The subject is coerced by a third party into harmful or otherwise policy-violating activity through explicit or credible threats of violence, either directed at themselves or at others (e.g., family members, colleagues). This type of coercion often includes real-world intimidation, such as direct verbal or written threats, or more ambiguous references that imply the actor possesses the means or knowledge to inflict physical harm. Examples may include:

- Stated intent to harm the subject’s family unless a system is accessed or data is provided.
- Demonstrations of knowledge of personal routines or addresses.
- Implied physical threat (“We know where you work.” / “Think about your daughter.”) intended to coerce compliance.

In some cases, the coercive actor may belong to or adopt the tactics and posture of organized crime groups or hybrid cyber-physical groups, lending credibility to the threat. The subject’s response may be reluctant, sudden, and inconsistent with previous behavior, reflecting actions taken under acute psychological and physical duress.

This motive reflects extreme coercion and requires careful investigative sensitivity. It may also intersect with criminal law, necessitating immediate coordination with internal legal teams, law enforcement, and/or protective services. In almost all such cases, the organization has a duty to treat the subject as a victim of crime.
Offering mental health support and conflict resolution programs to help employees identify and report manipulative behavior in the workplace
A structured program, including a helpline or other reporting mechanism, designed to assist employees who feel vulnerable, whether due to personal issues, coercion, or extortion. This process allows employees to confidentially raise concerns with trusted teams, such as Human Resources or other qualified professionals. In some cases, it may be appropriate to discreetly share this information with trusted individuals within the Insider Risk Management Program to help prevent and detect insider threats while also providing necessary support to the employee.
Implement a process whereby HR data and observations, including those from managers and colleagues, can be securely communicated in a timely manner to investigators, triggering proactive monitoring of potential insider threats early in their lifecycle. Collaboration between HR teams, managers, colleagues, and investigators is essential for detecting concerning behaviors or changes in an employee's personal circumstances that could indicate an increased risk of insider threat.

Mental Health and Personal Struggles

- Trigger Event: HR receives reports or observes a significant change in an employee's behavior or performance, which may indicate mental health issues or personal struggles that could elevate the likelihood of an insider threat. This information may come from managers, colleagues, or direct observations within HR.
- Indicator: Multiple reports from managers, direct supervisors, or colleagues highlighting behavior changes such as stress, depression, or erratic actions.
- Response: HR teams should notify investigators of high-risk employees with visible signs of distress or any reported instances that might indicate susceptibility to manipulation or exploitation.

Negative Statements or Discontent with the Company

- Trigger Event: HR identifies instances of employees making negative statements about the company, its leadership, or its operations, potentially through personal social media channels, internal communications, or third-party reports. Additionally, such concerns might be raised by managers or colleagues.
- Indicator: Recorded incidents where employees voice dissatisfaction in forums or interactions that may expose vulnerabilities within the company, which may come from colleagues, managers, or HR’s internal channels.
- Response: Immediate referral to investigators for further investigation, including tracking whether such sentiments are coupled with any increase in risky behaviors (e.g., accessing sensitive data or systems without authorization).

Excessive Financial Purchases (Potential Embezzlement or Third-Party Influence)

- Trigger Event: HR or finance teams notice discrepancies in an employee's personal financial behavior, particularly excessive spending patterns that appear inconsistent with their known salary or financial profile. This could indicate embezzlement, financial mismanagement, or payments from third parties. Such concerns may also be raised by managers or colleagues.
- Indicator: Transactions that show a high degree of personal spending or financial behavior inconsistent with the employee’s compensation, possibly flagged by HR, finance, or colleagues who notice unusual behaviors.
- Response: Referral to investigators for correlation with employee access to financial or sensitive company systems, along with further scrutiny of potential illicit financial transactions. Third-party or whistleblower reports, including from colleagues or managers, may also be investigated as part of a broader risk assessment.

Hearsay and Indirect Reports

- Trigger Event: Anonymous or informal reports, such as rumors or gossip circulating in the workplace, that hint at potential insider threat behaviors. These reports, often from colleagues or managers, may be unsubstantiated, but they still warrant an alert if the volume or credibility of the information increases.
- Indicator: Reports or concerns raised by employees, colleagues, or external parties suggesting that an employee may be engaging in unusual behaviors, such as excessive contact with external vendors, financial irregularities, or internal dissatisfaction.
- Response: Investigators work with HR to assess the situation by cross-referencing any concerns, including those from colleagues or managers, with the employee's activity patterns, communication, and access to sensitive systems.

Implementation Considerations

- Collaboration Framework: A clear and secure protocol for HR, managers, colleagues, and investigators to share critical information regarding employees at risk. This should maintain employee privacy and legal protections, while still enabling timely alerts.
- Confidentiality and Privacy: All information related to personal behavior, health, or financial matters must be handled with sensitivity and in accordance with legal and regulatory frameworks, such as GDPR or local privacy laws.
- Continuous Monitoring: Once flagged, employees should be monitored for any other risk indicators, including changes in data access patterns, unapproved system access, or behavior that correlates with identified risks.
Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion.
Provide a process for all staff members to report concerning and/or suspicious behaviour to the organization's security team for review. An internal whistleblowing process should take into consideration the privacy of the reporter and the subject(s) of the report, with specific regard to safeguarding against reprisals against reporters.
This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.
An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity. The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat). Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software. Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.
System logs
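The rule-set correlation described above, as an added example that is not ForScie Matrix code or any vendor's: the server-side step that takes the activity logs shipped by a UAM agent and matches them against rules for screenshot capture, copying data to removable media, compressing files first, and installing deny-listed software. The JSON event layout, field names, rule thresholds and the deny-list contents are assumptions, and the sample log lines are constructed.

```python
"""Rule-set correlation over User Activity Monitoring (UAM) endpoint events.

Added example (not ForScie Matrix or vendor code): the server-side step that
receives agent activity logs and matches them against a rule set. Event
layout, rule thresholds and the software deny-list are assumptions; the log
lines below are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed endpoint activity as JSON lines, one event per line.
SAMPLE_EVENTS = """
{"ts": "2024-05-01T09:02:11", "user": "alice", "type": "process_start", "detail": "excel.exe"}
{"ts": "2024-05-01T09:15:40", "user": "alice", "type": "screenshot", "detail": "PrintScreen"}
{"ts": "2024-05-01T09:16:05", "user": "alice", "type": "screenshot", "detail": "PrintScreen"}
{"ts": "2024-05-01T09:17:30", "user": "alice", "type": "screenshot", "detail": "PrintScreen"}
{"ts": "2024-05-01T11:40:12", "user": "bob", "type": "process_start", "detail": "7z.exe a payroll.7z payroll/"}
{"ts": "2024-05-01T11:42:50", "user": "bob", "type": "file_copy", "path": "payroll.7z", "dest": "removable"}
{"ts": "2024-05-01T14:05:00", "user": "carol", "type": "software_install", "detail": "remote-access-tool-x"}
{"ts": "2024-05-01T16:30:00", "user": "dave", "type": "file_copy", "path": "notes.txt", "dest": "local"}
"""

# Assumed organizational deny-list of software names (placeholders).
RISKY_SOFTWARE = {"remote-access-tool-x", "cloud-sync-client-y"}
# Process names treated as archivers; "compressing files" is one of the
# activities the rule set is meant to surface.
ARCHIVERS = ("7z", "winrar", "zip", "tar")


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def by_user(events):
    """Group events per user; rules are evaluated per user, not per endpoint."""
    groups = {}
    for ev in events:
        groups.setdefault(ev["user"], []).append(ev)
    return groups


def rule_screenshot_burst(user_events, threshold=3, window=timedelta(minutes=5)):
    """Fire when `threshold` screenshots are taken within `window`."""
    shots = [e["ts"] for e in user_events if e["type"] == "screenshot"]
    for i in range(len(shots) - threshold + 1):
        if shots[i + threshold - 1] - shots[i] <= window:
            return f"{threshold}+ screenshots within {window}"
    return None


def rule_archive_then_removable(user_events, window=timedelta(minutes=30)):
    """Fire when an archiver runs and a copy to removable media follows soon after."""
    archive_times = [e["ts"] for e in user_events
                     if e["type"] == "process_start"
                     and e["detail"].lower().startswith(ARCHIVERS)]
    for e in user_events:
        if e["type"] == "file_copy" and e.get("dest") == "removable":
            if any(timedelta(0) <= e["ts"] - t <= window for t in archive_times):
                return f"archive created then {e['path']} copied to removable media"
    return None


def rule_risky_software(user_events):
    """Fire on installation of deny-listed software."""
    for e in user_events:
        if e["type"] == "software_install" and e["detail"].lower() in RISKY_SOFTWARE:
            return f"installed deny-listed software {e['detail']}"
    return None


RULES = [
    ("screenshot_burst", rule_screenshot_burst),
    ("archive_then_removable", rule_archive_then_removable),
    ("risky_software", rule_risky_software),
]


def correlate(text):
    """Run every rule for every user; return {user: [(rule_name, reason), ...]}."""
    alerts = {}
    for user, evs in by_user(parse_events(text)).items():
        hits = [(name, msg) for name, fn in RULES if (msg := fn(evs))]
        if hits:
            alerts[user] = hits
    return alerts


if __name__ == "__main__":
    for user, hits in correlate(SAMPLE_EVENTS).items():
        for name, reason in hits:
            print(f"[{name}] {user}: {reason}")
```

The sequence rule (archive, then copy to removable media) is the part worth copying: a single file copy or a single archiver launch is routine, so correlating the two within a window on the server side is what separates a usable alert from noise. Thresholds and the deny-list belong in configuration, not code, in a real deployment.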
An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity. The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established. A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious. Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.
System logs
A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers). Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.
System logs
Social Media Monitoring refers to monitoring social media interactions to identify organizational risks, such as employees disclosing confidential information and making statements that could harm the organization (either directly or through an employment association).
Multiple sources
Deploy User and Entity Behavior Analytics (UEBA) solutions designed for cloud environments to monitor and analyze the behavior of users, applications, network devices, servers, and other non-human resources. UEBA systems track normal behavior patterns and detect anomalies that could indicate potential insider events. For instance, they can identify when a user or entity is downloading unusually large volumes of data, accessing an excessive number of resources, or engaging in data transfers that deviate from their usual behavior.
Network traffic
Implement User Behavior Analytics (UBA) tools to continuously monitor and analyze user (human) activities, detecting anomalies that may signal security risks. UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. UBA can also provide real-time alerts when users engage in behavior that deviates from established baselines, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider events.
Multiple sources
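The baseline-then-anomaly approach described for the UBA agent, cloud UEBA and UBA entries above (unusually large downloads, an excessive number of resources, off-hours access, unfamiliar locations), as an added example that is not ForScie Matrix or product code. A per-user statistical profile (mean and standard deviation of daily volume and resource count, plus the hours and locations seen during baselining) stands in for the trained ML model the text describes; the record layout, the z-score threshold and every daily summary are assumptions and constructed data.

```python
"""Baselining followed by anomaly scoring, in the style of a UBA/UEBA platform.

Added example (not ForScie Matrix or vendor code). A simple per-user
statistical profile stands in for the ML model described in the text.
Record layout, thresholds and all records below are assumptions/constructed.
"""
from statistics import mean, pstdev

MB = 1_000_000

# Constructed per-user daily summaries from the baselining window.
# "hours" is the set of hours (0-23) in which the user was active that day.
BASELINE_DAYS = [
    {"user": "alice", "day": "day-01", "bytes": 100 * MB, "resources": 12, "hours": {9, 10, 11, 14}, "location": "office"},
    {"user": "alice", "day": "day-02", "bytes": 110 * MB, "resources": 14, "hours": {9, 12, 15, 16}, "location": "office"},
    {"user": "alice", "day": "day-03", "bytes": 120 * MB, "resources": 13, "hours": {10, 11, 13, 17}, "location": "office"},
    {"user": "alice", "day": "day-04", "bytes": 130 * MB, "resources": 15, "hours": {9, 10, 14, 15}, "location": "office"},
    {"user": "alice", "day": "day-05", "bytes": 140 * MB, "resources": 16, "hours": {9, 11, 12, 16}, "location": "office"},
    {"user": "alice", "day": "day-06", "bytes": 115 * MB, "resources": 14, "hours": {10, 13, 14, 15}, "location": "office"},
    {"user": "alice", "day": "day-07", "bytes": 125 * MB, "resources": 14, "hours": {9, 10, 15, 17}, "location": "office"},
    {"user": "bob", "day": "day-01", "bytes": 50 * MB, "resources": 5, "hours": {8, 9, 13}, "location": "office"},
    {"user": "bob", "day": "day-02", "bytes": 55 * MB, "resources": 6, "hours": {8, 10, 14}, "location": "home"},
    {"user": "bob", "day": "day-03", "bytes": 60 * MB, "resources": 7, "hours": {9, 11, 15}, "location": "office"},
    {"user": "bob", "day": "day-04", "bytes": 65 * MB, "resources": 8, "hours": {8, 12, 16}, "location": "home"},
    {"user": "bob", "day": "day-05", "bytes": 70 * MB, "resources": 6, "hours": {9, 10, 13}, "location": "office"},
    {"user": "bob", "day": "day-06", "bytes": 58 * MB, "resources": 7, "hours": {8, 11, 14}, "location": "office"},
    {"user": "bob", "day": "day-07", "bytes": 62 * MB, "resources": 5, "hours": {9, 12, 15}, "location": "home"},
]

# Constructed days to score once baselining is complete.
NEW_DAYS = [
    {"user": "alice", "day": "day-08", "bytes": 2_000 * MB, "resources": 15, "hours": {9, 10, 14}, "location": "office"},
    {"user": "alice", "day": "day-09", "bytes": 110 * MB, "resources": 13, "hours": {22, 23}, "location": "vpn-exit-unknown"},
    {"user": "bob", "day": "day-08", "bytes": 60 * MB, "resources": 40, "hours": {10, 11}, "location": "home"},
    {"user": "carol", "day": "day-08", "bytes": 10 * MB, "resources": 3, "hours": {9}, "location": "office"},
]


def build_baseline(records):
    """Per-user profile: mean/stddev of volume and resource count, plus the
    hours and locations observed. This is the 'baselining' period."""
    profiles = {}
    for user in sorted({r["user"] for r in records}):
        rows = [r for r in records if r["user"] == user]
        volumes = [r["bytes"] for r in rows]
        counts = [r["resources"] for r in rows]
        profiles[user] = {
            "bytes": (mean(volumes), pstdev(volumes)),
            "resources": (mean(counts), pstdev(counts)),
            "hours": set().union(*(r["hours"] for r in rows)),
            "locations": {r["location"] for r in rows},
        }
    return profiles


def zscore(value, mu, sigma):
    """Standard score; a zero-variance baseline flags any departure from it."""
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def score_day(profile, rec, z_threshold=3.0):
    """Findings for one day of activity measured against the user's profile."""
    findings = []
    for field, label in (("bytes", "download volume"), ("resources", "distinct resources")):
        z = zscore(rec[field], *profile[field])
        if z > z_threshold:
            findings.append(f"{label} {rec[field]} is {z:.1f} sigma above baseline")
    off_hours = rec["hours"] - profile["hours"]
    if off_hours:
        findings.append(f"activity in unfamiliar hours {sorted(off_hours)}")
    if rec["location"] not in profile["locations"]:
        findings.append(f"access from unfamiliar location {rec['location']}")
    return findings


def detect(baseline_records, new_records, z_threshold=3.0):
    """Build profiles from the baselining window, then score each new day.
    Returns {user: [finding, ...]}. A user with no baseline is reported rather
    than silently skipped, since a new or reactivated account is itself notable."""
    profiles = build_baseline(baseline_records)
    alerts = {}
    for rec in new_records:
        profile = profiles.get(rec["user"])
        if profile is None:
            alerts.setdefault(rec["user"], []).append(f"{rec['day']}: no baseline for user")
            continue
        for finding in score_day(profile, rec, z_threshold):
            alerts.setdefault(rec["user"], []).append(f"{rec['day']}: {finding}")
    return alerts


if __name__ == "__main__":
    for user, findings in detect(BASELINE_DAYS, NEW_DAYS).items():
        for finding in findings:
            print(f"{user}: {finding}")
```

Two caveats carry over to real platforms: the baselining window must itself be clean (an insider already active during baselining is learned as "normal"), and a zero-variance feature needs explicit handling or it either divides by zero or never fires, which is why `zscore` treats any departure from a constant baseline as anomalous.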
This technique is part of the ForScie Insider Threat Matrix, a community-driven knowledge base for insider threat intelligence.