We're continuously bombarded by statistics showing insider activity as an organization's biggest threat. Vendors market insider threat detection tools and other security products, ostensibly to protect our organizations from their own employees. However, proactive processes to identify employees who may be becoming a security risk, and to intervene before that risk turns into a security incident, are usually ignored.
In this post, I step through the behavioral characteristics usually present before an employee intentionally causes a security breach. I draw on research into why convicted spies violated national security protocols, including:
- Exploring the Mind of the Spy, Dr. Mike Gelles, Naval Criminal Investigative Service
- Reporting Improper, Unreliable, & Suspicious Behavior, Employee's Guide to Security Responsibilities, Texas A&M Research Foundation
- Security and Suitability Issues, Employee's Guide to Security Responsibilities, Texas A&M Research Foundation
- People Who Made a Difference, Texas A&M Research Foundation
Although most of us aren't protecting national defense secrets, I believe the reasons our employees "go rogue" are very similar to why spies betray our trust.
Why employees decide to do the wrong thing
Most of the employees who I personally found violating security policy were at one time valued employees. They had earned the trust of their peers and their managers. But in every case, there was a trigger that caused an already borderline employee to cross the line. Could we have prevented these security incidents? Would intervention have prevented information compromise or system loss? Could the employee have been helped in a way that prevented an incident? The answer to all these questions is maybe.
Dr. Mike Gelles researched convicted spies to understand what made them commit treason. They had all undergone background investigations, were granted security clearances, and, for a time, performed as expected. Gelles found three conditions that, together, explained why they betrayed their country: the presence of a character weakness, a precipitating crisis, and a lack of intervention.
No one trait by itself is typically enough to trigger unwanted behavior. Rather, it is a collection of conditions and character issues which cause an otherwise reliable person to intentionally compromise security.
(from Security and Suitability Issues)
According to Gelles, a personality or character weakness is "A pattern of behavior that is poorly adapted to the circumstances in which it occurs." This behavior, often observable by co-workers, leads to difficulties at work, problems with relationships, and periodic emotional shifts. The two most common weaknesses observed are anti-social personality and narcissism.
Anti-social in this context does not refer to someone who avoids contact with others. Rather, it describes a character flaw resulting in rejection of social norms and rules. Anti-social behavior may lead to a person being unable to develop strong loyalties.
Narcissism results in unwarranted feelings of self-importance. A person with this character trait is unable to accept failure or criticism. He or she might accept social rules or norms, but feels he or she is above them.
A character weakness by itself is usually not enough to cause a person to do the wrong thing. It usually takes a precipitating crisis as well.
Crises come in many forms. An economic downturn can result in career uncertainty. Financial problems can put significant pressure on employees and their families. Office politics, a perception of mistreatment, or a belief that a person is not getting what he or she deserves can also push an employee toward the wrong side of the line dividing acceptable from criminal behavior.
Lack of intervention
Employees about to go rogue often exhibit behavior that is observable by co-workers. Examples include the following (from Security and Suitability Issues):
- Appearing intoxicated at work
- Sleeping at the desk
- Unexplained, repeated absences on Monday or Friday
- Actual or threatened use of force or violence
- Pattern of disregard for rules and regulations
- Spouse or child abuse or neglect
- Attempts to enlist others in illegal or questionable activity
- Drug abuse
- Pattern of significant change from past behavior, especially relating to increased nervousness or anxiety, unexplained depression, hyperactivity, decline in performance or work habits, deterioration of personal hygiene, increased friction in relationships with co-workers, isolating oneself by rejecting any social interaction
- Expression of bizarre thoughts, perceptions, or expectations
- Pattern of lying and deception of co-workers or supervisors
- Talk of or attempt to harm oneself
- Argumentative or insulting behavior toward work associates or family to the extent that this has generated workplace discussion or has disrupted the workplace environment
- Writing bad checks
- Failure to make child support payments
- Attempting to circumvent or defeat security or auditing systems without prior authorization from the system administrator, other than as part of legitimate system testing or security research
The problem is that co-workers and managers either don't recognize the signs or are unwilling to get involved. If employees learn to identify and report predictive behavior, steps can be taken to prevent possible security incidents.
Preventing rogue behavior
Most organizations have controls in place to detect or prevent unwanted behavior. But as we know, no control or set of controls is 100 percent effective, especially when the attacker is an authorized user of our information resources. We also know that prevention is much better than trying to detect, contain, and recover from an incident. So, how can we prevent employees from doing bad things?
The most effective means of identifying a potential employee security threat is employee education and participation. Train your employees to look for suspicious or questionable behavior. Provide a means to report this behavior and allow anonymity. Employee understanding of danger signals and a willingness to report them is your best insider threat control.
(from Security and Suitability Issues)
The paper, People Who Made a Difference, contains several examples of how government employees helped identify security risks, including the following:
A co-worker reported in 1986 that Michael H. Allen was spending excessive time at the photocopier in their office. This report led to an investigation by the Naval Investigative Service. A hidden camera was installed near the photocopier in Allen's office. The resulting videotape showed Allen copying documents and hiding them in his pocket.
Allen was a retired Navy Senior Chief Radioman working at the Cubi Point Naval Air Station in the Philippines. He confessed to passing classified information to Philippine Intelligence in an effort to promote his local business interests. He was found guilty of ten counts of espionage.
It also contains examples of what happens when employees either look the other way or don't think about what they see.
Army Warrant Officer James W. Hall, III was sentenced to 40 years in prison for spying for both East Germany and the Soviet Union from 1982 to 1988. He compromised U.S. and NATO plans for the defense of Western Europe. After his arrest, Hall said there were many indicators visible to those around him that he was involved in questionable activity.
Hall sometimes spent up to two hours of his workday reproducing classified documents to provide to the Soviets and East Germans. Concerned that he was not putting in his regular duty time, he consistently worked late to complete his regular assignments. Using his illegal income, Hall paid cash for a brand new Volvo and a new truck. He also made a large down payment on a home and took flying lessons. He is said to have given his military colleagues at least six conflicting stories to explain his lavish lifestyle, but Hall's co-workers never reported any of his unusual activities. After returning from Germany to the U.S., he traveled to Vienna, Austria, to meet with his Soviet handler.
Once an employee is identified as having an issue, and before he or she actually commits a crime, intervention might be the answer. Encouraging an employee to make use of services, like an Employee Assistance Program, might help him or her get the counseling or other help necessary to deal with personal or family crises. Often, employees suffering from common psychological conditions, such as depression, receive the help they need. They gradually find their way back from the brink, you get to keep a valuable member of your workforce, and your information assets remain safe.
The final word
Yes, employees are an organization's biggest security threat. But they are also its greatest defense against employees who might cross over to the dark side. Make sure your employee security awareness training includes information about detecting and reporting suspicious behavior.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.