Last Reviewed: 2026-06-24
Reviewer: ITMG® Security Advisory
BoK Reference Sheet
Core Event taxonomy

Insider Sabotage

Insider sabotage is the intentional destruction, degradation, manipulation, or disruption of systems, data, software, equipment, facilities, or operational processes.

Based on real event: malicious code and data deletion by former software developer.

Incident Case Analysis & Real-World Context

Case basis: Based on real event. A former software developer was convicted for writing and deploying malicious code on an employer network, including code that affected source code and deleted data. The case demonstrates how trusted technical access can be used to create delayed or hidden disruption, particularly when a user has knowledge of systems, code paths, authentication dependencies, and recovery processes.

Why This Event Pattern Matters

Sabotage can create operational outage, safety risk, data loss, business-continuity impact, and forensic complexity. Developer and administrator sabotage is especially serious because the insider may understand where controls, logs, backups, and dependencies are weakest.

Common Event Scenarios & Progression Path

Trusted technical or privileged access.

Code, script, configuration, or control change that causes disruption.

Potential trigger tied to termination, account change, date, or system event.

Possible concealment through naming, log deletion, or obstruction of recovery.

IRCF™ Capability Alignment

Lessons from this event pattern directly map to the following canonical Insider Risk Capability Framework™ (IRCF™) components for organizational capability improvement:

IAMMonitoringAnalysisInvestigationData ProtectionSecure EngineeringBusiness ContinuityPhysical SecurityGovernance

Insider Threat Matrix Alignment

Matrix mapping includes preparation through tool placement or persistence, infringement through destructive action or malicious code deployment, and anti-forensics through log deletion or artifact clearing.

*The Insider Threat Matrix™ is an open framework maintained by Forscie Limited for computer-enabled insider threat investigations.

Controls & Safeguards to Leverage

Separation of duties for production changes.
Code review, signed commits, branch protection, and change approval.
Privileged access management and just-in-time administration.
Immutable logging and independent monitoring of security-control changes.
Backup resilience and recovery testing.

Relevant Program Metrics & KPIs

Metric
Unauthorized configuration or code changes.
Metric
Privileged change exceptions.
Metric
Mean time to contain destructive events.
Metric
Backup recovery test completion.
Metric
Terminated privileged access revocation time.

Legal, Privacy, and Ethical Cautions

Sabotage cases may involve criminal referral, evidence preservation, employment action, product liability, safety, customer notification, and incident reporting. Avoid publishing technical detail that could enable replication.

Source References & Investigation Fact-Verification

DOJ, Office of Public Affairs, Texas Man Convicted of Sabotaging his Employer�s Computer Systems and Deleting Data, Mar. 7, 2025. DOJ, Northern District of Ohio, Texas Man Formerly Employed by Ohio Company Convicted of Damaging Source Code and Deleting Data, Mar. 7, 2025.

Operationalize This Learning

Need to evaluate whether this scenario is covered in your environment? Use RiskTKO® or request a Guided Exposure Assessment to evaluate your current control coverage, capability maturity, and exposure trends.