated or gradually evolve into opportunism, retaliation, or deliberate harm.

Example Scenario:
A subject repeatedly circumvents minor IT security controls (e.g., bypassing content filters, using personal devices against policy) without immediate consequences. Encouraged by the lack of enforcement, the subject later undertakes unauthorized data transfers, rationalizing the behavior based on perceived inefficiencies and low risk of detection.
A subject is persuaded against their will to access and exfiltrate or destroy sensitive data, or conduct some other act that harms or undermines the target organization.
A subject’s emotional state is exploited by a malicious third party, particularly during periods of heightened stress, grief, or personal hardship. The third party leverages this vulnerability to manipulate the subject into revealing sensitive information or performing actions that could compromise the organization.
A third party uses threats or intimidation to demand that a subject divulge information, grant access to devices or systems, or otherwise cause harm or undermine a target organization.
A malicious third party gradually builds a relationship with the subject over an extended period, slowly gaining their trust. This trust is then exploited to access sensitive information or systems, often without the knowledge of the subject.
A third party uses deception, exploitation, or other unethical methods to psychologically manipulate a subject over time, with the intent to influence their perceptions, actions, and decisions. This manipulation can lead the subject to, knowingly or unknowingly, act against the organization’s interests.
A malicious third party employs romantic interest or seduction as a manipulation tactic. Through emotional and psychological engagement, the third party persuades the subject to reveal confidential information, grant access to restricted resources, or carry out actions detrimental to the organization.
A subject is extorted by a third party threatening to expose sexual or indecent images connected to them, a tactic commonly referred to as sextortion. These images may be real, obtained by a third party, AI-generated ‘deep fake’ images resembling the subject, or entirely fabricated claims. The extortion is typically financially motivated, which can drive the subject to harm the organization for personal gain. Alternatively, the third party may coerce the subject into compromising the organization by revealing sensitive information or granting unauthorized access.
A third party deceptively manipulates and/or persuades a subject to divulge information, or gain access to devices or systems, or to otherwise cause harm or undermine a target organization.
A subject may be motivated by personal, financial, or professional interests that directly conflict with their duties and obligations to the organization. This inherent conflict of interest can lead the subject to engage in actions that compromise the organization’s values, objectives, or legal standing. For instance, a subject who serves as a senior procurement officer at a company may have a financial stake in a vendor company that is bidding for a contract. Despite knowing that the vendor's offer is subpar or overpriced, the subject might influence the decision-making process to favor that vendor, as it directly benefits their personal financial interests. This conflict of interest could lead to awarding the contract in a way that harms the organization, such as incurring higher costs, receiving lower-quality goods or services, or violating anti-corruption regulations. The presence of a conflict of interest can create a situation where the subject makes decisions that intentionally or unintentionally harm the organization, such as promoting anti-competitive actions, distorting market outcomes, or violating regulatory frameworks. While the subject’s actions may be hidden behind professional duties, the conflict itself acts as the driving force behind unethical or illegal behavior. These infringements can have far-reaching consequences, including legal ramifications, financial penalties, and damage to the organization’s reputation.
A subject, motivated solely by personal curiosity, may take actions that unintentionally cause or risk harm to an organization. For example, they might install unauthorized software to experiment with its features or explore a network-attached storage (NAS) device without proper authorization.
A subject carries out covert actions, such as the collection of confidential or classified information, for the strategic advantage of a nation-state.
The subject is a current or former asset of a nation-state intelligence service, operating inside the organization with pre-existing loyalty to, or direct affiliation with, a foreign government. Unlike insiders who develop espionage motives post-employment, this subject is often inserted, recruited prior to hiring, or cultivated externally over time and then encouraged to seek access to a target organization. Their motive is the advancement of strategic objectives on behalf of a foreign nation-state. These objectives may include extracting sensitive information, degrading operational resilience, manipulating internal systems or decisions, weakening public or partner trust, or embedding long-term access for future exploitation. Such subjects may be formal intelligence officers, contract operatives, ideological affiliates, or individuals acting under recruitment, coercion, or influence.

Example Scenarios:
- A subject recruited during university by a foreign security service secures a role in a telecommunications provider and enables covert surveillance access for state-level eavesdropping.
- A subject hired into a biopharmaceutical firm has pre-existing links to a state-sponsored “talent program” and transfers research data to affiliated institutions abroad via covert cloud channels.
A subject accesses and exfiltrates or destroys sensitive data or otherwise contravenes internal policies in an attempt to prevent professional reprisals against them or other persons.
Hubris refers to excessive self-confidence, often manifesting as a belief that the subject is above rules, policies, or consequences. The subject sees themselves as indispensable, superior, or uniquely capable—and may rationalize policy violations because they “know better.” The core trait of hubris is a sense of arrogance and superiority, where the subject views themselves as fundamentally above their peers in capability or judgment. The key driver behind this motive is the belief that "I am the exception"—that normal rules or controls are for others, not for someone of their perceived caliber. This often leads to behavior such as circumventing controls, overriding governance processes, or acting unilaterally without authorization, because the subject sees compliance as an unnecessary constraint on their effectiveness. Their justification typically rests on the idea that "the rules don’t apply to me because I’m smarter, more important, or more experienced than those who created them."
The subject has no threatening motive and is not reckless in their actions. The infringement is a result of an honest mistake made by the subject.
A subject is motivated by ideology to access, destroy, or exfiltrate data, or otherwise violate internal policies in pursuit of their ideological goals. Ideology is a structured system of ideas, values, and beliefs that shapes an individual’s understanding of the world and informs their actions. It often encompasses political, economic, and social perspectives, providing a comprehensive and sometimes rigid framework for interpreting events and guiding decision-making. Individuals driven by ideology often perceive their actions as morally justified within the context of their belief system. Unlike those motivated by personal grievances or personal gain, ideological insiders act in service of a cause they deem greater than themselves.
A subject joins the organisation with the pre-formed intent to gain access to sensitive data or otherwise contravene internal policies.
A subject is unaware that they are prohibited from accessing and exfiltrating or destroying sensitive data or otherwise contravening internal policies.
A subject who is leaving the organisation and still has access to sensitive data intends to access and exfiltrate that data or otherwise contravene internal policies.
Data Source: The Insider Threat Matrix is maintained by the ForScie community (forscie.org), providing open-source threat intelligence for the cybersecurity community.
Integration: This assessment platform integrates Matrix techniques with Ponemon Institute cost data and Gartner implementation insights to provide actionable recommendations.