ABSTRACT
Insider threat programs aim to mitigate risks such as embezzlement, espionage, loss of strategic assets, sabotage, and physical violence. Although entities know that they need to turn off the access credentials of former employees, the current literature is largely silent on what employees who directly or indirectly had access credentials after termination have done. This study reviews the federal court cases of the past decade where an employee’s endpoint access was not disabled before intellectual property could be stolen or a cyberattack could be launched. Some breaches led to economic gains for the employee, whereas the remainder were acts of pure sabotage motivated by retaliation. The discussion includes preventive suggestions, including having IT personnel brainstorm each departure case on its merits and providing employee training that stresses that an attack on a protected computer system is a felony. The discussion also reviews the limitations of using AI for insider threat detection.
Data Availability: The case data collected for this study and subsequent updates are available in the supplemental files InsiderThreatCases.xlsx and Indictments.zip. The author will provide an updated table upon request.
JEL Classifications: K42; M15; M54.