The Psychology Behind an Insider Threat

September 29, 2020
Vectra AI Security Research team

As mentioned in my previous blog, the difference between the types of insider threats comes down to motivation. Analyzing the psychological underpinnings of an insider threat case is a complex undertaking because there is little evidence and scant public data about insider threat incidents. My undergraduate education was in behavioral science, and even though my professional career didn’t follow that path, I have always maintained a keen interest in understanding the relationship between motivation and action. David L. Charney wrote an interesting white paper, based on his research into cases including several infamous spies such as Robert P. Hanssen (FBI) and Brian P. Regan (U.S. Air Force), that gives insight into the true psychology of the insider spy.

The fraud triangle

The fraud triangle theory focuses on the triggers that lay the groundwork for the insider to turn. In contrast, the multiple life-stage model considers a much longer timeline, including the period before, during and after an attack.

Similar to the fraud triangle, the multiple life-stage model starts off with sensitization and stress stages. Hurtful experiences in childhood may scar and sensitize, but do not necessarily lead to insider spying.

Additional stressors in work and private life (e.g., IRS audit, divorce, demotion) that occur in a short timeframe (6-12 months) may develop into a stress spiral that, along with a deep sense of being underprivileged, may open an individual to certain opportunities. The actual decision to take action is made when the stress becomes unbearable in professional or personal life or both.

Beware of the personal bubble

In the fraud triangle—when the rationalization of potential spying or theft kicks in—the insider creates a personal bubble within which everything makes perfect sense and the actions are clear and justified. A possible sense of inner failure to face climactic stress is denied and blame is projected outwards to colleagues, the workplace or life circumstances.

The insider creates a plan of payback within the personal bubble, where money problems are solved and pressures are relieved through one simple, completely justified action. At this stage, if a third party is involved in the insider spying or theft, little or no recruiting effort is needed because the insider reaches out and self-recruits in an effort to relieve the inner pressure. The climax and decision typically occur within a short timeframe of 1-2 months.

Honeymoon and a cold shower

Once the decision is made, the malicious insider enters the honeymoon phase where there is a feeling of relief and resolution of financial pressures, work stresses or family problems. Everything makes perfect sense now within the personal bubble.

However, once the pressure is relieved, reality kicks in.

The personal bubble was created and decisions were made while the insider felt intense inner pressure. Once these pressures are relieved, the reasoning that made complete sense earlier is suddenly hard to follow. The insider is left with a shocking cold-shower sense of “What was I thinking?!”

As Charney describes it, the insider is now faced with two failures. First is the inability to deal with life, which created enormous inner pressures. Second is being stuck in the role of a thief or traitor that cannot be resolved without losing life’s achievements and facing punishment.

No way out

There is no way back for the malicious insider. Because the decision to steal confidential information or spy on an organization is highly unacceptable and punishable by law, the insider—feeling remorse or not—has no way back to the old reality of a normal life.

Malicious insiders will actively steal and spy for some time—concealing their actions—and might enter what is called a dormancy stage, where there is no activity. Stages of dormancy and activity can alternate over a period of months to several years.

Most insiders who become malicious ultimately face remorse and fear, and the constant uncertainty of being caught. As a result, their ultimate arrest may be associated with high stress levels but might also bring relief from the uncertainty. For some, the public revelation of their actions might constitute a demonstration of their technical abilities and sophistication. For others, it’s another shameful point of failure in life.

The final stage of punishment, which in most cases involves imprisonment, is often the first time they reflect on their actions. Previously, they were torn between comparison to others, life pressures, and opportunities. Isolation—physical, social or both—will eliminate these distractions and provide a more realistic view into the insider’s life, poor choices and consequences.

Ultimately, it’s critical to understand the psychology of an insider threat if you’re going to be successful at catching them. I have yet to see a technology that can detect if someone is about to hit a tipping point based on stressors, but thankfully Vectra Cognito can detect if they are starting to act maliciously!

It's National Insider Threat Awareness Month. If you'd like to learn how Vectra can help, you can schedule a demo.