Assessing the Mind of the Malicious Insider

The Intelligence and National Security Alliance (INSA) tackles one of the most difficult challenges facing the intelligence community today: detecting and protecting against insider threats. “Assessing the Mind of the Malicious Insider: Using a Behavioral Model and Data Analytics to Improve Continuous Evaluation” unifies established psychological norms and behavioral patterns into an integrated model that better identifies and mitigates malicious insider threats. According to its extensive research, implementing effective monitoring tools and recognizing malicious and counterproductive workplace behavior are key to preventing the loss of sensitive information that could harm national security. The paper cites a wide array of research on insider threats, including studies by Dr. David Charney and former CIA psychiatrist Dr. Jerrold Post, which are used to construct behavioral models in line with established psychological constructs.

One psychological characteristic highlighted is the narcissistic/anti-social personality type, characterized by extreme entitlement and a lack of empathy for others, which can predispose an employee to commit espionage. The combination of this personality type with environmental and organizational stressors can lead to resentment and counterproductive behavior in the workplace. Counterproductive work behaviors can be directed against fellow employees (interpersonal deviance, or CWB-I) or against the institution as a whole (organizational deviance, or CWB-O). Counterproductive work behavior and malicious insider acts do not happen out of the blue, however. The paper demonstrates what Dr. Post called the ‘critical pathway’ that progressively erodes employee loyalty. The transformation of an initially loyal employee into one who commits treason is typically a response to life stressors and to an inadequate organizational response to signs of distress or dissatisfaction.
The integrated model serves as an early warning system that can improve recognition and mitigation of threatening behavior before it escalates. The report states, “integrating these factors into a model (see Figure 6) takes account of the process by which events can trigger stressors that are related to the individual’s personality characteristics and perceived sense of control. An individual’s perceived lack of control can amplify feelings of being unjustly treated. Those negative emotions create psychological, physical, and behavioral strains that can result in counterproductive work behaviors and ultimately a major insider act.”

INSA integrated model for insider threat detection

This report is particularly groundbreaking in the field of insider threat detection because it considers the benefit of monitoring and evaluating employees on a continuous basis. In the past, insider threat detection used screening technology and data source analysis only in the initial hiring phase or after suspicious behavior had occurred. INSA suggests using advanced monitoring tools, such as psycholinguistic tools and text analysis, that look deeper than standard employee screening of criminal records, financial history, and computer activity. Tools such as personality mapping, life-event detection, and emotion detection track an employee’s communications on social media to identify possible stressors in their life that could lead them to act maliciously. These screening systems analyze social media posts, tweets, emails, and text messages with up to 90% accuracy, detecting not only life events but also immediate emotional changes, which is critical to understanding the threat and developing mitigation accordingly. However, intrusive technology such as the monitoring of employee communication and social media can raise concerns about where to draw the line between national security and personal privacy. The report discusses the right balance between privacy and security as well as other issues, such as improving organizational communication, focusing on awareness and mitigation, and practicing risk management. INSA makes the following recommendations for implementing the insider threat protection strategies proposed in the paper:

  • Share and refine the vision
  • Clarify authorities, roles, and policies
  • Validate the model, data sources, and tools
  • Plan ahead for training adjudicators, analysts, managers, and employees to do business differently
  • Seek better solutions

For details about follow-up initiatives or to read the full document, click here. More information about insider threat detection and protection can be found at the Homeland Security Digital Library.