The Insider Threat
eBook - ePub

The Insider Threat

Assessment and Mitigation of Risks

  1. 213 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

This book provides emergent knowledge relating to physical, cyber, and human risk mitigation in a practical and readable approach for the corporate environment. It presents and discusses practical applications of risk management techniques along with useable practical policy change options. This practical organizational security management approach examines multiple aspects of security to protect against physical, cyber, and human risk. A practical more tactical focus includes managing vulnerabilities and applying countermeasures. The book guides readers to a greater depth of understanding and action-oriented options.

The Insider Threat by Eleanor E. Thompson is available in PDF and/or ePUB format, under Computer Science & Cyber Security.

Information

Year: 2018
ISBN: 9781315351612
Edition: 1
1 INTRODUCTION
1.1 Introduction
This book is all about the Insider Threat: Assessment and Mitigation of Risks. It is part of a very important cyberspace story that impacts you—no matter who you are or where you are geographically located, on land, rocking on the high seas, flying through the air, or on the next space mission to Mars. One is hard-pressed to find any individual who does not have access to or connections with any organization or business. Even children connect; these connections are occurring earlier and earlier in life. So essentially, this book applies to you in your professional, personal, and spiritual life. Consider that you are your own asset and that your existence today and your potential should be viewed as an asset of your future. Consequences of insider threat can gravely damage this future; insider threat can come at a cost to you and you must mitigate against this risk. Insider threat is also significantly greater because of the lightning speed of damaged reputations, potential financial, material, and other losses.
This is a narrative on insider threat; assessment and mitigation of risks is a story that should be told, a story that I feel compelled to tell for the common good, so that you and others may incorporate your perspectives, protect your organizations, and grow the existing body of knowledge even further. It is also my hope that you will also use the knowledge gained to better protect yourself, as an asset, as well as your family members.
This is a unique story grounded in subject matter expertise and in part derived from an innovative qualitative study that uncovered some chilling results about the reality of insider threat. I’ve concluded that the best thing to do is to present for your consumption what I have come to know. I don’t know all that you will take away, but am confident you will have an enlightened perspective when you have completely read this book. I have attempted to make this enjoyably readable, because there is a lot of confusing, less-informed, redundant, and quite frankly difficult material to read out there. I have also tried to make it somewhat entertaining, but there are no false stories here. What I am to share is so much more than the current body of knowledge, and significantly more than when I started on this journey of interest and quest for knowledge.
This book is informed by my original works—a qualitative research study as a foundation, but it takes on a greater depth of the understanding about insider threat; assessment and mitigation of risks. This knowledge on insider threat is provided on the one hand for the sake of learning, and on the other hand for the value of storytelling, which can be a mitigation tool itself—awareness of scenarios, best practices, and lessons learned. I’m grateful for the opportunity to be able to share this story with others, and the lessons I have learned along the way that got me here. It is important that individuals and organizations each come to better understand insider threat, to protect best interests, and the interests of others in business practice.
This book will be readable and informative, and ever so slightly entertaining to most. Every time I attend a conference or workshop on insider threat and listen to the speakers on this topic, I want to shout out “you are missing part of the story,” and yet I know that I hold part of this story. I can’t hold onto it, nor do I want to for much longer. This story belongs to more than me, my practitioner experiences, or my academic undertaking, and even my school of hard knocks—I have a few of them that hit me fairly hard right in the gut, or I suppose the heart—greatly contribute to this undertaking. If you find vignette stories off-putting, just note that without them, I don’t think I would have made it through the writing of this book.
Logistically, because my primary income is derived from the U.S. federal government, specifically the U.S. Coast Guard where I work as a cybersecurity strategist and advisor to the chief information security officer, I must disclose the following: This book is an original work. The views expressed herein are those of the author and are not to be construed as official or reflecting the views of the commandant or of the U.S. Coast Guard. This book was not developed in consultation with the Coast Guard, but parts of the text may have been drawn from my professional life experiences, which include my role as a federal civil service employee working for the Coast Guard, U.S. Department of Homeland Security. I am also an associate faculty member for a private university in the college of information systems and technology and criminal justice. These roles are complementary from a practitioner-academic learning perspective. The views expressed are also not considered official views or reflect views of this or any other private organization.
Additionally, the purpose and scope of this book is significantly different from a qualitative research study that I published in 2014 as an academic venture, focused on investigating the phenomenon of unintended insider threat and contributed to the theoretical literature of insider threat. In that self-funded academic study, the Coast Guard was a community research partner, but for which those views, as stated in the study, were also not to be construed as official or reflecting views of the commandant or of the Coast Guard.
I would like to stipulate that some of the knowledge learned, including several categorical findings, has been applied to inform the development of this book, especially the theoretical underpinnings in the information technology security that remained limited before that original study. The new sociological lens acquired during the 2014 study, as well as my ongoing experience in the field of cybersecurity and applied leadership in the organizational transformation that includes cybersecurity response and remediation, has matured the topic in cybersecurity. It is, however, important to note the conceptual framework that inspired my study and for which I have added to the body of the literature since that time.
In 1992, Loch, Carr, and Warkentin identified threats to information systems in four dimensions, which included (1) sources that were internal or external; (2) perpetrators that were either human or nonhuman, and that could originate from either internal or external sources; (3) intent that was either accidental or intentional and could originate from human or nonhuman perpetrators, and that may be introduced by internal or external sources; and (4) consequences that included disclosure, modification, destruction, or denial of use and are as a result of either accidental or unintentional intent, which originates from either human or nonhuman perpetrators and may be introduced by internal or external sources.[1]
I used this conceptual framework to inform my original study, and as a result of my study, I proposed that a fifth and sixth category be added as mediums and enforcers. Mediums are the convergence points or crossroads where the internal and external source connects—as the doorway, an in between. A convergence may occur in between numerous internal and external pathways, created by humans and nonhumans. The risks, vulnerabilities, consequences, and mitigation measures will vary and need to be considered from a convergence perspective between the in and out. Opportunity exists to mitigate risk at the crossroads and prevent threat from becoming realized. Enforcers may be responding or policing, and are either human or nonhuman in the pragmatic of resilient countermeasures derived from analytic tools, risk management process, technological, or other human instruments that can originate from internal or external sources. The conceptual framework could then be reordered as a foundation to be sources, mediums, perpetrators, intent, enforcers, and consequences.
The concept of risk includes the possibility and probability of a particular event occurring. Loch et al. further describe the manifestation, extent, and severity of the consequences that are connected to the probability and the modifying factors. Modifying factors are seen as the internal and external influences on the probability that the event will actually happen. Loch et al. categorized modifying factors for internal threats as employee acts and administrative procedures; for external threats, competitors and hackers. It is this work that I have expanded upon, but you should be aware of its existence as an important conceptual framework.
Researchers Warkentin and Willison have indicated that maturity in a given field is gained as study increases and there is a shift of scope from the technical to the organizational or managerial, and this book demonstrates, in part, that maturation process.[2]
It is time to look upon the face of what insider threat actually is, to incorporate better practices for the assessment and mitigation of risks, as well as to understand more holistically what insider threat actually is in practice. The more well-known category of malicious insider is only one primary category. The insider threat, through our actions or inactions, dwells in each of us, and in everyone we connect with, in one way or another—and I have identified several specific categories discussed later in this book that may be addressed at an individual and managerial level to reduce risk and preserve your future.
I started this journey, as adventures often start, by being curious. This particular journey has led me much further into an adventure quest than I had anticipated. It is this knowledge that I share throughout this book. I have combined a sociological approach to an information technology problem. What has emerged is truly eye opening and useful to a wide breadth of stakeholders including the chief executive officer, chief information officer, chief information security officer, professional protection officers, organizational security managers, supervisors, and general managers as well as other practitioners, students, and individuals as lifelong learners.
Make haste! As you have likely observed, you are in it—virtually and physically in it—and together, we are in the cybersecurity time of our lives. With technology, this time could potentially be infinite, even lasting beyond our physical forms as our intellectual capital may take a life of its own. We exist in a crescendo of technological advances and a flurry of communications. We must not only make sense of the sensory madness but also ensure that we have a solid grasp on security technology, all the while maintaining a firm grasp on traditional security practices. Practical application of organizational security risk management is necessary for organizations to survive and thrive in a globally competitive, highly visible, and nearly unforgiving social media environment.
The need for increased cybersecurity to reduce insider threat is also soundly upon us. Almost every day there is a new story in the media being shared about another instance of an organizational compromise or intrusion impacting customers, employees, government, and other stakeholders. This intrusion or attack may have originated from within or be external to the organization; both can result in catastrophic consequences. However, to penetrate from outside the organization, it is likely that an insider created an opening for this to occur; this unsecured door or opening may have been created either intentionally or unintentionally. There is clearly a documented need for an increased focus on traditional security and cybersecurity. Insider threat is an excellent place to start, so that you may develop an insider threat program that addresses the assessment and mitigation of risk related to this threat.
Clearly, the rapid transformation of society into a digital culture has been on the upswing since the early 1990s, and it hasn’t even slowed; evidence points to the fact that it will continue to grow exponentially. As a result of this rapid upswing, competency gaps were created within the workplace, partly because traditional college curriculums often failed to keep pace with the changes in interdisciplinary areas. In my opinion and through personal observation, they are now just starting to catch up, though not all of the professors have had the opportunity to self-develop in these complex technology disciplines, even at a strategic level. There are some exceptions where universities have established centers of excellence and partnerships with both industry and government in the area of cybersecurity. Even in practice, traditional security has at times been at arm’s length with cybersecurity, when both should have been collaborating together a great deal more for a broader holistic security approach.
Since I am going to be forthright in this book, here it is—the need for increased information technology security arrived at least four decades ago. It is readily apparent that organizations just weren’t in listening mode, or other priorities overshadowed these security decisions for lack of urgency, or decision makers were dialed into the wrong frequency. However, as time has progressed, and more cyber-havoc has been created, tremendous financial loss has occurred because of security mistakes inside the perimeter. A choice really doesn’t exist now. There is so much threat, originating both internally and externally, that there has been a start to an ideological shift. More organizations and their leadership have recently, especially since 2015, realized that they must tune into the right cybersecurity frequency, metaphorically speaking, in order to hear the proper communications and filter out the competing background noise.
1.1.1 The Risk Landscape of Insider Threat
Risk landscapes are frequently developed in order to both describe and scope the unique characteristics of a given topic area, in the broader context of a particular situation, as applied to a particular geographic area (physical or virtual). For example, an organization or agency could develop a risk landscape that specifically applies insider threat, within the broader context of organizational risk within a particular industry, located within the United States, with accessibility from around the globe.
In well-known practice, the U.S. Department of Homeland Security, along with other agencies, develops risk landscapes and uses them to inform the strategists and others in the public and private sectors who create and inform various products and plans. These risk landscapes are often credited as providing a foundation for national level plans with impacts across infrastructure sectors. Risk landscapes can be considered the backstory along with articulating the general conditions that a government entity, particular industry segment, or sector must operate within. These are the known or expected conditions. They may predict a potential threat and speculate increased risk in the future, in general terms, or in projected/expected forecast.
Your specific insider threat landscape will vary slightly depending on your location, the nature of your business, and the potential known threats. You likely already have a baseline in place and some mitigating measures that address organizational risk, but you will have to conduct a deeper dive than that to then deduce other aspects of insider threat you likely have not considered. You may have some risk reduction mitigation measures already in place, either voluntary, being required by regulation, or other policies you must adhere to simply by local ordinance. For example, the risk of liability may be offset through various insurance policies. Later in the book, you will discover various insider threats that should be considered as you relook at your present landscape and reassess your mitigation of risks. Lack of proper understanding of the risk landscape that insiders present can create holes in your security fence—virtual cyber vulnerabilities however small, left unchecked, can have the consequences of a Grand Canyon opening. You need to protect your future by reducing the risk of insider threat, to reduce unwanted accessibility or your potential loss.
Typically, risk landscapes should be created to inform the decision making as well as the development of organizational products such as strategies, plans, projects, and blueprints. They help to shape prioritization of the assessment and mitigation of risk, and also help to inform decision makers at all levels. Many people are simply not aware of the landscape that personally impacts them. While the entire landscape will never be fully revealed, landscapes can be developed to remove some of the blinders and contribute to a more optimal assessment. Landscapes should, whenever possible, incorporate aspects of physical, cyber, and human risk elements. Landscape development should also include a diversity of stakeholders. In the case of a business or organization, perspectives of individuals who are more junior in the organization may also bring a wealth of insight into the landscape. If only someone trusted would ask, and then be able to interpret the communicated perceived risks. As an associate faculty, I’m always amazed at the level of insight provided by my students who are often mid-level security personnel, including security guards; they have insights that are rarely filtered up to the senior level decision makers due to layers of bureaucracy.
It is best to remember that landscapes extend well beyond the horizon. Indeed, with today’s technology it is a layered landscape that includes traditional security risk, but also cybersecurity risk. Multiple stakeholders or contributors can also be reviewers of this landscape built from various perspectives that help to refine it from their informed perspective. Not everyone can easily see the pitfalls that lie ahead—unexpected changes in technology security requiring significant investment like particular operating systems no longer supported making specialized custom software no longer usable—living downstream from a century-old dam having no alerts and warnings, for example. In some cases, a risk landscape can make a venture either a good idea or a not so good idea. That information technology investment in a major acquisition, for example, may not have had very good cybersecurity life cycle cost estimates when it was originally acquired. A current risk landscape can help determine what level of risk can be accepted, as well as the level of risk that needs to be specifically mitigated, even if a threat is an unknown factor or placeholder.
The formation of a risk landscape can also help to identify emergent needs to balance particular risks. For illustrative purposes, I use an example of a physical w...

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Dedication
  6. Table of Contents
  7. ACKNOWLEDGMENTS
  8. AUTHOR
  9. CHAPTER 1 INTRODUCTION
  10. CHAPTER 2 INSIDER CYBERSECURITY THREATS TO ORGANIZATIONS
  11. CHAPTER 3 ORGANIZATIONAL RISK FACTORS FOR UNINTENDED INSIDER THREAT
  12. CHAPTER 4 HOW INSIDER THREAT FACTORS RELATE TO VULNERABILITY AND CONSEQUENCE
  13. CHAPTER 5 MANAGERIAL AND INFORMATION TECHNOLOGY SPECIALIST APPROACHES TO MITIGATING RISK AND INCREASING ORGANIZATIONAL RESILIENCE
  14. CHAPTER 6 BUILDING ORGANIZATIONAL RESILIENCE: A FINAL REFLECTION
  15. INDEX