Understanding psychology of insider threats could stop the next one

Monday - 4/28/2014, 5:40pm EDT

Dr. Michael Gelles, Director, Deloitte Consulting LLP

By Sean McCalley
Federal News Radio

(Correction: The Deloitte report mentioned in this story was published in March 2012. A previous version incorrectly stated the report is new.)

When an Energy Department contractor found himself swimming in debt, he hatched a plan to make a secondary income and pay his bills: Try to sell uranium equipment used to build atomic weapons. The sensitivity of his position allowed access to the materials, which he stole and marketed to foreign government agents for $200,000.

Through interviews and record analysis, the FBI and DoE set up a sting operation to catch the contractor at the point of sale. Roy Oakley made off with a six-year prison sentence and the notorious honor as a DoE "Spy of the Month."

Oakley's attempt was foiled, but others still manage to get away.

From a number of recent shootings at military bases to the infamous leaks by former contractor Edward Snowden, the federal government struggles to mitigate insider threats.

"In many instances, whether it's violence or the exploitation of some type of information, an individual has access, has a particular crisis and has a disposition to [attack]," said Dr. Michael Gelles, former chief psychologist for the Naval Criminal Investigative Service, on the Federal Drive with Tom Temin and Emily Kopp.

Gelles co-authored "Mitigating the Insider Threat", a report released by Deloitte in 2012.

In the report, he said understanding the psychology behind seemingly disgruntled or disloyal colleagues should be part of every agency's insider threat prevention plan.

The report urges employees to engage with their colleagues and take notice of strange behavior or events that could warn of a future attack.

"If we can understand and begin to pay attention to those behaviors, and looking at them as data elements, we can begin to identify these behaviors and look at how they're different from baseline behavior of an employee, and interrupt forward motion," Gelles said.

The report identifies some key personality traits of an "at risk" employee:

  • Not impulsive

  • Has a history of managing crises inefficiently

  • Displays a pattern of frustration, disappointment and inadequacy

  • Constantly seeks validation

  • Has an exaggerated view of own abilities and achievements

  • Has a strong sense of entitlement

  • Views self above the rules

  • Needs immediate gratification, validation and satisfaction

For example, if an employee with access to sensitive data starts complaining about salary and lower-than-expected bonuses, that's a red flag. If the employee has a pattern of working on holidays but complains about it anyway, that's another flag. If the employee can access the agency from a personal computer, that makes three red flags. Add to those a criminal background including burglary, assaults or drug charges, and Deloitte says the agency needs to raise shields and move to full red alert.

Risk-Prone Generation of Federal Employees

The standard psychology behind new and younger federal employees could foretell an increase of insider attacks, according to Deloitte.

As of 2009, more than 40 percent of the federal workforce was older than 50. As they're replaced by a younger generation with stronger backgrounds in computers and social media, the overall value placed on classified data might shift.

"It used to be that we'd do business in the world of bricks and mortar," Gelles said. "Now that we're in an environment where most business is done virtually, we're seeing that there's an increase in the way people are sharing and moving information."

Gelles said new federal employees might be at particular risk of complacency. Similar to how many people immediately click "Accept" when confronted by the terms and conditions of a software update, they might not follow the necessary security measures to keep data from falling into the wrong hands.

"If there aren't hard set policies, rules and the appropriate training, people aren't going to do things they don't feel are important," Gelles said. "Or they're going to do things because they're ignorant."

Deloitte said members of Generation Y and younger naturally view information as "readily available and accessible, and shared across a larger community."

Combined with personal connections to social media outlets and a less "passive" attitude about information sharing, the incoming federal workforce is already creating its own set of risk factors based on how they typically (and sometimes constantly) use the Internet.

Creating Prediction Models for Insider Threats

In its report, Deloitte offered agencies a model to try to predict which employee is most likely to become an insider threat. It calculates risk based on four different criteria:

    Internal Data:
  • Employee interviews
  • Interviews with coworkers
  • Computer log-in histories
  • Expense reports

    External Data:
  • Posts on social media accounts
  • Public filings (court cases, permits, etc.)

    Behavior Patterns:
  • Noticeable mood changes
  • Increasing negativity
  • Attempts to undermine coworkers

    External Precursors:
  • Not getting a bonus or promotion
  • Workplace dispute
  • Personal issue outside of work
  • Natural disaster affecting employee or family

Combining those elements with the length of an employee's career, the employee's amount of access to classified data and a background check, Deloitte argues that agencies should have a fair idea of which employees are most likely to commit an insider attack.

But that doesn't mean federal employees should fear a "guilty before proven innocent" policy or that well-intentioned whistleblowers should stop pursuing a call to action:

"What we're not doing here is looking to profile anyone," Gelles said. "What we're not doing here is pointing the finger at anyone. What we're trying to do is look for anomalous behavior. Those are behaviors that begin to look very different than what a person has been normally doing. By being able to identify that, [it then] leads to having a conversation with that person [and to] interrupt forward motion."
