Identifying Someone Who May Become a Threat – Insider Attack Prevention

In discussion with Doctor Lisa Warren, Founder & Director at Code Black Threat Management, and Adjunct Senior Lecturer at Monash University. Dr Warren is a keynote speaker at the 2018 ASIAL Security Conference.


An ASIAL Security Conference Series article

With the advent of the World Wide Web in 1993, the workplace changed forever. Traditional methods of work have been replaced by sophisticated software and communication technologies, and companies are much more exposed to external scrutiny. The modern workplace heaps pressure on employees, mental health has become more complex, and companies are exposed to more risk vectors than ever.

With this massive growth in technology comes a rise in the vulnerabilities around storage of intellectual property (IP). Cyber-security threats to data and IP can severely compromise an organisation, and do serious damage to brand credibility.

Identifying an insider threat can be critical for risk avoidance

Insider threats to an organisation come from a number of sources, and there is no absolute distinction that classifies someone as high risk. However, there are patterns of behaviour that can trigger a warning.

Ideological motives based on politics, culture or religion are an increasing concern, arise when people are influenced by extreme, often highly right-wing views.

Radicalisation may occur where employees become sympathisers of extremism and cause threats to staff safety, the security of protected data and IP, and business continuity.

Explains Dr Warren: “Radicalisation can take several forms, such as condoning violence against particular targets, or adopting more extreme and radical views. This becomes the basis and justification for criminal activity perpetrated against an organisation.”

Insider attacks include data theft, malicious software downloads that halt or delay critical systems, violence, as well as blackmail and extortion.

“It pays to be aware of employees who hold particularly strong and fixed views that set them apart from the organisational culture, particularly when their colleagues report feeling apprehensive or fearful of them. When these fixations are about the responses they are planning for the injustices they perceive from their employer this should also herald concern. These employers justify in their minds how the company has done badly by them, thereby justifying an attack on the organisation as a way of evening up the ledger.”

Environmental extremism for example may incite an attack based on the person’s perception that a company has polluted the environment, or someone with very strong societal beliefs might have a grievance based on a company using child labour in developing nations.

Over-interpretation may involve something as simple as missing out on a promotion someone thought was clearly theirs. In one case, Dr Warren provided threat management for an organisation targeted for many years by an ex-employee who believed they were unfairly dismissed six weeks into the probationary period of their employment.

Poor psychological health can be a root cause of this over-interpretation, as individuals become fixated on one aspect of their life and work to the point where it consumes them. In cases where the individual is fixated on their workplace grievances, a dip in performance or something not going according to plan may result in grudges and attempts to strike out against the company. Social media, Dr Warren explains, can provide a place to vent, seek confirmation from others – many of whom have no knowledge of the situation – and publicly destroy the reputations of individuals and companies.

Fixation behaviour involves the situation where an employee keeps bringing a conversation back to a defined grievance, which is a sign that they are stewing on a particular topic or problem.

Identification behaviour is another sign that can lead to internal threats.

“We all say something about who we are, who we identify ourselves as, by the way we dress, the jobs we choose and how we interact with others. This extends to what we do with our time outside the workforce, the views and attitudes that we describe to others. However, if you notice that a colleague starting to talk about a particular, often divisive topic, such as radicalised religious groups, politics or violence then this should be raised with line management, security or HR. As well as a potential violation of Code of Conduct, such views can be a behaviour that signals the person is on a pathway to violence,” explains Dr Warren.

This also relates to changes in behaviour – for example where an employee changes their personal identification quite rapidly, such as shaving their head and getting tattoos, or dressing in a military style in the workplace.

What drives most crimes against an organisation?

Ultimately though, the majority of crimes against an organisation are motivated by the common factor of money. Embezzlement is a frequent form of attack, and in many cases is motivated by an addiction to gambling. This can involve the theft of data, files or anything that can be sold or passed on for monetary gain. Stealing to feed a gambling addiction is not limited to any particular demographic, but can be both male and female, involve older and younger workers, and not necessarily tied to employees at the lower end of the pay scale.

What steps can an organisation take to recognise the danger signs?

Warning signs, or trigger behaviours for rogue employees is an area where psychologists examine violent threat assessment and ask the questions:

  • What are the factors that should cause concern?
  • Are there warning behaviours in this situation?
  • Where are the opportunities for triaging risk, preventing escalation and managing the threat to negate it before it becomes a force in the organisation?

What measures should an organisation take to mitigate the risk of insider attack?

A code of conduct is a very important tool for an enterprise to include in their security and risk plan.

“A code of conduct allows an organisation to hold people accountable for problem behaviour, rather than punishing them for it. Punishing problem behaviour has never worked.”

It is critical to provide the right tools to approach a risky situation, identify the threat and nullify it with as little fuss as possible. A threat management approach is both restorative and educative and more effectively sets clear boundaries and expectations, reducing persistence and violence risks more effectively than a punitive approach.

Becoming proactive rather than reactive towards insider threats

Moving the discussion away from the IT space is important as well, as it allows a company to evaluate threats at the source and become proactive.

A collaborative response between policing, security and forensic mental health addresses risk in many situations, from counter-terrorism to workplace violence to family violence.

“Aggressive employees can be supported to understand the harm they have done to themselves and others by their behaviour, and have structures in place so that they do not choose problem behaviours in future.”

Large organisations in the US have for decades employed forensic mental health and threat assessment experts to map out risk mediation solutions and proactively protect employees and the organisation. This has begun in Australia but is less well-developed.

Dr Warren believes it is only a matter of time before Australian companies look routinely at threat management as a means of de-escalating insider threats by building threat management into human resources and mental health strategies in workplaces.

The two sectors leading the way in Australia are police forces such as Queensland Police and the AFP, who have developed Fixated Threat Assessment Centres, and universities who utilise threat management in their Safer Community teams.

Three steps towards recognising and mitigating the risk of insider attack

  1. Provide organisations with the opportunity to expand their definitions of insider threats to cover all circumstances where current or former staff have taken a more radical position in their attitudes, and use this as a justification for any problem.
  2. Broaden what constitutes a high-risk individual, and couple this with a strong set of rules and corporate governance.
  3. Take a boundaried, educative and stepwise rather than punitive approach, letting decision makers know what areas to be concerned about, then allowing the organisation to form ideas based around that knowledge and the company’s own ideologies.

Dr Lisa Warren will be speaking at the upcoming 2018 ASIAL Security Conference, held at the Security Exhibition & Conference. Conference Passes can be purchased from

Lisa Warren
Doctor Lisa Warren, Founder & Director at Code Black Threat Management, and Adjunct Senior Lecturer at Monash University. Dr Warren is a keynote speaker at the 2018 ASIAL Security Conference.