Accurate prediction of insider acts remains a challenge for both substantive and statistical reasons. The substantive challenges concern identifying those personality, psychosocial, occupational, and stress-related factors and immediate process variables that contribute to the likelihood or risk of committing a malicious insider act. The statistical challenge is the well-known difficulty in predicting a low base-rate or statistically infrequent event. It is highly likely that multiple psychological, psychosocial, contextual, and stressor-related factors contribute to the emergence of malicious insider acts. There is no single type of person that commits an insider act, there is no single set of circumstances that facilitates an insider act, and there is no single, inexorable pathway to insider acts that is followed by all inside actors. The Critical Pathway to Insider Risk (CPIR) (Shaw & Sellers, 2015) framework proposes a multifactorial model that takes many of these factors flexibly into account and operationalizes the amalgam of factors as an index of risk for insider acts.

The CPIR has been the focus of work and review over the past 20 years (Band et al., 2006; Shaw, 2006; Shaw et al., 2009; Shaw & Fischer, 2005; Shaw & Stock, 2011) and was described in detail in 2015 (Shaw & Sellers, 2015). Since 2015, the CPIR has been frequently incorporated into discussions of insider actions and detection of insider risk (Baweja et al., 2019; FBI Insider Threat Office, 2019; Myers & Trent, 2019). Based on feedback we have received, it is seen as a useful heuristic and enjoys acceptance among analysts because it frames a process or tells a story of insider risk that makes sense in light of field experience (i.e., content validity). It can be described briefly as a multifactorial model of accumulating risk in a person over time, incorporating predisposing factors, stressors, concerning behaviors, and maladaptive organizational response as well as mitigating factors (Shaw & Sellers, 2015; see Figure 1). Although our conceptual schematic (Figure 1) portrays domains of relevant risk enhancing factors in a linear fashion (e.g., maladaptive organizational response is depicted later in the sequence), we emphasize that factors such as stressors and maladaptive organizational response can impact the individual on the critical path at many junctures. In fact, one could conceive of maladaptive organizational responses and/or stressors as being impactful all along the critical path, including early in someone’s trajectory. For example, the failure to screen out an employee with demonstrated personal predispositions could occur even prior to employment.

Figure 1. Critical Pathway to Insider Risk Model

The general developmental framework underpinning the CPIR is reflective of the well-known diathesis-stressor model (e.g., Ingram & Price, 2010; Monroe & Simons, 1991) that is used in many areas of clinical science, notably experimental and developmental psychopathology. Each sub-component of the CPIR represents a set of constructs that can be defined explicitly and measured empirically, supported by psychological science and/or counterintelligence/insider risk literatures. For example, the predisposing factors component of the CPIR consists of well-known forms of psychopathology and personality features (traits)[1] that have been defined in the clinical psychological science and psychiatric literature (e.g., DSM-5, APA, 2013) and are known to occur among insider actors and spies (e.g., Cappelli et al., 2012; Carmicheal, 2007; Fischer, 2000; Gelles, 2012; Herbig, 2008a, 2008b, 2017; Krofcheck & Gelles, 2005; Lenzenweger et al., 2014, 2019, 2021; National Counterintelligence Center & Rafalko, 2011; Robarge, 2003; Sarbin et al., 1994; Schwartz, 2007; Shechter & Lang, 2011; Sulick, 2014, 2020). Each component of the CPIR serves to generate empirical data and, therefore, the general framework represents not only a model, but also a data collection method. The CPIR, by allowing for empirical data collection, provides counterintelligence and insider risk professionals with an analytic framework and a method for assembling and combining data in a manner that ultimately allows for specification of a hypothetical level of insider risk. We have refined and expanded the CPIR to ensure adequate coverage of psychological and behavioral domains relevant to insider risk, including espionage, such as a full consideration of commonly observed personality disorder features (Lenzenweger et al., 2007), drawing upon the DSM-5 (American Psychiatric Association, 2013) as well as other approaches (e.g., psychopathy, Patrick et al., 2009; narcissism, Pincus & Lukowitsky, 2010). 
This refinement process has been carried out through our work as clinical psychologists working cases and consulting with multiple government and corporate insider threat teams, collegial feedback from insider threat professionals, review of relevant psychological science literature, and ongoing work with web app developers that are creating software to operationalize a preliminary measure based on the CPIR, the Insider Threat Risk Index (Lenzenweger & Shaw, 2015). Over 500 international professionals have received training and certification in its use in risk assessment[2]. Finally, in this context, we note that while case studies have informed our work in the development of the CPIR, we have proceeded mindfully in light of well-known cognitive considerations that can impact the derivation of insights from criterion cases, such as confirmation bias and hindsight bias (see Gilovich et al., 2002; Kahneman, 2011), and we have sought to minimize their potential impact by consulting the empirical literature in both insider risk research and psychological science, more broadly.

Critical reflections on the CPIR approach

The CPIR, in brief, is a description of many characteristics of persons in many different situations who have committed insider acts and describes these characteristics as predisposing factors (personality traits, previous violations, social behaviors, personality disorder features, other forms of psychopathology) and stressors that impact the individual. In short, this is the guiding framework for most psychopathology research, namely the well-known diathesis-stressor model. To the extent that one might say that the CPIR has a primarily descriptive nature, we would embrace that feature of the model. That is so, because one needs to begin somewhere with respect to what the insider brings to his/her actions in terms of individual differences and experiences. While there has been considerable discussion over the years as to the personality make-up of those that commit insider acts (e.g., spies), the range of relevant personality and psychopathology features remains to be fully specified and how they relate to stressors and other factors remains to be illuminated. An implicit implication here is that the CPIR remains to be fully validated against agreed upon criteria (e.g., documented insider actors vs. a variety of controls). The risk construct that the CPIR seeks to assess and combine into a useful predictive tool must be fully validated through classic concurrent and predictive criterion validity operations. For example, continued study of how the CPIR risk construct is related to actual insider actions, both concurrently and predictively, is paramount. Does the CPIR risk assessment point to concurrent behaviors that represent insider actions or threats? Does the CPIR risk assessment correlate with (predict) actual full-fledged insider attacks over time? This is the aim of classic criterion validation (Cronbach & Meehl, 1955) and represents an active area of research for the CPIR.

Portions or domains of the CPIR are already well supported by the empirical literature. For example, the personal predispositions domain of the CPIR is robustly supported by evidence suggesting problems and/or deviations in this domain are found in insiders of various sorts. For example, research supports the importance of personality dysfunction (Lenzenweger et al., 2014; PERSEREC, 2019) as well as elevated rates of alcohol and substance abuse in spies (Heurer, 2010), while it is also known that elevated levels of substance abuse are related to higher rates of criminality (e.g., Ilgen & Kleinberg, 2011). Similarly, personality and social skill deficits have been related to counterproductive work behaviors (Whitty, n.d.) and increased rates of prosecution for insider violations (Randall, 2013). Finally, elevated levels of personality pathology, as manifested in psychological testing, have been established using the recently harmonized SLAMMER dataset from the FBI (Lenzenweger et al., 2019). Other aspects of the CPIR are based on the established empirical literature, particularly in the domains related to prior violations (US Sentencing Commission Report), social network risks (Rokven et al., 2018), and family risks for criminality (West & Farrington, 1973).

However, as with most complex theoretical models in psychological science, the CPIR includes constructs that themselves remain under study and for which there remains active discussion and no definitive consensus in the scientific literature. For example, consider the issue of stressors (Dohrenwend et al., 1978; Dohrenwend & Dohrenwend, 1974; Slavich & Shields, 2018) and the role stressors play in the CPIR. The CPIR allows for stressors to contribute to the development of risk for an insider act. Many individuals that might be of interest to a counterintelligence or insider risk investigator will be in their adult years and will have lived a good deal of life. During that time the person of interest will have encountered various stressors at various junctures across the lifespan. Some stressors will have occurred well before a period of employment, some several years prior to an insider act, and some immediately proximal to an insider attack. Which stressors are the most relevant to the development of insider risk? How should they be accounted for in the CPIR? For example, consider the convicted spy Aldrich Ames who grew up with a father impaired by severe alcohol dependence, was arrested three times by his early 20’s, failed out of school just before joining CIA, and had financial, marital, and professional problems while at the Agency and leading up to his espionage actions. How best to account for all these stressors impacting Ames’s life course? We have pondered questions regarding stressors such as: What time frame should be specified for the assessment of stressors? Does the effect of stressors wear off over time and if so, what is the half-life of common stressors? Is it the case that some stressors never lose their impact (e.g., death of a child)? How best to account for stress across the lifespan (Slavich & Shields, 2018)? The stress literature is rich and vibrant, yet it continues to develop and necessarily remains opaque on many such issues. 
In this area, we have had to mindfully extend our model conceptualization beyond what is available to us in the psychological science literature (e.g., how we count stressors over time and weight more recent versus past stressful life events properly) and we wish to be forthright about that aspect of some components of the CPIR (i.e., there are places in the model where rational and defensible assumptions must be made even though a definitive scientific literature is not in place).

The study of insider risk and insider behavior has grown up, in part, from a consideration of individuals that have been caught engaging in such behavior. Indeed, insiders have been detected and caught in a wide variety of occupational roles and a wide range of employing organizations. Moreover, insiders cover a wide range of bad actors such as leakers, spies, those perpetrating workplace violence, those seeking to exploit inside knowledge or leverage for reward (e.g., ransomware attackers / extortion), and so on. Combining both the nature of the insider actions and the place of employment immediately suggests a high degree of heterogeneity across insiders who perpetrate malicious actions. Adding to that heterogeneity is the statistical reality that the sample of such persons (and the correlations amongst variables found in such samples) is inherently shaped a priori by those persons studied, namely the ones that “got caught.” In short, the sample we have worked from in developing the CPIR is highly heterogeneous both in terms of people and actions, but the entire sample is conditioned upon having been investigated, apprehended and (typically) prosecuted. One can think of such statistical conditioning as a form of bias, not unlike the well-known Berkson’s bias in epidemiology (i.e., the study of hospitalized cases necessarily shapes aspects of the subject pool characteristics and the obtained research findings). Quite apart from the reality that the study of cases where a perpetrator of an inside action has been caught can limit one’s scope, we must accept the fact that heterogeneity in features and histories across insider actors is going to be more common than not. Certainly, an assumption of homogeneity within this class of persons is untenable. Our view of heterogeneity across the class of inside actors is consistent with the reality of the amount of heterogeneity one sees in other complex phenotypes. 
For example, consider the diagnosis of borderline personality disorder (BPD), where the single diagnosis is consistent with 256 different combinations of symptoms and those persons within the BPD category are famously heterogeneous. We seek to embrace the heterogeneity observed across inside actors – our embracing posture vis-à-vis the CPIR is necessary (the reality of insiders), and we view it as a potential strength of the model (namely, a flexible framework), albeit a challenging one. In addition to the general risk framework provided by the CPIR, we see considerable merit in seeking to refine specific pathways that might be linked to specific insider actions (e.g., leakers vs. IT theft/corruption vs. espionage). Future work would benefit from data sources sufficiently robust to break down insiders by type of act, experience, organizational setting and other more specific factors (Cappelli et al., 2012; Herbig, 2017).

Not unrelated to the issue of heterogeneity and the forces that shape the characteristics of those whom we study, we note the CPIR is something of an anomaly-based framework. By this we mean that we are seeking to detect persons that might, for one reason or another, begin to emerge as noteworthy in terms of likely risk. Thus, the CPIR is particularly sensitive to persons that might be thought of as outliers (i.e., deviant or atypical in some general sense), meaning they are emitting signals that we are detecting in assessing risk. The potential downside of an anomaly-based framework is that it could miss what we might term “non-outliers,” or persons moving quietly along towards an insider attack and providing little to no clues of their trajectory. In other words, the CPIR assumes many cases or potential insiders will emit some signals of escalating risk; but some people may not reveal much signal. This problem, we note, is not unique to the CPIR; rather, it is a consideration for any predictive framework that assumes those persons en route to an insider action will generate a signal of their elevated risk.

The CPIR has been designed to be a conceptual model that unifies those factors thought to contribute to risk for an insider act, based on a wealth of observations, case studies, and empirical/statistical simulations (for example, Band et al., 2006; Cappelli et al., 2010, 2012; Caputo et al., 2009; Carmicheal, 2007; Fischer, 2000; Hanley et al., 2011; Jaros et al., 2019; Keeney et al., 2005; Moore et al., 2011; O’Brien, 2005; Olive, 2010; Randall, 2013; Randazzo et al., 2005; Shaw et al., 2013a, 2013b, 2017; Shaw & Fischer, 2005; Weaver, 2010; Wood & Wiskoff, 1992). The notion guiding the assessment of risk is that it provides some quantitative metric for determining whether a person under study is showing elevated propensity for action or not. It is, in fact, a probabilistic statement – it might be right, it might be wrong, but it places a bet, so to speak. The CPIR can be thought of as the framework that organizes those factors we see as central to risk and the model, therefore, also implicitly functions as a screening tool to tap risk. The challenge faced by the CPIR, as a model and risk tapping methodology, is that the criterion behavior that is being predicted has a relatively low base-rate or, in other words, it is statistically infrequent. The person that engages in insider actions is truly the proverbial “needle in the haystack.” As is well known, prediction of low base-rate phenomena (consider the prediction of completed suicide, plane crashes, being struck by lightning, or a terrorist attack) is always going to be faced with both false-positive and false-negative predictions, despite the use of a valid and highly efficient prediction tool or algorithm. Even an instrument that has both excellent sensitivity and specificity will generate false positives and false negatives in the context of a low base-rate criterion. The CPIR was developed mindful of this perennial challenge in prediction.
One potential issue related to false-positive predictions using the CPIR (or any other insider risk screening approach) concerns the potential for negative impact related to identifying someone at risk but who has no intention of committing an insider act. Therefore, in discussing the CPIR we stress the need to use it in conjunction with all available data and to accord considerable weight to the quality of data used to generate CPIR assessments as well as the need for multiple corroborative sources of information.
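The base-rate problem described above, worked through as an added example that is not part of the original article and does not use the CPIR's own scoring. The workforce size, base rate, sensitivity and specificity are constructed values, and the second corroborating source is assumed to be statistically independent of the first.

```python
"""Base-rate arithmetic for a risk screen (added illustration, constructed numbers)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreenOutcome:
    """Expected counts in each cell of the confusion matrix."""
    true_pos: float
    false_pos: float
    false_neg: float
    true_neg: float

    @property
    def ppv(self) -> float:
        """Share of flagged people who really are on the path to an act."""
        flagged = self.true_pos + self.false_pos
        return self.true_pos / flagged if flagged else 0.0

    @property
    def npv(self) -> float:
        """Share of cleared people who really are not."""
        cleared = self.true_neg + self.false_neg
        return self.true_neg / cleared if cleared else 0.0


def _check_rate(name: str, value: float) -> None:
    if not 0.0 < value < 1.0:
        raise ValueError(f"{name} must lie strictly between 0 and 1")


def screen(population: int, base_rate: float,
           sensitivity: float, specificity: float) -> ScreenOutcome:
    """Expected outcome of applying one screen to a whole population."""
    for name, value in (("base_rate", base_rate), ("sensitivity", sensitivity),
                        ("specificity", specificity)):
        _check_rate(name, value)
    positives = population * base_rate
    negatives = population - positives
    true_pos = positives * sensitivity
    true_neg = negatives * specificity
    return ScreenOutcome(true_pos, negatives - true_neg,
                         positives - true_pos, true_neg)


def corroborate(first: ScreenOutcome, sensitivity: float,
                specificity: float) -> ScreenOutcome:
    """Keep a flag only if a second, independent source also supports it.

    Independence is an assumption; correlated sources help less than this.
    """
    _check_rate("sensitivity", sensitivity)
    _check_rate("specificity", specificity)
    true_pos = first.true_pos * sensitivity
    false_pos = first.false_pos * (1.0 - specificity)
    return ScreenOutcome(
        true_pos,
        false_pos,
        first.false_neg + (first.true_pos - true_pos),    # newly missed cases
        first.true_neg + (first.false_pos - false_pos),   # correctly unflagged
    )


def specificity_needed(base_rate: float, sensitivity: float,
                       target_ppv: float) -> float:
    """Specificity a single screen would need to reach target_ppv.

    Solves PPV = s*p / (s*p + (1 - spec)*(1 - p)) for spec.
    """
    for name, value in (("base_rate", base_rate), ("sensitivity", sensitivity),
                        ("target_ppv", target_ppv)):
        _check_rate(name, value)
    max_fp_rate = (sensitivity * base_rate * (1.0 - target_ppv)
                   / (target_ppv * (1.0 - base_rate)))
    return 1.0 - max_fp_rate


if __name__ == "__main__":
    # Constructed scenario: 100,000 staff, 1 in 1,000 on the path to an act.
    first = screen(100_000, base_rate=0.001, sensitivity=0.95, specificity=0.95)
    second = corroborate(first, sensitivity=0.90, specificity=0.90)
    for label, result in (("single screen", first), ("with corroboration", second)):
        print(f"{label:20s} flagged={result.true_pos + result.false_pos:8.1f} "
              f"false_pos={result.false_pos:8.1f} missed={result.false_neg:5.1f} "
              f"PPV={result.ppv:.3f}")
    print("specificity for PPV 0.5:", round(specificity_needed(0.001, 0.95, 0.5), 6))
```

With these constructed inputs, roughly 98 of every 100 flags from the single screen are false positives; requiring corroboration cuts the false positives tenfold but nearly triples the missed cases.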

An implicit feature of the CPIR is that it is highly amenable to developmental process-oriented thinking (i.e., growth, change). The CPIR clearly allows for the conceptualization of risk in a cross-sectional manner when applied at a single point in time, but importantly it also allows for updating a case assessment and inclusion of new information as time proceeds. We envision that the potential insider is, in fact, traversing a pathway that unfolds over time. The model embraces the concept of change that can occur over time and we have encouraged our colleagues to think of the CPIR as generating snapshots of an individual at selected time points, but to also keep in mind that those snapshots are very likely part of an individual’s growth trajectory. This view is consistent with modern longitudinal analysis. In longitudinal research in contemporary personality or personality disorder, for example, the unit of analysis in many studies is what is known as the individual growth curve (Lenzenweger et al., 2004; Rogosa & Willett, 1985) in which a variable of interest is assessed over time and change or stability in that variable is defined as a function of time. In such an analytic framework, one can easily distinguish between a person’s initial level (or starting value) on the variable of interest and their rate of change (or slope) in the variable of interest over time. Such an approach allows one to assess, for every individual under study, whether, for example, they are increasing or decreasing on a variable of interest over time as well as the specific rate of change for that individual. Using this approach to stability and change, we conceptualize the CPIR as tapping a person’s insider risk level, which can be tapped repeatedly over time; those repeated assessments will allow us to determine if their risk is increasing or decreasing (as well as the rate of change) using an individual growth curve approach.
We note the flexibility of the CPIR framework in that it allows for heterogeneity of growth, which means it does not expect all insiders to show the same features, progression, and/or rates of change. Relatedly, the CPIR allows for equifinality (Cicchetti & Rogosch, 1996) of outcome, which means that there are different paths by which one can arrive at a common endpoint, namely an insider act.
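The individual growth curve idea described above, as an added example that is not part of the original article: each person's repeated scores are fitted with an ordinary least-squares line, the simplest form of a growth curve, giving an initial level (intercept) and a rate of change (slope). The subjects, scores, assessment months and the slope cut-off of 1.0 point per month are all constructed assumptions, not CPIR data or CPIR thresholds.

```python
"""Per-person growth curves for repeated risk scores (added illustration)."""
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple


class GrowthCurve(NamedTuple):
    intercept: float  # fitted initial level at month 0
    slope: float      # fitted change in score per month


def fit_growth_curve(months: Sequence[float],
                     scores: Sequence[float]) -> Optional[GrowthCurve]:
    """Least-squares straight line through one person's assessments.

    Returns None when a slope cannot be estimated: fewer than two
    assessments, or all assessments taken at the same time point.
    """
    if len(months) != len(scores):
        raise ValueError("months and scores must have the same length")
    n = len(months)
    if n < 2:
        return None
    mean_t = sum(months) / n
    mean_y = sum(scores) / n
    sxx = sum((t - mean_t) ** 2 for t in months)
    if sxx == 0:
        return None
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in zip(months, scores))
    slope = sxy / sxx
    return GrowthCurve(intercept=mean_y - slope * mean_t, slope=slope)


def classify(curve: Optional[GrowthCurve], cutoff: float = 1.0) -> str:
    """Label a trajectory; the cutoff (points per month) is an assumption."""
    if curve is None:
        return "insufficient data"
    if curve.slope >= cutoff:
        return "rising"
    if curve.slope <= -cutoff:
        return "falling"
    return "stable"


# Constructed sample: subject -> (months since first assessment, scores).
ASSESSMENTS: Dict[str, Tuple[List[float], List[float]]] = {
    "A": ([0, 3, 6, 9, 12], [15, 14, 16, 15, 15]),  # low and flat
    "B": ([0, 3, 6, 9, 12], [20, 26, 31, 38, 45]),  # starts low, climbs
    "C": ([0, 6, 12], [40, 33, 27]),                # starts high, declines
    "D": ([0], [30]),                               # single snapshot only
}


def summarize(assessments: Dict[str, Tuple[Sequence[float], Sequence[float]]]
              ) -> Dict[str, Tuple[Optional[GrowthCurve], str]]:
    """Fit and label every subject's trajectory."""
    result = {}
    for subject, (months, scores) in assessments.items():
        curve = fit_growth_curve(months, scores)
        result[subject] = (curve, classify(curve))
    return result


def rank(assessments: Dict[str, Tuple[Sequence[float], Sequence[float]]],
         by: str) -> List[str]:
    """Subjects ordered from highest to lowest 'intercept' or 'slope'.

    Subjects without a fitted curve are left out of the ranking.
    """
    if by not in GrowthCurve._fields:
        raise ValueError("by must be 'intercept' or 'slope'")
    fitted = {s: c for s, (c, _) in summarize(assessments).items() if c is not None}
    return sorted(fitted, key=lambda s: getattr(fitted[s], by), reverse=True)


if __name__ == "__main__":
    for subject, (curve, label) in summarize(ASSESSMENTS).items():
        detail = "n/a" if curve is None else (
            f"initial={curve.intercept:5.1f} slope={curve.slope:+.2f}/month")
        print(f"{subject}: {label:18s} {detail}")
    print("ranked by initial level:", rank(ASSESSMENTS, "intercept"))
    print("ranked by rate of change:", rank(ASSESSMENTS, "slope"))
```

In the constructed sample, ranking by initial level puts subject C first while ranking by rate of change puts subject B first, which is the distinction between a snapshot and a trajectory that the passage draws.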

Finally, the CPIR assesses a wide range of personality, personality disorder, social, behavioral, and psychiatric factors within the section of the model known as “predisposing factors” and, of course, disgruntlement is one such personality feature. We are mindful of the importance attached to disgruntlement in relation to insider risk, however we emphasize that we understand escalating disgruntlement characterizes a subset of those who commit insider acts, but not all. Thus, the CPIR allows disgruntlement to play a role, but does not define insider acts solely in terms of disgruntlement.

Efforts to advance the empirical corpus supporting the CPIR

As noted above, the continued development of the CPIR is essentially a classic exercise in criterion and construct validation research. We need to compile more criterion-related validity data, using both concurrently available data as well as data that can be predictive in nature (predictive studies necessarily require the passage of time). Thus, both cross-sectional and longitudinal studies will be required. The entire enterprise is an exercise in construct validation for both the model and the methodological approach that we are advocating with the CPIR. The ideal concurrent criterion-validation study, in support of construct validation, will necessarily involve a careful cross-sectional study of persons with varying CPIR risk levels defined by a grouping strategy that has at least three groups of subjects: a). control cases [persons with no history of insider behaviors], b). persons suspected of insider acts or plans, but cleared, and c). cases of insider actions that were charged, prosecuted, and (if possible) convicted. One would expect the CPIR to tap meaningful differences across such divergent groups and CPIR risk scores should reflect those differences in a compelling manner. We have conducted a pilot study that compared “known good” cases vs. cases “referred for investigation” vs. archival “known bad” cases. In that preliminary study, the mean levels of the obtained CPIR scores were “good” (14.8), “referred” (27.0), and “known bad” (51.7), a pattern suggestive of higher CPIR scores found as insider risk/behavior increased across the groups. These data are, of course, preliminary and a full report will be forthcoming. Longitudinal studies will also be required to illuminate the developmental unfolding of risk with the passage of time. Such studies would emphasize the nature and rate of change seen in persons who are assessed repeatedly using the CPIR framework.
We have begun to assess individual cases repeatedly over time, assessing their CPIR scores multiple times as they move toward actual execution of an insider act. In that pilot study, we have observed a clear pattern of increase of CPIR scores with the chronological passage of time toward the actual act. What is particularly noteworthy in these initial pilot studies is a pattern of a steady accumulation of stressors, concerning behaviors, and contextual risks, as one would expect. But we have also seen predisposing factors (e.g., personality traits such as hostility or anger) begin to reveal themselves in more amplified or accentuated observable behaviors over time (e.g., angry outbursts increasing; more frequent bouts of irritability) as well as emerging with greater severity and clarity (e.g., what appeared initially as some level of mistrustfulness emerges clearly as full-blown paranoia over time). In this example, the personality trait level of anger (the dispositional or predisposing factor) may begin to reveal itself through deteriorating behavior over time and such deterioration would be picked up as a concerning behavior through a CPIR coding. Another area of interest and focus of ongoing work is the establishment of norms for the CPIR risk scores. Just as is the case with any psychometric instrument, having reliable high-quality norms for the instrument derived from the population for which the instrument is to be used or deployed is critical. We are currently in the process of generating a large database of CPIR scores that will move us in the direction of a normative reference sample for our particular organization; similar norms would need to be developed for other organizations or settings. Such empirical data will allow us to empirically evaluate the validity and sufficiency of the component parts of the CPIR model, revise as needed, and build upon earlier insights derived from case studies and simulation research.

Challenges ahead for CPIR development

One intention of the current update is to share with our colleagues in the insider risk community the current CPIR model, but another clear intention is to highlight areas that need continued development with either the substantive portion of the model or the risk index (assessment) portion of the model. Our goal is really to stimulate discussion and cross-fertilization of ideas in the insider risk community. We acknowledge here some of what we (and others) see as the limitations of the CPIR approach (presented in no particular order).

A). Subjects with high scores on CPIR scale who never go on to commit an insider act (i.e., false-positives). This group of individuals is of keen interest to us as they can help to shed light on those variables within the CPIR that are perhaps less predictive of malicious insider acts. In short, such cases would be of great help in the revision of the CPIR. It is conceivable that we can learn how to weight CPIR variables, which may advance our understanding of this problem as we seek to better understand the most important risk factors and tipping points in the direction of insider actions (see excellent work by Claycomb et al., 2012).

B). What specific variables or processes serve to reduce risk or, alternatively, take one off the critical path? One of the important personnel management and security management implications of the CPIR conceptualization of risk is the likelihood that risk often increases over time. In other words, as one progresses down the critical pathway to an insider action, the risk level demonstrated is hypothesized to increase with time. A related question is how one can use CPIR information to help reduce risk and intervene to lower one’s propensity for insider action. Are there specific, high-potency factors that dramatically cut risk or take one off the critical pathway? For example, perhaps the formation of a meaningful romantic attachment allows one to feel greater connection to another person and diminishes a sense of aloneness that might have been contributing to risk. Or consider the possible effectiveness of the intervention of a supervisor who understands and communicates with a subject about their risk issues, provides resources, but also sets limits. Risk reducing variables might be found to center around stress reduction, enlightened management, and/or practices that serve to mitigate other liabilities and enhance resilience (see H. below for more detailed discussion of mitigators).

C). Many people working in organizations and agencies have been working there for some time; how does this affect risk, if it does? What is the relationship between time on the job and insider acts? What role does age play? Can longer time in a position be a positive or negative factor in predicting insider acts or assessing risk? How do we best account for life-time stress, which is known to accumulate over time, and how does that life-time stress level interact with occupational performance and, possibly, escalating insider risk (Slavich & Shields, 2018)?

D). What is the nature of the process and empirical function by which risk accumulates over time? Currently our model is additive in nature for the most part, which means that we see risk as accumulating in a simple linear manner that reflects the summation of risk over time. However, this is an assumption on our part with respect to the nature of risk. Currently, we do not emphasize a sophisticated weighting strategy in our model other than weighting more recent over older stressors; rather, we use simple unit weights in most cases where variables are summed, informed by Dohrenwend et al. (1978). We mean this both conceptually and mathematically. We do not, to be clear, use regression weights, for example, in the combination of variables in our model. We simply add up the values that any given person has received on the variables we assess. Alternative approaches to understanding a risk measure might emphasize a). complex regression-based weighting, b). interactive or multiplicative combination of variable values, or c). some exponential form (or power function) that characterizes the change in risk index levels to better capture the nature of increasing risk associated with certain variables over time. Illustrative discussions of how factors might interact to confer, produce, or modify risk have emerged and appear promising (e.g., Claycomb et al., 2012; Greitzer & Purl, 2022). For example, Greitzer and Purl (2022) report that their “Results suggested that the impact of an indicator on expert judgment of threat tends to decrease over time and that increments in threat value when indicators are aggregated are not simply a linear combination of the individual threat values (p. 1).” Claycomb and colleagues (2012) provide preliminary results on their attempts to model when risk for insider actions, which they observe grows over time, reaches a tipping point, or what is termed a threshold in diathesis-stressor models.
In this context, we note the CPIR conceptualizes risk as increasing over time as relevant factors accumulate and contribute to risk; the CPIR model does not suggest that risk increases simply with the passage of time per se.

E). How best to capture problematic or maladaptive organizational response in the CPIR? Clearly, the focus of the CPIR is on the individual and his/her unique configurations of personal predispositions, stressors, concerning behaviors, degree of attachment to one’s organization, degree of acculturation, as well as other factors that lead to risk. However, a crucial aspect of how an individual manages his/her work-related attitudes and behaviors is connected to how he/she is treated by the employing organization or agency. When things begin to take a turn for the worse in the workplace and an individual is beginning to progress down the critical pathway toward an insider act, what are the responses of an organization that can make the situation better (or resolve it) vs. what are the responses that can actually make things worse (i.e., the problematic organizational response)? When an organization reacts in some manner that fails to address an elevated insider risk situation, the organization may in fact help to increase the likelihood that an individual will progress to an insider act. How is the impact of the organizational response to be understood? How does it contribute to the elevation of insider risk? Does the problematic organizational response simply add to risk in the additive manner as discussed above or does it serve as something of a spark that lights a fire or lowers the threshold for action by the emerging insider? Does the experience of maladaptive organizational response early on in a person’s career augment the likelihood for a later insider act? There is a dearth of systematic studies of how organizations increase risk in case management; we see this as a critical area for research and of considerable importance to how we conceptualize risk in the CPIR model.

F). The precise interaction of stressors and concerning behaviors with personality-based predisposing factors in determining risk – what is its nature?

The impact of stress on psychological functioning is an established fact in psychological science (Dohrenwend et al., 1978; Dohrenwend & Dohrenwend, 1974; Slavich & Shields, 2018), which argues strongly for the inclusion of stressors in the CPIR. Moreover, it is established that workplace stressors precede insider attacks (Keeney et al., 2005), and Landau (1997) described how crime patterns are related to subjective social stress and support indicators. What remains to be worked out in the CPIR (and similar approaches) is the manner by which the stressors interact with both predisposing factors and emerging concerning behaviors. One can think of this as the classic challenge of specifying how stressors interact with a diathesis, a substantive discussion with a long history in psychopathology research (cf. Monroe & Simons, 1991). Relatedly, how do we take into account the base-rate of some common forms of psychopathology, such as personality disorders that affect 1 in every 10 Americans (Lenzenweger et al., 2007), when we model stressor x predisposing factor interactions in the CPIR? It seems reasonable to us to suggest that far more people suffer from a personality disorder than go on to perpetrate an insider attack in their workplaces; thus, simply identifying the presence of personality pathology does not automatically suggest a highly toxic interaction with stressors nor the certainty of an insider attack. Finally, as suggested above, does the predisposing factors x stressor x concerning behavior matrix, as it emerges over time, suggest points for intervention? This is a critical matter of central importance in terms of managing those showing elevated risk as well as intervention by employee assistance. In other words, can the CPIR point to action steps that might help remove people from the pathway to insider action via employee assistance mechanisms, perhaps?
We also conceptualize the individual differences and stressors detected through the CPIR as being “movers to action,” that is, they have some potency and force in directing behaviors (i.e., they are not merely descriptive). As such, we see the development of CPIR action steps – to remove persons from the critical path – as a very high priority as we develop the model further. That said, we maintain a sober posture vis-à-vis the CPIR, as we know it will generate some false negatives despite its rich array of assessment foci – there will be some actors who will keep things relatively quiet, keeping themselves together so to speak, and operate below the radar (e.g., Ana Montes). Similarly, we seek to build into the CPIR additional moderating variables such as “recruits vs. volunteers” or “dispatched vs. disgruntled moles” to refine the predictive accuracy of the CPIR risk assessments.

Are there particular predisposing factors that seem especially salient and worthy of a crisp focus? Yes, we see disgruntlement in that light. As we have noted, the CPIR assesses a wide range of personality, personality disorder, social, behavioral, and psychiatric factors within the section of the model known as “predisposing factors” and, of course, vulnerability to disgruntlement is one such personality feature. We are mindful of the importance attached to disgruntlement in relation to insider risk; however, we emphasize that escalating disgruntlement characterizes a subset of those who commit insider acts, but not all. Our emphasis on disgruntlement as a factor driving subjects down the pathway is based on empirical research indicating that higher rates of the components of disgruntlement—anger, blame, victimization—distinguish unhappy employees from those who go on to commit insider acts (Shaw et al., 2013a, 2013b, 2017). Our experience suggests that personality factors make many subjects more vulnerable to disgruntlement, especially in response to stressors and problematic organizational responses. Thus, the CPIR allows disgruntlement to play a role, but does not define insider acts solely in terms of disgruntlement. Future work could help characterize the pathway of other subjects motivated by greed, ideology or other factors. However, we have rarely found subjects with these motives who had not also become disgruntled during their workplace experience, especially if one looks beyond more obvious factors.

In sum, we clearly see disgruntlement as a potentially powerful moderator of risk, and it may have some unique predictive effectiveness; however, it is important to be mindful that not all insider actors are disgruntled, just as not all spies are disgruntled (e.g., Clyde Conrad, US Army). We believe the role of disgruntlement will need to be specified in the interaction of the predisposing factors x stressors x concerning behaviors matrix we are concerned with in the CPIR. Finally, in this context, it is also worth pointing out that some people who commit infractions can avoid detection and/or punishment simply by virtue of some aspect of their personality (e.g., charisma; Welsh & Lenzenweger, 2021), which adds yet another complexity to risk assessment for potential insider actions.

G). The structure of risk – levels, thresholds, emergent phenomena?

A theoretical issue that we are grappling with concerns the nature of how risk is structured as assessed by the CPIR. This is an issue that goes beyond the CPIR and is worthy, in our view, of a broader discussion in the insider risk research community. The CPIR clearly embodies a multifactorial model; these multiple factors are hypothesized to contribute to a potentially negative outcome, and the model implicitly estimates risk. However, the precise relationship between risk and final outcomes remains opaque. By that we mean that, at this time, we do not know the form of the underlying risk function in relation to outcome. Does risk simply accrue in a monotonic linear function, or does risk reveal thresholds or jags suggestive of meaningful break points in the risk continuum? If thresholds exist, we should come to know them, as they would be useful in the application of the CPIR at the level of individuals for intervention or assistance. As alluded to above, does risk simply accumulate as more factors pile up in the CPIR, or are there interactions amongst the CPIR domains that enhance risk in more of a multiplicative manner? This concern with the nature and form of the underlying risk function and final outcomes is of general interest to this area of research and is not unique to the CPIR.

Related to the question of potential multiplicative interactions amongst indicators is the question: Is the insider actor phenotype representative of an emergent phenomenon? As discussed by Lenzenweger and Depue (2020), briefly, the concept of emergence and resultant emergent properties, when they arise, speak to the development or appearance of some novel condition or phenomenon that is coherent and integrated. An emergent phenomenon cannot be explained only by reference to its constituent parts or contributing components. Stated differently, the emergent entity or phenomenon along with its properties cannot be predicted from the elements that make up the entity. In short, importantly, the emergent phenomenon is more than the simple sum of its parts. We note that the concept of emergence, as a descriptive organizing concept and process, plays a critical role in many areas of science, in psychology and beyond. For example, emergent processes and properties figure centrally in fields as divergent as condensed matter and material physics, animal behavior, meteorology, and contemporary cognitive neuroscience. There are many common examples of emergent phenomena, such as bird flocking, the game of chess, hurricanes, and ant colonies. In psychological science, for example, one might think of the experience of consciousness or visual imagery as emergent properties of the brain (or, more specifically, neural circuits, neurobiological systems, and structures within the brain). Furthermore, one could think of “rigidity” or “contour” as emergent properties of an object without reference to the physical components that make up an object. We consider the situation of insider risk and the inside actor as potentially similar. Thus, we suggest that the concept of emergence is critically relevant to the understanding of insider risk and we assume that most forms of insider behavior could represent complex configural outcomes of multiple interacting systems.
An example of a dynamic conceptualization that is congenial with our emphasis on potential interactions amongst CPIR factors and the likelihood that inside actors represent an emergent phenomenon can be found in Greitzer and Purl (2022).

H). Mitigators of risk in the CPIR – what are they and how best to account for them?

Much of the CPIR is focused on those domains that point in the direction of increasing risk for an insider action. However, as has become clear to us based on field experience, contact with investigators and analysts, and what is known about stressor effects on psychological functioning generally, the issue of mitigators has risen to the forefront in the further development of the CPIR. Just as one considers both liabilities and assets when conceptualizing risk for psychopathology, it makes sense to us to consider those factors that might help to reduce risk or slow the accumulation of risk for insider actions. We believe there are psychological factors (e.g., resilience), psychosocial processes (e.g., hobbies, health-related practices), social processes (e.g., engagement with civic and/or religious/spiritual life), and specific health-enhancing activities (e.g., psychotherapy, substance abuse counseling, financial counseling) that serve to mitigate risk as conceptualized by the CPIR. Thus, an area of great interest to us is the impact of what we term “mitigators,” or risk-reducing variables that can impact one’s trajectory on the critical path. Future research will be directed at understanding how mitigators function and how they exert their influence on risk (i.e., lowering it) and the trajectory of the individual on the critical path. Relatedly, we have a keen interest in better understanding the impact of maladaptive organizational responses to employee behaviors, mindful that maladaptive organizational responses may not only fail to thwart insider acts but could also serve to initiate or precipitate an insider act (perhaps even planting the seed for an insider act early on).
We are exploring constructs possessing heuristic potential for inclusion in the CPIR that derive from the organizational psychology literature, especially regarding counterproductive work behaviors, with an eye toward refining both the maladaptive organizational response and mitigators sections of the CPIR (Fox et al., 2001; Spector, 2011; Spector & Fox, 2002).

Conclusion

We have presented the CPIR in brief overview and placed the model within the context of its current level of development as well as the feedback that we have received from investigators and analysts in the field and from colleagues in insider risk communities. The CPIR is a flexible framework for integrating information regarding predisposing factors, stressors, concerning behaviors, social networks and contextual risk setting, maladaptive organizational response, and mitigating factors within a broad diathesis-stressor framework. The CPIR thus represents simultaneously a model of the development of insider risk as well as a method for the assessment of the domains/constructs that we view as essential for a valid assessment of insider risk. The CPIR remains a model in development, which we view as an iterative process, and we review what we see as open questions with respect to the CPIR as well as a number of issues we see as awaiting resolution with respect to insider risk assessment. We do not present the CPIR as a complete and definitive model; rather, we see it as a working model that is continually in refinement and as a heuristic that has considerable generative value.


  1. We note that, consistent with contemporary personality science, personality traits reside within the person, are linked to underlying neurobehavioral systems, and are genetically influenced. Thus, a trait reflects a system that is harbored within the person, is part of one’s nature, and has an impact (i.e., causal influence) on observable behavior – it is dispositional and creates a predisposition for responses/behaviors. Furthermore, personality traits and observable behaviors are dissociable (i.e., not fungible) and are treated as different levels of analysis, whereby observable behaviors are linked to underlying traits but they are not the same things. One could harbor a high level of trait aggression that may or may not manifest itself in behaviors in a concerning manner, yet the level of trait anger remains a dispositional (and predisposing) factor. Alternatively, a person might begin to display disgruntlement and irritability at work (concerning behaviors), yet one would not have considered the person to have a high level of trait aggression (perhaps too many maladaptive organizational responses have engendered the disgruntlement and irritability). When aggressive behaviors emerge that impact a person’s social and/or occupational functioning, such behaviors may be designated concerning behaviors within the CPIR. Traits, of course, interact with situational inputs.

  2. It should be noted that the authors’ home organization (Insider Risk Group, LLC) conducts training and certification in the use of the CPIR for this purpose, for which they receive compensation.