Roles
Understand the human and organizational roles that become high-value targets when they shape control, recovery, and mission continuity.
01
Some positions hold privileges, access paths, or decision power that create outsized impact if compromised or misused.
02
High Value Target Roles cover internal and external actors with pre-authorized access to systems, data, processes, or third parties.
03
The RFC is designed to help quantify and mitigate role-based resilience risk before it amplifies an incident.
Defining High Value Target Roles is essential for cyber resilience because certain positions hold privileges, access paths, or decision power that can create outsized impact if misused or compromised. By identifying these roles, organizations can quantify and mitigate the magnitude of damage a threat actor—external or insider—could cause, ensuring that resilience controls, monitoring, and response capabilities are prioritised where failure would matter most.
Understanding these roles is essential to the discipline of cyber resilience, as they represent focal points where human, procedural, and technical domains intersect. The misuse or compromise of an HVT role can amplify the impact of an incident, accelerate lateral movement, or enable strategic disruption. The table below represents the essence of this framework, summarizing the primary High Value Target role types.
The Request For Comments (RFC) is open.
A High Value Target role is the function of an internal or external actor with pre-authorised access who may, wittingly or unwittingly, significantly impair the cyber resilience posture of an organisation through the application of their abilities and knowledge. High Value Target roles may have pre-authorised access to High Value Target systems, data, processes or third parties, which may contain sensitive information or provide attributes that may serve further exploitation, compromise, unauthorised disclosure or tampering, resulting in partial or complete mission degradation or impairment.
https://pubs.opengroup.org/architecture/togaf9-doc/arch/chap03.html
"TOGAF 3.2 Actor: A person, organization, or system that has one or more roles that initiates or interacts with activities; for example, a sales representative who travels to visit customers. Actors may be internal or external to an organization.
3.63 Role: The usual or expected function of an actor, or the part somebody or something plays in a particular action or event. An actor may have a number of roles. The part an individual plays in an organization and the contribution they make through the application of their skills, knowledge, experience, and abilities."
https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net
"Deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies"
https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.pdf
https://www.cisa.gov/defining-insider-threats
https://csrc.nist.gov/glossary/term/insider_threat
https://insights.sei.cmu.edu/blog/cert-definition-of-insider-threat-updated/
https://www.cisa.gov/resources-tools/resources/insider-threat-mitigation-guide
Resources
Download the full RFC document outlining the High Value Target Roles framework.
View the role definition and key responsibilities for a Cyber Resilience Officer.