There are more than 3 million cleared professionals working across the government. They are dedicated, committed, dependable people working to secure the nation in government and industry, for the most part. However, they are people, and people and their roles, positions, and views in life change as the world around them changes. In that evolution of personality, the Intelligence and National Security Alliance (INSA) explains, lies the insider threat. Here are some highlights from INSA’s “Assessing the Mind of the Malicious Insider.”
From Employee to Insider Threat
In its insider threat study, INSA “assumes that an initially loyal employee does not suddenly transform into a malicious insider.” According to INSA, insider threats are made, not necessarily born, though one’s personality type may very well make one more vulnerable. For instance, INSA notes that “the narcissistic/anti-social personality type…is the type most prevalent in studies of those who commit espionage.” However, INSA also reports, “These traits, however, relatively rarely lead an individual to commit malicious acts.” The traits may make one more vulnerable to the generally natural and predictable stresses of life and work.
Indeed, most every one of us may very well face one or two or three of these challenges. For instance, navigating what some call the “mid-life crisis” years can be a challenge. During this period, employees “tend to reevaluate their lives, their choices, and their goals.” That’s a natural part of maturity. But coupling the mid-life crisis years with other significant challenges could be problematic, making an employee vulnerable to behavior that might grow into a security threat. For instance, “Vulnerabilities associated with greater likelihood of espionage or sabotage include social and personal frustrations, ethical flexibility, reduced loyalty, sense of entitlement, lack of empathy, and anger at authority.”
According to the INSA report, the organization has a role, responsibility, and interest in mitigating the threat to vulnerable employees and to the enterprise. This is both a business interest and a national security requirement codified in last year’s change to the National Industrial Security Training Manual (NISPOM).
Reports INSA, “The lack of recognition or response by the organization in many cases encouraged the employees’ sense of entitlement and reduced their sense of accountability for their own actions.” Because the challenges that push one towards behavior that may result in a security breach are recognizable—“an employee’s transition from trusted to risky is the product of some reasonably recognizable causes”—vigilant organizations can take steps to head off the threat. “The key to improving an organization’s prospects for preventing a major malicious act,” reads the report, “is knowing what behaviors to look for and having effective monitoring tools in place.”
What’s clear from INSA’s report is that good leadership and proactive management should be an important part of your organization’s insider threat management program.