When it comes to the most significant threats, companies often think of their competitors and cybercrime. But many do not realize that the biggest threats may already be hiding inside the company and be human.
Often, it is the disaffected or disgruntled employee who can do the most harm. These people are also found in trusted positions or developed the critical software that the business depends on.
Their grievances are based on a perception that they haven’t been sufficiently recognized.
Science of the Badly Behaved
One person who deals with these very human risks daily is Dr. Lisa Warren. She is a Melbourne-based clinical and forensic psychologist who understands behavioral threats.
Dr. Warren spoke at the annual ASIAL Security Conference in Sydney “Code Black Threat Management.” She discussed her career focused on “working with the badly behaved.”
Her point is that many risks facing organizations come from insiders with privileged access. It is also possible to transform these serious threats into advocates.
“They are the people who are meant to go through your security. But when they turn, it can result in malfeasance in the form of fraud, espionage, sabotage, data theft or even workplace violence,” she said.
The complexity comes from the need to trust employees in the workplace. It makes space for potential malfeasance and is the potential downside of workplace cultures where freedom of expression is encouraged. There will be inevitably cases in which this backfired.
“If you could have an absolutely ideal security framework, you wouldn’t need to trust anybody. [It is] because every single behavior in the workplace will either be permissible or absolutely impossible,” Dr. Warren said.
Bad Behavior is Not Abnormal
Bad behavior is not new. It always existed in a cultural context, said Dr. Warren.
It is also hard to define. What is unacceptable in the boardroom can be welcome in team building. So, the organizational culture needs tight social mores. These can help create rules that people can follow for their own safety.
“Being normal is context-specific,” said Dr. Warren.
In too many cases, however, people step outside of this accepted cultural behavior. The most common justification is feeling ignored and exploited.
“People feel entitled; they feel they deserve more accolades and recognition,” Dr. Warren said.
"In many cases, these insiders have privileged access to the technology, or are the creators of it.”
Pathway to Violence
Not everyone is capable of developing into a potent or even violent threat. Those who do become internal threats are ones who follow what psychologists now understand as a "pathway to violence."
“People become insider threats when they are not heard,” said Dr. Warren.
“While some people come in with the intent [to do harm], this is the exception and not the rule. [The norm] is that people come in with the best intention and then become disgruntled.”
In the U.S. and Europe, organizations are learning how to combine their resources and multi-disciplinary teams. These span security, HR, occupational health and safety and legal. They then put these together to deal with “behavioral threat management.”
Australia Slow in Recognizing Threat
Australia has been much slower in adopting this approach. Many Australian organizations have yet to identify human aggression on their risk registers.
“Human aggression is actually one of the biggest risks to your reputation and business continuity,” Dr. Warren said.
“You might have someone who is a risk to your data, but they need access to that to do their jobs. Or, you might have someone disgruntled, and they are regularly interacting with the media.”
It was through using multi-disciplinary behavioral strategies, she said, that it was possible to “deter malfeasance and motivate benevolence.” Not only to balance security and trust but marry the two together.
It can also help to transform these threats. “Some of an organization’s best advocates were previously insider threats,” said Dr. Warren.