Neutralising inside threats
Many of the risks facing organisations today come from insiders with privileged access to key assets, but it is possible to transform these individuals from threats to advocates.
Dr Lisa Warren, a Clinical and Forensic Psychologist with deep experience in behavioural threats, addressed the ASIAL Security Conference on the subject of “Code Black Threat Management” and talked about her career focused on “working with the badly behaved.”
“These people who are insider threats are people who use their privileged access to do harm,” she said.
“They are the people who are meant to go through your security, the people who are meant to have their retinas scanned, but when they turn it can result in malfeasance in the form of fraud, espionage, sabotage, data theft or even workplace violence.”
Dr Warren said it was too narrow to look at areas such as Information Technology and Cybersecurity as the main targets of inside threats.
In many cases these people had used legal cases, workplace harassment and even violence as a reaction against the organisation and a way of expressing their anger.
The complexity in the modern workplace, Dr Warren said, came from the need to trust employees and make creative and rewarding workplaces, a need which also made space for potential malfeasance.
“If you could have an absolutely ideal security framework you wouldn’t need to trust anybody because every single behaviour in the workplace would either be permissible or absolutely impossible,” she said.
“If the workplace was based just on security you would eliminate the need for trust, and every single person would follow every rule in the same way.”
Bad behaviour always existed in a cultural context, said Dr Warren. Behaviour which was unacceptable in the boardroom could be welcomed in a team building session, so organisational culture needed tight social mores that created rules people could follow for their own safety.
“Being normal is context specific,” said Dr Warren.
In too many cases, however, people stepped outside of this accepted cultural behaviour and the most common justification was that they felt ignored and exploited.
“People feel entitled, they feel they deserve more accolades and recognition,” Dr Warren said.
“They say ‘I developed this software and it’s my IP and my employer didn’t give me recognition.’
“In many cases these insiders have privileged access to the technology, or they are the creators of it.”
Not everyone was capable of developing into a potent or even violent threat, but those who did followed what psychologists now understood as a “pathway to violence”.
“People become insider threats when they are not heard,” said Dr Warren.
“While some people come in with intent before they even arrive, this is the exception and not the rule, which is that people come in with the best intent and then become disgruntled.”
In the US and Europe, organisations were learning how to combine their resources and multi-disciplinary teams – spanning security, HR, occupational health and safety and legal – and put them together to deal with “behavioural threat management.”
Australia has been much slower in adopting this approach, and many Australian organisations were yet to identify human aggression on their risk registers.
“Human aggression is actually one of the biggest risks to your reputation and business continuity,” Dr Warren said.
“You might have someone who is a risk to your data, but they need access to that to do their job, or you might have someone who is disgruntled and they are interacting regularly with the media.”
It was through using multi-disciplinary behavioural strategies, she said, that it was possible to “deter malfeasance and motivate benevolence” and not only balance security and trust, but marry the two together.
“I have seen some of an organisation’s best advocates in people who have previously been insider threats,” said Dr Warren.
Dr Lisa Warren was speaking at the 2019 ASIAL Security Exhibition & Conference at the ICC Sydney in Darling Harbour.