Insider threat security professionals have a new, proven best practice which not only helps to deter and mitigate insider threats, but also leads to a happier workforce: positive deterrence. Timm Davis, an intelligence analyst on Concentric’s corporate intelligence team, who also focuses on insider threat activities as part of his portfolio, examined this approach and details his findings in this article.
Traditional deterrence methods, often referred to as the “command-and-control approach,” pressure employees to act in the interest of the organization through strict rules, regulations, constraints, monitoring, and punishment. Yet recent studies show exclusive reliance on command-and-control may lead to unintended consequences, such as:
- Infringement of employee privacy rights and civil liberties,
- Erosion of employee goodwill,
- Reduced trust in leadership,
- Lower retention of good employees, and
- A confrontational workplace.
Positive deterrence, however, is proactive: it reduces the frequency of insider incidents before they occur and creates a protective, supportive work culture which complements traditional deterrence methods and reinforces the bond between the organization and its employees, ultimately benefiting both.
- In a 2022 report which surveyed 300 U.S. security and compliance professionals, Microsoft concluded positive organizational support addresses the root cause of insider risk: employees who are negligent with data or who deliberately take steps to exfiltrate or leak data inappropriately.
- In a 2021 survey of over 70 insider risk management practitioners, the Carnegie Mellon Security and Privacy Institute determined the majority of insider incidents are perpetrated by employees who were once loyal to the organization but were likely negatively influenced by personal or professional stressors. They concluded positive deterrence helps to align the organization and employee perspectives, which can reduce work and life stressors, and disincentivize insider misbehaviors.
- The Cybersecurity and Infrastructure Security Agency’s 2020 Annual Report states positive incentives complement traditional practices by deterring insider misbehavior through extrinsic (e.g., rewards and recognition) or intrinsic (e.g., a sense of commitment to the mission, organization, and coworkers) incentives, which leads to fewer negative consequences than the “command-and-control approach” alone.
In short, if an individual is enticed to act in the interest of the organization, the baseline risk of insider threat is significantly reduced.
Implementing Positive Deterrence
Positive deterrence can be implemented as part of your existing insider threat program, or as a cornerstone of a budding program, through:
- Job Engagement. The organization should invest in strength-based management and professional development so employees become excited and absorbed in their work.
- Perceived Organizational Support. In an effort to show employees their contributions are valued, organizations should institute programs which promote flexibility, work/life balance, workforce member assistance, fair compensation, and constructive supervision.
- Connectedness. Team building and job rotation practices help to improve an employee’s sense of connection, trust, and respect with their co-workers, managers, and the organization.
These methods not only reduce the baseline risk of insider threats, they also increase employees’ positive feelings and attitudes, which leads to happier coworkers and improvements in overall job performance. Positive deterrence is a win-win, and in the coming years it will almost certainly prove to be the foundation of successful insider threat programs in all industries.
Author: Timothy Davis, Concentric’s Intelligence Analyst for Global Intelligence