

Insider threat behavior: How to identify warning signs

Enterprises can prevent insider threat incidents if they know what to look for. Peter Sullivan explains the precursors to and precipitating events for insider threat behavior.

Editor's note: This is part two of a series on insider threat behavior. Part one examines patterns of insider threats and IT sabotage, while part two looks at the precursors and warning signs for such security incidents.

A factor frequently observed around insider threat behavior and IT sabotage cases is disgruntlement on the part of the insider as a result of some unmet expectation. In fact, most insiders who commit IT sabotage are disgruntled due to unmet expectations.

An unmet expectation is something that the insider assumed was either going to happen or not happen in a certain way, but the insider's expectation proved to be false. Failure to meet the insider's expectation may be perceived as a personal insult or disrespect, and it can result in dissatisfaction and unhappiness, which could prompt the insider to strike out at the organization. Examples of unmet expectations include:

  • salary or bonus expectations;
  • promotion expectations;
  • job dissatisfaction, including being passed over for a promotion or being disciplined for poor performance; and
  • supervisor demands, especially with a new supervisor.

Behavioral precursors

Often, unmet expectations have observable behavioral precursors that may show early signs of disgruntlement that could precede insider IT sabotage, such as:

  • conflicts with coworkers or supervisors;
  • a sudden pattern of missing work or arriving late and leaving early;
  • a sudden decline in job performance;
  • aggressive or violent behavior;
  • use of drugs or alcohol at work; and
  • poor personal hygiene.

Precipitating events

In IT sabotage, an insider attack is often preceded by some event that threatens the insider or causes him to feel like he is not getting the respect or recognition that he believes he deserves. It is these precipitating events that inform and confirm for the insider that his expectations are not being met and, thus, disgruntlement is triggered.

Precipitating events that have been observed include:

  • being passed over for a promotion or being demoted;
  • unwanted transfers between departments;
  • disagreements with supervisors or being unhappy with a new supervisor; and
  • disagreements about salary or a bonus.

What can be done?

How can a security manager deal with these elements of insider threat behavior?

The hiring process is the first place where an organization can attempt to reduce insider threat behavior. Background checks should be thoroughly conducted and should include checks for criminal history, resume inflation, and fraudulent claims of education and professional licenses or credentials, in addition to discussions with previous employers about the prospective employee's competence and ability to deal with workplace issues, including problems with coworkers.

Furthermore, policies on employee responsibilities and boundaries with respect to security should be clearly communicated and enforced. Uneven enforcement of policies can be seen as preferential treatment, which can lead to employee resentment and disgruntlement, to unmet expectations of fair and equitable treatment and, potentially, to harmful acts by insiders.

Organizations should have policies on employee conduct that clearly define expectations, including expectations of what employees should report regarding potential insider threat behavior, and they should have a process and procedure in place to generate those reports for management.

Understand what the organization's most critical IT assets are. Review access policies and roles to make sure that only those employees who require access receive it. Involve employees in the process and communicate how limiting access protects the organization and its employees.

In addition, look for signs that this access review and change is a precipitating event for insiders who already feel that their expectations are not being met. An access review may expose insiders who are already doing damage to the organization. Be prepared to deal with that.

Enterprises cannot ignore behavioral precursors. All too often, these behaviors are seen by coworkers and supervisors but do not prompt a response. This lack of response is often the result of inexperience or a lack of understanding of how to deal with these behaviors, or of a desire not to get involved in a coworker's or subordinate's personal problems. However, not responding to these precursors is also a missed opportunity to help the employee before they decide to strike out at the organization.
