The Security Paradox: Protecting Assets While Preserving Culture
How can your organization reasonably institute protective action against a threat that may not exist?
In today's organizations, particularly in the tech sector, intellectual property theft represents an existential threat. Recent research shows that malicious insider threats inflict damage 20 times greater than external actors, with an average cost of $4.5 million per breach (Alzaabi & Mehmood, 2024). So taking protective action seems paramount.
Research has consistently shown that organizations with strong, positive cultures experience fewer insider incidents, particularly in cases involving data theft and sabotage (Moore et al., 2016). When employees feel valued, trusted, and part of a supportive community, they're less likely to engage in behaviors that harm the organization. This is understandable: such employees feel more loyal to their organization, are more likely to report concerning behavior they witness in others, and are more likely to communicate and receive support for matters that breed frustration.
The opposite is true in a toxic work environment, one that involves excessive monitoring and suspicion. In an environment of intense monitoring, a self-fulfilling prophecy risks being born. Employees feel distrusted and are therefore less engaged in the organization’s mission and values. This may increase their disgruntlement with the company and create an adversarial dynamic. It may also alienate them and make them increasingly likely to rationalize harmful actions as a justified response to mistreatment.
The challenge for insider threat reduction programs lies in creating safety and alertness without alienating employees and creating increased risk.
Understanding this relationship between organizational culture and insider threat risk is crucial when considering security measures and monitoring systems. Searching for potential insider threats is, as Neuman (2022) eloquently puts it, "like searching for a needle in a haystack and for a needle that doesn't necessarily exist." And herein lies the tightrope organizations must walk. How do you protect against a threat that may never materialize, without creating the very environment that breeds just such a threat?
The High Cost of Vigilance
The traditional response to insider threats often involves increased monitoring and surveillance. But as stated, this approach carries its own significant risks:
It sets a tone of distrust between employee and employer, which makes company dynamics more adversarial and actually increases the likelihood of a potential threat actor taking offensive action.
Legal restrictions, particularly in private companies, limit monitoring capabilities.
Aggressive monitoring generates overwhelming false positives. Most employees, even disgruntled ones, will never harm the company.
Insider threats represent what Neuman describes as an "adaptive system." An adaptive system means that potential threats can learn, adjust, and evolve in response to security measures - unlike a natural disaster that follows predictable patterns, human actors can observe security measures and deliberately modify their behavior to avoid detection. The more aggressive the security measures, the more sophisticated the evasion techniques become.
Moving Beyond Binary Thinking: A Developmental Approach to Risk
The reality is that, despite how much research exists on the matter, there's no clear-cut profile of an insider threat. Many employees might display concerning behaviors or risk factors without ever becoming actual threats. Think back to your own work experience - have you ever felt angry at an employer or disdain toward their mission? If every disgruntled or financially stressed employee is considered a risk, the number of potential threats quickly reaches inflated proportions.
To properly scan for insider threats we must think about the developmental trajectory of the employee as he or she moves toward committing an offense. We need to begin thinking in terms of incremental warning signs rather than binary indicators. We want to look at a gradual journey toward offense rather than searching for definitive "red flags."
Let’s think about the case of Michael mentioned in the last blog post. Initially a model employee, Michael's trajectory began with personal stressors—a workplace romance that ended poorly—creating daily tension at the office. This was followed by organizational changes that disrupted his professional relationships and sense of belonging. When passed over for promotion by a new supervisor unfamiliar with his contributions, these stressors began intersecting with his strong need for professional recognition.
Rather than any single "red flag" marking him as a threat, it was this gradual accumulation of personal, professional, and psychological factors that ultimately led to his decision to take proprietary code upon departure—an action he rationalized as "taking his work" rather than theft. Michael's case illustrates why binary thinking about insider threats falls short; we need to understand how personal vulnerabilities, organizational changes, and workplace dynamics interact and compound over time. Each flag alone, or even in combination, wasn't as significant as the progression of how his experience developed over time.
As Michael's case demonstrates, understanding insider threats requires recognizing them as something that develops over time through interaction with the environment. This developmental perspective suggests we need a system that recognizes the dynamic interaction between the individual and environment, builds concerns incrementally, and allows for interventions at various stages along the way.
There’s a lot of interesting research, building on theories from Alexander Luria and Lev Vygotsky, on how to build a theoretical approach to scanning for threats that accounts for the adaptive and developmental nature of a threat. I’ll come back and address this in more detail in an upcoming blog post, and explain some of the sophisticated response models, such as the framework Nurse et al. (2014) describe, which offers a comprehensive approach to understanding the interaction between person, environment, and potential attacks.
The Balance Point
The key challenge for organizations isn't just identifying potential threats—it's doing so while maintaining a healthy, productive work environment. As Dalal and Gorab (2016) note, while insider threats can be more damaging than external attacks, the solution isn't simply more surveillance or stricter controls.
Instead, organizations need to develop what might be called "intelligent vigilance"—security measures that recognize the complexity of human behavior and the importance of organizational culture. This approach:
Acknowledges that most employees are trustworthy
Focuses on understanding rather than just monitoring
Builds security into organizational culture rather than imposing it from above
Recognizes early warning signs without jumping to conclusions
Maintains appropriate boundaries in employee monitoring
Moving Forward
The path to effective insider threat prevention lies not in treating every employee as a potential threat, but in understanding how organizational environment, individual circumstances, and security measures interact. By taking a more nuanced, developmental approach, organizations can better protect their assets while fostering the trust and positive culture essential for long-term success.
In a future post, we'll dive deeper into the specific biological, developmental, and cultural factors that shape insider threat risk, and explore practical strategies for assessment, prevention, and intervention. These strategies will focus on early detection of potential vulnerabilities and the implementation of targeted support systems. By addressing underlying issues and providing appropriate resources, organizations can significantly reduce the likelihood of insider threats while simultaneously improving employee well-being and job satisfaction. This holistic approach not only enhances security but also contributes to a more resilient and productive workplace environment.
Sources:
Alzaabi, F. R., & Mehmood, A. (2024). A review of recent advances, challenges, and opportunities in malicious insider threat detection using machine learning methods. IEEE Access, 12, 30907-30927. https://doi.org/10.1109/ACCESS.2024.3369906
Dalal, R. S., & Gorab, A. K. (2016). Insider threat in cyber security: What the organizational psychology literature on counterproductive work behavior can and cannot (yet) tell us. In S. J. Zaccaro, R. S. Dalal, L. E. Tetrick, & J. A. Steinke (Eds.), Psychosocial dynamics of cyber security (1st ed., pp. 19-38). Routledge. https://doi.org/10.4324/9781315796352
Moore, A. P. (2016). The critical role of positive incentives for reducing insider threat. Carnegie Mellon University Software Engineering Institute.
Neuman, Y. (2022). How to find a needle in a haystack. CRC Press.
Nurse, J. R. C., Buckley, O., Legg, P. A., Goldsmith, M., Creese, S., Wright, G. R. T., & Whitty, M. (2014). Understanding insider threat: A framework for characterising attacks. In 2014 IEEE Security and Privacy Workshops (pp. 214-228). IEEE. https://doi.org/10.1109/SPW.2014.38