We’ve been reading about insider threats to organisations for a while now. Indeed 60% of respondents to the 2015 ACSC Cyber Security Survey listed “trusted insiders” as the cyber actors of most concern to their organisation.

In February 2017 the ACSC created strategies to mitigate cyber security incidents, including those caused by “malicious insiders who steal data such as customer details or intellectual property.” A September 2018 McKinsey report, meanwhile, found that 44% of insider attacks came from negligence, followed by 38% from malicious activity.

Who are these insiders; how do we predict who might become one; and what are the conditions (external or internal) which might turn an employee into a threat? And are they really the ‘disgruntled employee’ which is often assumed? These issues were examined by Professor Monica Whitty from the University of Melbourne, albeit from a British context.

In analysing a broad sample of perpetrators of insider attacks, Whitty’s study observed some interesting psychological and social characteristics.

25% of perpetrators identified as being extraverted – outgoing, sensation seeking, and enthusiastic; 56% identified as having a strong work affiliation – hard workers that appeared happy with their jobs and the organisation; whilst 15% stated they had suffered personal hardship – needing money.

As for the motivations for conducting an insider attack, 55% did so due to greed – an intense and selfish desire to acquire wealth; right down to 3% who stated they were addicted to crime – gaining a sense of enjoyment from the act itself.

With regards to opportunity, 45% sought weaknesses in security – discovering vulnerabilities in security (physical or cyber) in order to commit the crime; whilst 38% exploited others – seeking ways to exploit/manipulate others in order to commit the crime.

Discovering an insider attack can be difficult. 61% were caught via digital evidence – digital or cyber evidence obtained after the attack due to suspicions having been raised; with 28% due to physical or online monitoring – with the person being closely monitored after complaints or suspicions being raised.

Putting this all together, the analysis found that the group most likely to perform an insider attack was The Addict – having either a gambling, drug, or alcohol addiction; followed by an employee experiencing Harder Times – having recently suffered a change in family or social circumstances; followed by Pure Greed – those employees who sought out opportunities purely for greed. Most of the individuals in this last group were Machiavellian and narcissistic. The Disgruntled Employee rated fifth.

Preventing and detecting insider attacks is difficult. Vetting and reducing opportunity are important, but equally important are behaviour and changes in an individual’s circumstances.

Moreover, when an insider is identified, organisations are often more concerned with removing the threat (employee) than learning about the person who caused the attack and their reasons for causing harm to the organisation.

More work needs to be done, but gaining a greater understanding of the psychological make-up of an insider might help organisations identify at-risk employees.