As mentioned in my previous blog, the difference between the types of insider threats comes down to motivation. Analyzing the psychological underpinnings of an insider threat case is a complex undertaking because there is little evidence and scant public data about insider threat incidents. My undergraduate education was in behavioral science, and even though my professional career didn’t follow that path, I have always maintained a keen interest in understanding the relationship between motivation and action. David L. Charney wrote an interesting white paper, based on his research into cases including several infamous spies such as Robert P. Hanssen (FBI) and Brian P. Regan (U.S. Air Force), that gives insight into the true psychology of the insider spy.
The fraud triangle
The fraud triangle theory focuses on the triggers that lay the groundwork for the insider to turn. In contrast, the multiple life-stage model considers a much longer timeline, including the period before, during and after an attack.
Similar to the fraud triangle, the multiple life-stage model starts off with sensitization and stress stages. Hurtful experiences in childhood may scar and sensitize, but do not necessarily lead to insider spying.
Additional stressors in work and private life (e.g., IRS audit, divorce, demotion) that occur in a short timeframe (6-12 months) may develop into a stress spiral that, along with a deep sense of being underprivileged, may open an individual to certain opportunities. The actual decision to take action is made when the stress becomes unbearable in professional or personal life or both.
Beware of the personal bubble
In the fraud triangle—when the rationalization of potential spying or theft kicks in—the insider creates a personal bubble within which everything makes perfect sense and the actions are clear and justified. A possible sense of inner failure to face climactic stress is denied and blame is projected outwards to colleagues, the workplace or life circumstances.
The insider creates a plan of payback within the personal bubble, where money problems are solved and pressures are relieved through one simple, completely justified action.
At this stage, if a third party is involved in the insider spying or theft, little or no recruiting effort is needed because the insider reaches out and self-recruits in an effort to relieve the inner pressure. The climax and decision typically occur within a short timeframe of 1-2 months.
Honeymoon and a cold shower
Once the decision is made, the malicious insider enters the honeymoon phase where there is a feeling of relief and resolution of financial pressures, work stresses or family problems. Everything makes perfect sense now within the personal bubble.
However, once the pressure is relieved, reality kicks in.
The personal bubble was created and decisions were made while the insider felt intense inner pressure. Once these pressures are relieved, the reasoning that made complete sense earlier is suddenly hard to follow. The insider is left with a shocking cold-shower sense of “What was I thinking?!”
As Charney describes it, the insider is now faced with two failures. First is the inability to deal with life, which created enormous inner pressures. Second is being stuck in the role of a thief or traitor that cannot be resolved without losing life’s achievements and facing punishment.
No way out
There is no way back for the malicious insider. Because the decision to steal confidential information or spy on an organization is highly unacceptable and punishable by law, the insider—feeling remorse or not—has no way back to the old reality of a normal life.
Malicious insiders will actively steal and spy for some time—concealing their actions—and might enter what is called a dormancy stage, where there is no activity. Stages of dormancy and activity can alternate over a period of months to several years.
Most insiders who become malicious ultimately face remorse and fear, and the constant uncertainty of being caught. As a result, their ultimate arrest may be associated with high stress levels but might also bring relief from the uncertainty.
For some, the public revelation of their actions might constitute a demonstration of their technical abilities and sophistication. For others, it’s another shameful point of failure in life.
The final stage of punishment, which in most cases involves imprisonment, is often the first time they reflect on their actions. They were previously torn between comparison to others, life pressures, and opportunities; isolation—physical, social or both—will eliminate these distractions and provide a more realistic view into the insider’s life, poor choices and consequences.
Ultimately, it’s critical to understand the psychology of an insider threat if you’re going to be successful at catching them. I have yet to see a technology that can detect if someone is about to hit a tipping point based on stressors, but thankfully Vectra Cognito can detect if they are starting to act maliciously!
Joe Malenfant is the Vice President of Product Marketing at Vectra. Joe and his team are responsible for creating a differentiated position for Vectra’s solutions, providing clarity to prospects, customers, and partners. Joe has spent over 10 years driving innovation in cyber security including endpoint detection and response, industrial control systems (ICS), IoT, and network security. He has launched category-defining products from pure-play SaaS to hardware solutions for IT, IoT, and ICS environments. He regularly presents at industry conferences including RSA, Cisco Live, and IIoT World.
Prior to Vectra, he led marketing for Cisco’s Internet of Things business, a $1B portfolio spanning over 5 product segments including cloud, networking, and security. Prior to joining Cisco in 2014, he led product and solutions marketing for Lockheed Martin Commercial cyber security solutions through the acquisition of the ICS security company Industrial Defender. Joe holds an MBA from Johnson & Wales in Providence, RI and an undergraduate degree from Concordia University in Montreal, Canada.