HomeLearnBody of KnowledgeEvents & Case Studies
Incident-Learning Layer

Events and Case Studies Hub

Insider risk events show how trusted access can create harm to people, systems, data, facilities, intellectual property, customers, and business operations. The Events and Case Studies Hub organizes common insider-risk events into practical categories so leaders and practitioners can learn what happened, why the exposure mattered, which controls are relevant, and how to improve prevention, detection, response, and governance.

This hub is not a news feed. It is a structured library of event types, case-study patterns, and lessons learned. Each page connects event patterns to insider-risk personas, high-value assets, relevant procedures, metrics, standards, legal considerations, and the Insider Risk Capability Framework™.

Showing 20 of 20 detailed sheets
Core Event

Leak / Unauthorized Disclosure

A leak is the unauthorized disclosure of sensitive information by a trusted insider. Leaks may be intentional, careless, coerced, or enabled by weak a...

Explore Case Profile
Core Event

Misuse of Enterprise Resources

Misuse occurs when an insider uses enterprise resources outside approved purpose, policy, security, safety, or legal boundaries. Misuse can be careles...

Explore Case Profile
Core Event

Insider Fraud and Misappropriation

Insider fraud involves using trusted access, authority, or information to divert money, value, benefits, opportunities, or customer assets to the insi...

Explore Case Profile
Core Event

Physical Theft of Enterprise Assets

Physical theft occurs when an insider removes, retains, transfers, or misuses tangible organizational property without authorization. Physical theft m...

Explore Case Profile
Core Event

Workplace Violence and Threats

Workplace violence and threat events involve threats, intimidation, coercion, stalking, harassment, physical harm, or behaviors that may create safety...

Explore Case Profile
Core Event

Insider Sabotage

Insider sabotage is the intentional destruction, degradation, manipulation, or disruption of systems, data, software, equipment, facilities, or operat...

Explore Case Profile
Core Event

Intellectual Property Theft

Intellectual property theft occurs when an insider copies, removes, retains, transfers, or uses protected business, technical, scientific, or creative...

Explore Case Profile
Core Event

Corporate Espionage

Corporate espionage is targeted collection or transfer of confidential information through a trusted insider for strategic, economic, competitive, or ...

Explore Case Profile
Case Study

Source Code Theft and Repository Misuse

Source code theft and repository misuse involve unauthorized cloning, copying, sharing, retaining, manipulating, or exposing software assets, build ar...

Explore Case Profile
Case Study

Customer Data Misuse

Customer data misuse occurs when an insider accesses, views, copies, shares, sells, manipulates, or uses customer information without a legitimate bus...

Explore Case Profile
Case Study

Healthcare Snooping and Medical Record Misuse

Healthcare snooping occurs when a workforce member accesses patient, member, or health information without a treatment, payment, healthcare operations...

Explore Case Profile
Case Study

Financial Services Insider Misuse and Insider Trading

Financial-services and market-abuse insider events involve trusted access to customer, account, payment, trading, transaction, or material nonpublic i...

Explore Case Profile
Case Study

Government, Classified, and CUI Disclosure

Government, classified, and CUI disclosure events involve unauthorized access, retention, transfer, disclosure, or mishandling of government informati...

Explore Case Profile
Case Study

AI and Sensitive Data Leakage

AI data leakage occurs when an insider exposes, enters, uploads, trains, retrieves, or shares sensitive information through AI systems or AI-enabled w...

Explore Case Profile
Case Study

Privileged Administrator Misuse

Privileged administrator misuse occurs when a trusted user with elevated rights uses those rights outside authorized business purpose, including unaut...

Explore Case Profile
Case Study

Contractor and MSP Insider Events

Contractor and MSP insider events involve trusted third-party users who misuse, retain, over-access, or fail to protect organizational systems, data, ...

Explore Case Profile
Case Study

Collusion and External Recruitment of Insiders

Collusion occurs when an insider coordinates with an external party to misuse access, share information, commit fraud, enable espionage, or harm the o...

Explore Case Profile
Case Study

Unintentional Insider Events and Careless Mistakes

Unintentional insider events occur when trusted users create exposure without intending harm, often through phishing, misdelivery, misconfiguration, p...

Explore Case Profile
Case Study

Departing Employee

Comprehensive case studies and risk patterns of departing employees. Learn about leaver trade-secret theft, IP exfiltration, DLP controls, and pre-departure monitoring.

Explore Case Profile
Case Study

Reduction-in-Force and Restructuring Events

Reduction-in-force and restructuring events involve layoffs, divestitures, acquisitions, major leadership changes, site closures, or role eliminations...

Explore Case Profile

How to Navigate This Hub

  • 1.Start with the event type when the organization knows what happened, such as leak, fraud, sabotage, or IP theft.
  • 2.Start with the case studies when the organization knows the population, context, or industry vector, such as departing employees, AI systems, or source code repositories.
  • 3.Use related procedure, metric, standard, law, persona, and tool pages to turn lessons into program improvement.

Operational Integrity

IRCF™ Alignment: Primary IRCF™ components vary by event type, but each event profile consistently aligns and links to relevant capability areas including Governance, Personnel Assurance, IAM, Data Protection, Monitoring, Analysis, Investigation, Physical Security, Oversight and Compliance, and Risk Management and Reporting.
Threat Matrix Integration: The Insider Threat Matrix™ serves as an investigative language layer. Event profiles align to motive, means, preparation, infringement, and anti-forensics depending on the observed behavior pattern. The Matrix is attributed to Forscie Limited and is not presented as an ITMG®-owned taxonomy.

Legal and Ethical Considerations

Insider-risk events often involve employment, privacy, labor, discrimination, retaliation, trade-secret, contract, criminal, regulatory, evidence, and privilege considerations. These profiles focus on operational and technical patterns rather than asserting legal conclusions or intent, and route jurisdiction-specific questions to qualified legal counsel.

Events Hub FAQs

Operationalize Your Learning

Need to evaluate whether these event patterns are covered in your environment? Use RiskTKO® or request a Guided Exposure Assessment to evaluate exposure, control coverage, and executive reporting needs.