An insider threat in information security is an event or person within the internal context of the organization whose direct or indirect impact could result in material or reputational damage.
Do standards help against insider threats?
There are a number of standards – ISO 27001 & NIST CSF, which aim to protect information through a holistic approach addressing a wide range of internal and external threats through security controls, but these should not be seen as providing absolute security, but only as aids and tools. Everything else depends on the people who implement, use and comply with them.
The individual in the context of information security and insider threats
In the field of information security, a well-known concept is launched that the human is the weakest link in information security. 95% of security breaches are the result of human error. People make mistakes. This is a fact, and to a large extent these errors are predictable, therefore can be controlled as a risk.
Conditionally we can distinguish two types of mistakes made by people – unintentional and intentional. The focus of this paper is on cases where there is a conscious and deliberate act by an insider that leads to a breach in information security, which violates the fundamental principles of information security, namely: confidentiality, integrity and availability.
Dark Triad Personality Traits and Insider Threats to Information Security
The Dark Triad is a psychological theory founded by Polhus and Williams in 2002 that unites three particularly negative non-pathological human personality types: Narcissism, Machiavellianism and Psychopathy. Unlike clinical psychology, which views them as personality disorders, Polhus and Williams view them as subclinical traits because a large proportion of society has them to a degree that cannot be accepted as clinical, but even at values lower than clinical but still high are predictors of counterproductive behaviors, many of which pose information security risks.
Narcissism
Trait narcissism is characterized by grandiosity, pride, selfishness, self-centeredness, and lack of empathy for others. This type of personality is particularly attractive in recruitment because they are top performers in 90% of cases (high performance confirms their personal status). They often rise without problem in the hierarchy, and as power and control become concentrated in them, the darker traits begin to come to the fore.
The narcissistic leader as an insider threat to information security
This type of leader tends to form a sycophantic attitude as they tend to appoint employees under them with questionable qualities who are susceptible to control, influence and a devoted deference to the narcissistic leader that reinforces his power and egocentrism.
A narcissistic leader is prone to revanchism towards the unruly and dissenting, which can escalate and lead to greater internal stress and social tension, making the organization more vulnerable to external attacks through social engineering.
The narcissistic leader is willing to take a greater risk that will garland them with additional glory, but if the risk taken results in losses, they tend to pass the buck to another.
A risk factor for narcissism is its positive correlation with extraversion, in which we have high social inclusion. In an attempt to highlight their contributions, status and achievements – narcissistic individuals tend to leak information and breach confidentiality by sharing more than necessary.
People with narcissistic traits have a pronounced sense of ownership and would not hesitate to hijack the customer base or source code of a project to which they have personally contributed when they leave the company.
Machiavellianism as an insider threat to information security
A dark line named after Niccolò Machiavelli based on his book The Ruler – 1532. Machiavellianism is characterized by manipulation, social engineering and exploitation of others, lack of morality, lack of emotions and a marked self-interest. Their actions and decisions are well calculated, taking into account their long-term goals. With this type of personality, personal prosperity and benefit come before those of the team and organization. They are prone to fraud, including shining a light on confidential information in order to compromise a person or organization, or for personal gain and advantage.
A person with such traits would work well when the company’s goals support their personal goals. Once they cease to have personal gain, they become an immediate threat to the organization because their goals and benefits are above all else, and they are willing to do anything to achieve them, including counterproductive behaviors that result in losses to the organization and/or a threat to information security.
Machiavellians tend to deliberately bypass security controls and established processes in order to avoid being caught red-handed, and good risk handling makes them a difficult threat to identify. This type of personality does not sit low in the hierarchy, but always climbs purposefully and reaches the highest positions, on their way tending to orchestrate intrigues and discord compromising their opponents.
Psychopathy
It is characterized by antisocial behavior, impulsivity, selfishness, insensitivity, and the search for strong sensations. Due to the lack of self-control and empathy, this type of personality is prone to persistent deviant behavior in a work context, and the lack of guilt contributes to a total degradation of interpersonal relationships and work ethic. In a study by Babiak (2010), it appears that the distribution of employees with such a trait is relatively rare (between 0.2% – 1%). Aaron Cohen (2016) adds that they not only get satisfaction from bullying others, but use this behavior as a tactic to achieve their own goals.
Psychopaths may bully as a means of distraction from a specific goal, which is not always material, it may be related to satisfying their basic psychological needs.
The impact of psychopathy in information security is through their counterproductive behaviors that affect the stress level in the organization. The higher the stress level, the greater the likelihood of unintentional errors – respectively, the possibility of illuminating confidential data is high.
How can we reduce the risk and impact of insider threats to information security?
By informing and educating employees involved in the selection and management of people about behaviors and traits to watch out for; educating them on how to identify how to work with them if these individuals are part of the organization so as to avoid information security risks. Such is our Cyber Security at Work training
Bibliography:
- Aaron Cohen, Are they among us? A conceptual framework of the relationship between the dark triad personality and counterproductive work behaviors (CWBs),Human Resource Management Review,Volume 26, Issue 1, 2016
- Diller, S.J., Czibor, A., Szabó, Z.P. et al. The positive connection between dark triad traits and leadership levels in self- and other-ratings. Leadersh Educ Personal Interdiscip J 3, 117-131 (2021). https://doi.org/10.1365/s42681-021-00025-6
- Machiavelli, Niccolò, 1469-1527. The Prince. Harmondsworth, Eng. ; New York, N.Y. :Penguin Books, 1981.
- Paul Babiak at al (2010), Corporate Psychopathy.