This is a guest article written by Stuart Winter-Tear. The author’s views are entirely his own and may not reflect the views of IT Governance.
Following on from my last post, in which I noted that a recent security survey revealed that 31% of all information security incidents were employee-related, I wanted to spend a little time on the insider threat.
The insider threat manifests in many ways, from sabotage to theft, and there are as many motives and personality types behind it.
This is not, therefore, an examination of insider-threat criminology. Given how much of our time we spend keeping bad actors out of our networks, it is an exploration of what might be done to prevent the potential bad actor who is already inside the castle walls.
Technological tools already exist that claim to detect the malicious insider in real time using behavioural biometrics (patterns of human-computer interaction, such as keystroke and mouse dynamics). I cannot vouch for the veracity of such claims and research, but I have no doubt the field will advance.
As fascinating as the field of insider-threat detection is, I want to focus on preventative measures.
Hopefully, we have in place tried and tested controls such as job rotation, enforced holidays, separation of duties, dual control, surprise audits, fraud policy, screening, reviews, and so on.
Some of these controls carry a powerful psychological deterrent. Knowing that at any moment you may be sent on leave while someone else takes over your role, that your role may be rotated entirely, or that an unannounced audit may take place, together with robust and well-publicised fraud policies, all exert psychological pressure that dissuades an actor from malicious activity. (Enforced leave also has a practical edge: a fraud that depends on its perpetrator being present every day to conceal it rarely survives a fortnight's absence while a colleague does the job.)
Even so, I feel the psychological aspect of insider-threat prevention is rarely fully addressed or realised.
To take something positive from the leaked GCHQ Joint Threat Research Intelligence Group (JTRIG) “PSYOPs” document, we need to “dissuade, disrupt, delay, deny, degrade, deter” the insider threat.
Humans consider themselves rational beings and, confirmation bias aside, will make a heuristic calculation of the perceived risk and reward of committing the insider crime.
It is our job to sway that balance and create the impression that the risk far outweighs the reward. GCHQ terms this the “psycho-criminological approach to influencing prevention”; it draws on social and cultural psychology to influence behaviour.
To my mind, these preventative strategies are articulated succinctly by Felson and Clarke:
These methods derive from rational choice theory and aim (i) to increase the perceived effort of crime, (ii) to increase the perceived risks, (iii) to reduce the anticipated rewards, and (iv) to remove excuses for crime.
A bad actor who believes they are being watched may be dissuaded by that belief alone. In other words, creating the impression of an omniscient security department may be enough to increase the perceived effort and risk. Visible controls do much of this work: a logon banner stating that activity is monitored, a published acceptable-use policy, and audit logs that staff know are actually reviewed.
Coercive psychological measures are not enough, however, and at times may even have the opposite effect: an atmosphere of blanket suspicion erodes trust and can itself become the grievance an insider uses to justify the act.
And so, I want to highlight (iv) “to remove excuses for crime”.
Anybody can justify anything in their own mind if they so wish, but we must play our part in removing excuses for crime, and I believe the primary mechanism for this is business culture.
Know thy employees
In security and risk the mantra ‘know thy assets’ rings loud, but we rarely hear ‘know thy employees’. It is our responsibility to know our employees and to create a safe, positive business culture and environment in which they can talk to somebody about their problems, troubles, addictions, mental health, relationship difficulties, debts and so on without fear of repercussion, knowing they will be supported as far as is practical and possible.
It has been noted that some perpetrators, at the point of weighing the risk and reward of the insider crime, had nowhere to turn for help, or even to talk through the circumstances and problems that gave impetus to the crime. That fact alone tipped the calculation in favour of committing the act. Sometimes, just sometimes, having someone in the workplace to talk to and be supported by might itself be the antidote to maladaptive escalation.
In short, I believe we are as responsible for removing the excuses for insider crime as we are for increasing its perceived risk and effort, and this is achieved as much through a positive, supportive business culture as through coercive controls.
A by-product is a business atmosphere in which insider crime is socially and culturally unacceptable, which raises the psychological risk still further for the would-be insider attacker.
Some commit insider crime because they are simply criminals in mind and deed; others do so out of desperation, and in those cases the most effective preventative ‘security’ measures may take a surprising path.
Culture influences behaviour.