In previous posts, we have discussed various types of insider threats that affect US government, companies and organizations in charge of critical infrastructure. We have discussed various insider attack patterns, but what are the motivations and constraints that make an insider turn against his employer?
We have seen that so called ‘whistle blowers’ may act upon their own convictions and turn against their employer, but their numbers are very limited.As the majority of cases involves the theft of information and assets in an organization for own personal gain, what are the motivations and constraints in this case?
A good place to start is theFraud Triangle, one of the most famous fraud-specific models, developed by the criminologistDonald Cressey. It explains the factors behind fraud, for example in cases such asBernard Madoff. However, it is also directly applicable to the insider threat problem.
Cressey interviewed imprisoned bank embezzlers in the early 1950s and concluded that many of them who were trusted law-abiding citizens before they had a “non-sharable financial problem.” The Fraud Triangle model is directly derived from this and consists of three elements: pressure, opportunity, and rationalization (see figure below).
“Pressure” to make a person commit fraud or an insider turn against his own company is the aspect of the fraud triangle that motivates the crime in the first place. In many cases, it is a financial problem of a personal or professional nature or just greed that underlies the pressure. The person often feels unable to share the underlying problem, such as an addiction or severe illness, with others as this might impact his social status. The individual is further unable to resolve the problem using ‘conventional’ means, so he begins to consider stepping over the line of legality and trust.
To step over the line, an “opportunity” needs to be present. The individual needs to have access to information or other resources of value, and perceive that, if illegally exploited, there is little risk of being caught.
The fear and perception of risk is further lowered by the fact that the root cause of the pressure is non-sharable – risking his social status may be as big of a risk as the crime itself. So stealing confidential company information might be perceived as being as "bad" as a drug problem, and if the latter cannot be resolved and concealed any more, why not commit the crime?
Rationalization is the last leg of the Fraud Triangle. Most insiders that turn against their organization are first time offenders without any criminal record, and they do not perceive themselves as criminals. Rather, they see themselves caught in bad circumstances that they are trying to resolve.
Therefore, the insider needs to explain the act to himself in a way that makes it acceptable or even justified. Common explanations are “I just borrowed the money,” “my family needs the money,” or “my employer is dishonest and deserves to be cheated.” As a result, the actual crime becomes a legitimate act of self-defense or self-preservation and not a crime.
The factors of the Fraud Triangle prepare the ground for an insider to act maliciously on his own account. The pressure is the reason for the act, the opportunity provides a possible solution and the rationalization justifies the act.
While these are the foundation mechanisms for the malicious act to happen, there are various other psychological and personality factors at play when the insider prepares and executes actions against his own employer, including sensitization, the “morning after” stage and stress spirals. In the next couple of posts, we will do a deep dive into the dark sides of the insider’s mind and look at how it evolves during and after an attack.
To learn more about how Vectra detects insider threats, register to download this white paper.
Oliver Brdiczka is an AI Architect at Adobe. He has led R&D teams and designed/build AI systems that understand and respond to human behavior, relying on data from various sensors and deployments.