
A Roadmap for Incorporating Positive Deterrence in Insider Risk Management

Andrew Moore

In the Wells Fargo cross-selling scandal of 2016, bank employees are reported to have created several million fraudulent savings and checking accounts in the name of Wells Fargo clients. While the initial blame fell on individual branch workers and managers, it later came out that high-level management had been pushing them to cross-sell, or sell multiple products to customers. A toxic sales culture gradually developed at Wells Fargo, where aggressive and unrealistic sales goals could make or break careers. These incentives pushed employees to open accounts customers did not want or even know about. Wells Fargo paid about $3 billion in fines and legal settlements for this fraud and suffered legal and reputational damage.

I work with a team of researchers in the SEI’s CERT Division who advocate a more holistic approach to addressing insider risk, one that incorporates positive deterrence to influence employee behavior. Positive deterrence is a set of evidence-based workforce practices promoting the mutual interests of employees and their organization in ways that reduce insider risk. This approach is based on more than two decades of experience in studying insider risk, a database of more than 3,000 cases, and a substantial scientific literature on organizational behavior. In this blog post, I discuss the importance of augmenting traditional insider threat controls with positive deterrence and a strategic roadmap developed at the CERT Division for incorporating positive deterrence in an insider risk management program (IRMP).

Positive Deterrence

To encourage employees to act in the best interests of the organization, IRMPs have typically relied on command-and-control strategies that pressure employees to act in the interests of the organization through extrinsic controls on their behavior, such as rules, policies, technical constraints, monitoring, and response. We have found, however, that excessive or exclusive reliance on command and control can reduce workforce goodwill and exacerbate the risk of insider-caused harm to an organization. In contrast, a positive-deterrence approach promotes internal behavioral drivers that motivate employees to wholeheartedly behave in ways that reduce insider risk.

Positive deterrence leverages workforce management practices to trigger intrinsic drivers rather than relying on external controls. Combined with command-and-control approaches, positive deterrence can reduce insider incident rates below what command and control achieves alone.

Positive deterrence practices can take three primary forms:

  • Organizational support is the extent to which the organization values employees’ contributions and cares about their well-being. Relevant practice areas include performance-based rewards and recognition, employee assistance programs, and fair employee grievance mediation and resolution.
  • Job engagement is the extent to which employees are excited by and absorbed in their work. Relevant practice areas include job crafting and strengths-based management.
  • Connectedness at work is the extent to which employees trust, feel close to, and want to interact with their co-workers. Relevant practice areas include team building and job rotation.

For insider risk management, such positive-deterrence practices defend against intentional insider acts by reducing employee frustration and disgruntlement, a common motivator of insider sabotage, theft, espionage, and other negative behaviors spurred by toxic management. This post focuses specifically on organizational support as perceived by the workforce, because that is where prior research provides the strongest evidence that significant benefits accrue. More recently we have advocated the use of bundling, described below, to incorporate positive deterrence in an IRMP. Bundling exploits complementarities between positive-deterrence and command-and-control activities, where an increase in one activity raises the marginal benefit of the others. I provide a few examples under the fourth practice in the next section.

5 Operational Practices for Incorporating Positive Deterrence in Insider Risk Management

The paper Reducing Insider Risk Through Positive Deterrence, which I coauthored with Carrie Gardner and Denise M. Rousseau, outlines five operational practices that help organizations incorporate positive deterrence into their IRMP. The figure below illustrates the roadmap for positive deterrence in insider risk management.

Figure 1: The roadmap illustrated above and detailed below can be adapted as needed. Ongoing assessment and refinement are essential to ensure effective implementation.

1. Build quality relationships with organizational stakeholders, including line managers and members of human resources (HR) teams. Organizations can promote stakeholder buy-in to insider risk management by advocating the value of positive deterrence for improved employee performance, higher retention, and less insider risk. Many aspects of positive deterrence overlap with the work of line managers and HR teams. Line managers need to work with HR practitioners to create the supportive work settings that make positive deterrence a reality.

Proactive threat management must be part of overall IRMP governance. The organization’s leadership should avoid tying the hands of the IRMP by restricting its scope to the command-and-control approach. IRMPs must advocate broader recognition of how company employment practices contribute to levels of insider risk. Taking on positive deterrence is not the expansion of scope it might first seem, but it does demand IRMP advocacy of supportive employment practices wherever insider risk exists. Such proactive threat management requires support and promotion from organizational leaders and other key stakeholders.

2. Work with stakeholders to identify and implement workforce management practices that increase perceived organizational support. An employee's positive perception of the organization and its practices reduces the risk of employee misbehavior. Here are some examples of workforce management practices that increase employee perceived organizational support (POS):

  • organizational justice (e.g., treating employees with dignity and compensating them equitably inside the organization and in line with industry standards)
  • performance-based rewards and recognition (e.g., using transparent criteria for promotions and other rewards, basing them on performance and other contributions)
  • honest and respectful communication (e.g., setting clear expectations and offering regular feedback and mentoring)
  • personal and professional support (e.g., offering employee assistance programs, promoting employee development, and empowering employees on the job)

Meta-analytic research provides substantial evidence that these aspects of POS reduce employees' counterproductive work behaviors and produce a variety of other beneficial outcomes: organizational commitment and trust, job satisfaction, and intention to stay with the organization. Social Exchange Theory holds that individuals reciprocate their employer's treatment of them, whether that treatment is perceived as good or bad. Positive reciprocity, which operates when employees have strong POS, occurs when employees act in the interests of the organization as repayment for favorable treatment or to establish an obligation for favorable treatment in the future. Negative reciprocity, on the other hand, involves employee misbehavior in response to perceived mistreatment when POS is lacking.

3. Regularly seek out and assess employee perspectives regarding the IRMP and the work environment, redesigning practices accordingly. Organizations benefit greatly from surveys and focus groups that keep them up to date on how employees feel about their working environment generally and IRMP practices specifically. Federal government organizations can take advantage of results from the annual Federal Employee Viewpoint Survey and then conduct more in-depth follow-on assessments to probe particular issues (e.g., POS or IRMP practices). Private organizations can leverage previously conducted employee climate and job satisfaction surveys in much the same way. Since even small pockets of problematic management practices or supervisory behaviors can increase insider risk, analyzing employee feedback requires drilling down into employees' negative responses regardless of how well the organization performed overall; a healthy organization-wide average can conceal a single team whose responses are uniformly poor.
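To show what that drill-down looks like in practice, here is an added Python example; it is not code from the original post or from the CERT paper. It takes a constructed set of survey responses scored on an assumed 1-to-7 POS agreement scale, reports the organization-wide mean, and then flags units and supervisor groups whose mean falls below an assumed threshold of 3.5. Groups with fewer than three responses are withheld, an assumption added here because reporting tiny groups would identify individual respondents and erode the trust the survey depends on. In the sample, the organization-wide mean comes out at a comfortable 5.0 while one supervisor's team averages 2.33, which is exactly the pocket the paragraph above warns about.

```python
"""Drill down on employee survey results to find pockets of low perceived
organizational support (POS) that an organization-wide average would hide.

Added example for this post; the responses below are constructed, not real
survey data, and the scale, threshold and minimum group size are assumptions.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample: (unit, supervisor, POS score on an assumed 1-7 scale).
# The org-wide mean is healthy, but sup-b's team is uniformly unhappy.
SAMPLE_RESPONSES = [
    ("engineering", "sup-a", 6), ("engineering", "sup-a", 7),
    ("engineering", "sup-a", 6), ("engineering", "sup-a", 5),
    ("engineering", "sup-b", 2), ("engineering", "sup-b", 3),
    ("engineering", "sup-b", 2),
    ("finance", "sup-c", 6), ("finance", "sup-c", 5), ("finance", "sup-c", 6),
    ("finance", "sup-d", 7), ("finance", "sup-d", 6), ("finance", "sup-d", 6),
    ("security", "sup-e", 5), ("security", "sup-e", 6), ("security", "sup-e", 6),
    ("security", "sup-f", 1),  # a lone response: too small a group to report
]

GROUP_FIELDS = {"unit": 0, "supervisor": 1}


def overall_pos(responses):
    """Organization-wide mean POS score (the number that hides the pockets)."""
    return mean(score for _, _, score in responses)


def pos_by_group(responses, key):
    """Mean POS and response count per group; key is 'unit' or 'supervisor'."""
    idx = GROUP_FIELDS[key]
    groups = defaultdict(list)
    for response in responses:
        groups[response[idx]].append(response[2])
    return {group: (mean(scores), len(scores)) for group, scores in groups.items()}


def flag_pockets(responses, threshold=3.5, min_group=3):
    """Return (level, group, mean, n) for groups whose mean POS is below
    threshold, checked at both unit and supervisor level.

    Groups with fewer than min_group responses are withheld (assumed cutoff):
    reporting them would de-anonymize individual respondents, which itself
    undermines the trust a climate survey depends on.
    """
    flagged = []
    for key in GROUP_FIELDS:
        for group, (avg, n) in pos_by_group(responses, key).items():
            if n >= min_group and avg < threshold:
                flagged.append((key, group, round(avg, 2), n))
    return flagged


if __name__ == "__main__":
    print(f"organization-wide POS: {overall_pos(SAMPLE_RESPONSES):.2f}")
    for level, group, avg, n in flag_pockets(SAMPLE_RESPONSES):
        print(f"low POS pocket: {level}={group} mean={avg} (n={n})")
```

Running the module prints the organization-wide mean and the flagged groups. The engineering unit as a whole averages about 4.4 and would pass a unit-level review; only the supervisor-level cut exposes sup-b's team. The scale, threshold and minimum group size should be taken from the organization's own survey instrument and anonymity policy rather than from the values assumed here.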

4. Bundle positive deterrence with command-and-control practices to balance organizational defense. Balanced defense bundles assemble command-and-control and positive-deterrence practices that work well together. Working well can mean that the advantages of practices in one area counter the disadvantages of practices in another. Research demonstrates that positive deterrence moderates the relationship between organizational power and the employee frustration that contributes to workplace deviance. In addition, evidence suggests that consistently implemented organizational controls, with clear messaging and supportive training, reinforce rather than undermine the positive relationship promoted by organizational support. Motivational focus theory can help identify the appropriate balance of prevention and promotion strategies at an individual or team level. Example balanced defense bundles include the following:

  • combining practices that empower employees with those that implement employee monitoring—Evidence suggests that employee empowerment can mitigate the dissatisfaction associated with monitoring.
  • bundling sanctions for rule violations with confidential grievance procedures to help ensure organizational justice—Evidence suggests that sticks alone, without carrots, go only so far in reducing insider risk and that giving employees a "voice" for their disagreements helps to defuse potentially volatile situations.
  • ensuring investigations consider disconfirming as well as confirming evidence to increase perceptions of fairness—Evidence suggests that if investigators think about both sides of an incident, they consider situational as well as individual factors, thus reducing confirmation bias and improving organizational justice.

These practices are not new for most organizations, but explicitly considering their combination in insider risk management is new. Importantly, associating IRMPs with the introduction of positive-deterrence practices into workforce management can increase employee goodwill toward both the IRMP and the organization.

5. Incentivize and train management to deliver positive-deterrence practices effectively. Positive-deterrence management practices require supervisor training to reinforce needed change in management behavior (e.g., supervisor supportiveness). An organization's management culture may need to shift to accommodate such behavioral changes. The best way to instill such change is to (1) align supervisors' goals and incentives with the practice's intent and (2) train supervisors on how to execute a new practice effectively. This process gradually helps supervisors internalize the values and beliefs that are consistent with new behaviors, promoting the required cultural change.

Future Work in Insider Risk

Bundled command-and-control approaches and positive deterrence methods should complement each other. Complementarity is created when different practices contribute to a common outcome, possibly through different psychological and social mechanisms. Evidence indicates that organizations exploiting complementarities provide a benefit to the organization that is "more than the sum of its parts."

While there is much research on complementarity in the organizational science literature, there is very little on the contribution of specific practices and even less directly related to cybersecurity or insider risk. I suggest that researchers conduct empirical studies on specific workforce management practices and balanced defense bundles, such as those described in this article, and propose others for reducing insider risk and improving organizational performance.

Practitioners may want to consider using this post's positive deterrence implementation roadmap, or individual practices from it, within their own organizations. Balanced defense bundles may serve as a starting point for thinking about what balance means in a given organization. Such an approach can help minimize both insider risk and employees' negative perceptions of command and control. It sends the workforce a message of advocacy and of commitment to employee well-being. Such a message is valuable to all employees, particularly those who are turned off by programs focused strictly on discovering insider wrongdoing. As a complement to command and control, positive deterrence creates a work environment that reinforces the bond between the organization and its workforce, contributing to the well-being of both.
