Cyber-sabotage incidents - as for insider threat incidents in general - tend to be underreported to authorities by organizations because organizations have strong incentives to limit reputation harm by avoiding publicity on the event and chances of obtaining reparation are low (Randazzo et al., 2005).

For these reasons, statistics should be considered from a critical perspective. Statistics provided in this article are extracted from the studies referenced in the bibliographic section. These studies have several limitations (geographic location, underreporting, etc.). The statistics in this article are provided in parenthesis with the mention “e.g.” to stress these limitations.

Most saboteurs had personal predispositions Moore et al., 2008, including:

• Serious mental health disorders.

• Social skill difficulties and decision-making biases.

• A history of rule violations.

• Saboteurs tend to not share common characteristics, i.e. their gender, IT expertise, age, marital status, professional success, ethnicity, etc. are not meaningful predictors (Randazzo et al., 2005).

• Most insider plan their attack in advance (e.g. 81% inRandazzo et al., 2005)

• A majority of them tend to not properly consider the potential negative consequences of their action (e.g. 65% in Randazzo et al., 2005). Some had the sentiment that committing sabotage on a computer was less serious than causing physical damage (Randazzo et al., 2005).

• For general insider attacks, a majority of incidents do not require technical sophistication but use simple and legitimate capabilities or exploit systemic vulnerabilities in applications or business processes (e.g.: 87% in Randazzo et al., 2005). In contrast, IT saboteurs tend to hold technical positions (e.g. 86% in Moore et al., 2008), often with high privileged accesses.

• While most insider attacks are executed at the workplace and during normal business hours (Randazzo et al., 2005), a majority of saboteurs are former employees (e.g. 59% in Moore et al., 2008)

• A minority of insiders were known for being difficult to manage (e.g. 15%) or untrustwothy (e.g. 4%).

• Unmet expectations (salary, bonus, promotion, recognition, and/or personal control of IT systems) causing dissatisfaction or disgruntlement, and a desire of revenge. A majority of saboteurs were perceived as disgruntled employees before the attack (e.g., 57% in Moore et al., 2008), many were motivated by revenge (e.g., 84% in Moore et al., 2008 and 23% of general insider attackers in Randazzo et al., 2005), or a desire for respect (e.g., 15% in Randazzo et al., 2005).

• A minority of inside attackers tend to have multiple motives (e.g. 27% in Randazzo et al., 2005), financial gain being the most prevalent motive for general inside attackers (Randazzo et al., 2005).

For general insider attacks, the insider’s planning behavior is noticeable in a number of cases (e.g.: 31% in Randazzo et al., 2005). More specifically for IT saboteurs, behavioral incidents seem to come to the attention of supervisors or co-workers before the sabotage takes place in a high number of cases (97% in Moore et al., 2008). Such incidents comprise:

• Conflicts with co-workers, aggressive or violent behavior, mood swings, sexual harassment.

• Poor job performance.

• Deception about qualifications.

• Absence or tardiness. Violations of explicit organizational policies and rules. Inappropriate purchases on company accounts. Violations of dress code, poor hygiene. Drug abuse.