With malevolent intent or not ...
Whether the hacker's hat is black or white, he would probably probe the system from outside along predictable paths, You will therefore attempt to protect access to your system along those paths. You can also protect your system from damage by the internal user, but if, for example, the user legitimately and necessarily has access to key parts of your database, do you have credibility checks on input values, for example? I know of one case where an order clerk thought he was ordering 3000 pieces of turf, and ordered 3000000; fortunately the supplier queried it. And how easy is it for somebody to delete your major customer from the database?
