Cyber Security.
Some thoughts on "Insider" threats.

Many factors can cause cyber security to fail or to be overcome by dedicated planners with bad intentions. The “insider threat” is real and a study of personal values systems and behavioural motivations of employees can help identify trigger points that can lead to bad outcomes when dedicated opponents attack the "insider organizational structure" by targeting the personal values system of the insider.

There is much literature about the values of dedicated opponents – those that try to subvert people identified as insiders. These “bad actors” are mostly typified as having either governmental (political) motivations or non-governmental (often organized crime) motivations; but there are significant numbers of other threats to cyber-security. Sometimes it comes from groups with oppositional values to the target organization. It could be "sneaky business" - as simple as commercial espionage.

But in a smaller number of instances it may even come from “quasi-values” cultures from the extreme left and right wings of mainstream politics - not looking for power as much as they are attempting to maim or destroy something the organization represents to them.

Religious beliefs can be another values trigger – classified as a moral crusade or movement - to disable the organization that has different values than the insider.

Another reason may stem from a loss of faith/trust in their organization by the member of staff or employee, who then feels it is an ethical duty to expose sensitive data to non-authorized people – a much more personal, rather than ideological, reason.

But there may be another reason to be concerned about insider threats – call it “unintentional” – and it has been identified as the major cause of many everyday breaches of cyber security.

This comes in line with a lot of work CDSM is doing now with organizational auditing and organizational cultures, and the huge failure of traditional organizations to satisfy the values-driven needs of their staff and employees.

There are multiple personal factors that lead people to be lax in protecting corporate resources held on corporate communications systems. For example, they fail to adhere to basic security procedures prescribed by their own systems administrators and security providers, such as warnings against leaving passwords open for others to see or easily access, using corporate material on home systems, or casual use of thumb drives that can be compromised by third parties.

Though it can be comparatively easy to track down the source of many breaches of cyber security to specific people, it is often the case that there is a high degree of unintentionality in the breach. Appropriate procedures weren’t followed, despite the fact that the person creating the breach was cognizant of the proper procedures, but just couldn’t be bothered to follow them.

For cybersecurity professionals and managers the question that keeps recurring is “Why?”

In answering the question, many factors about the person’s mindset need to be part of the answer. Primary amongst these are those aspects of the mindset created by today’s highly connected personal environment outside of work, and also the often contrary demands of the work cultures in which they spend much of their waking hours. These factors often operate below consciousness, as part of the subconscious world of values and emotions.

A better question might be framed as, “If security breaches are unintentional, what was the motivation for the negligent behaviour?” In other words, what was happening in the personal values environment that was more relevant than the corporate values environment?

This approach to cybersecurity is richer and more nuanced in explanation, and potentially much more useful in preventing future breaches, because if the subconscious triggers that lead to the laxity in corporate procedures can be identified then systems can be devised to prevent similar situations.


To successfully provide a background for creating better security systems that include the human values system, CDSM constantly scans the cultural environment through active search of academic databases and papers, media scanning and original research at both national levels and client-specific areas of inquiry.

We are currently looking at this in a variety of ways – e.g. the gig economy; increased automation of knowledge work; the increasing use of mobile communications; the changing nature of personal connection in the world of Facebook and other platforms of connection; and the increasing numbers of people who say they are lonely in this world of unprecedented interconnectivity.

All of this is being examined in terms of the Maslow Groups & Values Modes and the likely impact of the tensions between the values groups; likely future impacts on organizational structures; and micro working situations – along with the development of more values-congruent working conditions. The use of our data enables us to identify and measure those who pose a threat, and those whose values systems need to be integral to success.

Below is a quick overview of some of our views, based on just one of CDSM’s work values trends and the implications for the understanding of unintentional actions leading to insider threat.

Unintentional but Inevitable

Careless – a symptom of being disengaged from organizational culture and the communications generated by centralized departments.

Military and governmental organizations (public service based for the most part) shouldn’t have as great a problem as commercial organizations or NGOs.


But there is increasing use of outsourcing in all organizations, including military and intelligence services, and the work role is becoming more transactional and less relational. Because of the nature of outsourcing and limited time contracts replacing traditional work contracts – a factor very likely to increase in the coming years – the potential for carelessness increases as a factor in the nature of cyber threats.

Insiders may no longer feel themselves to be insiders.

Recent figures show that 37% of working people in North America are part of the gig economy – from zero hours minimum wage contracts (or below) to highly paid experts working on fixed term contracts, rather than being directly and exclusively employed by a single employer. This figure is expected to rise to over 50% of the workforce by 2027.

This is a relatively new form of employment. The same source estimated the beginning of the gig economy as only nine years ago (2009/10). From our investigations of satisfaction of work-related needs – measuring a range of factors like teamwork, autonomy, preciseness of process, corporate reputation, etc. – we have found that, of the 31 factors we measure, no single factor scores more than 50% satisfaction – i.e. most employees measured either "go along to get along" with work practices, or actively reject factors deemed important by others in the culture but not by themselves. Gallup measures similar factors and records similar percentages of passive acceptance or outright dissatisfaction.

The extensive “disengagement” of employees from their own work culture is a reflection of misalignment between employees’ personal values and the working environment – a form of alienation (not concerned about many aspects of work) at best and anomie (a complete loss of identification with corporate values and work culture) in extreme circumstances.


The problems generated by these statistics are only now beginning to be addressed by boards searching for greater productivity. Alienated staff and employees are unlikely to be “resilient” and “agile”, or “innovative” and “self-reflective” – all virtues sought by top management in the largest organizations in the world.

40% of employees report a feeling of loneliness at work – this is a manifestation of the alienation resulting from much of the corporate culture that employees inhabit. Other research shows that this loneliness/alienation further manifests itself in dysfunctional behaviour.

In SETTLERS this is likely to be resistance to change and a desire to work with people more like themselves (a need to feel belonging) – a rejection of the innovation and diversity so prized by the PIONEERS. If cybersecurity measures are perceived as “coming from them” (not “us”), they are likely to be subconsciously devalued – not worth the time to think about – and although they know the instructions for protection exist, they are not really important to “people like us”. Carelessness motivated by care-less.

In PROSPECTORS the behaviour and attitudes are more likely to be pragmatic and actively antagonistic – trolling and denigrating both old and new objectives and targets; inappropriate behaviour to attract the attention of others who feel “left behind”, or “left out” – which, as we’ve noted, is most of us in work at any one time. As there are many more PROSPECTORS in work than SETTLERS, the work place environment is likely to feel more hostile than dull; more aggressive than passive. In other words, an environment conducive to rejecting policies and messages that call for cyber-safety and security behaviours, because they are the enemy of good and easy working conditions; they are the “thought police”; they are those who think they are “better than us and treating us like children”. This is quite different from the passive carelessness that is often exhibited by SETTLERS. Here, careless is a result of caring more about personal satisfaction at work than about adhering to corporate policies.

PIONEERS are likely to become careless when the organization’s policies and procedures fail to provide a “sense of purpose” in their work. In traditional companies (post WW2 until about the end of the 20th Century) contracts were assured and mostly open ended – finishing on retirement, or when the company moved, or when the employee chose to leave the company. There was a sense of fulfilment when projects were finished, or targets achieved and new objectives were set on an annual basis – all with the long-term viability of the organization assumed to be the goal of all involved.

With the new economic conditions and increasing automation of “knowledge workers” – those more likely to be PIONEERS – the future is seen as chaotic, with little chance to easily see a higher/wider purpose in the work environment. Though PIONEERS are the most self-starting – taking responsibility for their own futures – they are not always confident that the leaders of their organizations will guide them in a manner that leads to a higher purpose. This disengagement from their personal needs can lead to carelessness about behaviours that deeply impact the organization, like cyber security. Careless is not so much a lack of caring – rather it’s having no purpose to care about.

Each of the three main values groups reacts differently to corporate cybersecurity measures – which can be measured in relation to their “engagement” or “un-engagement” with corporate values. (Note that this is NOT the same as the much-vaunted “alignment” of values.)

By identifying corporate values and communications through an audit of all employees’ personal values and seeking responses to the range of 31 factors we measure, any organization can pinpoint what “is not right” and have the tools to potentially fix the issues relatively simply. But the solutions are unlikely to be “one size fits all”!

Below is an example of how personal values-based disengagement can facilitate “bad actor” cyber security breaches.


Careless enabled behaviour - Spoofing – a systemic effect of being disengaged from organizational culture and the security focused communications generated by centralized departments.

Unengaged employees are more likely to be spoofed by active subversion tactics from third parties than highly engaged staff. Going through the motions and getting through the day as a prime motivation at work is not likely to create a culture that places cyber security as a priority.

Skilled spoofers can appeal to the personal values of employees to make their illegitimate forays into corporate MIS systems. SETTLERS can be spoofed by someone pretending to be from their own company – ideally a higher-ranking member of staff. This person, perceived to be of higher status in the hierarchy, is the type of person that a SETTLER feels has the moral authority to order them to “bend the rules” – to further achieve the aims of the company.

PROSPECTORS can be spoofed by an appeal based on a similar type of person, but further appealing to the recipient’s good nature in helping them “get out of a little jam”, or a boss that needs something that they can’t get themselves, or something “really important and time delimited”. This form of quid pro quo contributes to the PROSPECTOR’s sense of self-identity.

The PIONEERS can be spoofed as well, just in a different way. Here the activity may be a bit more complex and take a bit more time, but the appeal could be based on trust. A trusted confidant “grooms” them until the spoofer is ready to ask for the next step. The PIONEER would be susceptible to this type of appeal – even more so if they are feeling “purposeless” and open to changes in their life.

Each of the unengaged groups was successfully “made” to be careless through the use of their personal values to subvert organizational values and policies.

Through understanding the values environment of employees, boards and policy makers can develop corporate values-based policies and procedures that prevent “disengagement” and create the conditions for engagement, to the extent that following the policies “makes sense” and, because they make sense, they are easy to follow.

Easy to do, difficult to do without values research being part of the mix.

Call us and let’s start a dialog that will improve your organization's cyber-security! Our contact details are below.