Social Media Screening

A subject joins the organisation with the pre-formed intent to gain access to sensitive data or otherwise contravene internal policies.

A subject may be motivated by personal, financial, or professional interests that directly conflict with their duties and obligations to the organization. This inherent conflict of interest can lead the subject to engage in actions that compromise the organization’s values, objectives, or legal standing.

For instance, a subject who serves as a senior procurement officer at a company may have a financial stake in a vendor company that is bidding for a contract. Despite knowing that the vendor's offer is subpar or overpriced, the subject might influence the decision-making process to favor that vendor, as it directly benefits their personal financial interests. This conflict of interest could lead to awarding the contract in a way that harms the organization, such as incurring higher costs, receiving lower-quality goods or services, or violating anti-corruption regulations.

The presence of a conflict of interest can create a situation where the subject makes decisions that intentionally or unintentionally harm the organization, such as promoting anti-competitive actions, distorting market outcomes, or violating regulatory frameworks. While the subject’s actions may be hidden behind professional duties, the conflict itself acts as the driving force behind unethical or illegal behavior. These infringements can have far-reaching consequences, including legal ramifications, financial penalties, and damage to the organization’s reputation.

A subject carries out covert actions, such as the collection of confidential or classified information, for the strategic advantage of a nation-state.

A subject is motivated by ideology to access, destroy, or exfiltrate data, or otherwise violate internal policies in pursuit of their ideological goals.

Ideology is a structured system of ideas, values, and beliefs that shapes an individual’s understanding of the world and informs their actions. It often encompasses political, economic, and social perspectives, providing a comprehensive and sometimes rigid framework for interpreting events and guiding decision-making.

Individuals driven by ideology often perceive their actions as morally justified within the context of their belief system. Unlike those motivated by personal grievances or personal gain, ideological insiders act in service of a cause they deem greater than themselves.

A subject accesses and exfiltrates of destroys sensitive data or otherwise contravenes internal policies as a result of motives not grounded in reality.

A subject moves within the organisation to a different team with the intent to gain access to sensitive data or to circumvent controls or to otherwise contravene internal policies.

A subject is motivated by their political or philosophical beliefs to access and destroy or exfiltrate sensitive data or otherwise contravene internal policies.

The subject does not have a threatening motive. However, the subject under takes actions without due care and attention to the outcome, which causes an infringement.

A subject is motivated by resentment towards the organisation to access and exfiltrate or destroy data or otherwise contravene internal policies. 

A subject, driven by excessive pride in their nation, country, or region, undertakes actions that harm an organization. These actions are self-initiated and conducted unilaterally, without instruction or influence from legitimate authorities within their nation, country, region, or any other third party. The subject often perceives their actions as acts of loyalty or as benefiting their homeland.

While the subject may believe they are acting in their nation’s best interest, their actions frequently lack strategic foresight and can result in significant damage to the organization.

A subject accesses and exfiltrates or destroys sensitive data or otherwise contravenes internal policies with the aim to be caught and penalised.

A subject is recruited by a third party to access and exfiltrate or destroy sensitive data or otherwise contravene internal policies for in exchange for a personal gain.

A subject makes comments either in-person or online that can damage the organization's brand through association.

A subject, motivated solely by personal curiosity, may take actions that unintentionally cause or risk harm to an organization. For example, they might install unauthorized software to experiment with its features or explore a network-attached storage (NAS) device without proper authorization.

The subject has no threatening motive and is not reckless in their actions. The infringement is a result of an honest mistake made by the subject.

The subject deliberately pushes or tests organizational policies, rules, or controls to assess tolerance levels, detect oversight gaps, or gain a sense of impunity. While initial actions may appear minor or exploratory, boundary testing serves as a psychological and operational precursor to more serious misconduct.

Characteristics

• Motivated by curiosity, challenge-seeking, or early-stage dissatisfaction.
• Actions often start small: minor policy violations, unauthorized accesses, or circumvention of procedures.
• Rationalizations include beliefs that policies are overly rigid, outdated, or unfair.
• Boundary testing behavior may escalate if it is unchallenged, normalized, or inadvertently rewarded.
• Subjects often seek to gauge the likelihood and severity of consequences before considering larger or riskier actions.
• Testing may be isolated or gradually evolve into opportunism, retaliation, or deliberate harm.

Example Scenario

A subject repeatedly circumvents minor IT security controls (e.g., bypassing content filters, using personal devices against policy) without immediate consequences. Encouraged by the lack of enforcement, the subject later undertakes unauthorized data transfers, rationalizing the behavior based on perceived inefficiencies and low risk of detection.

A subject with access to payment environments or transactional data may deliberately or inadvertently leak sensitive payment card information. Payment Card Data Leakage refers to the unauthorized exposure, transmission, or exfiltration of data governed by the Payment Card Industry Data Security Standard (PCI DSS). This includes both Cardholder Data (CHD)—such as the Primary Account Number (PAN), cardholder name, expiration date, and service code—and Sensitive Authentication Data (SAD), which encompasses full track data, card verification values (e.g., CVV2, CVC2, CID), and PIN-related information.

Subjects with privileged, technical, or unsupervised access to point-of-sale systems, payment gateways, backend databases, or log repositories may mishandle or deliberately exfiltrate CHD or SAD. In some scenarios, insiders may exploit access to system-level data stores, intercept transactional payloads, or scrape logs that improperly store SAD in violation of PCI DSS mandates. This may include exporting payment data in plaintext, capturing full card data from logs, or replicating data to unmonitored environments for later retrieval.

Weak controls, such as the absence of data encryption, improper tokenization of PANs, misconfigured retention policies, or lack of field-level access restrictions, can facilitate misuse by insiders. In some cases, access may be shared or escalated informally, bypassing formal entitlement reviews or just-in-time provisioning protocols. These gaps in security can be manipulated by a subject seeking to leak or profit from payment card data.

Insiders may also use legitimate business tools—such as reporting platforms or data exports—to intentionally bypass obfuscation mechanisms or deliver raw payment data to unauthorized recipients. Additionally, compromised service accounts or insider-created backdoors can provide long-term persistence for continued exfiltration of sensitive data.

Data loss involving CHD or SAD often trigger mandatory breach disclosures, regulatory scrutiny, and severe financial penalties. They also pose reputational risks, particularly when data loss undermines consumer trust or payment processing agreements. In high-volume environments, even small-scale leaks can result in widespread exposure of customer data and fraud.

A subject misappropriates, discloses, or exploits proprietary information, trade secrets, creative works, or internally developed knowledge obtained through their role within the organization. This form of data loss typically involves the unauthorized transfer or use of intellectual assets—such as source code, engineering designs, research data, algorithms, product roadmaps, marketing strategies, or proprietary business processes—without the organization's consent.

Intellectual property theft can occur during employment or around the time of offboarding, and may involve methods such as unauthorized file transfers, use of personal storage devices, cloud synchronization, or improper sharing with third parties. The consequences can include competitive disadvantage, breach of contractual obligations, and significant legal and reputational harm.

PHI Leakage refers to the unauthorized, accidental, or malicious exposure, disclosure, or loss of Protected Health Information (PHI) by a healthcare provider, health plan, healthcare clearinghouse (collectively, "covered entities"), or their business associates. Under the Health Insurance Portability and Accountability Act (HIPAA) in the United States, PHI is defined as any information that pertains to an individual’s physical or mental health, healthcare services, or payment for those services that can be used to identify the individual. This includes medical records, treatment history, diagnosis, test results, and payment details.

HIPAA imposes strict regulations on how PHI must be handled, stored, and transmitted to ensure that individuals' health information remains confidential and secure. The Privacy Rule within HIPAA outlines standards for the protection of PHI, while the Security Rule mandates safeguards for electronic PHI (ePHI), including access controls, encryption, and audit controls. Any unauthorized access, improper sharing, or accidental exposure of PHI constitutes a breach under HIPAA, which can result in significant civil and criminal penalties, depending on the severity and nature of the violation.

In addition to HIPAA, other countries have established similar protections for PHI. For example, the General Data Protection Regulation (GDPR) in the European Union protects personal health data as part of its broader data protection laws. Similarly, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use, and disclosure of personal health information by private-sector organizations. Australia also has regulations under the Privacy Act 1988 and the Health Records Act 2001, which enforce stringent rules for the handling of health-related personal data.

This infringement occurs when an insider—whether maliciously or through negligence—exposes PHI in violation of privacy laws, organizational policies, or security protocols. Such breaches can involve unauthorized access to health records, improper sharing of medical information, or accidental exposure of sensitive health data. These breaches may result in severe legal, financial, and reputational consequences for the healthcare organization, including penalties, lawsuits, and loss of trust.

Examples of Infringement:

• A healthcare worker intentionally accesses a patient's medical records without authorization for personal reasons, such as to obtain information on a celebrity or acquaintance.
• An employee negligently sends patient health data to the wrong recipient via email, exposing sensitive health information.
• An insider bypasses security controls to access and exfiltrate medical records for malicious use, such as identity theft or selling PHI on the dark web.

Subjects with physical access to critical hardware—such as data center infrastructure, on-premises servers, network appliances, storage arrays, or specialized equipment like CCTV and alarm systems—represent a significant insider threat due to their ability to bypass logical controls and interact directly with systems. This level of access can facilitate a wide range of security compromises, many of which are difficult to detect through conventional digital monitoring.

Physical access may also include proximity to sensitive areas such as network closets, on-premises server racks, backup repositories, or control systems in operational technology (OT) environments. In high-security settings, even brief unsupervised access can be exploited to compromise system integrity or enable ongoing unauthorized access.

With this type of access, a subject can:

• Extract or clone drives and media for offline analysis or exfiltration of sensitive data, including proprietary documents, logs, authentication secrets, and configuration files.
• Introduce malicious hardware or firmware, such as USB-based keyloggers, hardware implants, or modified components that persist beyond reboots and may evade traditional endpoint protections.
• Bypass access controls by booting from external media, altering BIOS or UEFI settings, or resetting system passwords using direct hardware manipulation.
• Install or modify software directly on the system, enabling surveillance tools, remote access backdoors, or malicious code that blends in with legitimate system processes.
• Capture network traffic by tapping physical interfaces or inserting intermediary devices such as portable switches, protocol analyzers, or rogue wireless access points.
• Disable security mechanisms, such as disconnecting monitoring systems, tampering with surveillance equipment, or disabling redundant power and failover systems to induce outages.

In operational environments, subjects with access to physical control systems (e.g., ICS/SCADA components, industrial HMIs, or IoT gateways) may alter processes, cause service disruptions, or create safety hazards. Similarly, access to CCTV or badge systems may allow them to erase footage, monitor employee movements, or manipulate access control logs.

Subjects with this form of access represent an elevated risk, especially when combined with technical knowledge or administrative privileges. The risk is compounded in environments with limited physical security controls, inadequate logging of physical entry, or weak segmentation between physical and digital assets.

A subject with access to customer data holds the ability to view, retrieve, or manipulate personally identifiable information (PII), account details, transactional records, or support communications. This level of access is common in roles such as customer service, technical support, sales, marketing, and IT administration.

Access to customer data can become a means of insider activity when misused for purposes such as identity theft, fraud, data exfiltration, competitive intelligence, or unauthorized profiling. The sensitivity and volume of customer information available may significantly elevate the risk profile of the subject, especially when this access is unmonitored, overly broad, or lacks audit controls.

In some cases, subjects with customer data access may also be targeted by external threat actors for coercion or recruitment, given their ability to obtain regulated or high-value personal information. Organizations must consider how customer data is segmented, logged, and monitored to reduce exposure and detect misuse.

A third party private organization deploys an individual to a target organization to covertly steal confidential or classified information or gain strategic access for its own benefit.

A subject facing financial difficulties attempts to resolve their situation by exploiting their access to or knowledge of the organization. This may involve selling access or information to a third party or conspiring with others to cause harm to the organization for financial gain.

A subject covertly collects confidential or classified information, or gains access, with the intent to sell it to a third party private organization.

A subject uses personal social media accounts to post statements or other media that can result in brand damage through association between the subject and their employer.

A subject uses existing access to social media accounts owned by the organization to post statements or other media that can result in brand damage.

A malicious third party gradually builds a relationship with the subject over an extended period, slowly gaining their trust. This trust is then exploited to access sensitive information or systems, often without the knowledge of the subject.

A subject may misuse a corporate credit for their own benefit by making purchases that are not aligned with the intended purpose of the card or by failing to follow the policies and procedures governing its use.

A subject with access to a billing system or indirect access to a billing system misuses their access to create fraudulent invoices, causing payments to be diverted to themselves, a business they own, or a third party.

A subject that self reports hours worked, and/or is eligible to claim overtime or an individual responsible for reporting such working time may falsify time records or make false representations to a working time system to cause payment or time in lieu for unperformed work.

A subject with access to sensitive or confidential information may decide to use that information to trade the company's stock or other securities (like bonds or stock options) based on significant, nonpublic information about the company.

A subject with access to a billing system or indirect access to a billing system misuses their access to modify existing invoices, causing payments to be diverted to themselves, a business they own, or a third party.

A subject misuses their direct or indirect access to dishonestly redirect funds to an account they control or to a third party.

A subject steals other digital assets, such as monitors, hard drives, or peripherals, belonging to an organization.

A subject steals a corporate laptop belonging to an organization.