Posted in Human-Machine Interactions
by Andrew P. Moore
CERT Insider Threat Center
In the 2016 Cyber Security Intelligence Index, IBM found that 60 percent of all cyber attacks were carried out by insiders. One reason that insider threat remains so problematic is that organizations typically respond to these threats with negative technical incentives, such as practices that monitor employee behavior, detect and punish misbehavior, and otherwise try to force employees to act in the best interest of the organization. In contrast, this blog post highlights results from our recent research suggesting that organizations need to take a more holistic approach to mitigating insider threat: one that incorporates human involvement. In particular, positive incentives can produce better balance and security for organizations by complementing the traditional practices of insider threat programs. This post also presents three practices for increasing positive incentives that organizations can use to reduce insider threat.
In a recent column for CSO, Brian Contos wrote "technology alone cannot help mitigate the insider threat; human involvement is critical to helping identify and reduce the risk of this threat." Likewise, our research has found that positive incentives can complement traditional practices by encouraging employees to act in the best interests of the organization, either extrinsically (e.g., through rewards and recognition) or intrinsically (by fostering a sense of commitment to the organization, the work, and their co-workers). Instead of focusing solely on ensuring that employees don't misbehave, positive incentives create a work environment in which employees are internally driven to make only positive contributions to the organization.
Over the past twelve months, we have sought to determine whether positive incentives can deter insider misbehavior from the outset of the employee-organization relationship with fewer negative consequences than traditional practices alone. We began this research by reviewing the existing literature in the field and identifying three areas in which an organization can positively align an employee's interests with the organization's interests: job engagement, connectedness with co-workers, and perceived organizational support.
As described in our recent technical report, there has already been extensive research in these areas that demonstrates their value in terms of employee satisfaction, commitment, performance, and retention.
We began by analyzing several high-profile insider incidents for levels of job engagement, co-worker connectedness, and perceived organizational support. Through our analysis, we found that perceived organizational support was more important than job engagement and connectedness at work with regard to reducing the threat. As a result of this analysis, we focused on organizational support in our survey research.
Conducting a Survey
We began by developing a survey to gain a better understanding of what types of organizational management practices affect the frequency of cyber-related workplace theft and sabotage. We conducted the survey with members of the Open Source Insider Threat Information Sharing Group (OSIT), a group responsible for establishing insider threat programs in organizations. The group's membership is growing because of an Executive Order requiring organizations that handle classified information to establish an insider threat program. At present, there are approximately 100 organizations that are members of OSIT.
Our survey sought to understand relationships between positive incentives and reduction of threat. We received 23 responses to our survey. The results suggested that as positive employee attitudes related to organizational supportiveness increase, insider threat decreases.
One surprising aspect of our survey was that employee perceptions of organizational justice (i.e., whether they are treated fairly in terms of promotions, raises, and equal opportunities) are the cause of a lot of disgruntlement. However, organizational support, which is a broader umbrella, was found to be more important. One plausible conclusion to draw from this observation is that breadth of coverage across the various aspects of perceived organizational support matters more than in-depth coverage of any one aspect, at least as far as organizational justice is concerned.
Three Positive-Incentive Practice Areas to Mitigate Insider Threat
To identify strategies for organizations to incorporate positive incentives for reducing insider threat, we first approached the SEI's Human Resources Department, led by Daniel Bauer, and the SEI's Organizational Effectiveness Group (OEG), led by Ellie Monaco. We also collaborated with Denise Rousseau, an organizational psychologist at Carnegie Mellon University's Heinz College, and Palma Buttles-Valdez, special projects manager in the SEI's Office of the CTO, and relied heavily on the established theory of perceived organizational support. We worked together to identify practices organizations can adopt to positively incentivize their employees and improve overall organizational culture:
A key concept in Social Exchange Theory is the norm of reciprocity, which has both a positive and negative form. Positive reciprocity involves the actions of employees in the interests of the organization as a form of repayment (or obligation created) for favorable treatment by the organization. Negative reciprocity involves misbehaviors of employees performed because of perceived mistreatment.
Perceived organizational support can be encouraged through organizational justice, adequate rewards and recognition, effective communication, supporting management, and effective working conditions. As shown in the figure below, organizational justice involves the following components:
Today, the workforce employed by organizations in the United States commonly includes individuals who were born and reared outside the city, state, and region of the organization's location, as well as outside the United States. According to the Bureau of Labor Statistics, in 2014, 16.6 percent of those employed (16 years old and over) were born outside of the United States. A large percentage, 30.7 percent, of those were employed in the fields of management, professional, and related occupations.
The cultural diversity of the workforce has created organizations that can be described as culturally heterogeneous. This cultural heterogeneity may require organizations to consider the cultural composition of their workforce and the culturally relevant motivators that encourage employees to act in a way consistent with the organization's interests. For example, cultural variations in communication, concepts of time, and the degree of individualism or collectivism adopted from employees' birth countries may directly affect how individuals and groups consume and interpret workforce management practices.
Wrapping Up and Looking Ahead
This blog posting is excerpted from our recently published technical report "The Critical Role of Positive Incentives for Reducing Insider Threat." This work raises many questions about how an insider threat program can or should incorporate positive incentives that improve employees' perceptions of organizational support. Our research established a connection between positive employee attitudes regarding organizational support and the frequency of cyber-related insider misbehavior for organizations. More research is needed, however, to identify and develop business-to-employee and human resource system technologies that promote employees' sense of organizational supportiveness, and demonstrate their use by organizational managers and their direct reports.
We also want to work with individual organizations to demonstrate the efficacy of positive-incentive-based practices and technologies in organizational pilots, and to identify the mix of positive and negative incentives that results in a net positive for both the employee and the organization. We believe that a balanced approach can mitigate the negative unintended consequences associated with using negative incentives alone (see "Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls"), so that insider threat programs become as much an advocate for employees as a monitor for illicit behaviors.
We are interested in working with other organizations on this upcoming phase of our work. If you would like to work with us on these topics, please send an email to firstname.lastname@example.org.
Read the SEI technical report "The Critical Role of Positive Incentives for Reducing Insider Threat" that I coauthored with Jeff Savinda, Elizabeth A. Monaco, Jamie L. Moyes, Denise M. Rousseau (Carnegie Mellon University), Samuel J. Perl, Jennifer Cowley, Matthew L. Collins, Tracy Cassidy, Nathan VanHoudnos, Palma Buttles-Valdez, Daniel Bauer, and Allison Parshall.
Read the SEI white paper "Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls" that I coauthored with William E. Novak, Matthew L. Collins, Randall F. Trzeciak, and Michael C. Theis.