Three Practice Areas for Using Positive Incentives to Reduce Insider Threat
In the 2016 Cyber Security Intelligence Index, IBM found that 60 percent of all cyber attacks were carried out by insiders. One reason that insider threat remains so problematic is that organizations typically respond to these threats with negative technical incentives, such as practices that monitor employee behavior, detect and punish misbehavior, and otherwise try to force employees to act in the best interest of the organization. In contrast, this blog post highlights results from our recent research that suggests organizations need to take a more holistic approach to mitigating insider threat: one that incorporates human involvement. In particular, positive incentives can produce better balance and security for organizations by complementing traditional practices to insider threat programs. This post also presents three practices to increase positive incentives that organizations can use to reduce insider threat.
In a recent column for CSO Brian Contos wrote "technology alone cannot help mitigate the insider threat; human involvement is critical to helping identify and reduce the risk of this threat." Likewise, our research has found that positive incentives can complement traditional practices by encouraging employees to act in the best interests of the organization, either extrinsically (e.g., through rewards and recognition), or intrinsically (by fostering a sense of commitment to the organization, the work, and the co-workers). Instead of solely focusing on ensuring that employees don't misbehave, positive incentives create a work environment where employees are internally driven to make only positive contributions to the organization.
Over the twelve months, we have sought to determine whether positive incentives can deter insider misbehavior from the outset of the employee-organization relationship with fewer negative consequences than traditional practices alone. We initially began this research by reviewing existing literature in the field and determining three areas in which an organization can positively align an employee's interests with the organization's interests:
- Job engagement involves the extent to which employees are excited by and absorbed in their work.
- Perceived organizational support involves the extent to which employees believe their organization values their contributions, cares about their well-being, supports their socio-emotional needs, and treats them fairly.
- Connectedness at work involves the extent to which employees trust, feel close to, and want to interact with coworkers. For example, practices involving team building and job rotation can boost employees' sense of interpersonal connectedness.
As described in our recent technical report, there has already been extensive research in these areas that demonstrate their value in terms of employee satisfaction, commitment, performance, and retention.
We began by analyzing several high-profile insider incidents for levels of job engagement, co-worker connectedness, and perceived organizational support. Through our analysis, we found that perceived organizational support was more important than job engagement and connectedness at work with regard to reducing the threat. As a result of this analysis, we focused on organizational support in our survey research.
Conducting a Survey
We began by developing a survey to gain a better understanding of what types of organizational management practices affect the frequency of cyber-related workplace theft and sabotage. We conducted the survey with members of the Open Source Insider Threat Information Sharing Group (OSIT), a group responsible for establishing insider threat programs in organizations. The group's membership is growing because of an Executive Order requiring organizations that handle classified information to establish an insider threat program. At present, there are approximately 100 organizations that are members of OSIT.
Our survey sought to understand relationships between positive incentives and reduction of threat. We received 23 responses to our survey. The results suggested that as positive employee attitudes related to organizational supportiveness increase, insider threat decreases.
One surprising aspect of our survey was that employee perceptions of organizational justice (i.e., whether they are treated fairly in terms of promotions, raises, and equal opportunities) is the cause of a lot of disgruntlement. However, organizational support, which is a bigger umbrella, was found to be more important. One plausible conclusion to draw from this observation is that breadth of coverage across various aspects of perceived organizational support is more important than in-depth coverage--at least as it relates to organizational justice.
Three Positive-Incentive Practice Areas to Mitigate Insider Threat
To identify strategies for organizations to incorporate positive incentives for reducing insider threat, we first approached the SEI's Human Resources Department, led by Daniel Bauer, and the SEI's Organizational Effectiveness Group (OEG), led by Ellie Monaco. We also collaborated with Denise Rousseau, an organizational psychologist at Carnegie Mellon University's Heinz College, Palma Buttles-Valdez, special projects manager in the SEI's Office of the CTO, and heavily relied on the established theory of perceived organizational support. We worked together to identify practices organizations can adopt to positively incentivize their employees and improve overall organizational culture:
- Hiring the right staff. Establishing and maintaining the right workforce is a precondition of using positive incentive-based practices to help align employee and organizational interests. Congruence of values among employees and the organization inherently promotes perceptions of organizational support. While background checks and reference checks are common practices, some organizations may decide to conduct personality or background tests to approximate a candidate's values as a screening mechanism in the hiring process. For federal government organizations, government-sponsored labs, and contractors, the ability to obtain a security clearance involving extensive background checks may also be a condition of employment.
Factors involved in hiring the right staff are detailed in the figure below:
- Perceived organizational support. Perceived organizational support (POS) involves the extent to which employees believe their organization values their contributions, cares about their well-being, supports their socio-emotional needs, and treats them fairly. A foundation of POS is Social Exchange Theory, in which individuals interact with others and invest in relationships in a way that maximally benefits themselves.
A key concept in Social Exchange Theory is the norm of reciprocity, which has both a positive and negative form. Positive reciprocity involves the actions of employees in the interests of the organization as a form of repayment (or obligation created) for favorable treatment by the organization. Negative reciprocity involves misbehaviors of employees performed because of perceived mistreatment.
Perceived organizational support can be encouraged through organizational justice, adequate rewards and recognition, effective communication, supporting management, and effective working conditions. As shown in the figure below, organizational justice involves the following components:
- Distributive justice. Staff feel the distribution of resources with the organization is fair.
- Procedural justice. Staff feel the processes and procedures in the organization are fair.
- Interactional justice. Staff feel the quality of their treatment is respectful and informative.
- Sociocultural considerations. Sociocultural considerations at the individual, group, and organizational levels are also pertinent to the successful adoption of positive incentives that reduce insider threat. They are important, in part, due to the diverse cultural backgrounds of the individuals employed by organizations, as well as the culture and subcultures of the organization and its sub units.
Today, the workforce employed by organizations in the United States commonly includes individuals who were born and reared outside the city, state, and region of the organization's location, as well as outside the United States. According to the Bureau of Labor Statistics, in 2014, 16.6 percent of those employed (16 years old and over) were born outside of the United States. A large percentage, 30.7 percent, of those were employed in the fields of management, professional, and related occupations.
The cultural diversity of the workforce has created organizations that can be described as being culturally heterogeneous. This cultural heterogeneity may require organizations to consider the cultural composition of the workforce and the culturally relevant motivators that encourage employees to act in a way consistent with their interest. For example, cultural variations in communication, concepts in time, and degree of individualism and collectivism adopted from their birth countries may directly impact how individuals and groups consume and interpret workforce management practices.
Wrapping Up and Looking Ahead
This blog posting is excerpted from our recently published technical report "The Critical Role of Positive Incentives for Reducing Insider Threat." This work raises many questions about how an insider threat program can or should incorporate positive incentives that improve employees' perceptions of organizational support. Our research established a connection between positive employee attitudes regarding organizational support and the frequency of cyber-related insider misbehavior for organizations. More research is needed, however, to identify and develop business-to-employee and human resource system technologies that promote employees' sense of organizational supportiveness, and demonstrate their use by organizational managers and their direct reports.
We also want to work with individual organizations to demonstrate the efficacy of positive-incentive-based practices and technologies in organization pilots, and identify the mix of positive and negative incentives that result in a net positive for both the employee and the organization. We believe that a balanced approach can mitigate negative unintended consequences associated with using negative incentives alone (See "Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls") so that insider threat programs become as much an advocate for employees as a monitor for illicit behaviors.
We are interested in working with other organizations on this upcoming phase of our work. If you would like to work with us on these topics, please send an email to email@example.com.
Read the SEI technical report "The Critical Role of Positive Incentives for Reducing Insider Threat" that I coauthored with, Jeff Savinda, Elizabeth A. Monaco, Jamie L. Moyes, Denise M. Rousseau (Carnegie Mellon University), Samuel J. Perl, Jennifer Cowley, Matthew L. Collins, Tracy Cassidy, Nathan VanHoudnos, Palma Buttles-Valdez, Daniel Bauer, and Allison Parshall.
Read the SEI white paper "Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls" that I coauthored with William E. Novak, Matthew L. Collins, Randall F. Trzeciak, and Michael C. Theis.