Collusion and External Recruitment of Insiders
Collusion occurs when an insider coordinates with an external party to misuse access, share information, commit fraud, enable espionage, or harm the organization.
Incident Case Analysis & Real-World Context
Case basis: Based on real event. A resident of China pleaded guilty to conspiring to send trade secrets belonging to a leading U.S.-based electric-vehicle company. DOJ stated that former employees took trade secrets from their employer and later used them to build a business marketed as a replacement for the victim company�s products. The case shows how insider access, post-employment opportunity, and external commercialization can converge.
Why This Event Pattern Matters
Collusion cases are difficult because the event is not confined to one user or one system. The insider�s activity may connect to outside businesses, competitors, vendors, handlers, customers, or personal associates.
Common Event Scenarios & Progression Path
Sensitive access by current or former employee.
External business or competitor beneficiary.
Use of protected information in a new product, service, or commercial offering.
Potential communication, payment, travel, or relationship evidence outside core security logs.
IRCF™ Capability Alignment
Lessons from this event pattern directly map to the following canonical Insider Risk Capability Framework™ (IRCF™) components for organizational capability improvement:
Insider Threat Matrix Alignment
Matrix mapping includes motive, means, preparation, infringement, and anti-forensics when supported by facts. Collusion mapping should include external direction, relationship, communication, and data movement.
Controls & Safeguards to Leverage
Relevant Program Metrics & KPIs
Legal, Privacy, and Ethical Cautions
Collusion may implicate trade-secret law, employment law, privacy, criminal law, anti-bribery, sanctions, export controls, procurement, and law-enforcement referral. Avoid alleging conspiracy unless the source and legal review support the term.
Source References & Investigation Fact-Verification
Related BoK Hub Reference Pages
Operationalize This Learning
Need to evaluate whether this scenario is covered in your environment? Use RiskTKO® or request a Guided Exposure Assessment to evaluate your current control coverage, capability maturity, and exposure trends.