Insidious insiders: Psychology provides clues in handling invisible threats

Dominic Vogel considers the insider threat risk in organizations and suggests that cross-departmental collaboration could help shore up data loss prevention methods.

Enterprise information security teams tend to pay only lip service to proactively dealing with insider threats. Daily news accounts about database hacking and mass malware attacks strike fear in the heart of companies, and consequently these oft "overhyped" external threats garner far more attention and protection than malicious insider behaviour. Since it is difficult to gather much in the way of cold hard facts about security breaches (due to the ambivalence across industries and countries as to what exactly constitutes a breach), there are varying opinions as to whether the majority of security breaches are caused by internal or external threats.

What we should agree on, though, is that the majority of security breaches involve internal employees to a certain degree. This can vary widely based on intent and severity. The spectrum includes inadvertent employee error (sending out sensitive information to the wrong person or responding to a phishing scam), laptop theft, contractors' unauthorized access to information, and disgruntled employees. What these have in common is that they can all result in revenue loss and legal liabilities, and ultimately affect the financial bottom line. There are various technical safeguards and security processes and procedures that can be used to deal with such issues. However, they alone do not provide adequate defence against disgruntled employees hell-bent on stealing sensitive company data.

One of the more extreme examples in recent memory was Bradley Manning, the U.S. Army private accused of sending U.S. national security information to WikiLeaks. Were there any warning signs that could have prevented this from occurring (or at least led to earlier detection)? In fact, there were several psychological clues that hinted at something being wrong. Various news reports have mentioned that Manning was alternately violent and withdrawn, going through violent mood swings. Other officers described him as moody and unreliable. It was allegedly common to see Manning slam his fists or books down on his desk and then descend into a completely unresponsive state.

Such psychological displays (which would not necessarily become known to IT per se) are clear indicators of troubling behavior and, as Manning's lawyer argues, should have led to his security clearance being revoked long before WikiLeaks received any material. Such a situation could easily happen in an organizational setting. There can be signs that an employee is exhibiting troublesome behavior that are invisible to IT. Whether it's a conflict with managers (or co-workers) or a disagreement with the company over the ownership of intellectual property, such signs need to be reported to the human resources department.

Solutions such as data loss prevention (DLP) can aid in identifying "technological" behaviors that are atypical, such as a dramatic increase in the frequency of copying data. However, they alone do not provide the complete picture. By themselves, DLP tools will not be able to effectively prevent (or detect) insiders leaking information. When viewed in the context of concerning psychological artifacts, however, such atypical behavior can serve as an indicator of potential insider issues. Such an effort requires IT to work across multiple organizational boundaries with departments such as HR, so that concerning behaviors such as policy violations or signs of disgruntlement that are normally invisible to IT are fully revealed.
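As an added illustration (not part of the original article), the sketch below scores each user's latest copy volume against that user's own baseline and raises the priority of a spike only when HR has separately reported a concern. The user names, counts, thresholds and the HR feed are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data: files copied off-network per user per day;
# the last value in each list is "today".
DAILY_COPIES = {
    "alice": [12, 9, 14, 11, 10, 13, 12, 95],
    "bob":   [40, 38, 45, 42, 39, 41, 44, 47],
    "carol": [3, 5, 4, 2, 6, 4, 5, 31],
}
# Constructed HR-side context that IT would not normally see (assumed feed).
HR_CONCERNS = {
    "alice": ["dispute over ownership of intellectual property"],
    "bob": ["conflict with manager"],
}

def copy_spike(history, min_sigma=3.0, min_ratio=3.0):
    """Return a deviation score if today's volume is far above the user's
    own baseline, else None. Thresholds are illustrative assumptions."""
    baseline, today = history[:-1], history[-1]
    if len(baseline) < 5:
        return None  # too little history to call anything atypical
    mu = mean(baseline)
    sigma = max(pstdev(baseline), 1.0)  # floor avoids tiny-variance blowups
    score = (today - mu) / sigma
    ratio = today / max(mu, 1.0)
    return score if score >= min_sigma and ratio >= min_ratio else None

def triage(daily_copies, hr_concerns):
    """Combine the DLP-style spike with HR context into a review queue."""
    findings = []
    for user, history in daily_copies.items():
        score = copy_spike(history)
        if score is None:
            continue  # an HR concern alone is not a DLP finding here
        concerns = hr_concerns.get(user, [])
        priority = "high" if concerns else "review"
        findings.append((user, priority, round(score, 1), concerns))
    # High-priority findings first, then by size of the deviation.
    return sorted(findings, key=lambda f: (f[1] != "high", -f[2]))

if __name__ == "__main__":
    for user, priority, score, concerns in triage(DAILY_COPIES, HR_CONCERNS):
        print(f"{priority:6} {user:6} score={score} hr={concerns}")
```

The per-user baseline keeps a consistently heavy copier (bob) from alerting, while the HR context decides which genuine spikes are reviewed first.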


Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.
