
Reducing your vulnerability to insider threat

Monica Whitty’s keynote at the FIRST Conference (recording available on YouTube) used interviews at organisations that had been victims of insider attacks to try to understand these attackers – and possible defences – from a psychological perspective.

It turns out that thinking about stereotypical “insider threats” probably doesn’t help. Notably, disgruntled employees were responsible for a surprisingly small proportion of such incidents. Far more were identified by their colleagues as having a strong company loyalty. In demographic terms, attackers (at least those that were detected) show very similar patterns to typical workforces. Personality traits appear more promising, until you realise that the traits most likely to be involved in insider incidents are also those in demand among successful organisations, particularly in ICT.

One thing that does seem to distinguish insider threats from other workers is motivation. By far the most common is addiction (including to something as innocent as bingo), followed by challenging circumstances in their personal life. And, strikingly, these were often known to the organisation before the incident took place. The trigger for them acting was often a sudden increase in anxiety. So it seems that a significant reduction in insider threat may be possible simply by providing better support for employees who seek help in dealing with personal problems. Organisational culture can also reduce the opportunity for insider threat – if someone is behaving strangely, it should be acceptable to ask if they are OK. Refusing to share passwords, to let someone into an area where they are not authorised, etc. should not be seen as lack of trust, but as helping them avoid a self-destructive path.

For more details, see the insider threat project’s home page.

My attention has been drawn to research by the Software Engineering Institute that highlights the importance of (perceived) organisational support in general, not just when employees are experiencing difficulties.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
