09/26/2025 | Press release | Distributed by Public on 09/26/2025 08:47
Industry frameworks play a critical role in cybersecurity. For one, they help security teams assess their controls against a common, industry-proven framework. Mapping to a framework helps a security team identify crucial gaps that could leave their organization vulnerable to a cyberattack. A framework also provides a common language that can be used by security practitioners across industries and disciplines. MITRE ATT&CK and NIST are two commonly used, well-established frameworks.
Newer to the security industry, the Insider Threat Matrix™ is an open, public framework focused exclusively on detecting and preventing insider threats. We recently had the opportunity to sit down with the founders of the Insider Threat Matrix™, James Weston and Joshua Beaman.
During our conversation, we discussed why the matrix was built, their vision for its future, and how it can help Insider Risk teams. As former insider threat practitioners, James and Joshua have extensive experience identifying and responding to insider threats and leading insider investigations. Below is a summary of our conversation.
We know firsthand that insider investigations are often messy, ambiguous, and underserved by existing frameworks. Other industry models focus primarily on external adversaries, not insiders. We saw this as a gap and wanted to build a framework devoted to insider threats. As a result, the Insider Threat Matrix™ is built entirely around the human element: how trust is broken from within an organization. It helps insider threat teams to classify, detect, and respond to insider threat events.
Insider threat management, more than any other security discipline, relies on cross-functional collaboration. Our goal was to give investigators a consistent taxonomy and language they could apply across cyber, HR, legal, and compliance functions.
The primary users we had in mind when developing the matrix are insider threat investigators and security operations analysts, basically the teams tasked with making sense of the full spectrum of insider events. Events can range from subtle acts to high-stakes incidents where methods and intent are often unclear.
We also make a clear distinction between insider risk and insider threat. And we use an important clarifying term: population.
Population refers to a collective body of individuals, employees, contractors, affiliates, and other personnel who comprise an organization's workforce and are subject to its policies, controls, and access governance.
We define insider risk as the likelihood that the action or inaction of a member of a population could result in harm or loss to the organization, along with the potential impact of that outcome. Insider risk includes both intentional and unintentional behaviors.
Insider threat is defined as a member, or group of members, of the population who intend to, or are likely to, cause harm or loss to the organization. This term applies specifically to those whose actions, motivations, or circumstances present a credible risk.
In short: all insider threats exist within the broader spectrum of insider risk, but not all risks manifest into threats.
Since launching the Insider Threat Matrix™ at Black Hat in 2024, the response has been overwhelmingly positive. Investigators and program leads tell us the matrix provides the shared language and structure that this domain has historically lacked. We've seen it adopted in detection engineering, investigative process design, security auditing, and even policy development.
What has surprised us most is the breadth of interest. It's not only dedicated insider threat teams, but also security operations center (SOC) analysts, HR professionals, and legal and compliance stakeholders who recognize the value of a common framework that bridges their disciplines. The cross-functional uptake has been far greater than we anticipated.
The Insider Threat Matrix™ is deliberately open and continuously evolving. Feedback comes through practitioner submissions, professional forums, and direct engagement during investigations and our own internal research. Each submission is reviewed by a small team of experienced insider threat professionals and aligned with Insider Threat Matrix™ terminology and structure. This ensures consistency before the submission is accepted into the framework. Contributors are credited publicly, both within the knowledge object itself and on the official Insider Threat Matrix™ contributors' page.
Our vision is for the Insider Threat Matrix™ to become the living repository of the insider threat community's combined wisdom and experience. We want it to stand as the definitive reference for describing the trajectory of insider threats. We hope that it supports all stakeholders and dramatically improves the quality of insider risk programs across organizations and institutions.
We are continually evolving and maturing the matrix. Over the next year, we plan to create visualizations that show trajectories of insider events over time, expand integrations of the matrix directly into insider threat-related software platforms, and grow the contributor community. Our goal is for the matrix to become the de facto investigative language for insider threat.
The Insider Threat Matrix™ is designed to be immediately usable, regardless of program maturity. For new programs, the best starting point is simple: use the matrix to establish policy baselines and map what we call "volume infringements." These are the relatively minor, but frequent policy violations that often signal broader behavioral drift. For established programs, the matrix can identify gaps in controls, align detections to ensure coverage, guide the development of detection rules, and bring consistency across investigations.
There is no "too early" moment. The right time to introduce the Insider Threat Matrix™ is whenever a team wants to move from ad hoc controls and responses to structured, defensible detections, preventions, and investigations. A practical first step is to map recent insider events your organization has faced against the matrix categories. That single exercise often reveals patterns and gaps that can immediately inform both detection and policy.
To learn more about the Insider Threat Matrix™, attend our two-part webinar series in October.