Experts are constantly pointing out that insiders are responsible for almost half of all security breaches. Whether these breaches are intentional or caused by misuse, it is important to address the risks and motivations of insider threats. David L. Charney has tackled this issue in his white paper “True Psychology of the Insider Spy”, in which he provides insights into the psychology of an insider spy. We briefly summarise the findings in this blog article.
Why are insider threats increasing? One reason is the way we frequently hop from one job to another. The days when workers spent their entire career with a single company are long gone. Lack of loyalty to the employer and higher turnover rates increase the risk of theft of intellectual property and confidential information. Consequently, many employees also take data with them when they change jobs. As well as the increased likelihood of data exfiltration, the actual theft of data has also become much easier. Due to COVID-19, today's employees work from home and can access company data wherever they are. David L. Charney explains what is happening on a psychological level in the white paper “True Psychology of the Insider Spy”.
The theory of the Fraud Triangle focuses on the triggers that lay the foundation for the insider's reversal. In contrast, the Multiple Life Stage model looks at a much longer time span, including the time before, during and after an attack. In a similar way to the Fraud Triangle, the model starts with awareness and stress stages. Hurtful childhood experiences can increase the insider's sensitivity. Later, additional stressors in professional and private life (e.g. a tax audit, divorce, demotion) occurring in a short period of time (6-12 months) can develop into a stress spiral. The actual decision to take action is made when the stress in professional or private life, or both, becomes unbearable.
When rationalising their potential espionage or theft, the insider creates a personal bubble in which everything makes sense and their actions are clear and justified. There is a denial of any possibility of a sense of inner failure in the face of stress, and blame is projected outwards onto colleagues, the workplace or life circumstances. The insider creates a “payback” plan within their personal bubble where money problems are solved and pressure is relieved by committing a simple, completely justifiable action.
Once the decision to launch an attack has been made, the malicious insider enters a honeymoon phase, where there is a sense of relief and resolution from financial pressures, work stress or family problems. Everything makes sense now within their personal bubble. However, as soon as the pressure subsides, reality sets in. The rationale that made perfect sense before suddenly becomes difficult to comprehend. The insider is left with the shock of a “cold shower”: What was I even thinking?!
David L. Charney describes two blunders now confronting the insider. The first is the inability to deal with their life which creates enormous internal pressure. The second is being trapped in the role of thief or traitor, something that cannot be resolved without them losing everything they have achieved in their life and facing punishment.
There is no way back for the ill-intentioned insider. The decision to steal confidential information or to spy on an organisation is highly unacceptable and liable to prosecution, so whether the insider feels remorse or not, there is no way for them to go back to a normal life afterwards. Malicious insiders will actively steal and spy for a period of time while concealing their actions. They may enter what is called a dormant phase where they do not engage in any activity. Phases of dormancy and activity can alternate over a period of months up to several years.
Most insiders who go rogue will ultimately be confronted with remorse and fear, and the constant uncertainty of being caught. Consequently, their eventual arrest can be associated with a high level of stress, as well as a relief from this uncertainty.
In the final phase, which in most cases involves consequences, insiders frequently reflect for the first time on what they have done. Whereas they were previously torn between comparing themselves to others and the pressures of life, isolation (physical, social or both) enables them to gain a more realistic view of their life, their bad choices and the consequences for them.
Ultimately, understanding the psychology behind insider threats is critical to successfully detecting them. As yet, there is no technology that can tell if someone is about to reach a tipping point based on stress factors – or at least, we are not aware of one. This means that the first step in responding appropriately to an insider threat is to raise awareness of the problem. However, the responsibility for detecting, intervening and preventing insider threats is often split between the information security, legal and human resources (HR) departments. A clear definition of measures and responsibilities is crucial to implementing an effective programme to counter insider threats. Appropriate breach detection solutions, for example those from our partner Vectra AI, help you to recognise possible signs of unusual behaviour by a user.
The Vectra AI Cognito platform provides real-time threat and attack analysis based on the continuous monitoring of network traffic. The combination of methods from data science, machine learning and behavioural analysis enables all phases of a cyber attack to be automatically detected. Vectra automatically detects when attackers are snooping around, spreading across the network or ultimately trying to steal information. Vectra gives you full visibility of everything that is happening within your infrastructure, so you can spot signs of cyber attacks and insider threats early on. To learn more about Vectra AI's AI-based solution or about insider threats, contact our experts at the Cyber Defence Center.