The Forscie Glossary
The Forscie Glossary provides authoritative definitions for the terms and concepts used across all Forscie products, training programs, and published materials. It serves as a consistent reference point for the language underpinning Forscie’s approach to insider threat investigation, response, and risk management. Many of these terms are drawn from Forscie’s academic foundations - most notably the Insider Threat Matrix and the Behavioral Drift hypothesis - and reflect the practical realities faced by defenders. This glossary exists to promote clarity, consistency, and shared understanding across the entire Forscie ecosystem.
Term | Definition |
---|---|
Acceptable Use Policy (AUP) | A formal document or collection of related policies that defines the expectations, responsibilities, and limitations placed on individuals in their use of organization-owned systems, services, networks, and assets. It establishes the behavioral and technical boundaries required to protect operational integrity, ensure compliance, and preserve trust. |
Acceptable Use Policy Advisory Panel (AUPAP) | A cross-functional governance body with executive support, composed of representatives from HR, Legal, employee groups, cybersecurity operations, and the Insider Threat Investigation Team. It oversees the development, feedback mechanisms, and change control of the organization’s Acceptable Use Policy (AUP). The panel holds formal authority over the AUP and, by extension, legitimizes the Insider Threat Investigation Team’s enforcement role. This delegation of authority should be formally recorded in policy to ensure clarity, accountability, and legal defensibility particularly in sensitive enforcement scenarios. |
Alias | A unique, persistent pseudonym assigned to a subject at the start of a sufficiently serious insider threat investigation. An alias is created by the Insider Threat Investigation Team and used as a non-identifying reference for that subject across all current and future cases. Aliases are always written in all capital letters (e.g., BUCKLEY) to ensure consistency and recognition across investigative materials. The use of an alias enables secure, discreet communication between investigators and authorized stakeholders without revealing the subject’s true identity. This helps prevent premature awareness, internal tip-offs, or unintended disclosure during the course of an investigation. Aliases also support regulatory compliance by reducing the risk of exposure during Data Subject Access Requests (DSARs), as subjects are never made aware of their assigned alias; an alias is a pseudonym rather than anonymisation, so the mapping held in the Alias Register must itself be protected. All documentation, communications, and supporting materials must reference the alias exclusively. Any identifying information - such as names, email addresses, or user accounts - must be fully redacted to preserve the integrity and confidentiality of the investigation. |
Alias Register | A confidential, internal register maintained by Insider Threat Investigation Teams to map each subject under investigation to a unique, persistent pseudonym (alias). An alias is assigned at the outset of any sufficiently serious investigation and remains permanently associated with that subject for all future cases. Aliases are written in all capital letters (e.g., BUCKLEY) and serve as a standardized, non-identifying reference across investigations. The Alias Register is a critical mechanism for case correlation, enabling investigators to identify behavioral patterns and link related incidents without exposing personally identifiable information (PII). It facilitates secure communication between investigators and authorized stakeholders while preserving the integrity and discretion of the investigation - especially important for preventing tip-offs or unintended disclosure. Aliases must be used consistently in all investigation notes, emails, internal communications, and documentation. The subject’s real identity must not be referenced directly, and any identifying details - such as names, email addresses, or user account information - must be fully redacted in screenshots or supporting materials. Because aliases are never disclosed to the subject, their use also reduces the risk of unintended exposure during Data Subject Access Requests (DSARs), strengthening operational secrecy and regulatory compliance. Because the register is the one artifact that re-identifies every alias, access to it must be restricted to the investigation team. |
Anti-Forensics (ITM) | A category within the Insider Threat Matrix covering actions taken by a subject to frustrate, obscure, or hinder subsequent investigation. This includes deleting logs, disabling telemetry, modifying timestamps, or using anonymisation techniques to conceal activity. Anti-forensics complicates detection, delays response, and can undermine the integrity of investigative findings. |
Article (ITM) | The highest-level category in the Insider Threat Matrix. Articles represent core investigative domains such as Motive, Means, Preparation, Infringement, and Anti-Forensics. Each Article serves as a thematic pillar, grouping related behaviours and investigative considerations across insider threat cases. |
Behavioral Drift | A Forscie hypothesis inspired by the Broken Windows Theory from policing, describing the gradual shift in user behaviour away from policy or organisational norms. It often begins with small, unchallenged infractions and can lead to a broader erosion of acceptable standards within teams or entire organisations. Over time, these behaviours may become informally tolerated or culturally embedded, increasing the organisation’s exposure to risk. Behavioral Drift progresses through the Drift Trajectory phases: Deviation, Normalization, and Escalation. Forscie uses this model to guide proactive detection and structured enforcement aimed at resetting norms before harmful acts occur. |
Defender | A professional responsible for protecting the organization from internal risk, specifically from threats that emerge within trusted environments. Defenders include insider threat investigators, security analysts, responders, and program leads who manage insider risk at an operational level. |
Detection (ITM) | A term used in the Insider Threat Matrix: A formal entry within a sub-section describing how the associated behaviour can be identified through technical, procedural, or analytical means. Detections help investigators recognise indicators of insider threat activity using logs, alerts, monitoring, or contextual evidence. |
Deviation | The first phase of the Drift Trajectory, and the initial signal of Behavioral Drift. Deviation occurs when individuals begin to violate policy or behavioral expectations, often through minor infractions that go unchallenged. These early violations may seem inconsequential in isolation, but when ignored, they begin to lower the perceived standard of acceptable conduct. As others observe that enforcement is absent or inconsistent, a permissive mindset begins to take hold. Deviation marks the start of an organization’s behavioral erosion if corrective action is not taken. |
Drift Trajectory | A three-phase model describing how behavioral violations can evolve and spread within an organisation if left unaddressed. It begins with Deviation, where policy violations occur and go unchallenged, lowering behavioral standards among individuals or teams. This may lead to Normalization, where risky behaviours become common and culturally accepted across larger groups. Finally, Escalation occurs when the permissive environment enables more severe or malicious actions, such as boundary testing, conflicts of interest, or external exploitation. The Drift Trajectory highlights the critical need for early detection and response to prevent small infractions from transforming into systemic risk. |
Enumerated Structure | A formatting method used in policy documents - particularly Acceptable Use Policies (AUPs) - to organize content in a clear, hierarchical, and referenceable format using alphanumeric identifiers. This structure assigns a unique number or letter to each clause or sub-clause (e.g., 3.2, 3.2.a, 3.2.a.i), allowing for precise citation and unambiguous reference. In the context of Forscie’s approach to insider threat and policy enforcement, enumerated structure improves clarity, supports consistent enforcement, and enables direct linkage between observed behavior and specific policy clauses. It simplifies documentation in investigative reports, disciplinary processes, and legal reviews, while also aiding in structured document control and version comparison. Enumerated structure is especially critical in sections dealing with unacceptable use, access restrictions, and enforcement actions. |
Escalation | The final and most dangerous phase of the Drift Trajectory, representing the unchecked culmination of Behavioral Drift. Escalation occurs when a culture of informal tolerance becomes embedded within the population. Widespread acceptance of policy infringements evolves into a state of active risk, where individuals begin to engage in more serious or deliberate misconduct, such as boundary testing, exploitation of access, or actions driven by malicious intent. This phase significantly increases organizational exposure and may even attract external threat actors who perceive the environment as permissive or unguarded and therefore a soft target. Without intervention, Escalation can lead to severe insider incidents and lasting institutional harm. |
Infringement (ITM) | A category within the Insider Threat Matrix referring to the act itself that harms or undermines an organisation. This includes data exfiltration, sabotage, unauthorised access, or any violation of policy that results in operational, reputational, or legal impact. Infringement represents the culmination of motive, means, and preparation into a concrete harmful action. |
Insider | Any individual who currently has, or previously had, authorized access to an organization’s resources. This includes access to people, processes, information, technology, and physical facilities. Insiders may include employees, contractors, vendors, or others granted legitimate access due to their role or relationship with the organization. |
Insider Event | Any activity carried out by an insider, whether intentional or accidental, that could lead to, or has led to, harm or loss to the organization. Insider events are observable occurrences that may indicate elevated insider risk or serve as precursors to insider threats. |
Insider Risk | The likelihood that an insider’s action or inaction could result in harm or loss to the organization, along with the potential impact of that outcome. Insider risk includes both intentional and unintentional behaviors. |
Insider Threat | An insider, or group of insiders, who intends to or is likely to cause harm or loss to the organization. The term applies specifically to those whose actions, motivations, or circumstances present a credible risk. |
Insider Threat Matrix (ITM) | Forscie’s structured framework for categorising insider threat behaviour across the lifecycle of an incident. It maps actions, motives, and investigative considerations into defined categories - Motive, Means, Preparation, Infringement, and Anti-Forensics - each containing specific, labelled techniques. The matrix enables consistent investigation, reporting, and understanding of insider activity, supporting both operational casework and strategic program design. Publicly available at insiderthreatmatrix.org, it serves as a knowledge foundation for the Forscie IARS platform and CITI certification. The Matrix also evolves through public contributions, allowing practitioners and experts to submit updates, techniques, and improvements to ensure it reflects real-world insider threat activity. |
Institutional Knowledge | The accumulated knowledge, patterns, decisions, and investigative insight retained within an organization over time, used to inform future responses to insider risk. |
Investigator | A professional formally tasked and trained to conduct insider threat investigations. Investigators are responsible for gathering, analyzing, and documenting evidence to determine whether a subject’s actions constitute policy violations, risk indicators, or malicious activity. Their work spans case intake, triage, behavioral analysis, digital forensics, and structured reporting. Unlike the broader category of defenders (who include analysts, responders, and program leads) investigators focus specifically on the investigative lifecycle, ensuring findings are accurate, defensible, and actionable. They operate under formal authority, often within an Insider Threat Investigation Team, and their judgments shape both immediate response and long-term institutional intelligence. |
Monthly Volume Infringement Review (MVIR) | A structured, recurring process that tracks and resolves designated volume infringements across the previous calendar month. MVIR focuses on behaviours such as inappropriate browsing, use of unapproved applications (e.g., encrypted messengers or generative AI), or possession of pirated media - provided the risk level permits up to a one-month delay in detection. Incidents are grouped by infringement type and subject, with enforcement actions applied per incident. MVIR supports consistent enforcement, prevents duplication of effort, and contributes to long-term behavioral analysis by identifying patterns of re-offending. It forms part of Forscie’s broader approach to managing Behavioral Drift and enhances subject risk profiling when integrated with HR and stakeholder input. |
Motive (ITM) | A category within the Insider Threat Matrix representing the reason or underlying cause that prompts a subject to engage in an infringement. Motives may include personal gain, ideology, curiosity, recklessness, coercion, or emotional drivers. Understanding motive helps investigators contextualise actions, assess intent, and guide appropriate response or remediation strategies. |
Normalization | The second phase of the Drift Trajectory, where the effects of Behavioral Drift spread from isolated individuals to broader teams or populations. Behaviors that began as individual deviations become routine and informally accepted. Colleagues may imitate or tolerate the behavior, and over time, previously unacceptable actions are no longer viewed as problematic. This cultural shift often happens subtly, driven by observation, communication, and the absence of visible consequences. Normalization signals that the organization is drifting toward systemic tolerance of risk. |
Organizational Tolerance | The cumulative level of enforcement - or lack thereof - that an organization applies to policy violations, behavioral deviations, and security infractions. It reflects how consistently the organization upholds its standards of conduct, whether through formal intervention, informal correction, or passive omission. Over time, this tolerance - whether intentional or incidental - shapes workplace norms and signals to the population which behaviors are truly sanctioned, which are negotiable, and which are ignored. |
Population | The collective body of individuals - employees, contractors, affiliates, and other personnel - who comprise an organization's operational workforce and are subject to its policies, controls, and access governance. |
Preparation (ITM) | A category within the Insider Threat Matrix encompassing the activities a subject undertakes to aid or enable an infringement. This may include gathering information, testing access, installing tools, or modifying systems in advance of a policy violation. Preparation signals intent and provides early opportunities for detection before harm occurs. |
Prevention (ITM) | A term used in the Insider Threat Matrix: A formal entry within a section or sub-section offering guidance on how organisations can reduce the likelihood of the behaviour occurring. Preventions focus on controls, policy design, governance mechanisms, or technical safeguards that reduce insider risk in advance. |
Section (ITM) | A term used in the Insider Threat Matrix: A primary subdivision within an Article, representing a specific behavioral concept, capability, or investigative focus. Sections are numbered (e.g. MT015 – Recklessness) and provide structure to the Matrix by grouping closely related sub-sections under a common theme. |
Selector | A discrete technical identifier that can be used to link, correlate, or pivot between insider threat cases and investigative evidence. Selectors may include email addresses, usernames, device identifiers, IP addresses, file hashes, domains, or other unique markers. Selectors provide the technical dimension of correlation, complementing the human role associations captured under the SWIO model. Exact selector matches indicate strong continuity across cases, while fuzzy selector matches - such as shared subnets, domains, or hostname prefixes - highlight potential relationships requiring further validation before they are treated as links. By standardizing how selectors are recorded and analyzed, investigators can identify patterns, trace activity across systems, and connect disparate events into coherent investigative trajectories. |
Severity Matrix | A structured decision-support tool used to assess and categorize the seriousness of an insider event. The severity matrix enables consistent triage by applying numerical weighting to a defined set of binary (yes/no) questions (referred to as tests) that measure key risk dimensions such as intent, impact, recurrence, sensitivity of data, and policy violation. Each test is scored, and the cumulative result places the event into a severity tier (e.g., low, medium, high, critical), guiding prioritization, escalation, and required response actions. This approach allows for a defensible, repeatable assessment that reduces subjectivity and improves coordination across teams. |
Sub-Section (ITM) | A term used in the Insider Threat Matrix: A detailed behavioral technique or condition nested within a Section. Sub-sections (e.g. MT015.001 – Opportunism) describe discrete, observable actions or patterns relevant to insider threat investigations. They provide operational granularity and are often used as tagging or triage references in investigative workflows. |
Subject | An individual within the population who has been identified as a focus of interest in the context of behavioral analysis, policy violations, or insider threat investigations more broadly. The subject is not presumed to be malicious, but is monitored or investigated based on observed actions, access patterns, or risk indicators. |
Subject/Witness/Informant/Official (SWIO) | A structured model used in investigations to record and classify the human roles associated with a case. SWIO stands for Subject, Witness, Informant, Official; the four categories of individuals relevant to an insider threat investigation: Subject (S): The individual(s) under investigation. Witness (W): Individuals with direct, first-hand evidence of relevant events or actions. Informant (I): Individuals providing indirect, second-hand information, suspicions, or tip-offs. Official (O): Authorized investigators or analysts formally assigned to the case. This ordered model ensures consistent role definition, improves clarity in investigative records, and reduces ambiguity in case collaboration. By applying SWIO uniformly, investigators maintain precision in evidence handling, communication, and reporting – strengthening defensibility and institutional knowledge across cases. |
Volume Infringements | Minor, frequently occurring violations of organizational policy, security controls, or behavioral expectations. While individually low impact, they collectively indicate patterns of noncompliance that may signify behavioral drift, normalization of deviance, or weakening organizational control. |
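The Alias and Alias Register entries above describe two mechanical requirements: a subject must receive the same all-caps alias every time they are encountered, and every identifier for that subject must be redacted from investigative material. The following is an added example, written for this page and not Forscie's own tooling, of a minimal in-memory register that enforces both. The alias pool, the subject keys (assumed here to be an HR employee identifier) and the identifiers are all constructed for illustration.

```python
import re


class AliasRegister:
    """Map each subject to one persistent, all-caps alias and redact their identifiers.

    Constructed example: the alias pool, subject keys and identifiers used with this
    class are invented; a real register is a confidential artifact kept in a
    restricted store, because it is the only thing that re-identifies an alias.
    """

    def __init__(self, alias_pool):
        self._pool = [a.upper() for a in alias_pool]  # unused aliases, consumed in order
        self._alias_by_subject = {}                    # canonical subject key -> alias
        self._identifiers = {}                         # alias -> identifiers to redact

    @staticmethod
    def _canon(value):
        return value.strip().lower()

    def register(self, subject_key, identifiers=()):
        """Return the subject's alias, assigning a new one only on first sight.

        Re-registering the same subject (for a later case) returns the same alias and
        merges any newly learned identifiers (a second username, a new mailbox).
        """
        key = self._canon(subject_key)
        alias = self._alias_by_subject.get(key)
        if alias is None:
            if not self._pool:
                raise RuntimeError("alias pool exhausted")
            alias = self._pool.pop(0)
            self._alias_by_subject[key] = alias
            self._identifiers[alias] = set()
        self._identifiers[alias].update(self._canon(i) for i in identifiers if i.strip())
        return alias

    def alias_for(self, subject_key):
        return self._alias_by_subject.get(self._canon(subject_key))

    def redact(self, text):
        """Replace every known identifier (name, email, username) with its alias."""
        for alias, idents in self._identifiers.items():
            # Longest first, so 'jane.doe@example.com' is consumed before 'jdoe'.
            for ident in sorted(idents, key=len, reverse=True):
                # Lookarounds stop 'jdoe' matching inside 'jdoe2' or 'jdoe.example'.
                pattern = rf"(?<![\w.@-]){re.escape(ident)}(?![\w.@-])"
                text = re.sub(pattern, alias, text, flags=re.IGNORECASE)
        return text


if __name__ == "__main__":
    reg = AliasRegister(["buckley", "harlow"])
    reg.register("emp-10442", ["Jane Doe", "jane.doe@example.com", "jdoe"])
    note = "Jane Doe (jdoe) mailed jane.doe@example.com from JDOE's laptop"
    print(reg.redact(note))
```

The register keys subjects on a stable internal identifier rather than on a name, so a rename or a new mailbox does not silently create a second alias for the same person; identifier matching is case-insensitive because screenshots and mail headers rarely agree on case.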
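The Selector entry above distinguishes exact matches (strong continuity) from fuzzy matches (shared subnet, mail domain or hostname prefix) that need validation. The example below is added here to show that distinction in working code; it is not Forscie's own correlation logic. The three cases and their selectors are constructed data, and the fuzzy rules (IPv4 /24, IPv6 /64, mail domain, hostname text before the first hyphen) are assumptions chosen for the illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample cases (invented data); each selector is a (kind, value) pair.
CASES = {
    "CASE-001": [("email", "J.Doe@Example.com"), ("ip", "10.20.30.41"), ("hostname", "LAP-0432")],
    "CASE-002": [("email", "j.doe@example.com"), ("ip", "192.0.2.10"), ("hostname", "WKS-1101")],
    "CASE-003": [("email", "a.smith@contractor.example"), ("ip", "10.20.30.77"), ("hostname", "LAP-0981")],
}


def normalize(kind, value):
    """Canonical form so case and notation differences do not defeat exact matching."""
    value = value.strip().lower()
    if kind == "ip":
        return str(ipaddress.ip_address(value))
    return value


def fuzzy_key(kind, value):
    """Coarser key shared by related-but-not-identical selectors (assumed rules)."""
    if kind == "ip":
        ip = ipaddress.ip_address(value)
        prefix = 24 if ip.version == 4 else 64
        return ("subnet", str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)))
    if kind == "email":
        return ("domain", value.rsplit("@", 1)[-1])
    if kind == "hostname":
        return ("prefix", value.split("-", 1)[0])
    return None  # hashes, device IDs etc. have no meaningful fuzzy form


def correlate(cases, ignore_fuzzy=frozenset()):
    """Return (case_a, case_b, strength, kind, evidence) links between every pair of cases.

    strength is "exact" for identical normalized selectors and "fuzzy" for a shared
    coarse key. ignore_fuzzy holds keys that are known noise, e.g. the organisation's
    own mail domain, which every internal subject shares.
    """
    links = []
    for (a, sels_a), (b, sels_b) in combinations(cases.items(), 2):
        norm_a = {(k, normalize(k, v)) for k, v in sels_a}
        norm_b = {(k, normalize(k, v)) for k, v in sels_b}
        for kind, value in sorted(norm_a & norm_b):
            links.append((a, b, "exact", kind, value))
        # Fuzzy matching only over selectors that did not already match exactly.
        keys_a = {fuzzy_key(k, v) for k, v in norm_a - norm_b} - {None}
        keys_b = {fuzzy_key(k, v) for k, v in norm_b - norm_a} - {None}
        for kind, value in sorted((keys_a & keys_b) - set(ignore_fuzzy)):
            links.append((a, b, "fuzzy", kind, value))
    return links


if __name__ == "__main__":
    for link in correlate(CASES):
        print(link)
```

Run against the constructed cases, CASE-001 and CASE-002 are joined by an exact email match, while CASE-001 and CASE-003 are joined only by a shared /24 and a shared hostname prefix, which an investigator would treat as a lead to validate rather than an established link. Passing the corporate mail domain in `ignore_fuzzy` suppresses the one fuzzy key that would otherwise connect every internal case.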
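The Severity Matrix entry above describes weighted binary tests whose cumulative score places an event in a tier. The block below is an added illustration of that mechanism, not Forscie's published matrix: the five tests, their weights and the tier thresholds are assumptions made for the example, and the `answers` dictionary it consumes is constructed input. What it adds to the prose is the handling a practitioner wants in triage code: every test must be answered with an explicit yes or no, unknown tests are rejected, and the output records which tests fired so the tier can be defended later.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SeverityTest:
    key: str
    question: str
    weight: int


# Assumed test set and weights for this example (not Forscie's published matrix).
TESTS = (
    SeverityTest("intent", "Is there evidence the act was deliberate?", 5),
    SeverityTest("impact", "Has harm or loss to the organisation already occurred?", 4),
    SeverityTest("recurrence", "Has the same alias been linked to a similar event before?", 3),
    SeverityTest("sensitive_data", "Did the event involve regulated, confidential or customer data?", 4),
    SeverityTest("policy_violation", "Does the act breach an enumerated AUP clause?", 2),
)
MAX_SCORE = sum(t.weight for t in TESTS)  # 18 with the weights above

# Tier name and its inclusive lower bound, highest first (assumed thresholds).
TIERS = (("critical", 14), ("high", 9), ("medium", 4), ("low", 0))


def score_event(answers):
    """Sum the weights of the tests answered True; every test must be answered as a bool."""
    known = {t.key for t in TESTS}
    unknown = set(answers) - known
    if unknown:
        raise ValueError(f"unknown tests: {sorted(unknown)}")
    missing = known - set(answers)
    if missing:
        raise ValueError(f"unanswered tests: {sorted(missing)}")
    for key, value in answers.items():
        if not isinstance(value, bool):
            raise TypeError(f"test {key!r} must be answered True or False")
    return sum(t.weight for t in TESTS if answers[t.key])


def tier_for(score):
    if not 0 <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside 0..{MAX_SCORE}")
    for name, floor in TIERS:
        if score >= floor:
            return name
    raise AssertionError("TIERS must include a tier with floor 0")


def assess(answers):
    """Return the score, tier and the list of tests that fired, for the case record."""
    score = score_event(answers)
    return {
        "score": score,
        "max": MAX_SCORE,
        "tier": tier_for(score),
        "triggered": [t.key for t in TESTS if answers[t.key]],
    }


if __name__ == "__main__":
    # Constructed event: deliberate, data already gone, sensitive data, no prior history.
    event = {"intent": True, "impact": True, "recurrence": False,
             "sensitive_data": True, "policy_violation": False}
    print(assess(event))
```

Keeping the weights and thresholds in one table, and refusing partial answer sets, is what makes the result repeatable: two investigators given the same answers get the same tier, and the `triggered` list shows exactly which tests produced it.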