Cyber-sabotage

UNDER CONSTRUCTION

Alternative Forms

  • IT Sabotage

  • Sabotage

Definitions

Definition 1

Cyber-sabotage: complete version 1 and submit to community Slack thread for feedback.

Definition

Cyber-sabotage may designate two distinct classes of object:

  • The risk of cyber-sabotage.

  • An unsuccessful attempt.

  • A cyber-sabotage incident.

A cyber-sabotage incident is a specialized form of insider threat incident (e.g.: sabotage represented 27% of insider attacks in https://open-measure.atlassian.net/wiki/spaces/BIB/pages/1629061596). Its distinctive characteristics are:

Underreporting and statistics

Cyber-sabotage incidents, like insider threat incidents in general, tend to be underreported to authorities: organizations have strong incentives to limit reputational harm by avoiding publicity about the event, and the chances of obtaining reparation are low.

For these reasons, statistics should be considered from a critical perspective. Statistics provided in this article are extracted from the studies referenced in the bibliographic section. These studies have several limitations (geographic location, underreporting, etc.). The statistics in this article are provided in parentheses with the mention “e.g.” to stress these limitations.

Personal predispositions of saboteurs

Most saboteurs had personal predispositions, including:

  • Serious mental health disorders.

  • Social skill difficulties and decision-making biases.

  • A history of rule violations.

Distinctive characteristics of saboteurs

  • Saboteurs tend not to share common characteristics, i.e. their gender, IT expertise, age, marital status, professional success, ethnicity, etc. are not meaningful predictors.

  • Most insiders plan their attack in advance (e.g. 81%).

  • A majority of them tend not to properly consider the potential negative consequences of their action (e.g. 65%). Some had the sentiment that committing sabotage on a computer was less serious than causing physical damage.

  • For general insider attacks, a majority of incidents do not require technical sophistication but use simple and legitimate capabilities or exploit systemic vulnerabilities in applications or business processes (e.g. 87%). In contrast, IT saboteurs tend to hold technical positions (e.g. 86%), often with highly privileged access.

  • While most insider attacks are executed at the workplace and during normal business hours, a majority of saboteurs are former employees (e.g. 59%).

  • A minority of insiders were known for being difficult to manage (e.g. 15%) or untrustworthy (e.g. 4%).

Saboteurs' motivations

  • Unmet expectations (salary, bonus, promotion, recognition, and/or personal control of IT systems) causing dissatisfaction or disgruntlement, and a desire for revenge. A majority of saboteurs were perceived as disgruntled employees before the attack (e.g., 57%), many were motivated by revenge (e.g., 84%, and 23% of general insider attackers), or a desire for respect (e.g., 15%).

  • A minority of inside attackers tend to have multiple motives (e.g. 27%), financial gain being the most prevalent motive for general inside attackers.

Behavioral precursors

For general insider attacks, the insider’s planning behavior is noticeable in a number of cases (e.g. 31%). More specifically for IT saboteurs, behavioral incidents seem to come to the attention of supervisors or co-workers before the sabotage takes place in a high number of cases (97%). Such incidents comprise:

  • Conflicts with co-workers, aggressive or violent behavior, mood swings, sexual harassment.

  • Poor job performance.

  • Deception about qualifications.

  • Absence or tardiness.

  • Violations of explicit organizational policies and rules.

  • Inappropriate purchases on company accounts.

  • Violations of dress code, poor hygiene.

  • Drug abuse.

Technical precursors

Precipitating events and contributing factors

Vulnerabilities

Consequences

Countermeasures

Paradigmatic Examples

  • The Time-bomb with money motivation case

  • The sys engineer case

  • The insider IT sabotage training (fictional) case

Entourage and possibility of early detection:

  • 19% were perceived as disgruntled employees before the incident. Concerning behavior was reported to the supervisor, incl. complaining about salary, outbursts at coworkers, isolation from coworkers (27%).

Distinguished characteristics of incidents:

  • In a minority of incidents (e.g. 26%), the perpetrator used someone else’s identity.

Sample Sentences

Eve was enraged when, following her cloud migration project’s failure, her manager Bob told her she would receive a disciplinary sanction for her poor performance. Filled with bitterness, she coded a time bomb to wreak havoc on the corporate IT network. At that moment she didn’t realize that this cyber-sabotage would lead her to serve a 3-year prison sentence.

Conceptual Diagram

 

Quotes

Bibliography

See Also



This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.