Focuses on attacks that could be launched by an insider. In contrast to a remote attacker, this attacker may have some form of authorized access and already has access to the internal network. The insider can also have more knowledge of the location of valuable data.