Dr. David Charney was part of a worldwide group of insider threat experts who were consulted for a University of Antwerp doctoral project on insider threats, which was published in April 2022. The project used the Delphi technique, which is “a widely used method of gathering group consensus from a panel of knowledgeable persons”. The researchers are PhD candidate Mathias Reveraert and Professor Tom Sauer, both of the University of Antwerp.

From the report:

An insider threat is interpreted here as the possibility that individuals who are or used to be trusted by the organization with the privilege of access to and/or knowledge about the organizational assets cause harm to the organization because they intentionally misuse this access or knowledge (Reveraert & Sauer, 2021a).

The goal of the doctoral project is two-fold, namely on the one hand raising awareness on the insider threat problem, and on the other hand providing organizations with mitigation measures to better secure themselves against insider threats.

The research outlined in this report particularly concerns the second objective.

It builds upon a theoretical insider threat mitigation framework established by Reveraert & Sauer (2022a), a conceptual model that consists of nine insider threat mitigation stages, namely:

  • recruitment (NOIR NOTE: as an employee of an organization, i.e. the HR pre-employment process, not recruitment by a foreign intelligence service or competitor)
  • organizational socialization
  • observation
  • investigation
  • anticipation
  • damage limitation
  • reconstruction
  • deliberation
  • termination

The aim of the study is to take the first step towards transforming the conceptual model into an insider threat mitigation framework with practical usability.

Its main goal is to discover (1) potential ‘red flags’ of insider threat incidents (i.e. factors that may point to insider threat), (2) good practices on insider threat mitigation throughout the employee life cycle (before, during and after employment), (3) actors responsible for insider threat mitigation and (4) difficulties related to insider threat mitigation.

Read Report: Evaluating insider threat indicators and mitigation measures: A Delphi study (pdf)

NOIR NOTE: Of interest, here is what the experts deemed High-rated red flags during the pre-employment process:

  • False information on professional history (work/education)
  • Membership of certain illegal or illegitimate organizations/associations
  • False reason for ending previous job(s)
  • Current or previous extremist ideology
  • Negative advice following security clearance screening by government authorities
  • Reluctance to approve background screening
  • False criminal record
  • Conflict of interest
  • Low score on integrity
  • Gambling addiction
  • Indiscretion
  • Current or previous interpersonal violence (harm to self or others)
  • Being dishonest/incomplete about involvement in bankruptcy
  • Drug addiction
  • Alcohol addiction
  • Manipulative nature
  • Having been fired from similar jobs before
  • Negative references (conflict with previous manager/employer, violations of policies in previous workplaces, …)
  • Maladaptive behaviors in current or previous affiliations outside workplace (school, church, …)
  • Reluctance to provide references
  • Candidate supported societal upheaval in the past
  • Inadequate/deviating responses to questions during interview

And here is what they deemed High-rated red flags during employment:

  • Attempts to remove sensitive data (physical and cyber methods)
  • Participating in illegal activities
  • Making threats against employer or other employees
  • Warnings received from other employees, clients or third parties on the behavior of the employee
  • Making or defending statements of extremist/radical point of view
  • Unauthorized access attempts to systems or physical locations not necessary for the job
  • Unnecessary copying of material (physical or digital)
  • Abnormal cyber activities on- and off-site (for example large up/downloads)
  • Vulnerability to blackmail
  • Participating in manifestations of extreme organizations
  • Signals of radicalization (like change in physical appearance)
  • Unexplained wealth
  • Negative security screening advice from government authorities
  • Employee is not open to audits
  • Unexplained irregularities in the accountancy of the organization
  • Organizational culture of fear and silence
  • Being flexible with ethics or morals
  • Employee pushes rules to see whether he/she can get away with it (boundary probing)
  • Gambling
  • Increase in organizational losses
  • Drug abuse
  • Alcohol abuse
  • Remotely accessing systems at uncharacteristic hours
  • Not complying with safety and (cyber)security policies and procedures
  • Disgruntlement as a result of career disappointment
  • Inappropriate communications (in person or online)
  • Changes in lifestyle (new car, expensive clothes, …)
