The Naval Postgraduate School & The U.S. Department of Homeland Security

A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes

Scenario: Mike sits at his cubicle where he works on nuclear power plant architecture. He is careful to wait for Sally to leave the room so he can take snapshots of the schematics with his cellphone, alone. He is up-to-date on all of his clearances and security training, but two days ago he received a letter threatening to expose his wife's gambling debt if he does not deliver the photos of the sensitive nuclear information by tonight, to a mystery buyer. With the money he will make, he can pay off his wife's debt...

You've seen it before in public service announcements and workplace-mandated training: the insider threat that seems obvious enough that you can safely assume that you will neither be confronted with such a threat nor fall for the perpetrator's traps if you are. This is exactly the type of mindset that the authors of the report, "A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes," warn about. It is exactly these threats that pose the greatest risk to nuclear security systems--which also have the most at stake.

American Academy of Arts and Sciences authors Scott Sagan and Matthew Bunn postulate that there are "deep organizational and cognitive biases that lead managers to downplay the threats insiders pose to their nuclear facilities and operations" and that "those managing nuclear security often have limited information about incidents that have happened in other countries or in other industries, and the lessons that might be learned from them." Their report focuses less on "best practices" and more on "worst practices" as the title suggests. The authors feel that more can be learned from serious mistakes when it comes to shaping an organizational security practice.

Much can be gleaned from their "lesson plan," which aims to reinforce leadership values that are anything but complacent. "Lesson #1: Don't Assume that Serious Insider Problems are NIMO (Not In My Organization)" is amplified by "Lesson #2: Don't Assume that Background Checks will Solve the Insider Problem," which discusses the psychology of trustworthiness and company loyalty. Lesson #3 is "Don't Assume that Red Flags will be Read Properly," which suggests that information sharing is essential to proper evaluation of insider threats. "Lesson #4: Don't Assume that Insider Conspiracies are Impossible" and "Lesson #5: Don't Rely on Single Protection Measures" remind us that being confident about security can quickly slide into being in denial about the feasibility of an insider threat.

The 10 lessons contained within the report offer a refreshing and convincing take on how to address insider threats from the business psychology perspective: nothing is impossible, do not assume, always assess, and prepare for the worst.

For more on insider threats and ways that the U.S. Government tracks persons of interest, check out the HSDL's Insider Threat resources.