This article from this month’s Security Management magazine (ASIS publication) provides a lot of insight into understanding how people inside your organization could be motivated to betray you. The writer delves into areas such as personality traits, background checks, risk assessment and dealing with terminations.

Confronting the Insider Threat
By Laura Spadanuta

Edward Snowden, who has leaked classified information about intelligence collection activities of the National Security Agency (NSA), reportedly told the South China Morning Post that he sought a job as a contractor at government consulting firm Booz Allen Hamilton with a goal: to collect proof about the NSA’s domestic surveillance programs and alert the public to the programs. However, Snowden is not the typical insider threat. Most insiders who later betray their employer’s trust don’t start out with that intent. The change from benign employee to malicious insider can be spurred by anything from home-life stress to frustration at being passed over for a promotion to the thought that the company does not appreciate one’s contributions.

Though the risk is great, it is not possible to deny insiders the access to data that they will need to do their jobs. So what can a company do?

The company must have clear policies regarding how corporate data is to be handled and safeguarded, and confidential data should be clearly labeled, with access as restricted as feasible. Additionally, the company should secure the data itself and use software to track access and seek signs of suspicious activity, especially with regard to what information leaves the system or is copied. This article focuses, however, on the human factor—what companies can do in the hiring process and throughout employment to detect signs that a person is likely to become, or has become, an insider threat.

Personality Traits

Individuals who end up becoming an insider threat exhibit some common traits. That doesn’t mean all insider threats have these traits or that all people with these traits will become a threat. But it can be useful to know what these traits are. 
One possible worrisome trait is narcissism, according to Satyamoorthy Kabilan, director of National Security and Strategic Foresight at the Conference Board of Canada: “It’s about people who perceive that they’re far more valuable than they actually are; they have an exaggerated value or view of the value that they bring to the organization, an exaggerated view of their abilities and achievements, and

[they] are usually very intolerant of criticism. They minimize the significance of the contributions of others.”

Narcissism is also singled out as a possible red flag by Dan McGarvey, security program director for Global Skills X-Change (GSX) and member of the insider threat working group under the ASIS International Defense and Intelligence Council. 

Histrionic personality disorder is another. That disorder is associated with a need for attention, and approval, and excessive emotion. A third red flag is antisocial personality disorder, which is often known as sociopathy.

Of course, it’s important to recognize that with some of these characteristics, such as narcissism, they may also be present in high performers in certain organizations, so they can’t be something that you simply use to screen out potential threats. The real problem is distinguishing between the types of people who are not a danger to the company and those who have a higher potential to become one, says Kabilan.
 
McGarvey has been doing research that tries to identify certain models that incorporate the various types of personalities that are often seen in insider threats. He believes they have encapsulated most threats in three models. The first is the counterproductive workplace behavior model, which McGarvey says has to do with issues of control, and a feeling of a need to take back individual control. He says this model includes someone like Bradley Manning, a soldier who passed classified material to the Web site WikiLeaks. McGarvey says this model also describes perpetrators of workplace violence, such as Army Major Nidal Hasan, who went on a shooting spree at Fort Hood.

The second model is the organizational citizen, which is where Snowden might fit. These are “individuals who have a very strong sense of justice and in what they believe is right,” says McGarvey.

The third model is called Ten Stages in the Life of a Spy, and it looks at the steps an individual must go through to become a spy and sustain spying.

“So those three models put together actually then account for just about everyone we’ve seen in terms of inappropriate behavior in the work force,” McGarvey says.

Harley Stock, a forensic psychologist who has worked with insider theft, advises that when companies are looking to weed out people like Snowden, it’s important to include personality assessments in the screening. “Some of the things that you look for [indicating] a guy like [Snowden] is somebody who’s overly moralistic, who has very strongly held beliefs about how the world should operate, so they have the kind of rigidity in their personality that things are right or wrong, black or white. There’s no gray area. There’s no area for negotiation, compromise, or alternative views of the world. And that, somehow, his view is the correct view.”

Stock says Snowden uses a psychological justification mechanism to say, “They’re wrong, I’m right, therefore, I have a moral, ethical obligation to do something about it.”

Continued: [Read More]