Insider threats beyond data and computer systems

SECURITY FEATURE

InsiderThreats

Beyond data and computer systems

By Dr Lisa Warren, Clinical/ Forensic Psychologist and Founder of Code Black Threat

The world has changed. Cars are now being used as weapons, major incidents are broadcast almost live to air and mass shootings are reported with increasing frequency (Advanced Law Enforcement Rapid Response Training Centre, 2018). It feels like our need for security has never been higher.

While our national security is aided by us being “alert, but not alarmed” (www.nationalsecurity.gov.au), subtle threats can still be difficult to detect, especially when they come from people that are meant to be trustworthy. Consider the following hypothetical example:“Max is in his 50’s and has worked in the security industry for over 30 years. He is well respected by many within the industry. Max views himself as role model to all junior staff, although has a reputation for taking special interest in promoting female security staff. The latest example is Melissa - young, energetic and wanting to impress. While she says she has enjoyed Max’s mentoring, Melissa recently disclosed to another senior staff

member that Max had begun texting her after hours, offering advice. She tried to laugh it off but was clearly uncomfortable. As the conversation progressed Melissa appeared conflicted and said she felt Max’s texts were becoming more personal and last night he said he was tired of life and his career, feeling burnt out, however, was inspired to keep going due to the energy she brought to the team”.An insider threat is traditionally defined as an employee, or former employee, who takes proprietary data for their own gain. There is benefit in challenging this definition to include the range of behaviours that threaten the work environment. Melissa’s case is an example of the threat emerging as subtle and ambiguous then

escalating. When not detected and contained early, staff like Max become an expensive, disruptive and damaging insider threat.

Aggression and Psychological Safety

Sometimes called mind games, the problem behaviours of colleagues can distract, frustrate and distress even the most psychologically resilient. Mind games can be hard to describe, even when your instincts make it clear you’re being targeted. Sometimes mind games are very subtle and involve rudeness and inflexibility. Other times the behaviour is more overt and involves intimidation and explicit threats. As a forensic psychologist, I have worked with many people who

20 SECURITY INSIDER | JUN/JUL 2018

SECURITY FEATURE

play mind games and use aggression in all its forms to try and meet their needs. The subtler the behaviour, the more it can be denied and the more important it is to challenge it and prevent repetition or escalation. When these behaviours are repeated, they can be definable as bullying. To support the definition of the subtler behaviours, I developed an Aggression Continuum (See p22) to describe the behaviours that cause others distress, offence, fear or trauma. All of these behaviours use force to interact. Force that ranges from applying mild psychological pressure (such as saying: “You must…you have to….you need to…”), to physical force so strong it results in loss of life. While Max has arguably not been aggressive, he has applied force through coercion to a young and ambitious employee who is struggling outside her skill set.

Who uses aggression? While anyone can, some people are more likely. One group, are people in a position of power who believe they are not competent. This was highlighted in a study where groups of workers were primed to power and authority by writing about a time they were in authority (Fast & Chen, 2009). Some were asked to write about a time they were competent and skilful, priming them for competence. Workers who were primed for power but not competence were the most aggressive and punitive. Age and gender made no difference at all, only the degree to which workers felt powerful yet incompetent.

My research focused on people who use the most extreme form of psychological aggression – uttering threats to assault, rape or kill. Men who threatened to kill and caused fear were often suspicious of others, tended to brood, lacked energy to tackle their problems and were often pessimistic (Warren, Ogloff, & Mullen, 2013). Threatening increased the risk of committing acts of physical violence, including homicide (Warren, Mullen, Thomas, Ogloff, & Burgess, 2008). The research added support to the growing acceptance that, much like threatening suicide, all threateners needed to be taken seriously and supported to choose another way

to manage their distress. This was an important finding for workplaces as the people we interact with most often are the people who we are most likely to hurt.

Called the intimacy-effect, risk is greatest in cases where the threatener and their target are well acquainted (Calhoun & Weston, 2003). Max is pushing the boundaries with Melissa in an attempt to create intimacy. Having colleagues means interacting regularly with people who can be either enjoyable to interact with, a mystery to understand, or completely frustrating. This is the usual spectrum of workplace interactions. Knowing the threshold, however subtle, of the interactions that should be labelled psychologically unsafe and therefore and insider threat is an area of considerable debate. Terms such as bullying help define some interactions, although definitions often require the behaviour to be repeated to reach the threshold for intervention.

Warning Behaviours

While any level of force is unacceptable, some behaviours have been found to carry greater risk of serious violence. On the face of it Max’s disclosure he: ‘was tired of life and his career, feeling burnt out, however, was inspired to keep going due to the energy she brought to the team’ may be interpreted as two colleagues sharing thoughts. In a similar case, this lack of boundaries was not reciprocated and left the young female troubled to the point she required time off work and moved department. An underlying mental health issue complicated matters for her. Team disruption, financial loss and staff performance were all impacted. Max’s behaviour had escalated to a point of concern and a forensic assessment of violence risk was required. He had become an insider threat. The research on violence risk is considerable. Researchers have found that those not trained in violence risk can be guided in their concern levels by analysing warning behaviours (Meloy, Hoffman, Guldimann, & James, 2011).

1

2

3

4

5

6

7

8

THE WARNING BEHAVIOURS ARE:

Pathway behaviours: Planning, researching or preparing for violence.

Fixation behaviours: Perseverating on one or more people, causes or perceived injustices where a person’s attention becomes increasingly narrowed, caustic and negative.

Identification behaviours: Dress, declarations or idealization of sectors of the community affiliated with frequent violence.

Energy bursts: Discrete periods of increased frequency, intensity or duration of seeking out and intruding upon a targeted person.

Last resort behaviour: A declaration that a person has reached the limit of their coping and now see violence as the justified, and sometimes only, option.

Novel aggression: Behavioural try-outs that appear to be unrelated to the people or issues persons of concern are focused upon. Behaviour that appears more a test of nerve and commitment, such as carrying a concealed weapon to a public place.

Threats: Explicit utterances of violence to the intended target of the violence.

Leakage: Utterances of intended violence to persons other than the intended victim. This is not uncommonly a professional who witnesses a person of concern threaten to harm or kill someone they believe deserves their wrath.

Continues over page >

SECURITY INSIDER | JUN/JUL 2018 21

FEATURE

There is no one, or combination, of these behaviours that should elicit the greatest concern. However, the presence of any concern suggests the need for evaluation by someone well versed in targeted violence and threat assessment. In this case forensic investigation provided the context to discover and intervene providing Max the support he required given he was found to have made a last resort statement to Melissa, this was not the only leakage but an important sign post to investigate further.

Management of Insider Threats

As well as managing the security of company data, management is the ability to assess staff for the motive and capacity to harm. Management of psychological violence has frustratingly limited scientific evidence to guide strategies that meaningfully reduce risk (Schindeler & Reynald, 2017). Policies and procedures that are clear and specific help, as does a Code of Conduct that sets out the values to which all employees aspire and will be held to account. These tools help define the reasonably practicable efforts every workplace must make to under their OH&S obligations. They do not resonate, however, with staff who are motivated to harm their

Skilled interaction

codeblacktm.com

colleagues. Managing these people requires a hierarchy of increasingly intrusive interventions - from employee support to performance management to police involvement.

When faced with a colleague who has become an insider threat like Max, collaborating with management and Human Resources is the ideal course of action. Supporting psychological resilience starts with validating the people impacted, silencing your inner critic to buy out of the mind games and focusing on preventing further harm. Guide the person of concern to support before discipline as an educative rather than disciplinary approach is more likely to prevent escalation and recidivism. Workplaces that engage their staff through learning opportunities that interest and suit the skill set of as many staff as possible have been found to increase performance as well as safety as teams are psychologically safer to share ideas, offer feedback, make mistakes and learn from experience (Idris, Dollard, & Tuckey, 2015).

Conclusion

Traditional insider threats can be overlooked when computer systems are made less accessible to external hackers and similar precautions are considered unnecessary for employees who either inadvertently breach protocols by clicking on sinister links or attachments or who profit from thieving company data. The deliberate insider can detect weak spots and plot to exploit this for their own purposes. This behaviour goes well beyond the risks to computer data. Expanding the definition to include the range of behaviours that threaten the work environment protects Melissa’s and supports a physically and psychologically safe workplace. Not taking these situations seriously and containing them quickly means staff like Max are an expensive, disruptive and damaging insider threat.

AGGRESSION CONTINUUM

Inflexibility Autocracy Explicit Threats

Rudeness

Intimidation

Deliberate

Property

Damage

Physical and Sexual Assault

Fatal Assault

©Copyright CodeBlackTM 2018

About the Author:

Dr Warren is a pioneer of the behavioural threat management field in Australia. This is an internationally recognised field of expertise in the evaluation of those who persistently perpetrate aggression, sexual harms and social media harms. She was the Foundation President of the Asia Pacific Association of Threat Assessment Professionals (APATAP) and has collaborated with the European Threat Assessment Professionals (AETAP) on developing professional standards for threat managers. She has presented at the American Association of Threat Assessment Professionals (ATAP) conferences and is a Senior Editor for the Journal of Threat Assessment and Management. Her research in this field has focused on clinical and risk evaluation of those who threaten to kill themselves and others.

References

- Advanced Law Enforcement Rapid Response Training Centre. (2018). Active shooter incidents in the United States in 2016 and 2017. Washington, DC: Texas State University and Federal Bureau of Investigation

- Calhoun, F. S., & Weston, S. W. (2003). Contempoary threat management. San Diego, CA: Specialized Training Services.

- Fast, N. J., & Chen, S. (2009). When the boss feels inadequate: Power, incompetence and aggression. Psychological Science, 20(11), 1406-1413

- Idris, M. A., Dollard, M. F., & Tuckey, M. R. (2015). Psychosocial safety climate as a management tool for employee engagement and performance: A multilevel analysis. International Journal of Stress Management, 22(2), 183-206. doi:10.1037/a0038986

- Meloy, J. R., Hoffman, J. L., Guldimann, A., & James, D. V. (2011). The role of warning behaviors in threat assessment: An exploration and suggested typology. Behavioral Sciences and the Law, 30(3), 256-279.

- Schindeler, E., & Reynald, D. M. (2017). What is the evidence? Preventing psychological violence in the workplace. Aggression and Violent Behavior, 36, 25-33. doi:10.1016/j.avb.2017.07.004

- Warren, L. J., Mullen, P. E., Thomas, S. D., Ogloff, J. R., & Burgess, P. M. (2008). Threats to kill: A follow-up study. Psychological Medicine, 38(4), 599-605. doi:10.1017/S003329170700181X

- Warren, L. J., Ogloff, J. R. P., & Mullen, P. E. (2013). The psychological basis of threatening behaviour. Psychiatry, Psychology and Law, 20(3), 329-343. doi:10.1080/13218719.2012.674716

22 SECURITY INSIDER | JUN/JUL 2018