Are Insider Threats caused by Bad Management?

As a manager in a variety of workplace settings including the military, public service, private industry and academia, I know how management philosophy and application can affect the workforce for both good and bad.  Most bad managers are usually bullies, forcing their staff to perform unnecessary or repetitive work in order to exert control.  Most employees just take this abuse, or else look for employment elsewhere.  But what if these employees were not malicious, but just made human errors as a result of the work environment, where they were stressed and overworked?

I did some preliminary research on this subject and found a great article on Human Factors in Critical Infrastructure Security by Ayhan Gucuyener on LinkedIn (https://www.linkedin.com/pulse/human-factor-critical-infrastructure-security-insider-ayhan-gucuyener).  In this article, Ms Gucuyener gives some fantastic research data from several sources including Carnegie-Mellon University and the Department of Homeland Security on why individuals become an insider threat and what positions they have at the time they commit that threat.  The results are relatively predictable, with the majority of individuals stating that they commit the act out of financial gain, and the positions they possess are usually in the IT area of the company.  The recommendations that she gives are also very good, focusing on the Human Resources side of the company in the form of hiring practices and different security controls.

What does this have to do with the line management responsibility?  Everything!  I realize that Human Resources is the first line of defense when it comes to the insider threat, but the management is the consistent line of defense for employees once they enter the workforce.  I say that from decades of experience.  I know firsthand what bad management can do to the workforce and how that workforce can strike back in ways that are both subtle and effective.  At several times in my management career I was a bad manager, expecting more than was reasonable and demanding results, no matter what the cost.  The way that my workforce struck back was relatively low tech – following instructions to the letter, ensuring my documentation on tasks was thrown back in my face in a very respectful manner, and just basic stalling using my words and tasking against me.  As a workforce member with a bad manager, I did the same thing.  In a highly bureaucratic organization, this is done more than you think, and is unpunished since the manager sets themselves up for the fall.  Of course, by expecting unreasonable goals, I also placed my staff in a stress mode, as they wanted to satisfy my desires and spent more time in the office to do so, resulting in fatigue and more human error.  So, the conclusion is that you have insider threats already existing in the organization and now they have the technology to not only put a wrench in the works, they can do so with a machine’s ability to perform tasks in nanoseconds.

I was also in IT as a systems administrator and can tell you that systems administrators have the ability to place little bugs in the system that may not be found for months and in the meantime spread poison throughout the system.  Even when the mistake is not intentional, an IT systems administrator has great impact on the computer environment and as much impact on the security of that environment.  I see through some of my research that people do not always commit insider threats because they are being malicious.  A study completed by Carnegie-Mellon University for the Department of Homeland Security in 2013 called “Unintentional Insider Threats” (http://www.sei.cmu.edu/reports/13tn022.pdf) notes that there are instances when an insider threat is not done out of retribution but is unintentional because of fatigue, incidental use of drugs or hormones, along with other factors.  On page 42 of this report, one of the main recommendations for mitigation of these unintentional insider threats (or UIT as in the report) is focused on “human error.”

“Human error plays a significant role in UIT. Countermeasures and mitigations to decrease UIT incidents should include strategies for improving and maintaining productive work environments, healthy security cultures, and human factors for increased usability of security tools to decrease the likelihood of human errors that lead to UIT incidents.” (page 42 of the report).

Human error in this case is associated with work environments, of which the manager is the lead observer of the workforce in this environment.  I postulate that trust is a major factor between the workforce and manager, so if the trust is absent, so is the observation of the environment.  One real-life example of this was when I was a manager of IT project managers.  Because of the trust that I kept with that workforce, my staff brought problems to me prior to those problems being disasters.  It also helped that I did not punish them for mistakes, which helped keep that trust relationship solid.  Human error is not something that we can eliminate, but it is something that we can control through good communication and trust relationships, all an essential part of good management.

More articles on this in the future.  A quick note to the managers out there:  read my book “L.O.V.E. is the Answer” available through http://www.lulu.com.  It gives you some basic essentials for how to treat your staff and make you a better manager and person.