Insider Threat Matrix™

50 posts

@ITMFramework

The Insider Threat Matrix™ - an open framework from @Forscie for mapping, investigating, and responding to insider threats.

United Kingdom · Joined July 2024
5 Following · 44 Followers
Insider Threat Matrix™ @ITMFramework
Infringement explains harm. Anti-Forensics explains what was hidden. 🔴 Anti-Forensics (AR5) Is the attempt to obstruct or disguise activity after an incident has occurred. With concealment, uncertainty collapses. 🔗 insiderthreatmatrix.org/articles/AR5 Forscie®. Inside Matters
Insider Threat Matrix™ @ITMFramework
Preparation explains readiness. Infringement explains when harm actually occurs. 🔴 Infringement (AR4) Infringement is the moment intent becomes action and trust is breached. By this stage, impact is real. 🔗 insiderthreatmatrix.org/articles/AR4 Forscie®. Inside Matters
Insider Threat Matrix™ @ITMFramework
Motive explains what could happen. 🔴 Preparation (AR3) Explains when risk begins to crystallize... It is not the incident itself. It is the deliberate actions that ready a subject for one to occur. 🔗 insiderthreatmatrix.org/articles/AR3 Forscie®. Inside Matters
Insider Threat Matrix™ @ITMFramework
Motive explains why risk may exist. Means explains how it becomes possible. 🔴 Means (AR2) In the Insider Threat Matrix, Means represents access and positioning. Means is not enough alone. For risk to progress, it must intersect with Preparation. insiderthreatmatrix.org/articles/AR2
Insider Threat Matrix™ @ITMFramework
Every insider incident begins long before any action. 🔴 Motive (AR1) In the Insider Threat Matrix, Motive describes the underlying reason that prompts behavior. It is an investigative lens that helps contextualize and guide proportionate response. insiderthreatmatrix.org/articles/AR1
Insider Threat Matrix™ reposted
Forscie @forscie
Some of the most effective insider data exfiltration methods are also the simplest...
Built-in utilities, such as screenshot tools, enable visual capture of sensitive information without introducing new software, hardware, or permissions.
From an investigative perspective, this creates a problem. These tools are:
◾ Ubiquitous
◾ Legitimate
◾ Rarely monitored as exfiltration vectors
🔴 As a result, they often fall outside traditional data loss assumptions. Yet their use still produces artifacts, execution evidence, file traces, and temporal patterns, that can support attribution and case building when examined deliberately.
The risk is not the tool itself. It’s the assumption that “simple” equals “low impact.”
knowledge.forscie.com/article/snippi…
Forscie®. Inside Matters
Insider Threat Matrix™ @ITMFramework
The Insider Threat Matrix is maintained through versioned releases on the @Forscie GitHub, enabling organizations to adopt the full framework internally and reference specific versions across investigative, policy, and detection workflows. github.com/forscie/inside…
Insider Threat Matrix™ reposted
Forscie @forscie
Repeated low-severity AUP violations (such as accessing pirated media on corporate devices) are early indicators of behavioral drift. Left unaddressed, they increase the risk of serious insider threat incidents. knowledge.forscie.com/article/identi…
Insider Threat Matrix™ @ITMFramework
The Insider Threat Matrix is evolving. The @Forscie team is developing an additional capability layered onto the Matrix, introducing a new approach for recording and communicating insider threat incidents. Further details will be released in the coming weeks.
Insider Threat Matrix™ @ITMFramework
Insider Threat Matrix v2.1.0 is available on GitHub. Published for programmatic use by developers, detection engineers, and vendors. Consume it. Map it into detections. Embed it into platforms. Public. Versioned. Forkable. 🔴 github.com/forscie/inside…
Insider Threat Matrix™ @ITMFramework
The Insider Threat Matrix isn’t static. It evolves through experience. Every meaningful addition comes from experienced practitioners. Not all insight is added. But when it is, it sharpens the framework for everyone. 🔴 insiderthreatmatrix.org/contributors
Insider Threat Matrix™ @ITMFramework
As post-December financial pressure rises, a quieter risk appears. Debt lowers resistance to coercion, making insiders vulnerable to ◼️ MT006 – Third Party Collusion. 🔴 Is your organization prepared? insiderthreatmatrix.org/articles/AR1/s… Forscie®. Inside Matters
Insider Threat Matrix™ reposted
Forscie @forscie
An overlooked aspect of insider investigations is role classification. Forscie’s SWIO model defines it: Subject, Witness, Informant, Official. Clear roles enhance evidence, communication, and decisions. 🔴Learn more: knowledge.forscie.com/glossary Forscie®. Inside Matters
Insider Threat Matrix™ reposted
Forscie @forscie
Insider risk is rising, but we’re still using language built for external adversaries. Battles, campaigns, kill chains… none describe the realities of Insider Threat. Our discipline needs an investigative lexicon: neutral, precise, aligned with HR, Legal, and governance. 🔴 knowledge.forscie.com/article/perime… Forscie®. Inside Matters
Insider Threat Matrix™ @ITMFramework
Retirement looks low-risk. It isn’t. Long-tenured staff often hold deep knowledge, legacy access, and a sense of ownership that can drive “harmless” data copying. ◼️ Retirement is a JML inflection point - not a pause in risk. 🔴 insiderthreatmatrix.org/articles/AR1/s… Forscie®. Inside Matters
Insider Threat Matrix™ @ITMFramework
The Insider Threat Matrix™ now breaks the Leaver Motive into clearer sub-sections, each with its own behaviours, risks, preventions, and detections. JML is one of the highest-risk transitions. Treat it that way. insiderthreatmatrix.org/articles/AR1/s… Forscie®. Inside Matters
Insider Threat Matrix™ reposted
Forscie @forscie
Behavioral Drift drives most insider incidents: small violations accumulate, become tolerated, then normalised, and eventually escalate. Often triggered by volume infringements: Unapproved tools, cloud apps, encrypted messengers. 🔴 knowledge.forscie.com/article/behavi… Forscie®. Inside Matters