Harm and Disruption Use Cases
Harm and disruption use cases involve insider activity that can interrupt operations, damage systems, compromise infrastructure, misuse funds, create regulatory exposure, or harm the organization’s reputation.
These scenarios may involve privileged access, physical placement, operational knowledge, cloud-resource modification, destructive software, control degradation, unauthorized system changes, financial workflow abuse, or public statements that create brand damage.
A mature insider-risk program connects technical, physical, personnel, legal, compliance, and business-continuity perspectives so that harmful activity can be prevented, detected, investigated, and reported with appropriate governance.
The following section labels and copy blocks can be used consistently across individual use-case pages.
Aligned ITM Objects Board
These core Insider Threat Matrix™ objects are frequently observed in connection with this threat domain. Aligning monitoring controls to these objects ensures targeted coverage of preparation and infringement pathways. For complete framework definitions, refer to the Insider Threat Matrix™.
| ITM ID | Object Name | Tactical Context |
|---|---|---|
| MT023 | Revenge | Disgruntled state that drives malicious destruction of resources, software systems, or physical enterprise hardware. |
| MT007 | Resentment | Employee disgruntlement due to passed-over promotions, reducing the psychological barrier to performing sabotage. |
| IF013 | Disruption of Business Operations | Deliberate operations to trigger downtime, such as shutting down production databases or deleting key repositories. |
| IF014 | Unauthorized Changes to IT Systems | Modifying routing tables, DNS entries, or domain-admin configurations to lock defenders out of system control. |
| IF026 | Denial of Service | Flooding APIs, misconfiguring resource clusters, or triggering loops to intentionally crash essential services. |
| IF037 | Physical Sabotage | Direct physical destruction of server racks, network lines, or building access infrastructure inside secured spaces. |
| IF016 | Misappropriation of Funds | Abusing billing systems, modifying payment directions, or altering accounting records to misappropriate corporate funds. |
| IF012 | Public Statements Resulting in Brand Damage | Leaking sensitive internal communications, posting customer data to public hubs, or defacing digital brand assets. |
| AF002 | Log Deletion | Purging event logs, system logs, or security agent records to wipe digital forensics trails after unauthorized edits. |
| AF026 | Log Modification | Altering system logs or server configuration trails to erase traces of operational modifications or deletions. |
Priority Use Cases in this Category (3)
Fraud or Misappropriation
A user abuses authority, access, or workflow knowledge to create fictitious invoices, work orders, overtime claims, expense claims, or other financial misappropriation schemes.
Insider Sabotage
A disgruntled or ideologically motivated insider disrupts operations by deleting files, changing systems, disabling controls, deploying destructive software, or damaging physical infrastructure.
Physical Sabotage
An insider uses physical placement, facility access, or device access to damage, disconnect, remove, or destroy equipment, media, or facility support systems.