ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™Insider Threat Matrix™
  • ID: IF013
  • Created: 20th June 2024
  • Updated: 02nd October 2025
  • Contributor: The ITM Team

Disruption of Business Operations

The subject causes interruptions, degradation, or instability in organizational systems, processes, or data flows that impair day‑to‑day operations and affect availability, integrity, or service continuity. This category encompasses non‑exfiltrative and non‑theft forms of disruption, distinct from data exfiltration or malware aimed at permanent destruction.

 

Disruptive actions may include misuse of administrative tools, intentional misconfiguration, suppression of services, logic interference, dependency tampering, or selective disabling of critical functions. The objective is operational impact; slowing, blocking, or misrouting workflows, rather than data removal or theft.

Subsections (2)

ID Name Description
IF013.001File or Data Deletion

A subject deletes organizational files or data (manually or through tooling) outside authorized workflows, resulting in the loss, concealment, or unavailability of operational assets. This infringement encompasses both targeted deletion (e.g. selected records, logs, or documents) and bulk removal (e.g. recursive deletion of directories or volumes).

 

Unlike Destructive Malware Deployment, which uses self-propagating or malicious code to irreversibly damage systems, this behavior reflects direct user-driven actions or scripts that remove or purge data without employing destructive payloads. Deletions may be conducted via built-in utilities, custom scripts, scheduled tasks, or misuse of administrative tools such as backup managers or version control systems.

 

This activity frequently occurs to:

 

  • Conceal evidence of other infringing actions (e.g. log deletion to frustrate investigation)
  • Sabotage availability of critical information (e.g. deleting shared drives or project directories)
  • Facilitate exfiltration or preparation (e.g. purging redundant files before copying sensitive data)

 

It may also involve secondary actions such as emptying recycle bins, purging shadow copies, disabling version histories, or wiping removable media to obscure the scope of deletion.

IF013.002Operational Disruption Impacting Customers

The subject deliberately interferes with operational systems in ways that degrade, interrupt, or misroute services relied upon by customers, without relying on file deletion or malware. This includes misconfigurations, service disabling, authentication interference, or intentional introduction of latency, instability, or incorrect outputs. The result is operational degradation that directly or indirectly affects service delivery, availability, or trust.

 

Unlike File or Data Deletion, this infringement does not depend on erasing data, and unlike Destructive Malware Deployment, it does not rely on malicious payloads or automated damage. The disruption instead stems from direct manipulation of infrastructure, configurations, service states, or user access.

 

Examples include:

 

  • Intentionally disabling authentication or API endpoints
  • Modifying DNS, firewall, or routing rules to block legitimate traffic
  • Tampering with load balancers or HA/failover logic
  • Altering service configurations to break dependency chains (e.g. pointing production systems to empty dev databases)
  • Injecting false flags into monitoring or orchestration tools to trigger auto-scaling failures or mis-alerts
  • Enabling excessive logging or computation to induce service latency or memory exhaustion
  • Locking critical service accounts, API keys, or secrets in vault systems

 

These actions may be motivated by retaliation, concealment, sabotage, or insider coercion, and often occur in environments where the subject has legitimate system access but uses it to destabilize service delivery covertly.