What makes an insider a threat?

No employee joins an organisation with bad intentions.

No independent contractor or third party member provides supplies or services with the objective of harming the organisation. So what makes these insiders turn into threats, and why?

Let’s first take the case of an unintended insider threat – an insider who unintentionally causes harm or substantially increases the probability of future serious harm to the organisation’s confidentiality, integrity or availability (the definition according to Software Engineering Institute at Carnegie-Mellon University).

The reason for this insider threat can be the lack of education among employees, regular monitoring and frequent security assessments. However, a malicious insider threat intentionally harms the organisation for personal or financial gain. They are willing to sell proprietary data or customer information for profit. Negative intentions and feelings develop over time, and inadequate attention and action by the employer can increase the likelihood of a calculated insider threat.

Employees who voluntarily become insider threats have a variety of reasons – either their grievances are not addressed or they feel ignored or mistreated, and those who feel they have been wronged are more likely to become insider threats. An example from CERT cites a system administrator who feared being laid off, so he embedded malicious code into scripts on his employer’s servers and set it to execute on his next birthday. He did not get laid off, but still kept the code in the scripts and just moved the date forward.

Eventually, the malicious code was discovered, but the important point here is that sometimes employees plan retaliation when they anticipate being fired or demoted. Thus, unfulfilled employee needs can drive them towards becoming insider threats. For instance, if employees feel that their salaries are too low, they are being given unrealistic deadlines or have been passed over for a promotion, they would possibly decide to cause damage to the organisation.

It has long been suggested that most threats can be prevented by timely and effective action to address the anger, pain, anxiety, or psychological outbursts of insiders who exhibit signs of vulnerability or risk.

Numerous studies have sought to identify the psychological conditions consistent with insider threat through research into the psychology and motivation of insiders who become threats and monitoring of all behavioural and demographic employee data. If such data is to be monitored then the following types of data should be acquired:-

Personal information: though employers should not delve much into the personal lives of their employees, knowledge of an employee’s life events that can increase stress is critical, such as marital and financial problems, divorce or death in the family or even work-related stress due to performance issues.

Examination of employee morale: an attentive supervisor/manager should be mindful of an employee’s personal situation and whether their behaviour reflects stress or other issues. Such attention and analysis can be instrumental in a monitoring/analysis program.

Social information: most work-related data can prove useful in correcting inappropriate or suspicious behaviour. Annual performance reviews that address issues about productivity, attitude and interpersonal skills are useful – these observations can be the elements towards understanding the psyche of an insider threat as the influence of management decisions, policies and work environment reflects on employee behaviour.

This predictive approach can detect and prevent potential insider threats as there is a clear identification of underlying problems and insider threat indicators. But is it enough?