Introduction

In this article, we describe why and how insider risk management programs (IRMPs) should consider promoting positive deterrence—a set of evidence-based workforce practices promoting the mutual interests of employees and their organization in ways that reduce insider risk. Positive deterrence complements the command-and-control approach that most IRMPs take.[1] A command-and-control approach pressures employees to act in the interests of the organization through organizational controls on their behavior including rules, regulations, technical constraints, monitoring, and response. In contrast, a positive-deterrence approach promotes internal behavioral drivers that motivate employees to willingly behave in ways reducing insider risk.

We describe a specific type of positive deterrence—practices that bolster employee perceived organizational support (POS) (Eisenberger & Stinglhamber, 2011). POS practices can increase employee commitment to and trust in the organization by increasing the perception that the organization values their contributions, cares about their well-being, supports their socioemotional needs, and treats them fairly. POS practice areas include work flexibility, work/family balance, employee assistance, fair compensation, and constructive supervision. For insider risk management, these positive-deterrence practices defend against intentional (malicious) insider threats by reducing employee disgruntlement, a common motivator of insider sabotage, theft, and espionage.

A Note on Terminology

Positive deterrence, as characterized in this article, is seldom considered an insider risk defense strategy in the field of counter-insider threat research and practices. However, criminal justice research regarding adherence to rules and regulations has identified two primary strategies that promote rule following: command-and-control and self-regulation (Tyler, 2009). This research highlights three processes that influence behavior and attitude change with respect to rules and regulations:

  • compliance to gain specific rewards or avoid specific punishment
  • identification with the organization to maintain a satisfying relationship
  • internalization of the organization’s goals and values, resulting in employee-organization alignment of interests.

Compliance underlies command-and-control strategies, whereas identification and internalization underlie self-regulation (Kelman, 1958; O’Reilly & Chatman, 1986).

In the context of insider risk management, we adopt the term command-and-control to describe those aspects of the risk management defense strategy that rely on organizational (external) controls for prevention, detection, and response. These aspects include most traditional forms of security controls, including organizational rules, technical constraints, detection and response measures, and education and training on these aspects. We chose to avoid using the terms compliance and regulation since they commonly refer to abiding by the laws and rules of an authority outside the organization, which is much more limited than what we intend. We specifically do not intend the term command-and-control to apply only in a military context. We view this set of controls as applicable (and necessary) in any setting, though the needed balance of the command-and-control and positive-deterrence approaches may differ.

We choose the term positive deterrence, rather than self-regulation, since the former builds on the evidence-based foundations of positive psychology while specifically focusing on practices that deter insider threat. Various organizational factors are relevant to insider risk (Greitzer et al., 2018). Positive deterrence encompasses workforce management practices that positively influence the organizational factors and result in reduced insider risk. Positive deterrence should not be confused with positive reinforcement—a form of a command-and-control approach that relies on external controls. Positive deterrence promotes the employee’s fundamental motivation to act in the interests of the organization; this motivation relies on intrinsic drivers rather than extrinsic drivers. Although it does not rely on external controls, positive deterrence does influence employees’ behavior through workforce management practices.

Why Augment Command-and-Control with Positive Deterrence?

There are four primary reasons why an IRMP should promote positive deterrence as a complement to its existing command-and-control governance:

1. Exclusive reliance on command and control can create a toxic working environment conducive to insider threats by undermining employee goodwill.

Employee goodwill is essential for maintaining acceptable levels of insider risk and for organizational performance generally. Most insider incidents are perpetrated by individuals who started out as loyal employees. But even loyal employees can shift toward acting against the organization’s interests under conditions of professional or personal stress, particularly where the organization mishandles the situation (Shaw & Sellers, 2015). This shift does not imply that the organization is at fault when insider incidents occur; most insider threat incidents are violations of the law or employee compliance agreements prosecutable in court. Nevertheless, a positive psychosocial work environment enabled by POS can reduce employee negative reactions to stress and strain by creating a more supportive, less toxic work environment (Martin, Karanika-Murray, et al., 2016; Seibert et al., 2004, 2011). Organizations can decrease insider misbehavior and its associated costs by implementing practices to directly increase POS, especially in stressful personal and professional situations. (See reason #2 below.)

2. Positive deterrence can reduce insider incident rates over command-and-control approaches alone.

Organizations cannot continue increasing the strength of command-and-control approaches without eventually undermining employee goodwill (Moore et al., 2015). There is a natural limit to the security an organization can achieve through command-and-control approaches alone. At a basic level, this limit is partly due to assumptions an employee makes about their relationship with the employer (Bordia et al., 2008). Employees may respond negatively to limits on their freedom to act and on their privacy in those actions, a phenomenon known as psychological reactance. Positive deterrence—in the form of practices that increase workforce perceptions of organizational support—promotes a sense of organizational justice and shared goals and values, and it helps ensure that individuals act to benefit the organization (Bordia et al., 2008; Eisenberger & Stinglhamber, 2011; Moore et al., 2018; Sulea et al., 2012). Employees who identify with the organization and internalize its goals and values tend to display pro-social organizational behavior, including adhering to organizational rules beyond the levels observed with compliance-based approaches (Kelman, 1958; O’Reilly & Chatman, 1986; Tyler, 2009). Although command-and-control approaches remain essential to IRMPs, inattention to positive deterrence leads to higher base rates of insider incidents and recurrence of damaging incidents over time (Moore et al., 2016).

3. Promoting positive-deterrence practices enhances achieving the IRMP mission.

An exclusive focus on a command-and-control strategy can pit the organization against its workforce, undermining the trust between management and employees (Moore et al., 2015). Positive deterrence creates a work environment that reinforces the bond between the organization and its workforce, contributing to the well-being of both. Positive deterrence can also strengthen the employee view that command-and-control approaches are legitimate and appropriate through the enhanced relationship that POS-boosting practices promote (Martin, Wellen, et al., 2016). The proper balance of positive deterrence and command-and-control approaches creates a net positive for both the employee and the organization. By improving employee well-being and working conditions, an IRMP can move from a “big brother” program to a “good employer” program.

4. Positive deterrence can increase the desirable employee feelings and attitudes that improve general job performance.

Research in organizational psychology demonstrates that while some (prevention-focused or risk-averse) employees respond well to command-and-control approaches, those approaches make other (promotion-focused or gain-seeking) employees feel stifled (Halvorson & Higgins, 2013). Fortunately, evidence-based positive-deterrence practices to improve POS promote employee well-being and positive disposition toward the organization and work—outcomes that reflect a consequential array of employee attitudes and behavior (Eisenberger & Stinglhamber, 2011, Chapter 7). Examples include the following:

  • Employee subjective well-being: job satisfaction, organization-based self-esteem, reduced stress, work-family balance, and positive mood

  • Positive orientation toward the organization and work: organizational commitment and identification, creativity and innovation, work engagement, trust, empowerment, and reduced cynicism

Improved organizational performance and employee well-being, job performance, and retention are primary outcomes shown in organizational psychology research (Pfeffer, 2018a); these outcomes are also the virtuous side effects of positive deterrence.

Although research continues, the existing literature provides a convincing body of evidence that positive-deterrence-related practices should be adopted now to reduce insider risk (Dalal & Gorab, 2016). Next, we describe how to leverage POS practices for positive deterrence.

IRMP Practitioner Perspectives

In 2015, the CERT Division of the Software Engineering Institute (SEI) began a study of positive deterrence in IRMPs with a survey of organizations from the Open Source Insider Threat (OSIT) Information Sharing Group (Moore et al., 2016). Members of this group are IRMP practitioners who meet regularly to discuss operational issues related to insider threat mitigation. The goal of the survey was to understand how POS influences insider cyber misbehavior in organizations. We used questions from a validated measure of POS and derived our own questions on insider misbehavior from CERT insider incident data. Our findings indicate that organizations with higher levels of POS among their workforce display lower levels of insider misbehavior.

CyLab, Carnegie Mellon University’s (CMU’s) Security and Privacy Institute, conducted an exploratory follow-up survey of OSIT Information Sharing Group members, concluding that “Management needs to find the right balance of holding people accountable for their actions while recognizing when the workplace context (including culture, policies, and practices) has the potential to exacerbate the threat” (Moore et al., 2021). That study found that collaboration and data sharing across organizational departments are important challenges IRMPs face. It also found significant levels of concern regarding possible side effects from over-reliance on command-and-control practices: infringing on workforce member rights and civil liberties, inhibiting productivity, undermining workforce trust, and reducing retention of valued employees. These negative consequences often arise in areas where command-and-control tactics are improperly applied, which are the same areas where organizational supportiveness can pay big dividends. The accumulated evidence for positive deterrence in IRMPs is sufficient to support including positive-deterrence practices in the SEI’s insider risk management practitioner guidance (CERT National Insider Threat Center, 2018, Practice 21).

For organizations, these findings mean that insider risk management governance matters. Good governance requires executive support and promotion of the IRMP, particularly inter-department collaboration and data sharing. Governance also pertains to the tools program administrators use to manage risk, including command-and-control and positive-deterrence practices. Stakeholders (including employees) must perceive these tools as fair and legitimate. As with any organizational effort, IRMPs should set attainable goals and measure performance with regular monitoring. We advise insider risk management to take foundational steps to administer and audit the performance of program activities while incorporating feedback from key stakeholders.

How to Augment Command-and-Control with Positive Deterrence

Five operational strategies help organizations use positive deterrence as part of insider risk management.

1. Build quality relationships with organizational stakeholders, including line managers and members of human resources (HR) teams.

IRMP leaders cannot implement positive deterrence by themselves; good working relationships with other organizational stakeholders are required. Stakeholder buy-in to the insider risk management mission can be promoted by advocating the value of positive deterrence for improved employee performance and retention with less insider risk. Many aspects of positive deterrence overlap with the work that line managers and HR teams do. Joint action by line managers working with HR practitioners is needed to create the supportive work settings that make positive deterrence a reality.

Proactive threat management must be part of overall IRMP governance. The organization’s leadership should avoid “tying the hands” of the IRMP by restricting its scope to the command-and-control approach. IRMPs must advocate broader recognition of how company employment practices contribute to levels of insider risk. Taking on positive deterrence is not the expansion of scope it might first seem, but it does demand IRMP advocacy of supportive employment practices wherever insider risk exists. Such proactive threat management requires support and promotion from organizational leaders and other key stakeholders.

2. Work with stakeholders to identify and implement workforce management practices that increase perceived organizational support.

An employee’s positive perception of the organization and its practices reduces the risk of employee misbehavior. Here are some examples of workforce management practices that increase employee POS:

  • Organizational justice (e.g., treating employees with dignity and compensating them equitably inside the organization and in line with industry standards)

  • Performance-based rewards and recognition (e.g., using transparent criteria for promotions and other rewards, basing them on performance and other contributions)

  • Honest and respectful communication (e.g., setting clear expectations and offering regular feedback and mentoring)

  • Personal and professional support (e.g., offering employee assistance programs, promoting employee development, and empowering employees on the job)

It is also important to hire employees with values congruent with the organization’s values. For more details about organizational support principles and practices, see Perceived Organizational Support: Fostering Enthusiastic and Productive Employees (Eisenberger & Stinglhamber, 2011, Chapter 8; Moore et al., 2016, Chapter 5).

3. Regularly seek out and assess employee perspectives regarding the IRMP and the work environment, redesigning practices accordingly.

Organizations benefit greatly from keeping up to date on how employees feel about their working environment generally and IRMP practices specifically. To learn more about employee perceptions, organizations can conduct surveys and focus groups. U.S. Federal Government organizations can take advantage of results from the annual Federal Employee Viewpoint Survey (OPM, 2020) and then conduct more in-depth follow-on assessments to probe various issues (e.g., POS or IRMP practices). Private organizations can leverage previously conducted employee climate and job satisfaction surveys in much the same way. Since even small pockets of problematic management practices or supervisory behaviors can increase insider risk, analyzing employee feedback requires drilling down into employees’ negative responses regardless of how well the organization performed overall.

4. Bundle positive deterrence with command-and-control practices to balance organizational defense.

Balanced defense bundles assemble command-and-control and positive-deterrence practices that work well together. “Working well” can mean that the advantages of practices in one area counter the disadvantages of practices in another.[2] Research demonstrates this relationship through analysis showing that positive deterrence moderates the relationship between organizational power and the employee frustration that contributes to workplace deviance (Lawrence & Robinson, 2007, Proposition 4). In addition, evidence suggests that when organizational controls are implemented consistently, with clear messaging and supportive training, it reinforces rather than undermines the positive relationship promoted by organizational support. Motivational focus theory is useful in identifying the appropriate balance of prevention and promotion strategies at an individual or team level (Halvorson & Higgins, 2013). Example balanced defense bundles include the following:

  • Combining practices that empower employees with those that implement employee monitoring. Evidence suggests that employee empowerment can mitigate the dissatisfaction associated with monitoring (Martin, Karanika-Murray, et al., 2016)

  • Bundling sanctions for rule violations with confidential grievance procedures to help ensure organizational justice (Lawrence & Robinson, 2007)

  • Ensuring investigations consider disconfirming as well as confirming evidence to reduce confirmation bias and increase perceptions of fairness (Tetlock, 1985)

These practices are not new for most organizations, but explicitly considering their combination in insider risk management is. Importantly, when employees associate the IRMP with the introduction of positive-deterrence practices into workforce management, the IRMP can increase employee goodwill toward both itself and the organization.

5. Incentivize and train management to deliver positive-deterrence practices effectively.

Positive-deterrence management practices require supervisor training to reinforce needed change in management behavior (e.g., supervisor supportiveness). Such behavioral changes can require shifts in the organization’s management culture. The best way to instill such change is to (1) align supervisors’ goals and incentives with the practice’s intent, and (2) train supervisors on how to execute a new practice effectively (Rousseau, 1990). This process gradually helps supervisors internalize the values and beliefs that are consistent with new behaviors, thus promoting required cultural change (Eisenberger & Stinglhamber, 2011; Heuer, 1999; Skarlicki & Latham, 2005).

Figure 1. Roadmap to Incorporate Positive Deterrence in IRMP

Figure 1 depicts a roadmap for establishing positive deterrence as part of an IRMP, which proceeds as follows:

  • Coordinate with HR and other stakeholders to review management practices, including current or planned insider risk management command-and-control practices.

  • Identify existing practices that can be used for positive deterrence; refine to improve their positive-deterrence effect and their compatibility with command-and-control practices.

  • Assess employee attitudes and perceptions regarding workplace environment and management practices.

  • Identify balanced defense bundles to establish a proper balance for the organization.

  • Specify organization-wide goals and incentives to instill positive deterrence as a foundation of insider risk management.

  • Coordinate with stakeholders across the organization to implement identified positive-deterrence practices, and train management to execute them effectively.

  • Periodically assess, monitor, and adjust management practices, revisiting previous steps as appropriate.

This roadmap can be adapted as needed, but ongoing assessment and refinement are essential to ensure effective implementation.

Bridging the Gap Between HR and Insider Risk with Positive Deterrence

Although some HR groups may resist getting too involved with insider threat initiatives, positive deterrence can be a vehicle to gain their help in establishing management practices that reduce insider risk. Positive deterrence improves employee work life, enables good work-life balance, and is well within the traditional HR mission (see Table 1). However, conventional HR tools may not include important aspects for reducing insider risk (e.g., POS). Business-to-employee (B2E) apps provide a means of supporting employees through a range of electronic self-service systems that help employees manage their careers and provide information about organizational performance and events. But POS must move from simply pushing information to the employee to customizing the management of the relationship between the employee and the organization.

Analogous to customer relationship management, employee relationship management (ERM) supports the customized relationship between the employee and their management chain (Hans, 2021; Strohmeier, 2013). ERM is not an individual tool or technology; it is a set of practices supported by a range of technologies that help align and reinforce the goals of the organization and the employee. As the Gartner article, Drive Employee Experience for Frontline Workers Using HR Technology, suggests, no one-size-fits-all approach exists because culture, technology, and demographics differ across firms (Grinter, 2021). Instead, it is important to build on the systems that employees use most often to capitalize on the existing technology ecosystem.

POS can be bolstered through practices that increase flexibility, empower workers with greater job control, build a sense of shared purpose, and provide social supports that promote deeper connections among employees (Gartner Newsroom, 2020; Pfeffer, 2018b). A key challenge is supporting the individualization necessary to promote POS including negotiating customized employment conditions to permit valued flexibility (Strohmeier, 2013). Feedback from employees should be used to redesign programs to correct any important gaps (Yang et al., 2011).

Table 1. Practical Guidance for Nascent and Mature IRMPs
Columns: Recommendation | Guidance for Nascent Programs | Guidance for Mature Programs
1. Build Relationships with Stakeholders
  • Establish a relationship with HR.
  • Establish a relationship with executive leadership.
  • Establish relationships with organizational managers.
  • Develop value-proposition material for communicating with stakeholders.
  • Establish relationships with external HR consultants.
  • Refine the material for communicating with workforce members.
2. Survey Existing POS Practices
  • Inventory existing organization-sponsored positive-deterrence practices, identifying in-person-based versus remote-based practices.
  • Survey workforce members about their awareness of these positive-deterrence practices (reframed to be “employee engagement offerings”) to determine their effective implementation.
  • Generate new ideas for positive-deterrence practices, such as in-person and remote-based positive-deterrence practices (e.g., offering on-site relaxation/entertainment spaces or offering discounts to a meditation service like Headspace).
  • Identify and implement quick-win positive-deterrence practices.
  • Consider flexible work arrangements (e.g., remote work, 9/80 schedules).
3. Survey Workforce Perspectives
  • Partner with HR to support a periodic workforce perspective survey.
  • Partner with HR to conduct workforce listening sessions (e.g., focus groups).
  • Develop data-collection criteria to identify workforce member challenges related to engagement, satisfaction, and organizational supportiveness.
  • Tune data collection for employee engagements to cover commitment, identification, and energization topics (Stein et al., 2021).
  • Hire a third party to manage the collection of workforce perspectives to minimize potential bias from data collection.
  • Share the results from the inventory of workforce perspectives with the workforce to improve buy-in through transparency.
4. Bundle Practices
  • Establish people-centric organizational goals.
  • Inventory positive-deterrence practices to ensure that, for each insider threat scenario, there is a bundled set of positive-deterrence and command-and-control practices.
  • Create performance measures for managers and divisions based on employee engagement.
  • Advocate for positive-deterrence-style governance tools for general organizational governance tactics (e.g., for employee performance management).
5. Train and Incentivize Management About Positive Deterrence
  • Offer leadership training for all managers.
  • Encourage managers to hold routine one-on-one meetings with their direct reports.
  • Require all managers to attend leadership training regarding how to improve organizational support for employees.
  • Create non-pay-based incentive programs for workforce members to de-stress (e.g., additional time-off or time-savings via discounts for childcare or housecleaning services).

Vision for the Future of IRMPs

Traditional IRMPs focus narrowly on command-and-control activities instead of incorporating proactive threat prevention into their efforts. IRMPs should advocate for supportive organizational climates to better balance command-and-control activities with positive-deterrence activities. This article provides the evidence base, framework, and a roadmap for IRMPs to achieve this balance.

Figure 2. Extending the Traditional Security Paradigm with Positive Deterrence (Adapted from Moore et al., 2018)

Figure 2 illustrates the balanced defense that results from combining positive-deterrence and command-and-control activities. We created the illustration by combining the depiction Straub and Welke (1998) provide of a command-and-control approach with our representation of positive deterrence to show their complementarity. In addition to positive deterrence via POS, organizations can also consider two other organizational psychology concepts:

These well-studied areas convey many of the positive benefits of POS but in different ways (Pfeffer, 2018b). They offer IRMPs additional food for thought in their pursuit of evidence-based approaches to incorporating positive-deterrence practices into their insider risk management. These approaches can help minimize insider risk and employees’ negative perceptions of the command-and-control approach. Organizations that adjust management practices accordingly send the message of advocacy for their workforces and commitment to employee well-being. Such a message is valuable to all employees, particularly those who are turned off by programs focused strictly on discovering insider wrongdoing.


Acknowledgments

The authors would like to thank those who helped develop the area of work involving the positive deterrence of insider threat: Daniel Bauer, Tracy Cassidy, William Claycomb, Matthew Collins, Daniel Costa, Jennifer Cowley, Robert Ditmore, Angela Horneman, Sarah Miller, Susan Moore, David Mundie, Luke Osterritter, Sam Perl, Derrick Spooner, Michael Theis, Randall Trzeciak, and Nathan VanHoudnos. We would also like to thank the SEI technical editors: Barbara White and Sandy Shrum.

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

NO WARRANTY. CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

DM22-0002


  1. In this article, references to employees include workforce members who are managed directly by the organization, whether they are full-time, part-time, or contracted through a third party.

  2. While the potential negative consequences of excessive command-and-control approaches have been elaborated (Moore et al., 2015), positive-deterrence practices can have negative consequences as well. Examples include heightened insider risk due to employees’ empowerment beyond demonstrated competence or over-identification with the organization (Veenstra, 2015).