Turning Bad Apples Good: Using Soft Skills for Threat Assessment
Actions, thoughts, and emotions do not exist in isolation. The way they interact will influence your perception of the world around you. Alongside attempting to meet your basic and psychological needs, as emphasized by Abraham Maslow in his influential paper “A Theory of Human Motivation,” our behaviors are influenced by the way we experience feelings of confidence in our personal and professional activities or how we feel valued and respected by our friends, families, teammates, and wider social structures.
When individuals’ values align with the organization’s, this expression can be positive. In cases where those values clash, negative emotions—sadness, frustration, anger—can result in inappropriate behaviors and choices. This can be detrimental in the workplace, and it requires that employees be empowered with knowledge of potential insider threats and of the options available to mitigate them, which can include behavioral analytics systems, data loss prevention tools, ongoing vetting, and internal employee monitoring processes.
In fostering a multidisciplinary approach to countering insider threats—involving insider protection teams, intelligence and investigations, legal, and human resources—an educational campaign can provide employees with confidence that they can operate openly and quickly to help mitigate risk.
Security professionals can also take proportionate and cost-effective action to manage insider threats by proactively managing disgruntled employees.
Reflection Required
All employees should strive to provide a strong example of appropriate behavior that both develops and underpins an effective business and security culture. If an employee’s behavior breaches those expectations, security leaders may benefit from taking the time to observe the incident and ask some reflective questions.
- Who am I looking at, and are they behaving differently?
- What did I expect them to do, and how was their action different?
- Where did this take place, and do I think the location or circumstances may have influenced the observed behaviors?
- When did this take place, and do I think it may have influenced the observed behaviors?
- How could they have performed differently? What can they learn from this experience? How can I manage or approach this?
- Why did they behave that way, and was it appropriate?
This proactive approach to managing risks to teams, business processes, intellectual property, and confidential information takes a different stance to traditional security—it assumes that people have good intent. Such threats may be averted through emotional, rather than security, intelligence. Employees who identify a change in the behavior of others can act quickly to engage with the individual in question to investigate concerns, detect threats, offer support, or escalate concerns.
For example, a leader might ask why someone is acting in a way that is unexpected and consider whether something in his or her personal life may have influenced his or her behavioral choices. This can provide leaders with an opportunity to use soft skills to demonstrate care to employees and increase team unity and loyalty, which in itself can positively benefit security posture. In addition, posing reflective questions to employees to encourage them to consider their choices’ impacts can provide growth opportunities, which will help develop them as both individual practitioners and team members. Such reflective practice can be performed during team performance reviews, after service incidents, and potentially after engagements between individuals that were observed as being potentially inappropriate.
Such a caring approach may in fact be the support the employee in question needs to get back on track to being the high performer you originally invited to join the team.
There is a range of training resources available—in addition to Daniel Goleman’s essential book, Emotional Intelligence—to develop communication skills and an awareness of emotional intelligence. Behavioral change takes time, however, and managers seeking to adjust security culture may need to be patient with employees and colleagues.
If security leaders are advising asset custodians and managers about how they can approach this shift, they might consider three conditions that are commonly accepted as prerequisites for malicious activity: opportunity, rationalization, and incentive. Leaders should also consider the ways that one—or all of them—can be reduced during a period of behavioral change to protect the business and to give the employee the best chance of success.
Opportunity can be reduced through the design and implementation of asset protection systems. The personal motivations of employees can be influenced through a range of employee loyalty rewards and schemes, which can be financial or focused on positive reinforcement of appropriate behaviors.
Building Deeper Connections for Threat Assessment
Taking the time to develop a deeper understanding about colleagues and employees can play an important role in the development of a holistic risk management system. It will help security leaders assess situations and judge them against expected behaviors. A phased approach can be adopted.
Take the time to develop an understanding and awareness of team members. Getting to know employees plays a crucial role in motivating them to deliver their best work, and it can help managers understand their needs and the organization’s expectations. This is crucial information for determining whether team members are happy with their jobs, whether they feel ignored or left out, and if anything may be going on in their personal lives which could influence behavior.
Identify security threats and risks. It is imperative that assets are identified and classified according to sensitivity and value. Through a business impact analysis, security leaders can determine what the effects would be if assets are damaged or fall into the wrong hands. Managers and employees should become familiar with the security threats to their organization and team, and leaders should provide clear information about the behavior that is expected of employees.
Determine appropriate security behaviors. Appropriate security behaviors should be determined in line with your organizational security policies, and all team members should be briefed on the expectations. Team performance can then be assessed against the security policies and the identified security behaviors to identify vulnerabilities and mistakes and to respond or adjust accordingly.
Determine existing levels of security knowledge and awareness. It is important to determine what a team knows and what they do not know about security policies and procedures. The identification of skills and knowledge gaps will enable you to design appropriate training programs.
Encourage your team to care. Ensure that security conversations form part of your regular team meetings so that all employees have an opportunity to inform others of their concerns or questions. Team members should be encouraged to take the time to check in with each other. Along with holding regular calls or meetings to provide project updates, dedicate time to caring for each other by asking questions and taking an interest in what motivates team members, what their interests are, and what challenges them. This can help team members and managers identify when a behavioral change has taken place, giving colleagues and managers an opportunity to divert the person from becoming a potentially harmful disgruntled employee.
Act quickly. Security breaches can happen anywhere and at any time. Reporting, record keeping, and response systems must be in place to ensure that risks are tracked and mitigated as quickly as possible.
Paul Wood, CPP, is the managing director of Emerging Risks Global. He has extensive experience leading global intelligence and security services in government and corporate environments. Alongside being an ASIS Certified Protection Professional (CPP), Wood is a UK Chartered Security Professional, Fellow of the Institute of Security, Principal Member of the Register of Security Engineers and Specialists, and serves on the ASIS CSO Technical Committee and the BSI Information Security, Cybersecurity and Privacy Protection committee.