CISOs should hire behavioural psychologists to beat the insider threat

News by Doug Drinkwater

Two information security consultants believe that the much-publicised insider threat - where a company employee leaks data intentionally or unconsciously - could be countered by building employee loyalty and hiring behavioural psychologists.

The experts – unnamed under the Chatham House rule, and both previously holding roles in UK government – told a conference on financial services at JPMorgan offices in London on Wednesday that the employee remains a potent threat as far as cyber-crime is concerned, and is unlikely to be overcome with existing methodologies.

Citing 120 independent studies carried out in 2013, one of the experts detailed how the insider threat is often assumed to be a contractor or another third-party. The studies indicated that 88 percent of leakers are permanent employees with 45 percent holding management positions. Approximately 47 percent of rogue employees do it for financial gain, with another 20 percent doing so because it fits their ideology. According to the research, 82 percent of insiders are men.

The spokesman added that motivation can be hard to pinpoint but said that most leakers – including the likes of Edward Snowden and Aldrich Ames, a former CIA officer who spied for the Soviet Union and Russia – were narcissists.

He said that companies must find ways to test an employee's loyalty to a company and said that managing employees properly would remove most risks around data leakage.

“If there is a transactional relationship between a person and employee, that person's loyalty is quite easy to subvert – it's not that difficult. A lot of the insider threats we've seen don't want to make money, they either resent the company in some way or they are being mismanaged.”

He added: “What kind of deal you have with your employees...that's something that's going to be discussed in a much wider debate.”

Meanwhile, another spokesman said that cyber-crime is more than just a technical issue affecting computers, data, hardware, software and networks; it is also to do with ‘human issues’ shaped by our use of the web.

“This isn't just a technical issue. A huge amount of our problems relate to human issues and, as far as I am concerned, understanding on how people perform in cyber space is rudimentary.”

He added that cyber-criminals ‘perhaps have the best anecdotal understanding’ of how people work in cyber-space – even if this is confined to the observation that people will carelessly click on web links – and urged CISOs and other IT security managers to think outside the box.

“IT security is designed around machines not people – passwords are the building block of IT security...and that basic building fundamentally doesn't work; you can't help but repeat them or write them down. From a basic human behaviour thing, it's just useless.

“Get someone who knows about behaviouralism and evolutionary psychologists,” he said, before adding on the need for incident response management: “Exercise, exercise and exercise it when it's not happening, when it's not live.”

Insider threat is still recognised as the number one threat to an organisation, according to the Internet Organised Crime Threat Assessment (iOCTA) study from the European Cybercrime Centre (EC3).

This event was held under the Chatham House rule.
