Introduction
In this article, we describe why and how insider risk management programs (IRMPs) should consider promoting positive deterrence—a set of evidence-based workforce practices promoting the mutual interests of employees and their organization in ways that reduce insider risk. Positive deterrence complements the command-and-control approach that most IRMPs take.[1] A command-and-control approach pressures employees to act in the interests of the organization through organizational controls on their behavior including rules, regulations, technical constraints, monitoring, and response. In contrast, a positive-deterrence approach promotes internal behavioral drivers that motivate employees to willingly behave in ways reducing insider risk.
We describe a specific type of positive deterrence—practices that bolster employee perceived organizational support (POS) (Eisenberger & Stinglhamber, 2011). POS practices can increase employee commitment to and trust in the organization by increasing the perception that the organization values their contributions, cares about their well-being, supports their socioemotional needs, and treats them fairly. POS practice areas include work flexibility, work/family balance, employee assistance, fair compensation, and constructive supervision. For insider risk management, these positive-deterrence practices defend against intentional (malicious) insider threats by reducing employee disgruntlement, a common motivator of insider sabotage, theft, and espionage.
Why Augment Command-and-Control with Positive Deterrence?
There are four primary reasons why an IRMP should promote positive deterrence as a complement to its existing command-and-control governance:
1. Exclusive reliance on command and control can create a toxic working environment conducive to insider threats by undermining employee goodwill.
Employee goodwill is essential for maintaining acceptable levels of insider risk and for organizational performance generally. Most insider incidents are perpetrated by individuals who started out as loyal employees. But even loyal employees can shift toward acting against the organization’s interests under conditions of professional or personal stress, particularly where the organization mishandles the situation (Shaw & Sellers, 2015). This shift does not imply that the organization is at fault when insider incidents occur; most insider threat incidents are violations of the law or employee compliance agreements prosecutable in court. Nevertheless, a positive psychosocial work environment enabled by POS can reduce employee negative reactions to stress and strain by creating a more supportive, less toxic work environment (Martin, Karanika-Murray, et al., 2016; Seibert et al., 2004, 2011). Organizations can decrease insider misbehavior and its associated costs by implementing practices to directly increase POS, especially in stressful personal and professional situations. (See reason #2 below.)
2. Positive deterrence can reduce insider incident rates over command-and-control approaches alone.
Organizations cannot continue increasing the strength of command-and-control approaches without eventually undermining employee goodwill (Moore et al., 2015). There is a natural limit to the security an organization can achieve through command-and-control approaches alone. At a basic level, this limit is partly due to assumptions an employee makes about their relationship with the employer (Bordia et al., 2008). Employees may respond negatively to limits on their freedom to act and on their privacy in those actions, a phenomenon known as psychological reactance. Positive deterrence—in the form of practices that increase workforce perceptions of organizational support—promotes a sense of organizational justice and shared goals and values, and it helps ensure that individuals act to benefit the organization (Bordia et al., 2008; Eisenberger & Stinglhamber, 2011; Moore et al., 2018; Sulea et al., 2012). Employees who identify with the organization and internalize its goals and values tend to display pro-social organizational behavior, including adhering to organizational rules beyond the levels observed with compliance-based approaches (Kelman, 1958; O’Reilly & Chatman, 1986; Tyler, 2009). Although command-and-control approaches remain essential to IRMPs, inattention to positive deterrence leads to higher base rates of insider incidents and recurrence of damaging incidents over time (Moore et al., 2016).
3. Promoting positive-deterrence practices enhances achieving the IRMP mission.
An exclusive focus on a command-and-control strategy can pit the organization against its workforce, undermining the trust between management and employees (Moore et al., 2015). Positive deterrence creates a work environment that reinforces the bond between the organization and its workforce, contributing to the well-being of both. Positive deterrence can also strengthen the employee view that command-and-control approaches are legitimate and appropriate through the enhanced relationship that POS-boosting practices promote (Martin, Wellen, et al., 2016). The proper balance of positive deterrence and command-and-control approaches creates a net positive for both the employee and the organization. By improving employee well-being and working conditions, an IRMP can move from a “big brother” program to a “good employer” program.
4. Positive deterrence can increase the desirable employee feelings and attitudes that improve general job performance.
Research in organizational psychology demonstrates that while some (prevention-focused or risk-averse) employees respond well to command-and-control approaches, those approaches make other (promotion-focused or gain-seeking) employees feel stifled (Halvorson & Higgins, 2013). Fortunately, evidence-based positive-deterrence practices to improve POS promote employee well-being and positive disposition toward the organization and work—outcomes that reflect a consequential array of employee attitudes and behavior (Eisenberger & Stinglhamber, 2011, Chapter 7). Examples include the following:
-
Employee subjective well-being: job satisfaction, organization-based self-esteem, reduced stress, work-family balance, and positive mood
-
Positive orientation toward the organization and work: organizational commitment and identification, creativity and innovation, work engagement, trust, empowerment, and reduced cynicism
Improved organizational performance and employee well-being, job performance, and retention are primary outcomes shown in organizational psychology research (Pfeffer, 2018a); these outcomes are also the virtuous side effects of positive deterrence.
Although research continues, the existing literature provides a convincing body of evidence that positive-deterrence-related practices should be adopted now to reduce insider risk (Dalal & Gorab, 2016). Next, we describe how to leverage POS practices for positive deterrence.
How to Augment Command-and-Control with Positive Deterrence
Five operational strategies help organizations use positive deterrence as part of insider risk management.
1. Build quality relationships with organizational stakeholders, including line managers and members of human resources (HR) teams.
IRMP leaders cannot implement positive deterrence by themselves; good working relationships with other organizational stakeholders are required. Stakeholder buy-in to the insider risk management mission can be promoted by advocating the value of positive deterrence for improved employee performance and retention with less insider risk. Many aspects of positive deterrence overlap with the work that line managers and HR teams do. Joint action by line managers working with HR practitioners is needed to create the supportive work settings that make positive deterrence a reality.
Proactive threat management must be part of overall IRMP governance. The organization’s leadership should avoid “tying the hands” of the IRMP by restricting its scope to the command-and-control approach. IRMPs must advocate broader recognition of how company employment practices contribute to levels of insider risk. Taking on positive deterrence is not the expansion of scope it might first seem, but it does demand IRMP advocacy of supportive employment practices wherever insider risk exists. Such proactive threat management requires support and promotion from organizational leaders and other key stakeholders.
2. Work with stakeholders to identify and implement workforce management practices that increase perceived organizational support.
An employee’s positive perception of the organization and its practices reduces the risk of employee misbehavior. Here are some examples of workforce management practices that increase employee POS:
-
Organizational justice (e.g., treating employees with dignity and compensating them equitably inside the organization and in line with industry standards)
-
Performance-based rewards and recognition (e.g., using transparent criteria for promotions and other rewards, basing them on performance and other contributions)
-
Honest and respectful communication (e.g., setting clear expectations and offering regular feedback and mentoring)
-
Personal and professional support (e.g., offering employee assistance programs, promoting employee development, and empowering employees on the job)
It is also important to hire employees with values congruent with the organization’s values. For more details about organizational support principles and practices, see Perceived Organizational Support: Fostering Enthusiastic and Productive Employees (Eisenberger & Stinglhamber, 2011, Chapter 8; Moore et al., 2016, Chapter 5).
3. Regularly seek out and assess employee perspectives regarding the IRMP and the work environment, redesigning practices accordingly.
Organizations benefit greatly from keeping up to date on how employees feel about their working environment generally and IRMP practices specifically. To learn more about employee perceptions, organizations can conduct surveys and focus groups. U.S. Federal Government organizations can take advantage of results from the annual Federal Employee Viewpoint Survey (OPM, 2020) and then conduct more in-depth follow-on assessments to probe various issues (e.g., POS or IRMP practices). Private organizations can leverage previously conducted employee climate and job satisfaction surveys in much the same way. Since even small pockets of problematic management practices or supervisory behaviors can increase insider risk, analyzing employee feedback requires drilling down into employees’ negative responses regardless of how well the organization performed overall.
4. Bundle positive deterrence with command-and-control practices to balance organizational defense.
Balanced defense bundles assemble command-and-control and positive-deterrence practices that work well together. “Working well” can mean that the advantages of practices in one area counter the disadvantages of practices in another.[2] Research demonstrates this relationship through analysis showing that positive deterrence moderates the relationship between organizational power and the employee frustration that contributes to workplace deviance (Lawrence & Robinson, 2007, Proposition 4). In addition, evidence suggests that when organizational controls are implemented consistently, with clear messaging and supportive training, it reinforces rather than undermines the positive relationship promoted by organizational support. Motivational focus theory is useful in identifying the appropriate balance of prevention and promotion strategies at an individual or team level (Halvorson & Higgins, 2013). Example balanced defense bundles include the following:
-
Combining practices that empower employees with those that implement employee monitoring - Evidence suggests that employee empowerment can mitigate the dissatisfaction associated with monitoring (Martin, Karanika-Murray, et al., 2016)
-
Bundling sanctions for rule violations with confidential grievance procedures to help ensure organizational justice (Lawrence & Robinson, 2007)
-
Ensuring investigations consider disconfirming as well as confirming evidence to reduce confirmation bias and increase perceptions of fairness (Tetlock, 1985)
These practices are not new for most organizations but explicitly considering their combination in insider risk management is. Importantly, IRMPs associated with introducing positive-deterrence practices into workforce management can increase employee goodwill toward both the IRMP and the organization.
5. Incentivize and train management to deliver positive-deterrence practices effectively.
Positive-deterrence management practices require supervisor training to reinforce needed change in management behavior (e.g., supervisor supportiveness). Such behavioral changes can require shifts in the organization’s management culture. The best way to instill such change is to (1) align supervisors’ goals and incentives with the practice’s intent, and (2) train supervisors on how to execute a new practice effectively (Rousseau, 1990). This process gradually helps supervisors internalize the values and beliefs that are consistent with new behaviors, thus promoting required cultural change (Eisenberger & Stinglhamber, 2011; Heuer, 1999; Skarlicki & Latham, 2005).
Figure 1 depicts a roadmap for establishing positive deterrence as part of an IRMP, which proceeds as follows:
-
Coordinate with HR and other stakeholders to review management practices, including current or planned insider risk management command-and-control practices.
-
Identify existing practices that can be used for positive deterrence; refine to improve their positive-deterrence effect and their compatibility with command-and-control practices.
-
Assess employee attitudes and perceptions regarding workplace environment and management practices.
-
Identify balanced defense bundles to establish a proper balance for the organization.
-
Specify organization-wide goals and incentives to instill positive deterrence as a foundation of insider risk management.
-
Coordinate with stakeholders across the organization to implement identified positive-deterrence practices, and train management to execute them effectively.
-
Periodically assess, monitor, and adjust management practices, revisiting previous steps as appropriate.
This roadmap can be adapted as needed, but an ongoing assessment and refinement are essential to ensure effective implementation.
Bridging the Gap Between HR and Insider Risk with Positive Deterrence
Although some HR groups may resist getting too involved with insider threat initiatives, positive deterrence can be a vehicle to gain their help in establishing management practices that reduce insider risk. Positive deterrence improves employee work life, enables good work-life balance, and is well within the traditional HR mission (See Table 1). However, conventional HR tools may not include important aspects for reducing insider risk (e.g., POS). Business-to-employee (B2E) apps provide a means of supporting employees through a range of electronic self-service systems offering employees help managing their careers as well as providing information about organizational performance and events. But POS must move from simply pushing information to the employee, to customizing the management of the relationship between the employee and the organization.
Analogous to customer relationship management, employee relationship management (ERM) supports the customized relationship between the employee and their management chain (Hans, 2021; Strohmeier, 2013). ERM is not an individual tool or technology; it is a set of practices supported by a range of technologies that help align and reinforce the goals of the organization and the employee. As the Gartner article, Drive Employee Experience for Frontline Workers Using HR Technology, suggests, no one-size-fits-all approach exists because culture, technology, and demographics differ across firms (Grinter, 2021). Instead, it is important to build on the systems that employees use most often to capitalize on the existing technology ecosystem.
POS can be bolstered through practices that increase flexibility, empower workers with greater job control, build a sense of shared purpose, and provide social supports that promote deeper connections among employees (Gartner Newsroom, 2020; Pfeffer, 2018b). A key challenge is supporting the individualization necessary to promote POS including negotiating customized employment conditions to permit valued flexibility (Strohmeier, 2013). Feedback from employees should be used to redesign programs to correct any important gaps (Yang et al., 2011).
Vision for the Future of IRMPs
Traditional IRMPs focus narrowly on command-and-control activities instead of incorporating proactive threat prevention into their efforts. IRMPs should advocate for supportive organizational climates to better balance command-and-control activities with positive-deterrence activities. This article provides the evidence base, framework, and a roadmap for IRMPs to achieve this balance.
Figure 2 illustrates the balanced defense from combining positive-deterrence and command-and-control activities. We create an illustration combining the depiction Straub and Welke (1998) provide of a command-and-control approach with our representation of positive deterrence to show their complementarity. In addition to positive deterrence via POS, organizations can also consider two other organizational psychology concepts:
-
Job engagement—the extent to which employees are excited by and absorbed in their work (OPM, 2020; Schaufeli & Bakker, 2004)
-
Connectedness at work—the extent to which employees trust, feel close to, and want to interact with their co-workers (Brien et al., 2012; Malone et al., 2012)
These well-studied areas convey many of the positive benefits of POS but in different ways (Pfeffer, 2018b). They offer IRMPs additional food for thought in their pursuit of evidence-based approaches to incorporating positive-deterrence practices into their insider risk management. These approaches can help minimize insider risk and employees’ negative perceptions of the command-and-control approach. Organizations that adjust management practices accordingly send the message of advocacy for their workforces and commitment to employee well-being. Such a message is valuable to all employees, particularly those who are turned off by programs focused strictly on discovering insider wrongdoing.
Acknowledgments
The authors would like to thank those who helped develop the area of work involving the positive deterrence of insider threat: Daniel Bauer, Tracy Cassidy, William Claycomb, Matthew Collins, Daniel Costa, Jennifer Cowley, Robert Ditmore, Angela Horneman, Sarah Miller, Susan Moore, David Mundie, Luke Osterritter, Sam Perl, Derrick Spooner, Michael Theis, Randall Trzeciak, and Nathan VanHoudnos. We would also like to thank the SEI technical editors: Barbara White and Sandy Shrum.
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
NO WARRANTY. CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT INFRINGEMENT.
DM22-0002
In this article, references to employees includes workforce members who are managed directly by the organization, whether they are full-time, part-time, or are contracted through a third party.
While the potential negative consequences of excessive command-and-control approaches have been elaborated (Moore et al., 2015), positive-deterrence practices can have negative consequences as well. Examples include heightened insider risk due to employees’ empowerment beyond demonstrated competence or over identification with the organization (Veenstra, 2015).