ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PV057
  • Created: 28th April 2025
  • Updated: 28th April 2025
  • Contributor: The ITM Team

Structured Request Channels for Operational Needs

Establish and maintain formal, well-communicated pathways for personnel to request resources, report deficiencies, or propose operational improvements. By providing structured mechanisms to meet legitimate needs, organizations reduce the likelihood that subjects will bypass policy controls through opportunistic or unauthorized actions.

 

Implementation Approaches

  • Create clear, accessible request processes for technology needs, system enhancements, and operational support requirements.
  • Ensure personnel understand how to escalate unmet needs when standard processes are insufficient, including rapid escalation pathways for operational environments.
  • Maintain service-level agreements (SLAs) or expected response times to requests, ensuring perceived barriers or delays do not incentivize unofficial action.
  • Integrate feedback mechanisms that allow users to suggest improvements or report resource shortfalls anonymously or through designated representatives.
  • Publicize successful examples where formal channels resulted in legitimate needs being met, reinforcing the effectiveness and trustworthiness of the system.

 

Operational Principles

  • Responsiveness: Requests must be acknowledged and processed promptly to prevent frustration and informal workarounds.
  • Transparency: Personnel should be informed about request status and outcomes to maintain trust in the process.
  • Accountability: Ownership for handling requests must be clearly assigned to responsible teams or individuals.
  • Cultural Integration: Leaders and supervisors should reinforce the use of formal channels and discourage unsanctioned self-remediation efforts.

 

Sections

ID Name Description
MT015.001Opportunism

The subject exploits circumstances for personal gain, convenience, or advantage, often without premeditation or major malicious intent. Opportunistic acts typically arise from perceived gaps in oversight, immediate personal needs, or desires, rather than long-term ideological, financial, or revenge-driven motivations.

 

Characteristics

  • Motivated by immediate self-interest rather than deep-seated grievance or ideology.
  • May rationalize actions as minor, justified, or harmless ("no one will notice," "this helps everyone," "it's not a big deal").
  • Often triggered by environmental factors such as poor oversight, operational stress, or unmet personal needs.
  • May escalate over time if not detected and corrected early.
  • Subjects often do not view themselves as "threat actors" and may retain a positive view of their organization.
  •  

Example Scenario

Senior enlisted personnel on a U.S. Navy warship collaborated to procure and install unauthorized satellite internet equipment (Starlink) to improve their onboard quality of life. Acting without command approval, they circumvented Navy IT security protocols, introducing significant operational security (OPSEC) risks. Their motive was personal convenience rather than espionage, sabotage, or financial gain.

IF001.006Exfiltration via Generative AI Platform

The subject transfers sensitive, proprietary, or classified information into an external generative AI platform through text input, file upload, API integration, or embedded application features. This results in uncontrolled data exposure to third-party environments outside organizational governance, potentially violating confidentiality, regulatory, or contractual obligations.

 

Characteristics

  • Involves manual or automated transfer of sensitive data through:
  • Web-based AI interfaces (e.g., ChatGPT, Claude, Gemini).
  • Upload of files (e.g., PDFs, DOCX, CSVs) for summarization, parsing, or analysis.
  • API calls to generative AI services from scripts or third-party SaaS integrations.
  • Embedded AI features inside productivity suites (e.g., Copilot in Microsoft 365, Gemini in Google Workspace).
  • Subjects may act with or without malicious intent—motivated by efficiency, convenience, curiosity, or deliberate exfiltration.
  • Data transmitted may be stored, cached, logged, or used for model retraining, depending on provider-specific terms of service and API configurations.
  • Exfiltration through generative AI channels often evades traditional DLP (Data Loss Prevention) patterns due to novel data formats, variable input methods, and encrypted traffic.

 

Example Scenario

A subject copies sensitive internal financial projections into a public generative AI chatbot to "optimize" executive presentation materials. The AI provider, per its terms of use, retains inputs for service improvement and model fine-tuning. Sensitive data—now stored outside corporate control—becomes vulnerable to exposure through potential data breaches, subpoena, insider misuse at the service provider, or future unintended model outputs.