🤖 AI Summary
This study addresses a critical yet often overlooked issue in enterprise LANs: benign internal actions—such as frequent plugging and unplugging of endpoint devices—are frequently misclassified as security threats, inadvertently triggering Rapid Spanning Tree Protocol (RSTP) control-plane reconvergence. This results in transient forwarding interruptions lasting 2–4 seconds, which significantly disrupt real-time audiovisual services and evade detection by conventional monitoring systems. For the first time, this work maps such behavior to the NIST and MITRE insider threat frameworks, classifying it as “unintentional insider-induced availability disruption.” Through empirical analysis, the authors propose a targeted mitigation strategy: explicitly configuring edge ports effectively eliminates these brief outages caused by legitimate user activity, substantially enhancing network availability without compromising loop-prevention safeguards.
📝 Abstract
Denial-of-Service (DoS) conditions in enterprise networks are commonly attributed to malicious actors. However, availability can also be compromised by benign, non-malicious insider behavior. This paper presents an empirical study of a production enterprise LAN that demonstrates how routine docking and undocking of user endpoints repeatedly triggers rapid recalculations of the Rapid Spanning Tree Protocol (RSTP) control plane [1]. Although protocol-compliant and non-malicious, these events introduce transient forwarding disruptions of approximately 2-4 seconds that degrade real-time streaming (voice and video) services while remaining largely undetected by conventional security monitoring. We map this phenomenon to the NIST and MITRE insider threat frameworks, characterizing it as an unintentional insider-driven availability breach, and demonstrate that explicit edge-port configuration effectively mitigates the condition without compromising loop prevention.
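
As an added example (not from the paper), the following Python audit lists access ports that lack an explicit edge-port setting, which are the ports where a docking event can start the reconvergence the abstract describes. The Cisco IOS-style syntax, the interface names and the sample configuration are assumptions; the abstract names no vendor.

```python
import re

# Constructed sample in Cisco IOS-style syntax (assumption: the paper names no vendor).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description docking station, desk 14
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description conference room codec
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
!
"""

# Per-port edge setting; "portfast disable" and "portfast trunk" must not match.
EDGE_RE = re.compile(r"^spanning-tree portfast(?: edge)?$")


def parse_interfaces(config):
    """Map each interface name to the list of its stripped sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces


def access_ports_without_edge(config):
    """Return access-mode ports with no explicit per-port edge setting."""
    return [name for name, cmds in parse_interfaces(config).items()
            if "switchport mode access" in cmds
            and not any(EDGE_RE.match(c) for c in cmds)]


print(access_ports_without_edge(SAMPLE_CONFIG))
```

The audit checks per-port statements only, so a switch that sets edge behavior through a global default will still show its access ports as flagged.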