Insider acts: how to spot them and why they aren’t reported
Alison Bell
Insider acts occur when individuals misuse their authorized access to an organization’s assets or data for their own personal gain or to cause harm. Edward Snowden, who used his access to leak classified US government information, committed an insider act, as did Rajib Karim, the British Airways software engineer who passed sensitive data to a terrorist organization. Besides data theft and terrorism, other acts an insider might commit include sabotage, espionage and fraud. Insider acts can cause significant and widespread damage to individuals and organizations.
My research focuses on the insider threat within Critical National Infrastructure (CNI) organizations which provide essential public services, such as defence, food, energy, finance, health, and water. I explore the types of behaviours in the workplace that might suggest an insider act is being planned or is happening, as well as the likelihood of individuals who witness these behaviours reporting them.
What behaviours indicate someone might commit an insider act?
First it is crucial to establish which behaviours typically indicate the possibility of insider acts being committed. I reviewed academic literature and industry reports to establish what behaviours were associated with the five insider acts included in my study: espionage, intellectual property or data theft, fraud, sabotage, and terrorism. I then combined this with insights from expert interviewees.
The types of behaviour I identified include changes in working patterns, such as being present outside normal hours absenteeism and not taking annual leave. Behaviours such as conflict or withdrawing from social interaction were common indicators of insider threat, as well as not adhering to policy and protocol.
Why colleagues do (and don’t) report
I then investigated the factors which can influence the reporting decisions of employees who observe these behaviours, using Bystander Intervention Theory and Social Identity Theory. Bystander Intervention Theory was developed to explain how bystanders react to emergencies and considers the reasons why people might intervene or not. It identifies five stages in the process of deciding whether to intervene: noticing, interpreting, taking responsibility, deciding how to intervene, and implementing the intervention. Since its development, the theory has been applied to areas such as the reporting of behaviours associated with criminal acts, violent extremism, and, in a workplace context, to understand factors that influence whistleblowing and reporting bullying.
However, other factors in a workplace context might influence reporting; specifically group membership and identification. According to Social Identity Theory, social identity is based upon group membership, and the emotional value associated with that membership. This includes identifying with others, a sense of purpose and loyalty from and with other group members. Research combining Bystander Intervention Theory and Social Identity Theory has shown that an existing relationship or shared social identity between a group of bystanders may increase the likelihood of intervention. This is relevant to the workplace, where there are many group identities at play, such as team identity and organizational identity (also see here).
To apply this to employee reporting of insider threat behaviour, I interviewed expert practitioners in CNI organizations responsible for responding to insider threats. I then conducted focus groups to discuss reporting inclinations with ‘non experts’ using a scenario that incorporated behaviours from the literature and expert interviews. This enabled me to identify several factors which may inhibit reporting. For example, reporting may be viewed as ‘telling tales’ on colleagues, and can be particularly difficult when it is based solely on behaviours with no clear evidence of wrong-doing. There could also be many other reasons which could explain the behaviours, such as personal issues which may deter reporting. However, a clear process and training can respond to these concerns and help encourage reporting.
My research identifies recommendations that can be applied within CNI organizations to help improve reporting likelihood. This includes training programmes and creating a positive security culture, where there is a strong team and organizational identity. It is also important for organizations to provide feedback post reporting, as this enables employees to see that their concerns have been taken seriously. Insider acts are a significant threat to organizations which deliver key public services and infrastructure. Enabling organizations and individuals to better spot and report potential threats before they materialize is key to mitigating against these harmful occurrences and their potentially devastating consequences.
Alison Bell is a Personnel Security Practitioner, with 25 years’ experience in the energy sector; most latterly in specialist practitioner roles which allowed her to develop knowledge and expertise in human behaviour in the workplace, investigations and personnel security. She uses this experience coupled with her academic research to provide a blended approach to mitigating the insider threat.
New Voices in Global Security is a collaborative blog series between the School of Security Studies, King’s College London, and International Affairs. Drawing on cutting edge research, the blog series highlights diverse empirical, methodological and theoretical approaches to understanding global security and engages with questions of equality, diversity and inclusion within the discipline. Contributions are based on the New Voices event series — organized and chaired by Dr Amanda Chisholm, School Equality, Diversity and Inclusion lead — which promotes the research of PhD students and Early Career Researchers (ECRs) working both within and beyond the School of Security Studies.
