
Illustration by iStock; Security Management

Trust: The Center of Gravity of Insider Threats

For decades, organizational security programs have been shaped by a fundamentally external view of risk. Firewalls, intrusion detection systems, end-point defenses, and perimeter controls reflect an assumption that danger originates from outside the organization. Yet many of the most damaging security incidents arise from within—from trusted individuals already inside the defensive perimeter.

These incidents are collectively described as insider threats: malicious, negligent, or compromised actors who misuse legitimate access to cause harm. Insider threats are dangerous not because insiders possess exceptional technical skill, but because they operate from positions of trust, familiarity, and authorization. Unlike external adversaries, insiders do not need to break in. They log in and, increasingly, they walk in.

Prussian military theorist Carl von Clausewitz’s concept of the center of gravity provides a useful strategic context for understanding why insider threats persist. Clausewitz defined the center of gravity as the source of power that grants freedom of action and cohesion. In the context of an insider threat, that center of gravity is legitimate access derived from organizational trust. As Clausewitz warned, striking everywhere except the decisive point expends effort without achieving victory against the threat.

Try examining insider threats through this Clausewitzian lens. The central argument is that insider threats endure because organizations consistently misidentify the decisive point of risk. Security programs focus on tools and perimeters while leaving the true center of gravity—trust converted into unchecked access—insufficiently governed. This vulnerability exists not just in digital systems but also in physical environments where trust translates into unrestricted movement and proximity to what matters most.

Trust Without Controls

In the early days of industry, insider threats were shaped by physical proximity and trust-based security models. Organizations relied on employee loyalty and informal oversight. Data resided on paper, in filing cabinets, or in the minds of key personnel. Valuable assets sat in warehouses, laboratories, and production facilities. Logging was minimal, access controls were broad, and separation of duties was weak.

Trust translated directly into access, authority, and freedom of action. When insider incidents occurred—prototype theft, equipment sabotage, document copying, or the sale of proprietary formulas—they were attributed to individual misconduct rather than systemic weakness. The threat actor’s effectiveness flowed from legitimate access embedded in trusted roles. The methods of insider theft or harm were simple, such as copying files, removing samples, photographing designs, or abusing privileged access to restricted areas.

The lesson from this era is clear: Trust alone is not a security solution. By allowing trust to transform into unrestricted access—whether to systems, buildings, or assets—organizations reinforced the insider threat center of gravity rather than attacking it.

Complexity, Scale, and Diffuse Centers of Gravity

Today’s insider threat landscape is far more complex. Insiders now include full-time employees, contractors, temporary workers, vendors, and business partners. Remote and hybrid work have dissolved physical boundaries, making identity and credentials the primary perimeter. But physical insider threats have not disappeared—instead they have evolved.

Modern insider threats fall into three categories: malicious, negligent, and compromised. While their intent differs, each derives operational strength from the same center of gravity—authorized access operating under assumed trust. This access manifests in both digital and physical domains.

Consider Mo Hailong, who, with help from coconspirators and other insiders, systematically stole more than 1,000 pounds of proprietary corn seed genetics from two major seed companies: DuPont Pioneer and Monsanto. His method was strikingly simple: He walked into test fields in Iowa and took seeds by hand. Mo didn't breach firewalls or exploit vulnerabilities. From at least 2011 until 2013, he exploited the trust that allows agricultural professionals to access fields and purchase seeds.

Mo established a legitimate presence by purchasing farmland in Iowa and Illinois, creating the appearance of a genuine agricultural businessman. This manufactured trust converted directly into physical access. Although the companies had invested heavily in protecting their IT infrastructure and laboratory facilities, they left their actual center of gravity—parent seed lines that are each worth $30 million to $40 million and represent five to eight years of research—sitting in accessible fields. (United States v. Mo Hailong, Southern District of Iowa, No. 3:13-cr-04063, 2016)

Gilbert Basaldua represents the digital manifestation of the same principle. As a numerical control engineer for a contractor, Hi-Tek Professionals Inc., Basaldua was assigned to an unnamed aircraft manufacturing company, where he used his authorized access to search internal systems for proprietary aircraft wing designs and test data, exfiltrating information through personal email and printed copies. He had received training on protecting trade secrets and signed agreements acknowledging his obligations, yet he violated that trust. (United States v. Gilbert Basaldua, Southern District of Georgia, No. 4:19-cr-00069, 2022)

What the two men share is more significant than methodology. Both exploited the fundamental center of gravity: trust converted into access. With Basaldua, trust manifested as system credentials and database permissions, while Mo had the ability to walk into fields and claim legitimate agricultural interest. Different attack surfaces, identical strategic vulnerability.

This pattern appears across insider threat cases. Trusted employees with badge access remove prototypes from facilities. Contractors photograph proprietary equipment. Field technicians steal samples or sabotage equipment. The digital and physical dimensions of insider threats are not separate problems—they are expressions of the same center of gravity operating in different domains.

Modern defensive tools offer meaningful protection only when applied directly against the center of gravity in both digital and physical contexts. Behavioral monitoring must extend beyond network activity to include physical access patterns, badge swipes, visitor logs, and field site access. When used to reduce standing privilege, constrain access, and detect behavioral deviation across all domains, these controls erode insiders’ freedom of action. When deployed merely as compliance checkboxes, their strategic impact remains minimal.

The center of gravity has diffused across identities, platforms, facilities, and locations. Legitimate access is now distributed across cloud platforms, office buildings, laboratories, production facilities, warehouses, and remote field sites. This diffusion makes the center of gravity harder to observe and control, but no less decisive.

Negligent insiders compound the problem by falling victim to phishing or leaving secure facilities unsecured. Compromised insiders—whose credentials or badge access are hijacked by external attackers—blur the distinction between insider and outsider threats. Social engineering extends beyond phishing emails to include tailgating into facilities, impersonating vendors, and exploiting trust to gain physical proximity to assets.

Insider Threats as a Strategic Contest

Emerging technologies will further shape insider threats, but they do not introduce a fundamentally new strategic problem. Artificial intelligence (AI) can accelerate data discovery, automate exfiltration, and generate convincing phishing content. However, these technologies do not create a new center of gravity; they instead amplify the existing one. AI accelerates the speed, scale, and subtlety with which authorized permissions can be misused, whether those permissions provide access to systems or facilities.

Workforce trends—short-term contracts, organizational restructuring, and increased use of third-party specialists—continually regenerate insider risk around the same trust relationship. Every new employee, contractor, or vendor who receives credentials and badge access represents a refresh of the center of gravity.

Future insider incidents are likely to involve low-and-slow abuse rather than overt sabotage. Incremental data theft, subtle removal of samples over time, and gradual erosion of intellectual property will challenge detection efforts. The insider who removes one seed sample per visit over months is harder to detect than one who attempts to steal an entire crop at once.

Attacking the Center of Gravity

With legitimate access derived from trust constituting the center of gravity, identity-centric security becomes the decisive line of effort. But identity must be understood broadly—not just as digital credentials but as the summation of permissions, both virtual and physical. Least-privilege access, just-in-time permissions, and continuous authentication prevent trust from morphing into unchecked authority.

Behavioral monitoring and analytics constrain insider freedom of action by increasing visibility and friction. Rather than attempting to prevent every misuse, these controls make sustained abuse difficult to conceal and costly to maintain. This applies equally whether the abuse involves downloading wing designs or collecting seed samples from test fields.
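The monitoring described above, and in the earlier discussion of badge swipes and low-and-slow abuse, is concrete enough to show in code. The script below is an added example written for this page; it is not the article's code, nor code from any company or court case named in it. It runs three checks over constructed badge-reader and system-access logs: VPN activity by a user whose badge says they are still on site (either the credential or the badge is in someone else's hands), after-hours entry into a restricted zone, and a rolling-window count that catches an insider who stays under the daily download threshold every single day. All users, sites, zones, file names, timestamps, and thresholds are constructed assumptions for illustration.

```python
"""Cross-domain insider-risk checks over badge and system logs (added example).

All records, names, zones and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    """Parse the ISO-8601 timestamps used in the constructed logs."""
    return datetime.fromisoformat(s)

# Constructed badge events: (user, timestamp, site, zone, direction).
# "perimeter" events set on-site state; other zones are interior doors.
BADGE_LOG = [
    ("ebrown", "2024-03-04T08:02:00", "cedar-rapids", "perimeter", "in"),
    ("ebrown", "2024-03-04T17:10:00", "cedar-rapids", "perimeter", "out"),
    ("ebrown", "2024-03-05T08:00:00", "cedar-rapids", "perimeter", "in"),  # never badges out
    ("kvance", "2024-03-04T07:55:00", "cedar-rapids", "perimeter", "in"),
    ("kvance", "2024-03-04T22:41:00", "cedar-rapids", "seed-vault", "in"),
    ("kvance", "2024-03-04T23:05:00", "cedar-rapids", "perimeter", "out"),
]
RESTRICTED_ZONES = {"seed-vault", "lab"}

# Constructed system events: (user, timestamp, action, object, source); source is
# "onsite" (corporate LAN) or "vpn" (remote).
SYSTEM_LOG = [
    ("ebrown", "2024-03-04T09:30:00", "download", "wing-test-data-07.zip", "onsite"),
    ("ebrown", "2024-03-05T10:15:00", "download", "wing-test-data-08.zip", "vpn"),
]
# kvance: two downloads a day for ten days, never above a per-day limit of 3.
SYSTEM_LOG += [
    ("kvance", (datetime(2024, 2, 10, h) + timedelta(days=i)).isoformat(),
     "download", f"seed-lineage-{i:02d}-{h}.csv", "onsite")
    for i in range(10) for h in (9, 15)
]
# ebrown: one noisy day of five downloads, which a per-day rule does catch.
SYSTEM_LOG += [
    ("ebrown", f"2024-03-06T1{k}:00:00", "download", f"wing-test-data-{10 + k}.zip", "onsite")
    for k in range(5)
]

def badged_in_at(badge_log, user, when):
    """True if the user's latest perimeter event at or before `when` is an 'in'."""
    state = None
    for u, t, _site, zone, direction in sorted(badge_log, key=lambda e: e[1]):
        if u == user and zone == "perimeter" and ts(t) <= when:
            state = direction
    return state == "in"

def physical_digital_conflicts(badge_log, system_log):
    """Remote (VPN) activity while the same identity is badged on site."""
    return [(user, t, f"vpn {action} of {obj} while badged on site")
            for user, t, action, obj, source in system_log
            if source == "vpn" and badged_in_at(badge_log, user, ts(t))]

def after_hours_restricted_entry(badge_log, restricted, open_hour=7, close_hour=19):
    """Badge-in to a restricted zone outside business hours."""
    return [(user, t, f"after-hours entry to {zone} at {site}")
            for user, t, site, zone, direction in badge_log
            if zone in restricted and direction == "in"
            and not open_hour <= ts(t).hour < close_hour]

def low_and_slow(system_log, action="download", daily_limit=3, window_days=30, window_limit=15):
    """Per-day thresholds miss an insider who stays under them every day; a rolling
    window over the same counts catches the accumulation."""
    per_day = defaultdict(lambda: defaultdict(int))
    for user, t, act, _obj, _src in system_log:
        if act == action:
            per_day[user][ts(t).date()] += 1
    findings = []
    for user, days in per_day.items():
        for d in sorted(days):
            if days[d] > daily_limit:
                findings.append((user, str(d), f"{days[d]} {action}s in one day (daily limit {daily_limit})"))
        for start in sorted(days):
            in_window = {d: n for d, n in days.items() if start <= d < start + timedelta(days=window_days)}
            total = sum(in_window.values())
            if total > window_limit and all(n <= daily_limit for n in in_window.values()):
                findings.append((user, str(start), f"{total} {action}s over {window_days} days, none above daily limit"))
                break  # one finding per user is enough to open a case
    return findings

def run_all():
    """Collect every finding so the checks can be reviewed together."""
    return {
        "physical_digital_conflicts": physical_digital_conflicts(BADGE_LOG, SYSTEM_LOG),
        "after_hours_restricted_entry": after_hours_restricted_entry(BADGE_LOG, RESTRICTED_ZONES),
        "low_and_slow": low_and_slow(SYSTEM_LOG),
    }

if __name__ == "__main__":
    for check, findings in run_all().items():
        print(check)
        for user, when, detail in findings:
            print(f"  {user:8} {when:20} {detail}")
```

The point of the third check is the one the article makes about seed samples: the per-day rule fires only on ebrown's noisy day, while kvance, who never exceeds the daily limit, is surfaced only when the same counts are summed over a window. The first check is only as good as the badge data; a site where people routinely tailgate or skip badging out will generate false positives, so the badge-state logic should be tuned to that site's real door discipline before the alert is trusted.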

Effective insider threat programs must address organizational and cultural dimensions. Insider risk management succeeds when security is framed as a shared responsibility, reinforced through clear governance, transparent oversight, and consistent enforcement. Field managers must understand that people walking through test sites require the same scrutiny as people accessing databases. Security must extend to where strategic assets actually exist, not just where security controls are easy to implement.

Insider threats are not a new phenomenon, but they are an enduring one. From the trust-based environments of the past to the distributed, identity-driven systems of the present and the AI-enabled risks of the future, the decisive vulnerability remains constant.

The question every security leader must answer is, “Where does trust convert into access in your organization, and what happens when that trust is violated?” Until that question is answered honestly for systems, facilities, and field operations alike, insider threats will continue to succeed.


Michael Bailey Sr., CPP, is a 30-year veteran of law enforcement and security operations. He currently operates as a security control official, overseeing physical security operations for Collins Aerospace in Cedar Rapids, Iowa.
