
Assessing the Mind of the Malicious Insider: Using A Behavioral Model and Data Analytics to Improve Continuous Evaluation

03.30.2025 at 06:08am

Here is a brief survey of this document:

The Intelligence and National Security Alliance (INSA) presents a behavioral analysis of insider threats, revealing a complex psychological landscape where trusted employees can transform into potential security risks. The document deconstructs the critical pathway leading individuals from loyal professionals to malicious actors, emphasizing that such transitions are rarely sudden but instead result from a progressive deterioration of psychological and organizational dynamics. By integrating psychological research, counterproductive work behavior studies, and advanced data analytics, the report introduces a model for detecting and mitigating insider threats before they escalate.

Key insights emerge from the study’s comprehensive examination of personality traits, life stages, and organizational stressors. The research identifies specific psychological characteristics—such as narcissistic/anti-social tendencies, reduced empathy, and ethical flexibility—that can predispose individuals to potential malicious actions. Critically, the paper argues that these traits alone do not guarantee misconduct; instead, environmental factors and organizational responses play pivotal roles in an individual’s trajectory toward harmful behavior. Emerging technologies like psycholinguistic tools and sentiment analysis offer promising methods for early detection, allowing organizations to identify and support employees experiencing significant life stressors before they reach a critical point.

The document provides actionable recommendations for government and industry instead of mere problem admiration. It advocates for a holistic approach to insider threat management, emphasizing improved organizational communication, transparent employee assistance programs, and robust risk management practices. By recommending clearer role definitions, comprehensive training, and continuous model validation, INSA provides a forward-thinking framework for preventing insider threats while maintaining employee privacy and organizational integrity. 

Executive Summary

Insider threat detection is one of the most difficult challenges facing industry and the Intelligence Community (IC) today. With roughly three million individuals cleared to access classified information[1] and a multitude of ways to compromise it, determining who may pose a significant threat at a particular point in time is a monumental task. The key to improving an organization’s prospects for preventing a major malicious act is knowing what behaviors to look for and having effective monitoring tools in place.

This paper reviews and integrates several accepted psychological constructs into a behavioral model that can be adapted for practical use and suggests new tools to leverage this model to mitigate threats from insiders who may intentionally decide to harm their organization or our national security. It continues the exploration of security issues in two earlier INSA papers: “Leveraging Emerging Technologies in the Personnel Security Process,”[2] which offered ways to continuously evaluate and monitor those accessing sensitive information, and “A Preliminary Examination of Insider Threat Programs in the US Private Sector,”[3] which sought ways to assess and compare industry’s initial implementation of Insider Threat programs.

The model of behaviors in this paper, derived from a body of research studies on malicious insiders, assumes that an initially loyal employee does not suddenly transform into a malicious insider. Certain personality traits may predispose an employee to acts of espionage, theft, violence, or destruction. These traits may be reinforced by environmental and organizational stressors. Less severe counterproductive work behaviors commonly occur before the decision to initiate a major damaging act. Clustering these behaviors into families may help define an “early warning system” and improve understanding of how individual characteristics and environmental factors may mitigate or intensify concerning behaviors.

Effective monitoring tools that can work in tandem with this model take advantage of technology to surpass standard screening for biographic factors (i.e. criminal record, financial history) or the monitoring of computer activity. In particular, advanced text analytics and psycholinguistic tools that track an employee’s communications across social media and other platforms to detect life stressors and analyze sentiment can help detect potential issues early in the transformation process. Another critical element is improving the sharing of information within organizations among managers, human resources, information technology (IT), security, and legal advisers regarding minor counterproductive work behaviors that may indicate an employee is struggling and at heightened risk of committing a malicious act. 

Introducing sophisticated new tools and effective monitoring immediately raises a host of questions that require further discussion to assess how best to incorporate them in Continuous Evaluation programs. These include how to balance privacy and security, assess the impact on workplace morale, determine the triggers for undertaking additional monitoring and action, and incorporate oversight and protections for civil liberties. We anticipate that organizations will reach very different outcomes depending on their institutional cultures. In the end, this is a critical risk management exercise for senior leaders in all organizations as the destructive power of malicious insiders grows and the tools to monitor and mitigate become more sophisticated and intrusive. 

INSA’s Security Policy Reform Council recommends a number of follow-up initiatives to further explore the key concepts outlined in this paper, focusing in particular on validating the use of behavioral models and automated tools to identify at-risk individuals and to design mitigation strategies that help employees change course – or that remove employees’ access to sensitive data, systems, and facilities – before they commit malicious acts. Both government and industry have significant equities and interest in making progress to improve insider threat programs. INSA is committed to creating partnerships and forums to advance both research and dialogue on these complex issues. 

About The Author

  • SWJ Staff searches the internet daily for articles and posts that we think are of great interest to our readers.
