Some insider threat incidents are caused by the negligence or even naiveté of insiders enabling an outside attack, while others are planned malicious actions of an insiders that involve stealing confidential company information or damaging company assets. But what makes such an insider actually 'malicious' in the first place? What is going on in his mind?
In previous posts, we have discussed various types of insider threats that affect US government, companies and organizations in charge of critical infrastructure. We have discussed various insider attack patterns, but what are the motivations and constraints that make an insider turn against his employer?
We have seen that so called 'whistle blowers' may act upon their own convictions and turn against their employer, but their numbers are very limited.As the majority of cases involves the theft of information and assets in an organization for own personal gain, what are the motivations and constraints in this case?
A good place to start is the Fraud Triangle, one of the most famous fraud-specific models, developed by the criminologist Donald Cressey. It explains the factors behind fraud, for example in cases such as Bernard Madoff. However, it is also directly applicable to the insider threat problem.
Cressey interviewed imprisoned bank embezzlers in the early 1950s and concluded that many of them who were trusted law-abiding citizens before they had a "non-sharable financial problem." The Fraud Triangle model is directly derived from this and consists of three elements: pressure, opportunity, and rationalization (see figure below).
"Pressure" to make a person commit fraud or an insider turn against his own company is the aspect of the fraud triangle that motivates the crime in the first place. In many cases, it is a financial problem of a personal or professional nature or just greed that underlies the pressure. The person often feels unable to share the underlying problem, such as an addiction or severe illness, with others as this might impact his social status. The individual is further unable to resolve the problem using 'conventional' means, so he begins to consider stepping over the line of legality and trust.
To step over the line, an "opportunity" needs to be present. The individual needs to have access to information or other resources of value, and perceive that, if illegally exploited, there is little risk of being caught.
The fear and perception of risk is further lowered by the fact that the root cause of the pressure is non-sharable - risking his social status may be as big of a risk as the crime itself. So stealing confidential company information might be perceived as being as "bad" as a drug problem, and if the latter cannot be resolved and concealed any more, why not commit the crime?
Sign up for CIO Asia eNewsletters.