Towards a Balanced Approach for Insider Risk
- Using cultural intelligence to make employees feel more connected to the organisation’s mission – and each other – pays dividends in insider risk mitigation.
- Bias comes in many forms and only a well-rounded understanding of how pervasive the issue is can lead to its effective management.
- As insider risk management (IRM) remains a matter of managing increasingly complex employer-employee relationships, the case for insights from social and behavioural sciences in insider risk becomes clearer than ever.
On the occasion of National Insider Threat Awareness Month, the Threat Lab and the National Insider Threat Task Force organised the second annual C-InT SBS Summit. The event provided a global audience with publicly accessible talks, keynotes and presentations from leading figures in the field of insider risk. This September’s summit focused on the theme of cultural intelligence (CQ), a factor of growing importance for sustainably securing organisations. The insights of industry experts, academic researchers and practitioners from both the public and private sector revealed common questions across the IRM sector: How do we operationalise research findings, recommendations and success stories in a scalable way? How does the pervasive issue of bias influence insider risk management, and what can we do to mitigate it? Ultimately, how can input from the behavioural and social sciences make our organisations more resilient in the face of increasingly complex challenges?
Inclusivity, cultural intelligence and positive incentives: Future-proofing insider risk programmes
As organisations start feeling the shifts in dynamics brought about by an increasingly young, transient and diverse workforce, insider risk programmes are compelled to integrate new approaches in how relationships with employees are managed, cultivated and monitored. Indeed, as highlighted in Dr. Andrew Moore’s talk on balanced deterrence, while IRM tends to focus almost exclusively on individual behaviours, organisational context also needs to be taken into account. In practice, this means parallel deployment of both traditional security controls (negative deterrence) with actions that increase employee perceptions of organisational support (positive deterrence). Combining detection, reporting and incident sharing with wellness stories, team-building initiatives and performance-based awards creates deterrence bundles of increased security value, as a negative approach alone can often exacerbate movement along the critical pathway for troubled employees. Balanced deterrence primes organisational culture to better respond to insider threats, by improving management-employee relations through shifting behavioural norms.
Dr. Moore’s insights complement Carnegie Mellon University’s findings on aligning the interests of employees with those of the organisation. According to CMU research, positive incentives – paired with existing security measures – can be very effective in reducing insider risk. Job engagement, perceived organisational support, and connectedness between co-workers form three main avenues through which this relationship can be built. In other words, insider risk can be mitigated if organisations make employees feel valued, connected and included.
Cultural intelligence has an important role to play in fostering workspaces of this type. As Dr. Liza Briggs highlighted, awareness and integration of culture provides a necessary context for understanding key steps along the critical pathway. In her talk on applying cultural intelligence in insider risk, Dr. Nicole Alford noted that inclusion forms only one aspect of cultural intelligence, which is different from mere phenotypical organisational diversity. In essence, CQ is about how well organisations take an individual’s cultural background and its effects on behaviour into account, using that knowledge to integrate people fully into organisational processes. This strategic application of cultural awareness is imperative for creating truly inclusive workplaces where everyone connects to the team’s mission.
Nevertheless, communicating cultural intelligence and effectively using it in an IRM setting would be extremely difficult in workplaces where trust is lacking. To guarantee successful implementation in diverse organisations, Mrs. Jessica Jones suggested falling back on the eight C’s of trust. Clarity is a necessary component of communicating the purpose and vision of an IRM programme and ensuring buy-in. Analysts must also operate with Compassion, as IRM programmes aim at helping employees succeed instead of endangering their organisations and themselves. Character and Contribution are about motivating people to be proactive in identifying concerning signs, while Competency ensures employees understand what to look for in reporting suspicious behaviour. Commitment to being security-conscious must be promoted as a key element of caring about the team, while frequent Connection with IRM staff allows employees to voice their concerns. Lastly, Consistency makes buy-in and reporting a continuous process.
From heuristics to statistics: Managing bias on two fronts
With IRM operations growing in scale and complexity, organisations increasingly invest in technical solutions for insider risk monitoring. Although IRM tools certainly provide practitioners with a greater flow of information and a better capacity to evade human bias, the wide adoption of a strictly technical approach is not without danger. In his presentation, Dr. Adam Trexler distinguished between human, cultural and statistical bias, noting that all of them need to be taken into account when crafting insider risk policy. Although the use of technical tools can remove certain types of bias from risk calculation, it can create a false sense of security that allows statistical errors, such as sampling or survivorship bias, to undermine IRM programme effectiveness. More specifically, reinforcement bias in IR data tools runs the risk of creating algorithmic echo chambers that require attentiveness to identify and evade. Although simulations show that these blind spots can be identified and exploited through random searches, accounting for cultural norms and using non-technical strategies remains critical for maintaining a successful IRM programme that optimally deploys these sophisticated and expensive technical tools.
After all, looking inward and accounting for lapses in decision making can be an invaluable skill for insider risk practitioners in both technical and non-technical settings. In his keynote speech, Dr. Kirk Kennedy stressed the importance of recognising the common mistakes we make in evaluating others as a result of bias, while also highlighting the role of cultural context in making these types of wrongful assumptions. In a period of intensifying political polarisation and wider geopolitical antagonism, being mindful of bias makes insider risk managers handle cases more effectively, by reducing false positives and maintaining a positive climate of interdepartmental and interpersonal trust in the workplace.
Social scientists: A foundational asset in insider risk management
Precipitating circumstances far beyond the reach of employers, such as the pandemic, rapid digitisation and the shifting concerns of a more skilled, diverse and young workforce, have brought organisations before complicated decisions regarding insider risk management. Nevertheless, a growing corpus of academic insights now provides solutions for organisations wishing to adapt their culture to these new challenges, ensuring business continuity and resilience. This year’s SBS Summit showcased that social scientists are at the forefront of recognising these issues and providing targeted solutions for various organisational contexts.
Multiple speakers illustrated, both with practical examples as well as research results, that insider risk management is an organisation-wide exercise that evades the purview of a single authority. Although dedicated insider risk teams, HR and security departments lead the way in insider programme implementation, effecting cultural change in any organisation starts by influencing behavioural norms in a way that ripples both downstream and upstream. Especially when it comes to championing inclusion and celebrating diversity within an organisation, managers across the board are crucial thought leaders whose input is paramount for successfully using cultural awareness to make employees feel valued and included.
Insights from social science are not only helpful in recognising what goes wrong. More importantly, they help us understand why something goes right. By inspecting successful insider risk programmes, as Dr. Eric Shaw did in his talk on employee monitoring, we can see how tailored organisational solutions point the way forward for insider risk as a domain. By transforming HR staff into reliable case officers who accompany talent throughout the employee lifecycle, and using critical pathway specialists to screen candidates from the first interview stages, organisations can create and cultivate a relationship of mutual trust from the early stages of their cooperation with an employee. In addition, using forced collusion with compliance personnel to safeguard “crown jewels” reduces fear for the employer (and the employee) by inserting organisational safeguards. Moving forward, organisations must focus on shifting the very cultural identity of IRM programmes – from tools for “hunting bad apples” to key support pillars for the organisation’s most crucial asset, its staff.
Are you interested in finding out how we use findings from the cutting edge of social and behavioural sciences to make organisations worldwide more secure? Please contact us on firstname.lastname@example.org if you would like to learn more about insider risk management in support of your organisation.