In the previous post, we examined the motivations and constraints that make an insider ‘malicious,’ and we saw that external and mental pressure, an opportunity to steal confidential information and rationalization of the potential theft are the factors that contribute to an insider turning against his employer.
While these three factors are necessary triggers for becoming malicious, there is much more going on in an insider’s mind before, during and after an attack. What are the mental stages that a ‘turning’ insider goes through? And what are potential indicators for each stage?
Analyzing the psychological underpinnings in an insider threat case is a very complex undertaking, particularly because there is very little evidence and publicly available data about insider threat incidents. David L. Charney wrote an interesting white paper providing insights into the true psychology of the insider spy.
Charney is a trained psychiatrist and had the opportunity to interview several highly ranked imprisoned US government insider spies including Robert Hanssen (FBI) and Brian Regan (Air Force). Based on his interactions with several insider spies, he developed a multiple life-stage model of the psychology of the insider spy.
It all starts with sensitization and stress
As we have seen, the Fraud Triangle theory focuses on the actual triggers that lay the ground for the insider to turn. In contrast, the multiple life-stage model described here considers a much longer timeline, including the period before, during and after an attack.
Similar to the Fraud Triangle, the multiple life-stage model starts off with sensitization and stress stages. Hurtful experiences in childhood may scar and sensitize, but do not necessarily lead to insider spying. Additional stressors in work and private life (e.g., IRS audit, divorce, demotion) that occur in a short timeframe (6-12 months) may develop into a stress spiral that, along with a deep sense of being underprivileged, may open an individual to certain “opportunities.” The actual decision to take action is made when the stress becomes unbearable either in professional or personal life, or both.
Beware of the personal bubble
As we have seen in the Fraud Triangle, when the rationalization of potential spying or theft kicks in, the insider creates a personal bubble within which everything makes perfect sense and the actions are clear and justified. A possible sense of inner failure in facing the climactic stress is denied and blame is projected outwards to colleagues, the workplace or even just life circumstances. The insider creates a plan of “paying back” within his personal bubble, where money problems are solved and pressures relieved through one simple, completely justified action.
At this stage, if a third party is involved in the insider spying or theft, little or no recruiting effort is needed because the insider reaches out and self-recruits in an effort to relieve his own inner pressure. The climax and decision typically occur within a short timeframe of 1-2 months.
Honeymoon and cold shower
Once the decision is made, the malicious insider enters the honeymoon phase. He feels relief by finally “paying back,” and potentially resolving financial pressures, family problems or similar. Everything makes perfect sense now within his personal bubble.
However, once the pressure is relieved, reality kicks in.
The personal bubble was created and decisions were made while the insider felt intense inner pressure. Once these pressures have been relieved, the reasoning that made complete sense earlier is suddenly hard to follow, and the insider is left with a shocking cold-shower sense of “What was I thinking?!”
As Charney describes it, the insider is now faced with two failures. First, he was not able to deal with his own life, which created enormous inner pressures. Second, he now finds himself stuck in a role of thief or traitor that he cannot resolve without losing his life’s achievements and facing punishment.
As far as his spying takes him
There is no way back for the malicious insider. As the decision to steal confidential information or spy on his organization is highly unacceptable and punishable by law, the insider, feeling remorse or not, has no way back to the old reality of a completely normal life. He will actively steal and spy for some time -- concealing his actions -- and he may enter into what is called a ‘dormancy stage’ where he is not active. Stages of dormancy and activity can alternate over a period of months to several years.
Most insiders who become malicious ultimately face remorse and fear, and the constant uncertainty of potentially being caught. So their ultimate arrest may be associated with high stress levels, but might also be a relief from this uncertainty. For some, the public revelation of their actions might constitute a demonstration of their technical abilities and sophistication. For others it’s another shameful point of failure in their life.
The final stage of punishment, which in most cases involves imprisonment, is often the first time for the insider to reflect on his own actions. He was previously torn between comparison to others, life pressures, and opportunities; isolation (physical, social, or both) will eliminate these distractions and provide a more realistic view into his own life, poor choices and consequences.
Oliver Brdiczka is an AI Architect at Adobe. He has led R&D teams and designed/built AI systems that understand and respond to human behavior, relying on data from various sensors and deployments.