Our Approach

Background 

While technical approaches are excellent at documenting insider activities after the fact, most insiders steal, corrupt, or otherwise impact organizational assets to which they have routine access, reducing the effectiveness of many technical systems designed to identify anomalous behavior. Also, the false positive rate for some technical detection systems alone significantly undermines their utility in insider risk identification.

Our empirical research indicates that Disgruntlement—defined as feelings and attributions of anger, victimization and blame differentiate employees who are at-risk for insider actions from those who are more generally unhappy at work but do not present significant risk. It is this syndrome of Disgruntlement that often powers employees down the CPIR. A range of resources can be deployed to detect risk indicators, including psychological content analysis detection of risk from communications, reports from supervisors, coworkers and others, technical monitoring of organizational and network behavior, and Human Resource data. The availability of these data sources may be governed by local legal guidelines and the culture of the organization involved.

The Critical Pathway to Insider Risk

Mitre has observed that the CPIR has “benefited the insider threat community by motivating security analysts and law enforcement to consider the whole-person, recognize risk factors beyond concerning behaviors, and realize that malicious insider activities are not isolated but instead result from a series of events.” The CPIR describes the personal predispositions past insiders have brought to their organizations (personality and psychiatric issues, previous violations, social network risks), the triggers or stressors that have stimulated higher levels of insider risk, the concerning behaviors that signal observable behavioral indicators of increased insider risk in the workplace, the often maladaptive organizational responses that have failed to deter insider risks and the crime scripts that have accompanied insider actions. This framework for understanding insider risk is depicted in Figure 1 below, which portrays the observed accumulation of risk over time by subjects as they travel down the Critical Pathway. Our approach searches for communicated indicators of this risk by screening email, chat and other communications for indicators of disgruntlement, behavioral risks such as manifestations of financial distress, significant stressors, substance abuse and other risk factors associated with the CPIR. Typically, our reports on subject insider risk contain a description of these risk indicators over time along with communications specifically supporting these assessments.

As Figure 1 below illustrates, the CPIR generates guidance regarding screening and selection of employees, the importance of identifying and ameliorating common stressors, the importance and seriousness of concerning behaviors which may be the tip of the iceberg for employee risk indicators and the care that must go in to organizational interventions so as to not contribute to risk escalation. As the Figure indicates, IRG concentrates not just on risk management but also on identifying these risks and taking these employees off the pathway before risk escalates.

Mitigating Strategies and Risk Management 

The CPIR also emphasizes the role of mitigating factors that can help exit an employee from the pathway. Positive and strong family connections, religious beliefs, social support, capability for insight, empathy and judgment, can determine the difference between a subject whom may be helped and taken off the risk pathway and one who must be immediately constrained from damaging the organization and his or her own future. Premature interventions that do not take these factors in to account are routinely responsible for risk escalation. Abrupt terminations, failed attempts to remove an employee from access to critical data, systems or coworkers, administrative penalties and temporary suspensions are all examples of well-meaning interventions that backfired by further aggravating an employee and then returning him or her to the workplace.

We believe that risk management of an identified individual is best accomplished by a multidisciplinary team of professionals representing an organization’s management, security, human resources and legal departments with the resources to collect information, analyze that data and act to manage insider threats. Mental Health clinicians are the members of such a team best positioned to predict how a subject is likely to react to proposed interventions and help tailor these communications and activities to the psychological profile of the subject involved.

Clinician Support 

These interventions can range from referral to organization and community resources (financial and psychological counseling programs) to more complicated and active interventions involving investigative personnel working with law enforcement and other affiliates. Our clinicians with operational psychology experience are well positioned to assist in this full range of interventions.  These activities may include referring a subject for psychotherapy, monitoring his or her treatment and clearing them for a return to work. In other cases, involving more active interventions, the clinician can assist in selecting the personnel and approaches most likely to succeed given a subject’s psychological and risk profile.