The faster a data breach can be identified and contained, the lower the costs. The 2017 Ponemon Institute Report on Data Breaches found that the times to identify and contain a breach were highest for malicious and criminal attacks (214 and 77 days, respectively) and much lower for data breaches caused by human error (168 and 54 days, respectively). For a sample of 419 companies, the mean time to identify (MTTI) was 191 days, with a range of 24 to 546 days; the mean time to contain (MTTC) was 66 days, with a range of 10 to 164 days; and the average cost was approximately $156 per record. The capability to respond quickly, or to identify the potential for insider risk, is therefore pivotal to the successful resolution of breaches.
Insider threat arises from a confluence of factors, and there is a fine line between the individual who crosses that line and becomes an insider and the rising stars of an organisation who think outside the box, have strong values and belief systems, and may have a personal history that is conventionally perceived as risky. It is increasingly important to recognise and understand the worldview of these individuals so that an organisation can successfully manage any risk associated with personnel who may fall into this category.
In a joint study by the Secret Service NTAC and CERT on insider events within the telecommunications industry in 2008, 67% of all breaches perpetrated by insiders were motivated by work-related issues, such as the termination of employment, a dispute with a former or current employer, demotions, and a variety of other issues (Kowalski, et al., 2008). In a study conducted on organisations related to critical infrastructure, “a negative work related event triggered most insiders’ actions” (Keeney et al., 2005, p. 14). Insider acts are generally categorised as either deliberate or opportunistic. Both are underpinned by many of the same triggers: disaffection, disenfranchisement and alienation, which themselves are caused by a unique combination of factors. According to CPNI research conducted in 2013, which studied over 120 UK-based insider cases from both the public and private sectors, disaffection displayed by the employee was often the main reason for the employee deciding to commit an insider act, alongside disengagement, where personnel no longer felt committed to their organisation.
There is a clear link between an insider act taking place and a business's protective security and management processes. The organisational factors include poor management, lack of auditing functions, lack of protective security controls and poor security culture, as well as a lack of adequate, role-based personnel security risk assessment. Other factors include pre-employment screening, lack of communication within the organisation between different sectors or branches, a lack of awareness of people risk at a senior level and, finally, inadequate corporate governance. All of these factors contribute to a failure to identify the potential for insider risk, poor response times and a maladaptive organisational response to at-risk employees in the event of an insider-related security breach.
However, underpinning all of these circumstantial stressors is a personal predisposition to coping maladaptively with hardship, challenges or change.
What are the Root Causes of Insider Threat?
While everyone experiences stress in life, research indicates that stressors place pressure on those whose psychological predispositions make them more vulnerable to these changes and can subsequently motivate them to act with intention to harm. There are therefore both internal, psychological stressors as well as external organisational or circumstantial stressors that contribute to the decision to engage in an insider act.
What are the early warning signs of an insider threat?
As with any behaviour, there are key psychological factors that contribute to the potential for an individual to be at risk of insider behaviour. These are related to resilience and include coping mechanisms, the ability to maintain effective decision making under stress, and the ability to psychologically manage difficult circumstances.
Insiders have usually displayed either adverse coping mechanisms or individual pathologies associated with risk. For example, emotional vulnerability, low self-esteem, unmet needs and a maladaptive ability to cope with change are among the characteristics often found in insiders. However, both the situation itself and personality variables determine our perception of an event, and it is not the characteristics in and of themselves that cause an insider to act. It is the combination of external stressors alongside these vulnerabilities that will trigger an individual to form an intention to act maliciously against their organisation, or make them vulnerable to coercion by an insider, so these characteristics should not be viewed as a problem in isolation, without considering the external stressors.
Coping Mechanisms and Resilience to Stress
Research has found that individual differences in the adoption of different coping patterns when reacting to change are related to personality variables, and that a constellation of personality characteristics composed of three different dimensions (commitment, control and challenge) is key to understanding insider behaviours.
Commitment: An individual’s ability to feel deeply involved in or committed to the activity of their lives. Committed persons have a belief system that minimises the perceived threat of any given stressful life event. An ability to recognise one’s distinctive values, goals, and priorities and an appreciation of one’s capacity to have purpose and to make decisions is central to the accurate assessment of the threat posed by a particular life situation and for the competent handling of it.
Control is defined as an individual’s belief that they can control or influence the events of their experience. Control in this sense comprises decisional control, or the capability of autonomously choosing among various courses of action to handle the stress, and cognitive control, or the ability to interpret, appraise, and incorporate various sorts of stressful events into an ongoing life plan and thereby deactivate their jarring effects. A perception of decisional control brings with it a greater repertoire of suitable responses to stress, especially when an individual can adopt a course of action to cope with the situation they face.
Challenge is defined as the ‘anticipation of change as an exciting challenge to further development’. Those who feel positively about change are catalysts in their environment and are well practised at responding to the unexpected. Change seekers have explored their environment and know where to turn for resources to aid them in coping with difficult circumstances. They have a predisposition to be cognitively flexible, which allows them to integrate and effectively appraise the threat of new situations.
In the perception and evaluation of specific stressful life events, effective individuals find opportunities for the exercise of decision making, the confirmation of life’s priorities, the setting of new goals, and other complex activities that they appreciate as important human capabilities. Further, they are capable of evaluating events in the context of an overall life plan. Their sense of purpose and involvement in life mitigates the potential disruptiveness of any single occurrence. Coping for them consists of turning stressful events into possibilities and opportunities for their personal development and that of others around them.
A successful organisation uses tools to recognise these characteristics, can identify when its personnel are facing difficulty, and adopts processes to enable personnel to cope positively with change.
A number of other factors provide insight into the character of known insiders. The following indicators identified by CPNI in 2013 are considered to be of particular interest, when significant signs had a clear and negative impact on work and/or colleagues. It is important to note these characteristics are easily masked but can be identified in digital communications:
The following external, circumstantial vulnerabilities have also been present within organisations who have suffered an insider threat:
Insiders typically have multiple motives for carrying out their activities. The culture of the organisation and the organisational intervention strategy can mitigate this risk and stop the stressors from interacting.
How can insiders be identified?
Until now, organisations have had no option but to engage reactively, at the point of exposure, once an insider has effected the event and it has been detected. The right knowledge and approach, however, can help organisations assess their vulnerabilities and manage this risk.
The ability to identify insider risk through the detection of psychological state, attitude, and changes in sentiment, emotion, and personality has been in development for several years. Many organisations currently use software to identify keywords and phrases in email and other communications, but while the content of a subject’s communications can provide insight into their attitudes and intent, the language and phrases are often sector specific and can be affected by current trends in popular culture. Innocent references to TV shows and catchphrases have been known to flood insider fraud monitoring with false flags. To improve the identification of potential risk, we now turn to the analysis of language and its semantic structure, which takes the language itself rather than its subject matter as the primary focus of study, in order to analyse the underlying psychological make-up of the individual.
Linguistic markers can provide information on the syntax and semantic structure of employees' digital communications, which can give early warning indicators of personnel under stress. While tools cannot categorically define whether any employee will act against the organisation, they can reduce the noise, provide insight into the communications of individuals, and enable the organisation to identify where an employee may be at risk and, where necessary, intervene. The Critical Pathway to Insider Risk is an approach used by insider risk professionals to investigate the prevalence of both the internal and external factors that may contribute to insider risk in the organisation.
Analysis of meaningful digital communications can provide markers for potential risk by assessing motivation, personality, attitudes and relationships for an individual or network, as well as changes over time in these characteristics, especially those psychological indicators associated with the risk of insider actions or the potential malicious intent of employees leaving organisations.
Behavioural assessment can then help management professionals evaluate the risk profile of individuals and support efforts to change the risk trajectory for that member of staff, either by bringing the individual back to equilibrium or by managing their exit from the company effectively without triggering insider risk.