What do we do about insider threats? Prevailing wisdom recommends doing more: look harder, submit our fellows and ourselves to newer and more microscopic security audits and restrictions, the better to detect our adversaries. How well do such defenses work? At best, results are mixed. At worst, doing more of the same delivers results more promissory than substantive, while alienating the average employee.

This book looks at the insider threat from a multidisciplinary perspective. It reviews the literature on this subject and draws on Delphi research tapping seasoned professionals with broad career experiences. Ultimately, the book arrives at an alternative to prevailing wisdom. That alternative proposes taking institutional defense out of the arcane realm of specialists and distributing the role more widely at the work team level. The proposed approach deputizes coworkers to take a hand in their own protection, as a copilot must be ready to fly a plane if the pilot falters by mischief or misadventure. The resulting team-level engagement leaves fewer places for hostile insiders to elude scrutiny, hence fewer opportunities to prepare and carry out an insider attack.

In this context, the insider threat has generally attained secondary status. One possible reason is that there is a dearth of statistically significant data on hostile insiders. As a review of the current literature indicates, trust betrayal—whether in espionage or other fields—remains statistically rare.²,³ Where analyzed further, the insider threat has been subordinated to cyber security studies centering on hackers and disgruntled employees, ex-employees, or consultants.^{4,5 and 6} Although such studies have supplied value and focused attention on the problem, they have offered few solutions other than to advise added scrutiny. Data compiled to date suggest that the vast majority of insider cyber attacks have been either fraud-driven or moderate in scope and impact. In other words, such attacks remain less than devastating to the targeted employer—the modern, electronic equivalent of embezzlement or vandalism.⁷

Similarly, such studies preserve their narrow focus by intentionally excluding cases of espionage, while at the same time avowing that the threat remains real and advising ordinary, more-of-the-same solutions such as layered defense.⁸ Consequently, it is difficult for security practitioners to derive new insights from cyber-centric insider threat investigations and their attending platitudes. The net result is that today’s insider threat remains substantially as it did yesterday: frequently studied retroactively yet seldom yielding practical tools, tactics, or recommendations that would serve a defender in countering the threat.

The overall aim of this research was to identify countermeasures that defenders can use to prevent terrorist attacks via trust betrayers and thereby reduce the vulnerability of critical infrastructure and institutions. The journey to this destination involved applying lessons of experts from other, more mature arenas of defense from insider threats, such as workplace violence, line management, corporate security, and counterespionage. In the course of following this path, the inquiry also sought to answer, “If current indicators and countermeasures fall short, what should we do differently?”

This book’s focus is on the kind of hostile insider that poses an existential threat to the institution. Accordingly, the foundational research described focuses less on unbounded definitions of insider threat that include malingering or contentious employees or naysayers who may pose a nuisance or cause difficulties for the organization yet stop short of bringing it down to its knees.

Increasingly, government works appear to subordinate the insider threat to cyber security studies,⁹ centering on hackers and disgruntled employees, ex-employees, or consultants who cause damage via computer networks. Although such studies have value, some have also limited their focus by concentrating exclusively on the specialized area of information technology.¹⁰,¹¹ Indeed, in one report to the President, infrastructure experts underscored this danger of focusing too intently on IT:

Efforts to develop predictive models to detect and thwart malicious insiders have ranged from a quantitatively based yet unproven formula¹³ to broad-based theoretical models designed mainly to predict the triggers that lead an assassin or radical group to take violent action.¹⁴,¹⁵ Others focus exclusively on detecting anomalous behavior in hindsight, on the assumption that trust betrayers are disgruntled and detectable by mistakes rooted in character flaws—while standing mute about infiltrators disciplined enough to avoid such mistakes.¹⁶ The literature contains much analysis on the psyches,¹⁷,¹⁸ social climates,¹⁹ and cyber vulnerabilities²⁰,²¹ associated with malicious insiders. Yet analysis appears more limited when it treats pragmatic lessons and inferential guidance that apply directly to practical countermeasures. However, research on threats from assassins to saboteurs suggests that applicable findings may be adaptable from indirectly related works and may offer more promise in charting a course to defending against the malicious insider who is more dangerous than a computer hacker.^{22,23 and 24}