Submitted:
12 June 2026
Posted:
15 June 2026
You are already at the latest version
Abstract

Keywords:
1. Introduction
2. Conceptual Framework
2.1. Classified Information and the Regulatory Landscape
2.2. Access Control Models
2.3. Key Security Principles
3. Risk Analysis
3.1. Accidental Disclosure and Data Spillage
3.2. Insider Threat Amplification
3.3. Privilege Escalation and Lateral Movement
3.4. Data Exfiltration Pathways
4. Root Causes and Contributing Factors
4.1. Human Error and Cognitive Complexity
4.2. Poor Change Management and Configuration Drift
4.3. Legacy Systems and Technical Debt
4.4. Weak Auditing and Monitoring Gaps
4.5. Unclear Responsibility and Organizational Culture
5. Prevention and Mitigation Strategies
5.1. Secure Baselines and Hardened Configuration Management
5.2. Periodic Access Reviews and Recertification
5.3. Privileged Access Management and Multi-Factor Authentication
5.4. Logging, Monitoring, and Security Information and Event Management
5.5. Incident Response for Permission-Related Breaches
6. Discussion
7. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
Abbreviations
| ABAC | Attribute-Based Access Control |
| ACL | Access Control List |
| CIS | Center for Internet Security |
| CNSSI | Committee on National Security Systems Instruction |
| DAC | Discretionary Access Control |
| DBIR | Data Breach Investigations Report |
| ISCM | Information Security Continuous Monitoring |
| MAC | Mandatory Access Control |
| MFA | Multi-Factor Authentication |
| NATO | North Atlantic Treaty Organization |
| NIST | National Institute of Standards and Technology |
| NSS | National Security Systems |
| OWASP | Open Web Application Security Project |
| PAM | Privileged Access Management |
| RBAC | Role-Based Access Control |
| SIEM | Security Information and Event Management |
References
- Obama, B. Executive Order 13526—Classified National Security Information. Federal Register. 2009. Available online: https://www.govinfo.gov/content/pkg/CFR-2010-title3-vol1/pdf/CFR-2010-title3-vol1-eo13526.pdf (accessed on 10 May 2026).
- North Atlantic Treaty Organization. Security Within the North Atlantic Treaty Organisation, C-M(2002)49-REV1. NATO: Brussels, Belgium, 2020. Available online: https://www.gns.gov.pt/docs/cm-2002.pdf (accessed on 15 May 2026).
- Federal Times. Manning/Snowden Leaks: The Threat from Within Emerges. Federal Times. 2015. Available online: https://www.federaltimes.com/smr/50-years-federal-times/2015/12/04/manning-snowden-leaks-the-threat-from-within-emerges/ (accessed on 14 May 2026).
- Reading, Dark. How Did Snowden Do It? Dark Reading, 2013. Available online: https://www.darkreading.com/cyberattacks-data-breaches/how-did-snowden-do-it- (accessed on 16 May 2026).
- Scarfone, K.; Jansen, W.; Tracy, M. Guide to General Server Security. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2008. Available online: https://csrc.nist.gov/pubs/sp/800/123/final (accessed on 13 May 2026).
- Defense Counterintelligence and Security Agency. Data Spill—An Everyday Threat to National Security. CDSE Student Guide, 2018. Available online: https://www.cdse.edu/Portals/124/Documents/student-guides/IF140-guide.pdf (accessed on 16 May 2026).
- Joint Task Force. Security and Privacy Controls for Information Systems and Organizations; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020; Available online: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final (accessed on 15 May 2026).
- Samarati, P.; de Vimercati, S.C. Access Control: Policies, Models, and Mechanisms. In Foundations of Security Analysis and Design; Focardi, R., Gorrieri, R., Eds.; Springer: Berlin/Heidelberg, Germany, 2001; pp. 137–196. [Google Scholar]
- Bell, D.E.; LaPadula, L.J. Secure Computer Systems: Mathematical Foundations; Technical Report MTR-2547, Volume I; The MITRE Corporation: Bedford, MA, USA, 1973. [Google Scholar]
- Smalley, S.; Vance, C.; Salamon, W. Implementing SELinux as a Linux Security Module; NAI Labs Report #01-043; NAI Labs: Glendale, MD, USA, 2001. [Google Scholar]
- Ferraiolo, D.F.; Sandhu, R.; Gavrila, S.; Kuhn, D.R.; Chandramouli, R. Proposed NIST Standard for Role-Based Access Control. ACM Trans. Inf. Syst. Secur. 2001, 4, 224–274. [Google Scholar] [CrossRef]
- Sandhu, R.S.; Coyne, E.J.; Feinstein, H.L.; Youman, C.E. Role-Based Access Control Models. Computer 1996, 29, 38–47. [Google Scholar] [CrossRef]
- Rose, S.; Borchert, O.; Mitchell, S.; Connelly, S. Zero Trust Architecture. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. Available online: https://csrc.nist.gov/pubs/sp/800/207/final (accessed on 17 May 2026).
- Clark, D.D.; Wilson, D.R. A Comparison of Commercial and Military Computer Security Policies. In Proceedings of the 1987 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 27–29 April 1987; pp. 184–194. [Google Scholar]
- BeyondTrust. Addressing Privilege Creep & Enforcing Least Privilege. BeyondTrust Blog, 2023. Available online: https://www.beyondtrust.com/blog/entry/addressing-privilege-creep (accessed on 16 May 2026).
- Magazine, Cyber Defense. Data Spill—An Everyday Threat to National Security. Cyber Defense Magazine. 2020. Available online: https://www.cyberdefensemagazine.com/data-spill-an-everyday/ (accessed on 16 May 2026).
- Verizon. 2024 Data Breach Investigations Report; Verizon Business: New York, NY, USA, 2024; Available online: https://www.verizon.com/business/resources/reports/2024-dbir-executive-summary.pdf (accessed on 16 May 2026).
- Cloudflare. What Is Lateral Movement? Cloudflare Learning Center, 2024. Available online: https://www.cloudflare.com/learning/security/glossary/what-is-lateral-movement/ (accessed on 16 May 2026).
- OWASP Foundation. A05:2021—Security Misconfiguration. OWASP Top 10:2021, 2021. Available online: https://owasp.org/Top10/2021/A05_2021-Security_Misconfiguration/ (accessed on 15 May 2026).
- Center for Internet Security. CIS Benchmarks. Center for Internet Security, 2024. Available online: https://www.cisecurity.org/cis-benchmarks (accessed on 16 May 2026).
- Dempsey, K.; Chawla, N.S.; Johnson, A.; Johnston, R.; Jones, A.C.; Orebaugh, A.; Scholl, M.; Stine, K. Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2011. Available online: https://csrc.nist.gov/pubs/sp/800/137/final (accessed on 19 May 2026).
- International Organization for Standardization. ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements. ISO: Geneva, Switzerland, 2022.
- National Cybersecurity Center of Excellence. Privileged Account Management for the Financial Services Sector. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. Available online: https://csrc.nist.gov/pubs/sp/1800/18/final (accessed on 16 May 2026).
- SearchInform. SIEM for Privileged Access Management: Enhancing Security and Compliance. SearchInform. 2024. Available online: https://searchinform.com/articles/cybersecurity/measures/siem/use-cases/siem-for-privileged-access-management/ (accessed on 16 May 2026).
- Committee on National Security Systems. CNSSI No. 1253—Categorization and Control Selection for National Security Systems; CNSS: Fort Meade, MD, USA, 2022; Available online: https://rmf.org/wp-content/uploads/2022/03/CNSSI-1253.pdf (accessed on 16 May 2026).
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).