Threat Domain / Category Index

Harm and Disruption Use Cases

Harm and disruption use cases involve insider activity that can interrupt operations, damage systems, compromise infrastructure, misuse funds, create regulatory exposure, or harm the organization’s reputation.

These scenarios may involve privileged access, physical placement, operational knowledge, cloud-resource modification, destructive software, control degradation, unauthorized system changes, financial workflow abuse, or public statements that create brand damage.

A mature insider-risk program connects technical, physical, personnel, legal, compliance, and business-continuity perspectives so that harmful activity can be prevented, detected, investigated, and reported with appropriate governance.

The following section labels and copy blocks can be used consistently across individual use-case pages.

Aligned ITM Objects Board

These core Insider Threat Matrix™ objects are frequently observed in connection with this threat domain. Aligning monitoring controls to these objects ensures targeted coverage of preparation and infringement pathways. For complete framework definitions, refer to the Insider Threat Matrix™.

ITM IDObject NameTactical Context
MT023RevengeDisgruntled state that drives malicious destruction of resources, software systems, or physical enterprise hardware.
MT007ResentmentEmployee disgruntlement due to passed-over promotions, reducing the psychological barrier to performing sabotage.
IF013Disruption of Business OperationsDeliberate operations to trigger downtime, such as shutting down production databases or deleting key repositories.
IF014Unauthorized Changes to IT SystemsModifying routing tables, DNS entries, or domain-admin configurations to lock defenders out of system control.
IF026Denial of ServiceFlooding APIs, misconfiguring resource clusters, or triggering loops to intentionally crash essential services.
IF037Physical SabotageDirect physical destruction of server racks, network lines, or building access infrastructure inside secured spaces.
IF016Misappropriation of FundsAbusing billing systems, modifying payment directions, or altering accounting records to misappropriate corporate funds.
IF012Public Statements Resulting in Brand DamageLeaking sensitive internal communications, posting customer data to public hubs, or defacing digital brand assets.
AF002Log DeletionPurging event logs, system logs, or security agent records to wipe digital forensics trails after unauthorized edits.
AF026Log ModificationAltering system logs or server configuration trails to erase traces of operational modifications or deletions.

Priority Use Cases in this Category (3)

Fraud or Misappropriation

A user abuses authority, access, or workflow knowledge to create fictitious invoices, work orders, overtime claims, expense claims, or other financial misappropriation schemes.

/fraud-or-misappropriation/Explore use case detail

Insider Sabotage

A disgruntled or ideologically motivated insider disrupts operations by deleting files, changing systems, disabling controls, deploying destructive software, or damaging physical infrastructure.

/insider-sabotage/Explore use case detail

Physical Sabotage

An insider uses physical placement, facility access, or device access to damage, disconnect, remove, or destroy equipment, media, or facility support systems.

/physical-sabotage/Explore use case detail
Educational Reference NoteThis category index page is part of the ITMG® Insider Risk Body of Knowledge™. The Insider Threat Matrix™ is an open framework maintained by Forscie Limited. All rights reserved. For program implementation frameworks, metrics baselines, or proprietary assessment algorithms, please consult the Insider Risk Capability Framework™ (IRCF™) or schedule a Guided Exposure Assessment with ITMG®.