VIEW 23
Psychology: the human firewall and the rogue insider
An IBM cyber security report[11] concluded that 95% of cyber incidents involved some type of human error. At the most basic level, this could just be an employee mistakenly sending confidential information to the wrong recipients—known as a “fat finger” error from hitting the wrong key on the keyboard. Then there are phishing attacks, which exploit human psychology.
Office workers are expected to be helpful to colleagues, to avoid confrontation, and to be efficient. They are also prone to gossip. All of these psychological traits are vulnerable to manipulation through social engineering, and well-crafted phishing emails will exploit them.
The best defense against social engineering is staff training.

Cyber security awareness amongst employees can be raised through simulated phishing campaigns, teaching people not to click on dodgy emails. The aim here is to create a “human firewall” of educated staff that mirrors the system firewall but in the psychological domain. Progress can be measured through the improvement in click rates over successive campaigns.
Spotting a rogue employee
Beyond such accidental human error, there is also deliberately malicious behavior from rogue employees who have a grievance and try to damage the company. Psychological literature on these rogue or malicious insiders shows they tend to have certain characteristics in common. Their personality profiles display tendencies towards narcissistic, Machiavellian, or psychopathic behavior.
This type of analysis puts all the blame on the individual, but note that corporate culture has an important role to play too. There are five factors in the corporate environment that can trigger destructive behavior in employees, as identified by Furnham and Taylor in their book Bad Apples.[12]
The first trigger is an uncaring company atmosphere where bullying is rife and employees feel downtrodden. The second is unmet expectations, where promises made during the interview process are not upheld. Third is corporate hypocrisy, a huge rift between the CEO’s vision statement on the website and the reality of daily work. In this environment, words clearly don’t match deeds. Fourth is a lack of trust—managers are suspicious of workers and vice versa. Last is a high level of inequality, where employees receive vastly different treatment; loyalty and diligence are unrewarded while sycophants are promoted.
Any organization where these five factors are characteristic of the corporate culture is creating a toxic mix that is bound to produce malicious behavior from rogue employees. Thankfully, all five factors are completely within the compass of corporate control.
This is a good illustration of the way in which an HR department can contribute to cyber security, by making sure that the corporate culture does not engender that type of environment.