Improving Insider Threat Detection with Evidence-Based Reporting

As companies invest more and more money in preventing insider threats, incidents are rising at an alarming rate. According to a recently released study by the Ponemon Institute, the cost and frequency of cases have dramatically increased in just two years: Costs have risen 31 percent and the number of incidents has increased 47 percent. Despite these increases, reporting mechanisms don’t seem to be working. Individuals are reluctant to share information about themselves, and supervisors and co-workers are often hesitant.

As previously addressed in Part 1 and Part 2 of this series, the likelihood of misinterpreting and overlooking important information increases when a system lacks a clear framework to accurately judge risk. Ambiguous guidance, the use of risk predictors from unrelated cases, and failing to accurately account for situational influences on behavior can result in poor reporting. Standing up a system that promotes evidence-based reporting and acknowledges potential areas of bias is essential.

The Three C’s: Clarity, Context and Credibility

POINT # 1: Clear Reporting

Does the report set forth simple, specific behaviors and actions (not interpretations, impressions, or conclusions)?

Credible reporting depends on being able to identify simple, concrete behaviors devoid of personal judgment. In contrast, when we report outcomes, impressions, or others’ observations, we miss the social and situational factors that are essential for accurately assessing behavior.

There is a significant difference between simply reporting a co-worker as “unreliable” vs. reporting a series of behaviors and explaining in context what may have led to that conclusion. For example: “For the past two weeks, Jim has been coming to work at 9 a.m., two hours later than his normal time. Not only has he missed our regular 8 a.m. staff meetings each day, but he’s been leaving at 3 p.m., rather than his usual 6 p.m. And today Jim came to work at 10:30 a.m. and left at noon. He told our administrative assistant that he would be back in one hour but never returned. This is a big change from his usual schedule.”

Recording the onset of atypical behaviors, objectively and without inferring intention, allows for alternative explanations to be generated and for the information to be evaluated in a larger context.

POINT # 2: Contextualized Behaviors

Does the report provide context for the observations?

Most decision-making errors occur because of a failure to account for the circumstances under which the behavior occurred. Without context it is impossible to interpret behavior, make sense of a situation, or accurately assess risk. Knowing how the reporter came upon the situation and made sense of the unfolding event is critical to knowing what really occurred.

Since people’s lives and actions are ever-evolving, behaviors may easily be taken out of context, such as when an observer fails to consider a reason for a behavior that may have occurred prior to an observation. Accordingly, reports should:

  • Provide information about the circumstances under which the observations were made (e.g., time, day, location, people in the situation, events, actions).
  • Recount exactly what was said, to whom, and by what medium.
  • Identify what the reporter thinks the context to be, and identify how the reporter knows.
  • Provide alternative explanations for an event, comment, or observation.

POINT # 3: Credible Sourcing

Why is the source making this report, and why now?

It should not be assumed that all observers in the workplace are equally positioned to provide objective, accurate and meaningful information. Whether the reporter had the ability to make an accurate report should be assessed. The relationship of the reporter and the subject can significantly influence the content of the report, the timing and the tone. Consider the quality and duration of the relationship between the source and the subject.

  • What is the level of contact between the source and the subject, and their usual mode of communication?
  • Are there pre-existing issues between the reporter and the subject?
  • Does the reporter have any say over what the employee does and how he or she is evaluated in the workplace?
  • Is what is reported consistent with what the source would likely know about the subject? Is he or she reporting on direct observations or making inferences based on assumptions or others’ reports?
  • Consider how the timing (e.g., time of day, year and current events) might have motivated the individual to report at that juncture rather than some other time.

Strategies to Improve Reporting of Potential Insider Threats

False accusations can occur when important behavioral and situational information is misinterpreted or overlooked. Currently, there appears to be no guidance on how to identify and correct for biases derived from natural decision-making processes, social situations, or the framing of information. A relatively easy way to avoid these pitfalls is through training that focuses on these areas.

A wealth of psychological research suggests that increasing awareness of how various factors can bias decision-making can lead to greater objectivity in judgments. Just as consumers are taught to be wary of sales tricks, insider threat professionals can be trained to recognize situations in which mistakes are likely and adopt strategies to help limit subjective reporting. Awareness of how social situations, biases, heuristics, and characteristics of data influence what we see, pay attention to, and conclude can significantly reduce the potential for bias.

Know what “good” reporting looks like. One way to evaluate threat information is to have a basic understanding of what “good” data looks like. Having a comparison point from which to gauge the quality of a report is important for evaluating information and investigating the likelihood of risk a certain employee may pose. The most credible information and the most reliable data will:

  • Represent different points in a person’s life.
  • Be described in terms of frequency, intensity and duration.
  • Show repetition in dissimilar situations.
  • Come from sources who do not have a stake in the outcome.
  • Be documented according to time, place and situation.

Require that context be accounted for. Not all information that we’re drawn to is relevant to one’s risk of compromising classified information. Provide an easy-to-follow reporting mechanism that pulls for information regarding time, place, setting, number of people and rank of individuals present at the time of the observation. If not known, require that the reporter state that he or she is unsure how the statements or behaviors came about.

Create a standard form to document observations. The act of documenting what is seen, and accounting for one’s concerns in the moment, reduces potential biases that can arise when short-term memory is relied upon. A common reporting form reflecting these criteria could go a long way in improving transparency, standardization and accountability – making it easier for investigators to discern behavioral patterns when multiple reports are made.

Require a review of the reporter’s own credibility and potential motivations. People usually have opinions, whether favorable or not, about those with whom they work. It is important to understand those opinions when interpreting a report. For example, the inherent power differential between a manager and employee could have multiple biasing effects. A manager with an unfavorable perception of an employee may not trust that employee and misinterpret benign behaviors.

Reporting should not be discounted simply because the source has unfavorable views of the subject, but should be considered as one potential biasing factor. Requiring information about the source and the quality, duration and level of contact with the subject can help validate the information provided.

Require training for all employees so that they can distinguish simple, fact-based information from opinion-driven information. Know the difference between direct, simple behaviors and opinion-based statements, subjectivity, gaps, and assumptions. Everyone should be able to identify potential biases or missing information.

Document positive life events in addition to negative ones. Generally speaking, both favorable and unfavorable life events generate challenges to which an individual must respond. When assessing risk, it is equally important to determine the effect of positive life events on the individual’s risk potential. Looking only for negative life events will distort findings.

Investigators should “triage” reports as part of a standard protocol. Triage, a concept from the field of medicine that relates to prioritizing urgencies, should be part of the investigative process. Before proceeding further, the report should be reviewed to ensure that the wording is objective, clear and devoid of assumptions about what the subject may have intended, thought, or meant. Reports should communicate exactly what is known, what isn’t known, and what is needed in order to make an accurate determination. In addition, investigators should be required to generate alternative explanations for why the observation may not be indicative of a threat.

When observations are made with more care, and reporting is less ambiguous and subjective, fewer false positives may be reported and investigations may be resolved more quickly.


Dr. Judy Philipson is President of Behavioral Sciences Group LLC. A recognized expert in threat detection, risk assessment, operational tradecraft, and investigative methods, she has over 20 years of experience providing advice, analysis, and training to clients in the Intelligence Community, Department of Defense, Law Enforcement and Homeland Security. From 2009-2014, she served as Social Influence Advisor to the Counterterrorism Center at the Central Intelligence Agency. She is a Senior Associate Fellow at Narrative Strategies, LLC, a consultant to the Insider Threat Management Group, and a Lecturer in Criminology and Criminal Justice at the University of Maryland, College Park. She has a Ph.D. in clinical psychology from Drexel University where she focused on forensic populations and issues relating to deception and risk assessment.
