SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Stress Management and Mistake Minimization (Part 8 of 20: CERT Best Practices to Mitigate Insider Threats Series)


The eighth practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 8: Structure management and tasks to minimize insider stress and mistakes. In this post, I discuss the importance of understanding the psychology of your organization's workforce and how it can help its employees balance work pressures while maintaining an atmosphere that supports productivity and minimizes stress and mistakes.

The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The eighth of the 20 best practices follows.

Practice 8: Structure management and tasks to minimize insider stress and mistakes.

Work environments today have many pitfalls that can cause challenges for organizations and employees. For example, a team with an important deadline may not communicate properly with another team that is already planning a system outage for upgrades at the same time as the deadline, creating a conflict. Without good communication, the deadline could be missed in favor of another process that was not as urgent. These problems and the potential for errors often increase in multitasking and high-stress environments. Beyond increasing the risk of mistakes, high levels of stress in the workplace can foster a lack of trust among employees and increase the potential for retaliatory activity. Consistently prioritizing productivity above the workforce's culture and health can actually reduce both employee efficiency and organizational security.

Not all insider incidents are malicious--some are unintentional, caused by unfocused, stressed, and distracted employees. Other incidents, without malicious intent, can occur due to lack of security training for employees. We will address this topic in next week's blog post, Practice 9: Security Training and Awareness. With this in mind, organizations should strive to understand the psychology of their workforce and acknowledge that the demands placed on employees can sometimes conflict with one another. Organizations should strive to create a work environment that maximizes positive outcomes.

The following key challenges provide some insight:

Balancing stress level with productivity. Organizations find it challenging to either measure or determine an acceptable level of stress for employees while also achieving desired productivity goals.

Baselining employee productivity. Not only is it difficult to measure employee stress, but it's hard to determine when employees bypass important steps to get a job done. Organizations should encourage employees to prioritize organizational values above shortcuts and recognize them when they do.

Getting a return on investment. Organizations must understand that ignoring stressors to achieve desired outcomes can increase the risk of an insider event.

How can an organization foster a work environment that maximizes positive outcomes? Here are some sample quick wins and high-impact solutions:

  1. Establish a work culture that measures success based on appropriate metrics for the work environment. For instance, some organizations might primarily measure success based on outcomes and impact rather than employee attendance.
  2. Establish a culture that encourages employees to develop a plan and execute projects, actions, and statements before committing to them; the organization should be willing and able to adjust plans and schedules when multiple goals may be in conflict.
  3. Offer employees opportunities to de-stress, such as taking paid time off and using Employee Assistance Programs (EAPs). Encouraging social connections with co-workers can also help alleviate stress.
  4. Monitor employee workloads to ensure that they are commensurate with the employee's skills and available organizational resources; intervene before expectations become excessive.

Creating a lasting culture that expects realistic workloads and deadlines, respects employees, and intervenes to reduce pressures and stress can mitigate unnecessary mistakes and increase operational security.

Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats and the SEI technical report The Critical Role of Positive Incentives for Reducing Insider Threat for a comprehensive understanding of the issues and recommendations mentioned in this post.

Check back next week to read Practice 9: Security Training and Awareness, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.

For more information about the CERT Insider Threat Center, see www.cert.org/insider-threat, or contact info@sei.cmu.edu.

View other blog posts by Samuel J. Perl.