Insider Risk Body of Knowledge™

Insider Risk Glossary: Key Terms for Insider Risk and Insider Threat Management

The Insider Risk Glossary defines the terms organizations use to understand, communicate, and manage insider risk and insider threat. Insider risk is cross-functional. It involves security, risk, legal, privacy, HR, compliance, data protection, identity, physical security, investigations, and business leadership. A shared vocabulary helps those functions make better decisions together.

Filter by Starting Letter
Filter by Word Family / Category
Showing 50 terms of 50 total entries
Investigation and Evidence

Alert Triage

Alert triage is the initial review of a signal or alert to determine relevance, urgency, context, and next action.

/alert-triage/Read Definition
Investigation and Evidence

Behavioral Baseline

A behavioral baseline is an expected pattern of activity for a user, role, entity, system, or population used to identify meaningful deviations.

/behavioral-baseline/Read Definition
Tools and Technology

CASB

A Cloud Access Security Broker (CASB) helps organizations monitor and control access, use, and data movement across cloud applications and services.

Investigation and Evidence

Case Management

Case management is the structured process for opening, documenting, routing, investigating, resolving, and learning from insider-risk matters.

/case-management/Read Definition
Investigation and Evidence

Chain of Custody

Chain of custody is the documented record of how evidence is identified, collected, handled, transferred, stored, analyzed, and preserved.

/chain-of-custody/Read Definition
Insider Types

Coerced Insider

A coerced insider is an insider who is pressured, threatened, manipulated, or forced by another party to misuse access or disclose information.

/coerced-insider/Read Definition
Insider Types

Colluding Insider

A colluding insider is an insider who works with another insider or external party to misuse access, evade controls, or cause harm.

/colluding-insider/Read Definition
Insider Types

Compromised Insider

A compromised insider is a trusted user, account, device, or relationship that is used by an unauthorized party to access organizational resources.

/compromised-insider/Read Definition
Investigation and Evidence

Confidence Score

A confidence score is an expression of how much trust an analyst, program, or decision maker can place in a finding, assessment, or risk conclusion.

/confidence-score/Read Definition
Workforce Lifecycle Risk

Contractor Risk

Contractor risk is the insider-risk exposure created by temporary, contingent, outsourced, or third-party workers who need access to organizational resources.

/contractor-risk/Read Definition
Behaviors and Events

Data Exfiltration

Data exfiltration is the unauthorized movement, copying, transmission, or removal of data from approved systems, locations, or controls.

/data-exfiltration/Read Definition
Behaviors and Events

Data Hoarding

Data hoarding is the accumulation of more data than a user reasonably needs for their role, task, or business purpose.

/data-hoarding/Read Definition
Behaviors and Events

Data Staging

Data staging is the collection, aggregation, compression, relocation, or preparation of data before possible exfiltration or misuse.

/data-staging/Read Definition
Tools and Technology

DLP

Data Loss Prevention (DLP) refers to controls and technologies that help identify, monitor, restrict, or prevent unauthorized movement or exposure of sensitive data.

Tools and Technology

DSPM

Data Security Posture Management (DSPM) helps discover, classify, assess, and monitor sensitive data exposure across data environments.

Tools and Technology

EDR/XDR

Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) tools collect and analyze endpoint or cross-domain security telemetry.

Workforce Lifecycle Risk

Executive Risk

Executive risk is the insider-risk exposure associated with senior leaders who have access to sensitive strategy, financial, personnel, legal, transaction, or reputational information.

/executive-risk/Read Definition
Risk Concepts

Exposure

Exposure is the condition of being open to potential insider-related harm because of access, assets, control gaps, business context, or behaviors.

/exposure/Read Definition
Investigation and Evidence

False Positive

A false positive is an alert, finding, or signal that appears concerning but is later determined not to represent the suspected risk or violation.

/false-positive/Read Definition
Behaviors and Events

Fraud

Fraud is intentional deception or misuse of trusted access to obtain unauthorized benefit, avoid obligation, or cause financial or operational harm.

Insider Personas and Populations

High-Risk Population

A high-risk population is a defined group whose roles, access, business circumstances, or lifecycle events create similar insider-risk exposure characteristics.

/high-risk-population/Read Definition
Insider Personas and Populations

High-Risk User

A high-risk user is a user whose access, role, behavior, business context, or event timing creates elevated insider-risk exposure.

/high-risk-user/Read Definition
Tools and Technology

IAM

Identity and Access Management (IAM) refers to the policies, processes, and technologies used to manage identities, authentication, authorization, and access lifecycle.

Tools and Technology

IGA

Identity Governance and Administration (IGA) focuses on governing access rights, certifications, approvals, roles, and identity lifecycle controls.

Insider Personas and Populations

Insider

An insider is any trusted person, account, relationship, or entity with authorized access to an organization asset, system, data set, facility, business process, or decision environment.

Risk Concepts

Insider Incident

An insider incident is an event involving trusted access that results in suspected or confirmed harm, misuse, policy violation, loss, exposure, or business disruption.

/insider-incident/Read Definition
Risk Concepts

Insider Risk

Insider risk is the likelihood and potential impact of harm, misuse, loss, or exposure arising from trusted access to organizational assets.

/insider-risk/Read Definition
Risk Concepts

Insider Threat

An insider threat is a person, account, relationship, or trusted entity that may cause harm to an organization through authorized or misused access.

/insider-threat/Read Definition
Workforce Lifecycle Risk

Joiner Risk

Joiner risk is the exposure associated with onboarding new employees, contractors, or trusted users into systems, data, facilities, and business processes.

/joiner-risk/Read Definition
Workforce Lifecycle Risk

Leaver Risk

Leaver risk is the insider-risk exposure associated with an employee, contractor, or trusted user leaving the organization or ending a role.

/leaver-risk/Read Definition
Investigation and Evidence

Legal Hold

A legal hold is a process used to preserve information that may be relevant to litigation, investigation, regulatory inquiry, or other legal obligation.

/legal-hold/Read Definition
Insider Types

Malicious Insider

A malicious insider is an insider who intentionally misuses trusted access to cause harm, steal assets, commit fraud, sabotage operations, or benefit themselves or another party.

/malicious-insider/Read Definition
Workforce Lifecycle Risk

Mover Risk

Mover risk is the exposure associated with a trusted user changing role, team, location, manager, project, or access requirements.

/mover-risk/Read Definition
Insider Types

Negligent Insider

A negligent insider is an insider whose careless, unaware, or noncompliant behavior creates risk or harm without clear malicious intent.

/negligent-insider/Read Definition
Tools and Technology

PAM

Privileged Access Management (PAM) refers to controls and technologies used to govern, monitor, secure, and review privileged accounts and privileged sessions.

Insider Personas and Populations

Privileged Insider

A privileged insider is an insider with elevated permissions that allow them to administer systems, access sensitive data, bypass ordinary controls, or affect business-critical operations.

/privileged-insider/Read Definition
Workforce Lifecycle Risk

Remote Worker Risk

Remote worker risk is the insider-risk exposure associated with work performed outside controlled enterprise locations, often involving remote access, home networks, unmanaged environments, or distributed collaboration.

/remote-worker-risk/Read Definition
Risk Concepts

Residual Risk

Residual risk is the insider-risk exposure that remains after controls, mitigations, decisions, or process changes have been applied.

/residual-risk/Read Definition
Risk Concepts

Risk Appetite

Risk appetite is the amount and type of insider-risk exposure an organization is willing to accept in pursuit of its objectives.

/risk-appetite/Read Definition
Risk Concepts

Risk Tolerance

Risk tolerance is the acceptable variation around an organization defined risk appetite for a specific context, asset, process, or business decision.

/risk-tolerance/Read Definition
Behaviors and Events

Sabotage

Sabotage is intentional disruption, damage, degradation, deletion, or manipulation of systems, data, facilities, operations, or business processes.

/sabotage/Read Definition
Tools and Technology

SIEM

Security Information and Event Management (SIEM) is a technology category that collects, correlates, and analyzes security log and event data.

Tools and Technology

SOAR

Security Orchestration, Automation, and Response (SOAR) tools help coordinate security workflows, enrichment, response actions, and case processes.

Behaviors and Events

Source Code Theft

Source code theft is the unauthorized copying, transfer, disclosure, or misuse of software source code or related development assets.

/source-code-theft/Read Definition
Insider Personas and Populations

Third-Party Insider

A third-party insider is a non-employee trusted entity or person, such as a contractor, vendor, partner, consultant, or managed service provider, with access to organizational resources.

/third-party-insider/Read Definition
Behaviors and Events

Trade Secret Theft

Trade secret theft is the unauthorized acquisition, use, disclosure, or transfer of confidential business information that derives value from being kept secret.

/trade-secret-theft/Read Definition
Insider Personas and Populations

Trusted Insider

A trusted insider is an insider whose role, relationship, or privileges give them approved access to sensitive resources or decisions.

/trusted-insider/Read Definition
Tools and Technology

UAM

User Activity Monitoring (UAM) is the collection and review of user activity data to support security, compliance, investigation, or insider-risk use cases.

Tools and Technology

UBA

User Behavior Analytics (UBA) is a technology approach that analyzes user activity patterns to identify unusual or risky behavior.

Tools and Technology

UEBA

User and Entity Behavior Analytics (UEBA) analyzes behavior patterns for users, accounts, devices, systems, and other entities to identify anomalies or risk signals.

How to Use this Glossary

Insider risk is cross-functional. A shared vocabulary helps security, HR, privacy, and compliance departments collaborate seamlessly. Use this hub to find definitions or browse category tracks.

1

Start with foundation terms such as insider risk, insider threat, insider incident, exposure, residual risk, risk appetite, and risk tolerance.

2

Use persona terms to understand who may create, own, observe, investigate, or reduce insider-risk exposure.

3

Use behavior and event terms to understand common insider-risk scenarios such as data exfiltration, data staging, data hoarding, sabotage, fraud, source code theft, and trade secret theft.

4

Use technology terms to understand tool categories such as UAM, UEBA, DLP, SIEM, SOAR, EDR/XDR, CASB, PAM, IAM, IGA, and DSPM.

5

Use investigation terms to understand concepts such as alert triage, behavioral baseline, chain of custody, legal hold, case management, false positive, and confidence score.

Glossary Frequently Asked Questions

General guidance regarding insider risk definitions, legal context, and scope boundaries.

Public Content Boundary & Educational Context

This glossary is part of the ITMG® Insider Risk Body of Knowledge™. Content is designed for educational context and represents a shared vocabulary. It does not contain proprietary RiskTKO® mathematical algorithms, scoring mechanisms, playbook routines, or implementation sequences.

  • Explains definitions and business risk scenarios at an educational level.
  • Does not constitute legal advice or formal monitoring specifications.

Want a Tailored Assessment?

Establish a quantified baseline of your company's actual exposure. Coordinate with ITMG®'s advisory group to complete a structured audit mapped against the 10 pillars of the IRCF™.

Request Guided Exposure Assessment

Manage Exposure with RiskTKO®

Connect terms and risk concepts to actual telemetry. The RiskTKO® platform automates the metrics, indicators, and scoring pathways that define modern program maturity.

Request Platform Demo