By Luke Treglown – Organisational Psychologist at PGI
We are becoming increasingly digitised. Both our private and professional lives are becoming engrossed in technology and there is no real stopping this rapid progression.
So, it’s understandable that some companies are becoming increasingly pessimistic and paranoid about the cost of an impending external attack: viruses through emails, customer credit card details being cloned, and emaciated teenagers who can hack your website from their bedroom.
Yet, is the worry misplaced? There is no doubt that the external threat is real and worthy of concern. The recent WannaCry ransomware attack is estimated to amount to global losses of close to $4 billion. However, is the external threat the most ominous one that faces businesses? Organisation leaders often focus so narrowly on fortifying themselves against external intruders that they become blind to the wolves within.
The nature of an insider attack is diverse, with the big-hitters including fraud, sabotage, intellectual property theft and IT security breaches. When you start to look at the numbers, the risk from within begins to eclipse the external threat: $2.9 trillion per year is lost globally through employee fraud. In its 2017 Global Economic Crime Survey, PwC found that 86 per cent of organisations suffered from at least one instance of fraud that year (up from 82 per cent the previous year). Yet, it is insiders who are responsible for 81 per cent of these attacks. Roughly 90 per cent of Economic Espionage Act prosecutions and thefts of trade secrets involve an insider. When it comes to IT security, the average organisation can expect to experience around four insider breaches a year. Carnegie Mellon University found that of 103 instances of insider-perpetrated intellectual property theft, half resulted in losses that exceed $1 million. Research conducted by the FBI and CSI units found the average cost of an external attack is around $57,000. The average cost of an attack from an insider is $2.7 million.
Employees are the largest resource available to a company, yet they can also be the greatest source of liability. They are at their most dangerous when they are dishonest, devious and disenchanted. They are already one step ahead of external threats; they are within the barricades and know exactly where it is most sensitive. They can bide their time, wait to strike and inflict damage that far exceeds what any external hacker can do.
Hitting the headlines
The most familiar insider attacks are those that have captivated headlines. These attacks have been perpetrated by highly skilled individuals within an organisation, who aim to inflict harm in a dramatic and public manner. They are your ‘Edward Snowden types’.
In these cases, it is difficult to know how best to measure the damage done to an organisation. Vitek Boden caused enormous financial and environmental damage by leaking 800,000 litres of sewage water into local parks, rivers and businesses in Queensland, Australia. Companies can have their reputations wrecked as a result of an insider leaking sensitive information – or giving entrance to a hacker who can. Amy Pascal was forced to resign from Sony Pictures after private and confidential emails of staff were made public. Target, the US retailer, had the credit card information of 40 million customers leaked by external hackers with the aid of a current employee. Yet, the very worst cost of an insider threat is that of a human life. The Ashley Madison leaks, now thought to have involved the help of an insider, resulted in at least two users of the site committing suicide.
Not all insider attacks are as high profile as these. The attacks that make the news do so because they are so highly visible. The problem is that potential attacks that emerge from within are broad and disparate in scope. Just because an attack does not fill the tabloids does not mean it is any less devastating. Organisation leaders and their senior staff often have an appreciation of what the insider threat constitutes in this sense, but rarely do they grasp the full magnitude of its potential damage.
The reason that hackers and malware are discussed with such vigour is due to the visible damage they leave. The problem is that the inside threat is being treated as a technological problem when it needs to be thought of as a human one. To do that, organisations need to understand what factors influence an employee to become a threat.
The bad apple
What motivates an employee to go rogue? To turn against their organisation and become a potential security risk?
Organisations often want to be able to point the finger and distance themselves from current or former employees that have done the damage. There is a desire to explain the employee’s behaviour in relation to dispositional aspects; something about the employee that made them do it. Psychologists have spent the past few decades studying and understanding what personality variables or ‘dark’ traits make an employee inherently more likely to be a risk to their organisation; that make them likely to be ‘bad apples’.
Academic research has mostly focussed on understanding the role of ‘dark’ personality traits. These are aspects of personality that are inherently self-serving and exploitative. They are damaging to the individual as well as those around them. There are three traits in particular that have attracted a large amount of empirical attention – this is the dark triad of narcissism, Machiavellianism and psychopathy.
Narcissists are characterised by an overexaggerated belief in their own ability and an over-inflated sense of self. They believe that they are the best at what they do and want to ascend to positions of authority and power so that they can have this belief reinforced and confirmed by others. Narcissists become ‘bad apples’ when their ego is threatened; when they feel that others are not paying attention to them or giving them the recognition they feel they deserve. It pushes them either to make rash decisions in the hope it will make them appear impressive, or to act callously to undermine and punish people so that they feel socially superior.
Machiavellianism is characterised by manipulation, a cynical view of human nature and a moral outlook that prioritises expediency over principle. Machiavellians desire control over information, materials and money because of the influence and power that it brings. However, Machiavellians become bad apples because they will act deviantly to get ahead. They will happily commit fraud or engage in sabotage if it helps put them in a position of power.
Psychopaths have a disregard for others, impulsivity and a lack of guilt or remorse. Psychopaths become bad apples because of how these aspects interact. Psychopaths are thrill seekers and will do things impulsively if it brings them excitement. The problem is that committing fraud or sabotaging their colleagues falls into this category. And, as they have no remorse, guilt, or conscience, they have absolutely no issues in behaving this way.
There has been ample high-quality evidence to support the bad apples hypothesis. However, it only explains half of the story. While there are dark traits that make someone more likely to become a risk, there are also perfectly normal traits that contribute to this literature. After reviewing the evidence, organisational psychologists found that an employee’s conscientiousness and agreeableness were direct predictors of deviant behaviour.[1] The problem is that this only provides us with part of the picture. There are millions of employees who are low on both conscientiousness and agreeableness, but this does not adequately explain the prevalence of counterproductive work behaviours.
The bad barrel: disenchantment
The forgotten half of the picture is the ‘bad barrel’; if the apple is not rotten because of the core, then it must be something about the environment it is in. To have this kind of impact, the conditions of the barrel would have to leave the employee motivated to act against his/her own organisation. The most powerful driver for this is injustice; a belief that you have been wronged. Employees who feel unjustly treated become the bad apples because they are no longer motivated to follow compliance guidelines whilst simultaneously being motivated to ‘balance the scales’ and enact revenge against their organisation or colleagues.
When a secure cyber infrastructure is operated by a disenchanted employee, the threat still remains. These employees are not inherently malicious, but have become disgruntled over time due to poor management and an abrasive culture. They resort to these types of attacks in order to rectify the inequity that they have experienced.
PGI’s research with psychologists at University College London (UCL) has discovered that workplaces that foster disenchantment – a cognitive-affective response to workplace injustice – are the ones that turn normal, engaged employees into potential risks. It is about understanding what elements of the workplace are present and are driving disenchantment. Disenchanted employees have become detached, disillusioned and disengaged as a response to poor management practices and unfair organisational processes.
Professor Adrian Furnham of UCL, along with John Taylor and Luke Treglown of PGI, has been researching how management practices and organisational processes promote disenchantment and prevent engagement. Their research has identified five key factors that underpin disenchantment:
Bullying and disrespect: This is the belief that some senior people are callous, uncaring and nasty. The organisation is a place where being tough and ruthless is encouraged. Employees feel downtrodden and belittled each day as they fall victim to continuous incivility.
Broken promises: This is all about expectations not being met, or that the organisation has not held up its end of the bargain. For some, the selection interview and the induction period are where people set your expectations about working for the organisation. They tell you what they stand for, what they expect and how things work. Employees become disenchanted when these expectations are broken.
Perceived inequity: The idea that some people in the organisation are treated very differently from others. The hottest word at work is fair: that people are fairly assessed, promoted and rewarded. Yet, it can seem to some that loyalty, hard work and productivity have less to do with success than some other attributes, such as demography, brown-nosing, or nepotism.
Distrust: The feeling that the organisation does not even trust its own employees. Employees grow suspicious of their managers and colleagues, questioning the genuineness of their behaviour. Employees look over their shoulder, vigilant that a colleague might stab them in the back. Disenchantment grows in two directions: managers are unwilling to let employees work without being monitored or scrutinised, while the colleagues are secretive and uncooperative.
Organisational hypocrisy: This is the perception by the employee that what the organisation says about itself in public and even to its employees is a pack of lies. There is an inconsistency between the words, actions and decisions in the workplace. The organisation is seen as deceitful and lacking integrity. Employees become disenchanted when they realise their workplace is nothing like how it appears on the corporate brochure or website.
Our research has shown that disenchantment is a powerful predictor of who will become the bad apples and act against their organisation. It acts like a relay model; as disenchantment increases, so too does the risk of an employee engaging in abuse, product deviance, fraud and sabotage. The important aspect is that it is actionable; it is possible to identify where employees are going bad and how to remove the drivers before they cause any damage.
Taming the wolves
The bad barrel approach is not a new idea. Employee disgruntlement has frequently been cited as a leading cause for why employees go rogue and damage their organisation.
But senior board members and managers have paid little attention to discovering the what, how and why of this issue. Our research into understanding disenchantment has led the way in developing a scientific and academic measure of this phenomenon and how it leads to theft, fraud and sabotage.
The barrel can have a profound impact on the apple and can even have a reversing effect. A recent study at UCL found that disenchantment (or more importantly, the lack of it) had a controlling influence over dark personality traits. Psychopathy is consistently noted to be the most powerful personality predictor of insider activity. However, when the organisation is causing little to no disenchantment, psychopathy no longer has an effect. It does not matter how ‘dark’ an employee is, if they feel enchanted at work they are no more likely to damage their company than their ‘bright’ counterparts. However, when disenchantment was high, they became significantly darker and a far greater risk. Enchantment has the power to temper the bad apples, but disenchantment has the power to exacerbate the risk.
Detecting the insider should not be a witch-hunt, but an investigation into how the organisation is inspiring resentment within its employees. There is little accountability within organisations for how or why disgruntled employees get to where they are. The reality is that insiders are often made by their environment, not born. It comes down to this: how do you know which of your employees are Red Riding Hood and which have become wolves in Grandma’s nightie? Protection against the wolves lies in rooting out the causes of disenchantment and making it right before it comes back to bite you.
About the Author:
Luke Treglown is Director of Organisational Psychologist at PGI. Luke’s work has helped organisations to understand the human element of security; how culture and management practices can be the spark that promotes engagement and compliance or the derailing factor that manifests the insider threat. Luke is also a PhD student at University College London where he studies the psychological processes that underpin employee disenchantment.
Footnote:
1. Salgado, J. F. (2002). The Big Five Personality Dimensions and Counterproductive Behaviours. International Journal of Selection and Assessment, 10(1–2), 117–125.