As a manager in a variety of workplace settings including the military, public service, private industry and academia, I know how management philosophy and application can affect the workforce for both good and bad. Most bad managers are usually bullies, forcing their staff to perform unnecessary or repetitive work in order to exert control. Most employees just take this abuse, or else look for employment elsewhere. But what if these employees were not malicious, but just made human errors as a result of the work environment, where they were stressed and overworked?
I did some preliminary research on this subject and found a great article on Human Factors in Critical Infrastructure Security by Ayhan Gucuyener on LinkedIn (https://www.linkedin.com/pulse/human-factor-critical-infrastructure-security-insider-ayhan-gucuyener). In this article, Ms Gucuyener gives some fantastic research data from several sources, including Carnegie Mellon University and the Department of Homeland Security, on why individuals become an insider threat and what positions they have at the time they commit that threat. The results are relatively predictable, with the majority of individuals stating that they commit the act for financial gain, and the positions they hold are usually in the IT area of the company. The recommendations that she gives are also very good, focusing on the Human Resources side of the company in the form of hiring practices and different security controls.
What does this have to do with the line management responsibility? Everything! I realize that Human Resources is the first line of defense when it comes to the insider threat, but management is the consistent line of defense for employees once they enter the workforce. I say that from decades of experience. I know firsthand what bad management can do to the workforce and how that workforce can strike back in ways that are both subtle and effective. At several times in my management career I was a bad manager, expecting more than was reasonable and demanding results, no matter what the cost. The way that my workforce struck back was relatively low tech – following instructions to the letter, ensuring my documentation on tasks was thrown back in my face in a very respectful manner, and just basic stalling using my words and tasking against me. As a workforce member with a bad manager, I did the same thing. In a highly bureaucratic organization, this is done more than you think, and goes unpunished since the manager sets themselves up for the fall. Of course, by expecting unreasonable goals, I also placed my staff in a stress mode, as they wanted to satisfy my desires and spent more time in the office to do so, resulting in fatigue and more human error. So, the conclusion is that you have insider threats already existing in the organization, and now they have the technology not only to put a wrench in the works, but to do so with a machine’s ability to perform tasks in nanoseconds.
I was also in IT as a systems administrator and can tell you that systems administrators have the ability to place little bugs in the system that may not be found for months and in the meantime spread poison throughout the system. Even when the mistake is not intentional, an IT systems administrator has a great impact on the computer environment and as much impact on the security of that environment. I see through some of my research that people do not always commit insider threats because they are being malicious. A study completed by Carnegie Mellon University for the Department of Homeland Security in 2013 called “Unintentional Insider Threats” (http://www.sei.cmu.edu/reports/13tn022.pdf) notes that there are instances when an insider threat is not carried out as retribution but is unintentional because of fatigue, incidental use of drugs or hormones, along with other factors. On page 42 of this report, one of the main recommendations for mitigation of these unintentional insider threats (or UIT as in the report) is focused on “human error.”