John is concerned about internal security threats on the network he administers. He believes that he has taken every reasonable precaution against external threats, but is concerned that he may have gaps in his internal security. Which of the following is the most likely internal threat?

A.
Employees not following security policy

B.
Privilege Escalation

C.
SQL Injection

D.
Employees selling sensitive data

Explanation:
Employees may disregard policies, such as policies limiting the use of USB devices or the ability to download programs from the internet. This is the most pervasive internal security threat. Answer option D is incorrect. Employees selling sensitive data is, of course, possible. However, this scenario is less likely that option A.

Answer option C is incorrect. SQL Injection is most likely accomplished by an external hacker. Answer option B is incorrect. Privilege escalation can be done by internal or external attackers. However, even with internal attackers, it is far less likely than option B.