Multiple Approach Paths to Insider Threat (MAP-IT): Intentional, Ambivalent and Unintentional Insider Threats

Jordan Richard Schoenherr; Kristoffer Lilja-Lolax; David Gioe

Schoenherr, J. R., Lilja-Lolax, K., & Gioe, D. (2022). Multiple Approach Paths to Insider Threat (MAP-IT): Intentional, Ambivalent and Unintentional Insider Threats. Counter-Insider Threat Research and Practice, 1(1).

Download all (4)

Figure 1. Multiple Approach Pathways to Insider Threat (MAP-IT).
Download
Figure 2. Multi-level analysis of InT Behavior.
Download
Figure 3. The function of cognitive dissonance in creating insider risk.
Download
Figure 4. UMISPC threat perception model for information systems security.
Download

View more stats

Abstract

Insider threats (InT) are a growing concern for private and public institutions, resulting in a shift of emphasis from perimeter-based defences to internal detection mechanisms. Many approaches that address InT assume that these are pathological behaviors, perpetrated by misanthropic ‘malicious insiders’. We present a novel interdisciplinary framework (Multiple Approach Paths to Insider Threat, or MAP-IT) that emphasizes the importance of both individual motivation and social context. Rather than assuming InTs reflect a homogenous ill-intentioned group of individuals that deviate from organizational norms, we consider the importance of general social psychological and personality factors for detecting and responding to InT, especially within the Western intelligence and security context. MAP-IT is based on the premise that InTs can be separated into three motivational pathways (intentional, unintentional, or ambivalent) and that the intentional pathway can be further subdivided into prosocial, asocial, and antisocial motivation.

1.0. Introduction

On November 5, 2009, Major Nidal Hassan, a US Army psychiatrist, dressed in his service uniform, flashed his access card to enter Fort Hood in Texas and killed 13 fellow soldiers with a handgun, wounding more than twice that number in his rampage. Hassan was motivated to kill his victims after being radicalized online by an Islamist extremist (Rempfer, 2019). The following year, another Army soldier, then-Private Bradley Manning, encouraged by activist Julian Assange, used his (subsequently her^[1]) position of access as an intelligence specialist to leak hundreds of thousands of classified government documents to Wikileaks. On July 30, 2013, Manning was convicted in a court martial of violating the espionage act (amongst other charges) and sentenced to 35 years imprisonment (Tate, 2013). However, in June 2013, a month before Manning’s conviction and two months before Hassan was sentenced to death for his crimes, National Security Agency contractor Edward Snowden, made off with perhaps the largest haul of secret documents ever obtained by an insider (Gioe, 2014). Three months after Snowden landed in Russia, a mentally disturbed former Navy sailor Aaron Alexis entered his workplace at the Navy Yard in Washington, D.C., and executed 12 Department of the Navy civilians and contractors (Shear & Schmidt, 2013).

The list of once trusted insiders is extensive and shows no signs of abating. However, we cannot assume that the violation of trust evidenced in each of these cases necessarily reflects the same underlying motivation, personal characteristics, or social circumstances. Effective frameworks for personnel security and counterintelligence require understanding the dynamic interaction between these sets of factors, including multiple motivations to harm an organization (antisocial), to help themselves (asocial), or to help others (prosocial). In the academic and grey literatures,^[2] research has often assumed that individual characteristics (e.g., personality traits, motivations) are associated with ‘malicious’ insider behavior. As we explore below, prominent Insider Threat (InT) cases in the U.S., such as that of Chelsea Manning and Edward Snowden, raise issues concerning the influence of personality traits and values, social and cognitive processes, and organizational structure and climate (Cole, 2015; Fidler & Ganguly, 2015; Hu et al., 2011; Scheuerman, 2014; Verble, 2014). Crucially, organizations such as the National Insider Threat Task Force (NITTF) acknowledge that single indicators are inadequate in predicting InT and that “… an individual may have no malicious intention,” (National Insider Threat Task Force, 2022). For instance, use of prosocial (‘whistleblowers’) and antisocial (‘traitor’) insider categories when referring to these individuals illustrates how stereotypes threaten to override measured consideration of the motivations and social-cognitive processes that give rise to InT behaviors, possibly complicating InT detection.

Rather than viewing InTs as the result of psychopathologies or exclusively considering these behaviors from an organization’s perspective, we propose a novel approach to intelligence and security studies of InT that incorporates research, methods, and perspectives from social and industrial-organizational (I/O) psychology and apply them to InT (Cappelli et al., 2012; Greitzer, 2019; Greitzer et al., 2019; Shaw et al., 1999). In this way, we suggest that InTs can be caused by normal interpersonal processes. Here, we define InT broadly as any action (i.e., presence or absence of a behavior) or person (e.g., malicious insider, spy), that threatens the security of any organization to which they belong or have access to, within and beyond the intelligence community. We argue that, rather than a critical path to InT that reflects deviation from group norms (e.g., Shaw et al., 1998; Shaw & Sellers, 2015; Shaw & Stock, 2011), multiple motivational pathways exist. We propose the Multiple Approach Pathway to Insider Threat (MAP-IT) framework that builds on the basic distinction between intentional and unintentional behavior, by considering clusters of personality traits that might motivate the commission or avoidance of InT behaviors (Greitzer & Purl, 2022; Moody et al., 2018). The processes that support social cognition (e.g., S. T. Fiske & Taylor, 2013) are then considered to better illustrate how ambivalence can arise due to multiple, conflicting motivations including individual characteristics, identity maintenance, group dynamics, and situational factors (e.g., Funder & Colvin, 1991; Furr & Funder, 2018; Mischel & Shoda, 1995). We then use cases of InT to illustrate how these factors might contribute to InT more generally. We conclude by noting that implementation of the MAP-IT framework requires changes to how InT is perceived and addressed at an organizational level.

2.0. Insider Threat: Normal or Abnormal?

The catch-all term, InT, can be used to describe everything from gun violence to abuse of network security privileges to transmit classified information to an unauthorized recipient with the intent of making the information public (e.g., Cappelli et al., 2012; INSA, 2019; Wilder, 2017). Demonstrating this breadth, the definition of the U.S. Department of Homeland Security’s (DHS) Insider Threat Program (ITP) applies to all personnel, regardless of security clearance, with past or present access to DHS resources. Unlike previous definitions, this definition suggests that InT behavior is not limited to the unlawful disclosure of information by employees with a security clearance. With such a broad scope, research and evidence is required to identify what differentiates a typical insider from one who might pose a threat to an organization.

Understanding InT requires data. Studies of InT are made more problematic given the limited availability of data sets due to a variety of issues including defining what constitutes an InT (definition), identifying those behaviors within a population (detection and identification), the difficulty in obtaining accessible available data sets (accessibility; i.e., ‘black data’, Schoenherr & Thomson, 2020) and the creation of effective ontologies (Costa et al., 2016; Greitzer et al., 2019; Greitzer & Purl, 2022; Oltramari et al., 2015). Nevertheless, insights can be drawn from other domains in the study of deviant behavior in other settings. For instance, Steneck (2006) suggested that research misconduct is normally distributed with severe forms of misconduct (e.g., fabrication and falsification of data) being relatively rare whereas questionable research practices (e.g., inappropriate authorship, unfastidiousness) were quite common.

Similar observations have been made in the context of organizational deviant behavior: While workplace violence might be rare, uncivil behavior is common (Cortina et al., 2001) relative to workplace bullying (Nielsen et al., 2010).^[3] Crucially, workplace incivility (Andersson & Pearson, 1999)^[4] is associated with counterproductive workplace behaviors (CWBs) in that it can reduce productivity and increase stress, leading to organizational exit (Penney & Spector, 2005; Sakurai & Jex, 2012). InTs can be conceived along a continuum, with specific InTs varying in terms of their frequency. For instance, few individuals will unfailingly comply with organizational security norms or systematically violate these norms. Rather, most behavior reflect moderate levels of compliance.^[5] For instance, a survey by Ponemon Institute (2022) found that 56% of incidents were attributable to insider negligence whereas 26% were attributable to malicious insiders. These observations demonstrate that prevalence of InT is less important than understanding insiders’ motivations as this reflects the ultimate cause of InT behavior.

MAP-IT assumes three primary motivational pathways (see Figure 1), two of which (intentional and unintentional) reflect attractor states^[6] that result from the maintenance of group identities within, and outside of, a target group (e.g., family, organization, country). First, we assume that unintentional InT behaviors will likely be the most common and define the default path for most cases of InT. For instance, one survey found that 91% of employees indicated that they have not intentionally violated organizational policies when sharing information (Opinion Matters, 2019). We attribute this high prevalence to a desire to remain in the group for practical (e.g., resource availability) and symbolic (e.g., ‘belonging’, status) support. However, group members imperfectly adhere to group norms. Namely, people will want to adhere to organizational norms to be perceived by others (e.g., co-workers and employers) as good group members to remain and advance within that social network. Indeed, studies examining a ‘belief-in-a-just-world’ demonstrate that even disadvantaged group members will accept and rationalize inequalities within a group (e.g., Choma et al., 2012; Lipkus & Siegler, 1993).

Figure 1.Multiple Approach Pathways to Insider Threat (MAP-IT).

Motivational pathways reflect employees who are otherwise committed to the group but fail to adhere to established and promulgated security policies (unintentional path), those that have mixed motivations toward their group or divided loyalties between groups (ambivalent path), and individuals who intentionally harm an organization (intentional path). See Table 2 for a detailed list of factors.

Despite the availability of effortful cognitive processes, people will also attempt to use mental shortcuts (or heuristics) due to perceived limitations on personal resources, e.g., time (Evans & Frankish, 2009; Kahneman & Klein, 2009; Stanovich, 2010; Todd & Gigerenzer, 2012). Moreover, factors will also affect the extent to which they perceive threats and develop intentions to mitigate them (for a review, see Moody et al., 2018). Unintentional InTs occur because these shortcuts will frequently fail when the environment changes, e.g., changes to policies, novel threats, change in roles/responsibilities. These include failing to change passwords, checking to verify that physical entrances are closed, logging-off of a computer, updating software, opening emails or attachments from unknown senders, and failing to report certain international trips or contact with foreign nationals. In that cybersecurity threats evolve rapidly, reliance on heuristics is likely to lead to frequent, minor violation of security policies. Given the general tendency for individuals to rationalize moderately questionable behavior (e.g., Mazar et al., 2008; see Figure 3), this will further increase the prevalence of these behaviors (for related findings in computer security, see Posey, Bennett, & Roberts, 2011).

Second, we assume that intentional malicious insider behavior represents an extreme deviation from the group norms, i.e., intentional, high-frequency transgressors, and/or high severity violations.^[7] Consequently, intentional insider behavior defined by intentional and/or systematic transgressions against an organization will likely be extremely low in frequency in an organization. Three motivational subtypes can further be identified: individuals who are only concerned with their own outcomes (asocial intentional path), individuals who seek to harm an individual or group (antisocial intentional path), or individuals who wish to help an individual or group outside a target organization (prosocial intentional path).

Finally, due to a combination of atypical personal and situational factors, the number of ambivalent insiders will also be relatively uncommon, but significantly greater than malicious behavior. For instance, information could be leaked if highly narcissistic individuals believe it will enhance their self-image or, alternatively, if an individual is actively seeking to leave their organization due to stressors attributed to their workplace, e.g., high stress, low institutional support. Supporting this, studies have found that personal grievances and revenge are important motivators of InT behavior (Cappelli et al., 2012; Keeney et al., 2005). These behaviors arise when there is a threat to, or dissolution of, one or more collective identities, i.e., perceived exclusion from one group. For these reasons, our framework also incorporates ambivalence: individuals might wish to stay in an organization due to continued income and job security, however, if they are experiencing personal stressors they might engage in lower-frequency and lower-intensity behaviors to reconcile their divided loyalties, e.g., small leaks of information deemed to be of limited importance.

Motivational pathways can, and likely do, shift over time. For instance, individuals develop national (e.g., U.S. citizen) and professional identities (e.g., programmer, soldier) and enter an organization with motivations to do well (e.g., Franke, 1999). However, in addition to these collective identities, individuals will also have individual and relational identities with associated values and obligations (e.g., Gaertner et al., 2012; Sedikides & Brewer, 2015). Thus, changes in organizational climate and policies, external geopolitical events, or life events can change an individual’s commitment to an organization (Posey et al., 2015; Shropshire, 2009). Supporting this, surveys have found that 45% (Tessian, 2020) to 63% (Code42, 2019) of employees report exfiltrating data from their old employer to a new employer. Thus, when there are perceived threats to group membership, individuals are likely to experience ambivalence, making them more susceptible to persuasive tactics from other groups and self-deception. As ambivalence is an unstable state, it will likely lead to the intentional or unintentional pathways. In the remainder of the paper, we elaborate these social cognitive processes within organizational environments that lead to InT and related behaviors like workplace incivility and CWB.

3.0. Multi-Level Analysis: From Individual to Organization

To understand how individuals are attracted to the respective motivational pathways, individual differences, social cognitive processes, and social and organizational factors must be taken into account (e.g., Greitzer, 2019; Shaw et al., 1999). Intelligence, as both an academic field of inquiry as well as a profession, must be informed by evidence and theories adopted from the behavioral and social sciences (National Academies of Science, Engineering, and Medicine, 2019). In developing MAP-IT, we consider three sources of evidence to understand insider behavior: psychological studies of prosocial and antisocial behavioral factors such as individual differences (e.g., personality traits) and social cognitive processes (e.g., persuasive communication), interdisciplinary studies of InT, and case studies from within the intelligence community. Figure 2 contains a general overview of these factors.^[8]

Figure 2.Multi-level analysis of InT Behavior.

Examples of behaviors that are associated with CWB, norm violations, and incivility that likely have a relationship with InT.

In contrast to previous InT frameworks (e.g., Shaw et al., 1998; Shaw & Sellers, 2015; Shaw & Stock, 2011), MAP-IT attempts to differentiate multiple motivational pathways (e.g., self perception, self presentation; Petty & Briñol, 2011; Todorov et al., 2002) to better understand and ultimately mitigate InTs. Rather than being restricted to threat perception (Moody et al., 2018), we assume that motivations are the result of competing roles and responsibilities associated with different social identities (e.g., Gaertner et al., 2012; Sedikides & Brewer, 2015).

Figure 3.The function of cognitive dissonance in creating insider risk.

When an individual becomes aware of discrepancies between attitudes and behaviors (A₁/B₁, A₂/B₂), any perceived differences (B₂ ≠ A₁) produce a negative affective response (cognitive dissonance) due to an inconsistency in maintaining a coherent self-image. Dissonance reduction strategies are adopted to reduce discrepancy, leading to attractor states inside or outside an organization.

Typically, a group member (insider) will want to perceive themselves as acting in a manner that is morally justifiable to themselves and their group. They will want to resolve any discrepancies between their ideal and actual behavior (Higgins et al., 1994). However, multiple social identities (e.g., partner, friend, citizen, soldier) can develop independently, leading to the maintenance of contradictory attitudes and behaviors across situations (Gaertner et al., 2012; Sedikides & Brewer, 2015). When individuals become aware of inconsistencies in multiple values, attitudes, or behaviors they maintain, they experience negative affect (or, cognitive dissonance), which people attempt to reduce or eliminate.^[9] Individuals have a few dissonance reduction strategies (i.e., change behavior, change how they perceive a behavior, or change an attitude) to maintain a perception of consistency (Festinger, 1957; for a recent review, see Gawronski, 2012). If individuals identify with multiple roles and corresponding sets of values, they might adopt maladaptive strategies which result in InT behaviors. For instance, despite valuing their role in an organization, an individual might share information with another due to financial hardship, rationalizing a need to support their family thereby devaluing the organization. Avoidance of reputational harm (e.g., blackmail) can also be understood in these terms. Figure 3 shows this basic process from identifying a discrepancy between attitudes and behaviors to resolving it by strengthening or weakening an individual’s association with a group.

Early formulations of InT are consistent with the concept of ‘organizational deviant behavior’, i.e., violations of workplace norms are viewed as threats to an organization (Bennett & Robinson, 2000; Giacalone & Greenberg, 1997; Robinson & Bennet, 1995). This approach assesses behaviors relative to the goals of an organization rather than in terms of the individual’s perception of a situation.^[10] For instance, insiders who deviate from norms and conventions are referred to using maledicta such as a ‘traitor’, ‘leaker’, or ‘snitch’. By using terms that reflect oversimplified stereotypes of deviants, personnel security and counterintelligence operations risk falsely identifying InTs or missing InTs posed by individuals that share more typical characteristics with other group membership.

To be sure, an insider must be perceived as a member of a group. They must share some, but not necessarily all, features with others. This will include a common social identity, i.e., a fellow employee, soldier, citizen. An implicit, necessary assumption is that group members are trusted with financial, human, material, and informational resources, even if trust is relative to a domain or activity, e.g., access control security policies, varied levels of security clearance. However, organizational and social factors have not always been systematically or comprehensively addressed within the InT literature as causal mechanisms (Greitzer, 2019; Maasberg et al., 2015; Min et al., 2019). For this reason, research in I/O psychology can shed light on interpersonal processes associated with InT such as organizational climate and culture (Hu et al., 2011; Schneider et al., 2013) and social cohesion (Siebold, 2007) on employee performance and retention (Sheridan, 1992). For instance, the need to compete for limited resources can adversely affect social cohesion (Zarate et al., 2004) which might in turn lead employees to seek out resources outside an organization. If employees are highly competitive and resources are limited (e.g., raises, praise, status), this can increase the probability of InT behavior.

Given the importance of social cohesion within a group, InT must be considered within a specific context. Organizational cultures can differ significantly, leading to differences in organizational climates and job satisfaction (Johnson & McIntye, 1998; Kalemci et al., 2019). Moreover, when individuals believe social norms are violated, they feel permitted to engage in antisocial behavior toward the offending party (i.e., virtuous violence; A. P. Fiske & Rai, 2014). When employees believe that the (often implicit) social contract of a workplace is violated by their employer, they can retaliate against an organization, including engaging in acts of sabotage and other CWBs (Ambrose et al., 2002; Hanley et al., 2009). The case of Reality Winner (discussed later) illustrates this point.

Concurrently, perceptions of incivility (Andersson & Pearson, 1999; Cortina et al., 2001) are also associated with negative workplace outcomes such as loss of interpersonal and organizational cohesion, which could be exploited by external parties (e.g., Estes & Wang, 2008; Lim et al., 2008). By assessing the workplace environment, analysts might be able to identify areas where InTs are more likely to occur even if they cannot identify a specific individual (Schoenherr & Thomson, 2020). Organizations that perform national security functions likely face additional concerns in that the descriptive norms and climate of the organization (e.g., loyalty, surveillance) might be seen as in conflict with the prescriptive values of society (e.g., freedom, privacy), as evident in the case of Edward Snowden.

Finally, if perceived moral transgressions within an organization motivate specific forms of InT, then theories of ethical sensemaking can be used to inform InT frameworks (e.g., Mazar et al., 2008). Ethical sensemaking corresponds to an individual’s ability to identify and understand the ethical features of a situation. It requires considerations of an individual’s developmental stage, the attentional demands of the situation, and contextual factors (Greene, 2013; Chapter 5, Schoenherr, 2022a). For instance, theories of moral reasoning (e.g., Rest, 1992) suggest that individuals are motivated by the receipt of reward and avoidance of punishment, conformity to norms of an immediate group or society, or moral principles based on outcomes or intentions. While individuals are motivated to maintain a positive self-image (Gregg et al., 2011), their attention must be directed to moral norms (Cialdini et al., 1991) or distraction can lead to a reduction in moral behavior (Batson et al., 1978; Darley & Batson, 1973).

Extending theories of ethical sensemaking, InT might result from reduced perception of punishment or perceived norms of a group. Capturing these features, researchers have suggested that ethical sensemaking requires that 1) individuals want to see themselves as a good person, 2) when they are aware of the appropriate social norms and conventions, they attempt to adhere to them, but 3) they allow themselves to deviate from norms without experiencing cognitive dissonance (Mazar et al., 2008). Such ‘ethical flexibility’ is often considered to be a characteristic that can lead individuals to engage in InT (e.g., Shaw et al., 1998; Shaw & Sellers, 2015). However, rather than being pathological, it is a product of comparatively normal interaction of social cognition, organizational climate, and sociocultural norms (e.g., Hu et al., 2011; Tsai et al., 2016).

Along with multiple identities, multiple relational models define interpersonal relationships and patterns of exchange. For instance, A. P. Fiske (1991; A. P. Fiske & Rai, 2014) identified four relational models (idealized exchange norms) that translate into different moral motivations (Haidt & Graham, 2009). If individuals and their group do not share these norms, interpersonal conflicts can result wherein the individual feels justified in actions that are discrepant from those of the group. Studies have also found that these motivations are differentially associated with different political orientations. For instance, individuals high in liberalism tend to prioritize equality and harm avoidance whereas those high in conservatism perceive these values along with purity, loyalty, and reciprocity to be of relative equal importance (Haidt & Graham, 2007). Thus, in groups defined by individuals with heterogeneous sets of norms, interpersonal conflicts are more likely.

These observations can also be directly aligned with evidence from studies of InT. Using archival methods, a study of 209 InT cases that occurred between 1947 and 2015 in the U.S. found that divided loyalties have increased as a strong motive for InT, evident in 35% of cases since 1990 (Herbig, 2017). In ambivalent cases, maintaining relationships within multiple groups can create multiple obligations, leading to conflicts and vacillation between commitments. Taken together, these InTs reflect an interaction between individuals’ motivations that promote individual or collective goals, such as financial compensation or political gain, and group-factors such as organizational climate and social norms. Successful InT frameworks will need to accurately identify situational factors that will increase the probability of InTs. Rather than considering only a single motivation pathway (e.g., Shaw et al., 1998; Shaw & Sellers, 2015; Shaw & Stock, 2011) or prioritizing threat perception (Moody et al., 2018), MAP-IT assumes that there are multiple motivational pathways that reflect the influence of individual differences and that these interact with a general motivation to maintain a positive self-image.

3.3. Personality and Individual Differences

Threats are in the eye of the beholder. Studies of workplace incivility demonstrate that specific personality traits (e.g., agreeableness, emotional stability) decrease the perception of incivility whereas other traits (e.g., trait anger) increased perceptions of incivility (Sliter et al., 2015). In that perception of workplace incivility might lead to ambivalence, personality characteristics will affect perceptions of the workplace climate and culture (Choma et al., 2012; Lipkus & Siegler, 1993; Sliter et al., 2015) and this can impact information security behaviors (Hu et al., 2011). Moreover, a constellation of individual differences would also seem to be relevant to the most malicious forms of InT, collectively referred to in psychology as the Dark Triad (Furnham et al., 2013; Jones & Figueredo, 2013; Paulhus, 2014): psychopathy, Machiavellianism, and narcissism.

Researchers have often speculated about how these ‘dark’ traits relate to InTs (Kandias et al., 2013; Maasberg et al., 2015; Schoenherr & Thomson, 2020), based on studies of how they affect workplace behavior (Boyle et al., 2012). For instance, in their meta-analysis of studies of the Dark Triad in the workplace, O’Boyle et al. (2012) found that while individuals high in Machiavellianism and psychopathy were more likely to demonstrate poor performance, together all three traits were strongly associated with CWBs, e.g., harassment and bullying, loafing, withdrawal, and sabotage. Research in I/O psychology has suggested that while psychopathy is most strongly related to behaviors like bullying, narcissism and Machiavellianism are also related to this behavior (Greitzer et al., 2013; Nurse et al., 2014). Moreover, individuals high in Machiavellianism and narcissism are more likely to use ‘soft tactics’ (e.g., compliments) to manipulate those around them whereas individuals high in psychopathy are more likely to use ‘hard tactics’ (e.g., aggression; Jonason et al., 2012).

In addition to the Dark Triad, sadism has also been widely studied. Sadism (a Dark Tetrad characteristic) is associated with desire to cause harm (Buckels et al., 2013; Chabrol et al., 2009; Reidy et al., 2011). Sadism has been found to describe unique sources of variation in CWB, with individuals high in sadism engaging in more incivility, cyberbullying, and other forms of mistreatment (Min et al., 2019). However, whether these individual differences will result in InT behavior will ultimately depend on the norms of a working group, organizational resources, and perceived opportunities (e.g., Smith & Lilienfeld, 2013). For instance, someone with high levels of these dark traits might not leave or betray an organization if they do not believe their prospects of employment are any better elsewhere.

Individual difference also provided the basis for unintentional InTs where explicit motivation is absent (Greitzer, Strozer, Cohen, Bergey, et al., 2014; Greitzer, Strozer, Cohen, Moore, et al., 2014; Khan et al., 2021). Recent studies have also highlighted the involvement of general personality traits in the commission of unintentional InT (Gratian et al., 2018). For instance, studies have found that high conscientiousness and agreeableness are associated with greater adherence to cybersecurity practices (McCormac et al., 2017). In two recent studies examining the relationship between personality and cybersecurity behaviors, individuals low in conscientiousness (Schoenherr & Thomson, 2021) and emotional stability (Schoenherr, 2022b) were more likely to report engaging in poor cybersecurity practices that could lead to InT. Crucially, factors associated with unintentional behaviors and intentional disclosure appear to be partially dissociable (Schoenherr, 2022b). These results suggest that there are multiple motivational pathways that can create InTs.

4.0. Insider Threat Frameworks

Most frameworks for understanding and mitigating InT reflect theoretical instruments that are based on adapting concepts from the behavioral and social sciences, case studies, and ‘common sense’. In addition to efforts to standardize terminology used to identify relevant aspects of cybersecurity and InT (i.e., ontologies; Costa et al., 2014, 2016; Greitzer et al., 2019; Greitzer & Purl, 2022; Obrst et al., 2012; Oltramari et al., 2014, 2015; Raskin et al., 2010), InT frameworks reflect three broad approaches focusing on 1) taxonomies of InT behavior or motivational categories of InTs, 2) dimensional accounts that decompose motivational factors, and 3) causal ‘critical pathway’ frameworks that attempt to identify how factors conjointly result in InT behavior. Following a critical review of these frameworks, we present a multi-level framework that considers individual, social, and organizational factors that create three pathways to InT determined by different kinds of motivation (e.g., Boss et al., 2015; Burns et al., 2019; D’Arcy & Lowry, 2019; Van Schaik et al., 2017; cf. Shaw et al., 1998; Shaw & Sellers, 2015; Shaw & Stock, 2011).

Motivational Taxonomic Approaches. Taxonomic approaches to InT typically identify diagnostic categories of InTs. Common kinds of InT behavior include sabotage, fraud, intellectual property theft, unauthorized disclosure of information, workplace violence, and espionage (CISA, 2022; INSA, 2019). A basic distinction is also typically made in terms of ‘intentional’ or ‘unintentional’ InT resulting from malicious intent or negligence, respectively.

Motivational taxonomies are often represented as insider archetypes or ‘profiles’. For instance, IBM (2022) differentiates insiders in terms of motivational categories: the Pawn (an employee that is manipulated and used), the Goof (an employee who fails to comply with security policies), the Collaborator (an employee who coordinate with outsiders), and the Lone Wolf (an employee acting independently for their own self interest; see also Kaspersky, 2022).^[11] Wall (2013) also differentiates non-malicious insiders in terms of Underminers (employees ignoring security protocols to make their access easier), Over-Ambitious (risk-takers who are focused on goals to the exclusion of other considerations), Socially Engineered (employees who are duped into sharing information with outsiders), and Data Leakers (whistleblowers who have ethical or unethical motivations).

Providing an empirically grounded motivational taxonomic approach, Searle and Rice (1999) used interviews of individuals involved in a critical incidence to identify five classes of InTs: omitters, slippers, retaliators, serial transgressors, and passive insiders. For instance, omitters were defined as individuals who engage in CWB because of failures of self-regulation, failing to consider the consequences of their actions in the absence of others. In contrast, slippers infrequently engage in CWB that might adversely affect an organization. While infrequent, the failure to conform to normal workplace behavior can results in threats at critical times, e.g., what intelligence and security agencies would refer to as ‘spillage’ resulting from sensitive documents being removed and left in an insecure area. Like omitters, slippers do not likely have the intention to harm an organization and might self-report the spillage. Finally, although not formally provided as part of their typology, Searle and Rice also identify passive insiders as those who create threats due to a failure to identify or correct the behaviors of other malicious insiders.

The notion of a passive InT is particularly interesting in that this behavior might be quite common. For instance, unless an employee is familiar with a working group’s dynamic and the roles and responsibilities of its members, they might be reluctant to accuse another of InT behavior for fear of reducing social cohesion and alienating other group members or themselves. As studies of workplace incivility illustrate, understanding employee motivation is key to understanding CWB (Andersson & Pearson, 1999; Cortina et al., 2001). Thus, while typologies help classify individuals for the purposes of monitoring the prevalence and incidence of InT and inter-organizational communication, categories are ultimately products of individual factors, their associated motivations, and their interactions within an organizational context (Funder & Colvin, 1991; Furr & Funder, 2018; Mischel & Shoda, 1995). A more nuanced understanding of motivation is required to effectively understand InT.

Factorial and Dimensional Approaches. In that some forms of InT are related to financial gain, Cressey’s (1953; see also Riemer, 1941) embezzlement framework can also provide insight into insider motivations. He suggested that trusted insiders will commit an act of fraud when they perceive financial hardships, situational factors create an opportunity, and they can justify their behavior. These causal factors reflect a ‘Fraud Triangle’ consisting of motivation (i.e., pressure and incentives), opportunity, and rationalization. Much like Ariely and colleagues’ theory of dishonesty (Gino et al., 2009, 2013; Mazar et al., 2008), individuals can maintain a positive self-concept by rationalizing questionable behavior. In a recent review, Homer (2019) provides support for the contributions of these three factors, with 27 of the 33 available studies providing evidence for all three factors. Reviewing 13 cases of fraud, Schuchter and Levi (2016) extended the Fraud Triangle by suggesting that the impulse to engage in fraud when an opportunity was identified was initially inhibited. However, this inhibition decreased over time until the perpetrator engaged in fraud. This pattern is consistent with the process of cognitive dissonance reduction (see Figure 3).

Despite promising support for the Fraud Triangle, studies of InT that have supported financial gain as a motivator of InT behavior (Kowalski et al., 2008), and the Fraud Triangles use in InT training, frameworks based solely on financial misconduct might not generalize to other InT behaviors. Specifically, as an abstract concept, monetary and financial motivations might differ from other sources of motivation (Lodder et al., 2019). For instance, theft of money or financial information likely differ from information related to personnel security (e.g., the identity of undercover personnel) and physical attacks toward other group members. Consequently, InT frameworks must go beyond considerations of financial misconduct.

Using research from I/O psychology, Schoenherr and Thomson (2020) proposed a conceptual model for InT detection, SIEVE. Reviewing research on organizational deviant behavior (Bennett & Robinson, 2000; Robinson & Bennet, 1995) and incivility (Andersson & Pearson, 1999; cf. Hershcovis, 2011) they suggested that violations of workplace norms which include InT can be distinguished on the basis of the severity of the norm violation (S), the insider’s intentionality (I), and the type of employee norm violation (EV). However, some apparent norm violations which might appear to be antisocial behavior to an organization (i.e., harming the group or supervisor) can be a result of attempts to correct perceived violation of social norms and conventions (A. P. Fiske & Rai, 2014). Thus, they suggest that perceived ethicality of the violation (E) must also be considered. For instance, a whistleblower^[12] might believe that harming their organization benefits other groups (e.g., society, global community; Appelbaum et al., 2007). This reflects a prosocial motivation. In contrast, leakers might simply wish to harm an organization (an antisocial motivation) or help themselves (asocial motivation). Based on this review, dimensional approaches appear to represent an improvement over taxonomies. By focusing on dimensions, taxonomies of InT are seen as by-products of social cognitive, cultural, and organizational factors.

The Critical-Path Approach. In contrast to taxonomies or dimensions, InT frameworks have also considered causal factors that reflect a ‘critical path’ that leads to InT behavior. This approach is exemplified by the Critical-Path to Insider Risk (CPIR) framework developed by Shaw and colleagues (Shaw et al., 1998; Shaw & Sellers, 2015). In their work, Shaw and colleagues consider InT as a pathological response rather than a result of normal cognitive, social, and organizational processes, claiming that “[n]ormal and well-adjusted people do not commit hostile insider acts” (italics added) rather a “…troubled employee [can turn] into a danger to the organization and the people who worked in it,” (Shaw & Sellers, 2015). Thus, in contrast to MAP-IT which emphasizes the influence of social cognitive processes, the CPIR approach reflects a variant of the organizational deviant behavior approach (Bennett & Robinson, 2000; Giacalone & Greenberg, 1997; Robinson & Bennet, 1995).

Highlighting the employee’s deviant behavior relative to the organization, three of the four factors included in CPIR focus on factors adversely affecting the individual: personal predispositions of the insider, stressors, and ‘concerning behaviors.’ Personal predisposition consists of psychopathologies, maladaptive personality traits, social skills and vulnerable relationships, and judgment and decision-making. In their account, rather than reflecting features of an organizational environment, stressors have many similar features, consisting of personal, professional, and financial factors. Finally, their variables reflecting ‘concerning behaviors’ consist of behaviors that deviate from the employee’s normal behavior or otherwise deviate from a typical employee, e.g., unusual travel patterns, interpersonal behaviors, or security practices.

Organizational factors are also considered in CPIR in terms of problematic organizational responses. These problematic responses, however, are considered in terms of failures to effectively monitor or regulate behavior of potential malicious insiders. For instance, these factors include inattention, no risk assessment process, inadequate investigation, and summary dismissal or other actions that escalate the threat. Although CPIR rightly assumes causal connections between InT behavior and individual and situational factors, it is not clear that these factors are clearly distinguished or that they account for general social cognitive processes (e.g., cognitive dissonance, moral flexibility) or interpersonal processes observed within organizational environments (Andersson & Pearson, 1999; Cortina et al., 2001; Sliter et al., 2015).

InTs can also be understood in terms of risk perception: an individual might be generally motivated to avoid InTs behaviors but might not perceive a risk at a given moment (e.g., Boss et al., 2015; Burns et al., 2019; D’Arcy & Lowry, 2019; Van Schaik et al., 2017, 2018). Using multi-level modelling, Moody et al. (2018) developed the Unified Model of Information Security Policy Compliance (UMISPC), developed following a review and comparison of 11 motivational theories from the social sciences that range in their scope of general motivation, criminal deterrence, to health beliefs. UMISPC is directed toward understanding threat perception in the context of information systems security. The resulting model is presented in Figure 4.

Figure 4.UMISPC threat perception model for information systems security.

UMISPC assumes that the effectiveness of risk mitigation behaviors (response efficacy) is a result of fear from a perceived threat (e.g., Boss et al., 2015). Moreover, an individual’s role and corresponding values and habits contribute to the intention to adopt appropriate security protocols (Tsai et al., 2016). However, a group member might identify grounds to dismiss a potential threat (neutralization) which reduces the probability of an effective response, i.e., reactance (see Liang & Xue, 2009). Thus, while noting several contributing factors, UMISPC considers threat perception and the corresponding experience of fear as primary motivators with social factors limited to an individual’s role within an organization.

5.0. Virtue, Vice, and Vacillation. Multiple Approach Paths to Insider Threat (MAP-IT)

Combining features of the dimensional and pathway approaches reviewed above, we developed the Multiple Approach Paths to Insider Threat (MAP-IT) framework that considers how differences in motivation, social processes, and organizational structure can directly or indirectly lead to InT behavior. By moving beyond the assumptions of organizational-deviant behavior, MAP-IT assumes that InT behaviors are the result of three motivational pathways (unintentional, ambivalent, or intentional motivations), defined by social and asocial motivations that interact with the organizational environment.

Three Levels of Analysis. In developing MAP-IT, our review has highlighted individual, social, and organizational factors (Table 1) that must be considered to classify the motivations of InT behavior (see Figure 1). First, we assume that InTs vary in terms of their intentionality based on a heterogenous set of individual differences. Intentional InTs are those who wish to harm an organization (e.g., reputational or financial harm), directly harm an individual or group within an organization (e.g., supervisor, co-worker), or harm an organization incidentally in the pursuit of their personal goals (e.g., financial or material gain, self-image). They can also include a desire to help others outside a primary organization (i.e., prosocial motivation) or can be restricted to personal gain or loss avoidance (i.e., asocial motivation).^[13] In contrast, unintentional InTs reflect individual differences (e.g., low conscientiousness, low emotional stability) that increase or decrease an individual’s consideration of, or ability to adhere to, appropriate workplace behaviors and security protocols that are relevant to physical and information security.

Second, differences in interpersonal norms and interpersonal processes can also lead to increases in the likelihood of norm violation within any group. Moreover, group norm violation and identification with other groups are likely defined by a bi-directional process. Individuals might perceive that group members, or the group as a whole, have violated a norm or interpersonal commitment, resulting in the employee wishing to exit an organization and associate with another organization. For instance, studies of soldiers involved in non-combatant kills have found that they were more verbally and physically aggressive toward other members of their group (Killgore et al., 2008) whereas studies of the workplace demonstrate that perceived social contract violation result in more CWBs (Penney & Spector, 2005; Sakurai & Jex, 2012).

Perception of norm conflicts between individual and group norms can also be facilitated by means of persuasive communication strategies (Cialdini, 2016), with acts that are antisocial toward one group reframed as beneficent acts toward another (A. P. Fiske & Rai, 2014). In environments saturated with misinformation and disinformation and conflicts of values, individuals will likely be more susceptible to such persuasive strategies. This can be the results of the influence of an external party or a process of rationalization. For instance, Burkett (2013) has argued that in the context of espionage case officers can exploit various persuasion techniques, e.g., reciprocity, scarcity, commitment, and consistency. Alternatively, employees might justify violating workplace norms that advanced their own self-interests and realign themselves with another group to maintain a positive self-image, i.e., a self-serving bias that reframes an opportunistic behavior as a virtuous act of helping oneself, family, or friends.

Third, although organizations might consider InTs in terms of perimeter-based defence to prevent masqueraders or monitoring mechanisms to prevent leakers, they might overlook the contributions of organizational leadership and culture. For instance, the DHS ITP appears to omit any mention of organizational culture or leadership in its mandated information sources.^[14] In such organizations, a failure to provide adequate training in physical or cyber security could lead employees to interpret guidelines in an ad hoc manner increasing the probability of unintentional InT and rationalization of lapses in security. Alternatively, if employees believe that they are not trusted by an organization, that organizations do not adequately address employees concerns internally, or that the organizational leadership does not reflect their values and is not held to the same standards (Schneider et al., 2013), psychological and organizational exit would likely increase leading to increases in InT behaviors. For instance, in the recent case of Joshua Shulte, who is accused of leaking information (so-called Vault 7) from the Central Intelligence Agency to WikiLeaks in 2017, his work unit has been described as defined by “tiresome high jinks… juvenile name-calling and recrimination” including frequent “Nerf-gun fights” and “lax security” (Keefe, 2022). Thus, interactions between these factors will likely be a significant determinant of InT behaviors.

Multiple Motivational Path-Ways to InT. In that many individual, social, and organizational factors can result in numerous possible pathways to InT, we sought to identify three fundamental motivational pathways (Figure 1). Much like a physical path, individuals can cross between these three paths as individual or situational factors change. Consequently, each one of these pathways can be considered an attractor state within a dynamical system defined by the interaction of individual, social and cultural factors, the strongest being the intentional and unintentional motivational pathways due to a desire to maintain consistency and act in a manner that conforms to how one perceives oneself (Figure 3).

An overview of some of the factors that create these pathways is presented in Table 1. In most cases, we assume that these factors interact (e.g., person-situation interactions; Furr & Funder, 2018). For instance, low conscientiousness can lead to unintentional InTs whereas high conscientiousness and high motivation (e.g., for retribution or personal gain) can lead to intentional InT. Environmental stressors and group cohesion can mediate these effects, i.e., co-workers could provide support to reinforce norms when deviation is observed. The list of factors is not exhaustive and is meant to be interpreted probabilistically rather than deterministically.

Table 1.Proposed general motivational InT pathways.

Unintentional	Ambivalent	Intentional
Low conscientiousness, Low agreeableness, Low openness, High neuroticism, High organizational/group commitment, High concern w/ self-presentation/perception, High stress / attentionally demanding environments	Multiple roles/loyalties, Personal or financial instability, Persuasive techniques used by outsiders, Toxic workplace, Perceived moral injury, Rationalization, Large-scale conflict and inequality (e.g., social, political), Coercion	High conscientiousness, High social competence, High Dark Tetrad, Rejection / negative evaluation by in-group, positive evaluation by out-group members, Conversion to belief system that occupies non-dominant position within society

Risk factors reflect hypothetical relationships. Dark Tetrad traits are listed in intentional and unintentional given that they might motivate specific behavior consciously or unconsciously.

In the case of ambivalent InTs, their mixed motivation means that they can be influenced by factors associated with both the unintentional and intentional pathways. Shifts in an insider’s path can occur as the result of persuasion or rationalization (see Figure 3). For instance, the actions of an unintentional InT might be observed and exploited by an external party through coercion or blackmail. Ambivalent insiders are likely most susceptible to persuasion given motivation for consistency or through observation of changes in the sociocultural environment, e.g., changes in organizational or national leadership, economy downturns, foreign policy. Consequently, the ambivalent path likely reflects the weakest attractor state of the three paths, with individuals being drawn back into highly cohesive groups or pushed or pulled into other groups. To further differentiate these motivational pathways, we follow previous frameworks (e.g., Nurse et al., 2014) and provide case studies to illustrate the kinds of motivational processes that differentiate intentional, unintentional, and ambivalent pathways to InT.

5.1. Unintentional Insider Threat: A Common Path

A central premise of MAP-IT is that the many InTs reflect the outcome of normal social cognitive processes. Consequently, in contrast to the assumptions that pathological psychological processes are the primary contributor to InT (e.g., Shaw et al., 1999), we suggest that this reflects a ‘common path’ to InT resulting from interactions between individual differences (e.g., lacking extreme political orientations, personality traits) and social cognitions (e.g., attribution, social cohesion, conformity bias, impression formation and management). Unintentional InTs believe that they are entering into a social contract with a group and its members, that they can adequately perform required activities as a group member, agree with the general norms and conventions of the group, and derive rewards from their group membership (e.g., material, financial, psychological). In these cases, any threats are likely not perceived and can be attributed to unfastidiousness in adopting appropriate security behaviors (e.g., failing to change passwords, removing sensitive files (e.g., McCormac et al., 2017; Schoenherr, 2022b; Schoenherr & Thomson, 2020).

Unintentional Motivation Case Studies. Unintentional InTs are evidenced in a wide variety of events varying from technologically sophisticated methods such as phishing attacks to simple involuntary disclosures in public fora (Cho et al., 2016; Greitzer et al., 2019; Halevi et al., 2013). For instance, a spear phishing attack that targeted Sony employees in 2019 resulted in a loss of over 100 terabytes of data whereas business email compromise (BEC) campaigns targeting Facebook and Google led to employees making numerous erroneous payments to hackers posing as vendors. Each of these events is believed to have resulted in a loss in excess of $100 million with the FBI suggesting that these scams cost over $1.7 billion. Similar situations can arise with the transmission of other organizational resources (e.g., money) as well as accidentally downloading malware. For instance, a report by Verizon (2020) suggests that 30% of breaches were caused by insiders, with phishing (22%) and a variety of malware attacks including password dumpers and spyware being quite common (18 and 30%, respectively).

Case studies in intelligence provide similar demonstrations. In 2012, Benjamin Pierce Bishop, a US defense contractor, disclosed classified information to his girlfriend as well as illicitly retained classified documents in his home (Herbig, 2017; Zimmerman, 2014). Bishop (59-year-old) met his girlfriend (27-year-old) at a conference in 2011, divorcing his wife in 2012 while concealing the fact that his girlfriend was a Chinese foreign national. Bishop claims that he provided his girlfriend with classified information to support her graduate studies, out of love for her, and that he had no intention of harming the United States. If one accepts Bishop’s justification at face value his motivational pathway towards InT appears largely unintentional, presumably the product of personality traits and life circumstances which might have made him susceptible to amorous manipulation.

In these cases, individuals might not be aware of the inconsistencies in their attitudes and behaviors and are therefore incapable of aligning them with adaptive group norms (e.g., Figure 3). However, unintentional and ambivalent InTs pathways are not necessarily well-defined. For instance, if persuasive communications were directed toward Bishop (in conjunction with self deception) and he was more acutely aware of the fact that his actions were in conflict with his security and intelligence commitments to his employer, Bishop’s motivational pathway might instead reflect unstable ambivalent motivations.

5.2. Ambivalent Insider Threats: The Middle Path

An ambivalent path frequently reflects a conflict of loyalties resulting from maintaining multiple relationships or positions in multiple social networks. People can maintain multiple social identities (e.g., individual, relational, and collective; Sedikides & Brewer, 2015), defined by different exchange norms (A. P. Fiske, 1991; A. P. Fiske & Rai, 2014), and experience different kinds of social cohesion within a group, e.g., horizontal (peer), vertical (leaders/supervisors), and organizational (collective; Siebold, 2007). These multiple dimensions of social identity, values, and interpersonal cohesion have the potential to create many conflicts (e.g., Sakurai & Jex, 2012).

An individual’s personality traits might also make them vulnerable to manipulation (e.g., Greitzer et al., 2021; Halevi et al., 2013), stressors, or perceptions of incivility (Penney & Spector, 2005). For instance, an individual who feels entitled to greater recognition or status than they currently have within an organization (e.g., due to narcissism, or failures of leadership to reward productivity), might have strong reactions to criticism, leading them to experience reduced social cohesion with their immediate group or the organization. Despite this negative perception of the group, they might otherwise enjoy their work (e.g., task cohesion), material rewards (e.g., pay), or other features of the workplace (e.g., specific coworkers, the mission statement of an organization, affiliation with a prestigious group). This leads to an ambivalence wherein an employee is both attracted to and repulsed by a working group or an organization.

Ambivalence is likely a common feature of most workplaces. For instance, due to concurrence seeking, group decision-making tends to result in groupthink, defined by confirmatory information-seeking behavior, beliefs in the invulnerability of the group, and reduction in consideration of alternative options (Janis, 1971, 1982). In that group members are unlikely to agree on all norms and conventions in the workplace, interpersonal conflict will likely result due to a failure to express opinions that might be deemed counter-normative (Jehn et al., 1997). Consequently, group cohesion can decline, leading to the risk of incivility, CWB, as well as psychological and organizational exit. All these conditions increase the risk of InT due to reduced commitment to the group (e.g., Posey et al., 2015). For instance, reduced motivation for concurrence seeking might lead to compliance failures (e.g., infrequent password changes) or a failure to detect or respond to anomalous behavior of other co-workers (e.g., ‘passive insiders’; Searle & Rice, 1999). Due to a desire to eliminate cognitive dissonance (Festinger, 1962; Harmon-Jones, 2019), individuals will seek to reduce ambivalence to maintain perceived consistency with one’s prior beliefs (Figure 3; Harmon-Jones, 2000; McGrath, 2017).

Ambivalent Motivation Case Studies. In 2017, National Security Agency contractor Reality Winner pleaded guilty to leaking a classified NSA report about Russian interference in the 2016 U.S. elections (Volz, 2018). Howley (2017) presents a profile of a woman who felt obligated to help people, who daydreamed about making a difference, and who expressed helplessness, frustration, and anxiety in response to her inability to do so. In addition to failing to consider the consequences of her actions, this description reflects someone who experiences ambivalence within her immediate work environment. Accordingly, Winner was described as unhappy and dissatisfied with her job, prompting her unsuccessful application for more fulfilling fieldwork abroad. Significantly, Winner also filed an official complaint that the workplace televisions were continually tuned to Fox News, and she openly derided then-President Donald Trump on her social media accounts, whilst gradually becoming more agitated (Berman & Bever, 2017; Ortiz, 2017).

According to this depiction of Winner and the circumstances which preceded her actions, Winner appears to have followed an ambivalent motivational pathway towards InT, where social and political issues as well as workplace environments seems to have conflicted with her professional commitment to abide by U.S. government security policies. By understanding Winner’s motivational pathway as ambivalent, rather than as intentional and malevolent, we can highlight not only relevant individual factors, but also the important organizational and sociocultural factors. Applying this perspective could have altered Winner’s pathway away from unauthorized disclosure of classified information, thereby potentially eliminating an InT.

More generally, cases of ‘whistleblowing’ also represent ambivalent InT. Whistleblowers can be defined as those individuals whose primary and principal motivation is to protect a larger group, i.e., the public, society (Dworkin & Baucus, 1998; Hersh, 2002). These individuals ostensibly work within an existing organizational structure but, due to structural features (e.g., time constraints, lack of reporting mechanisms, apathetic/antagonistic management), believe that these mechanisms are inadequate in addressing a perceived issue. In that they seek to adhere to existing social norms, they then seek out formal mechanisms outside the organizational structure. Evidence drawn from studies of organizational (Bjørkelo et al., 2011) and scientific (Lubalin & Matheson, 1999) whistleblowers suggest that these individuals are treated poorly by their workplace peers. In the absence of sharing an understanding of the motivation or situational factors, these individuals are likely to be classified as InTs or traitors within an organization. However, in addition to legitimate acts of whistleblowing, the existence of the whistleblower role within a society could be exploited in persuasion strategies to mislead individuals into leaking information, framing their actions as a prosocial act of ‘whistleblowing’ rather than antisocial threats to the interests of an organization or nation, i.e., unauthorized disclosures of sensitive information.

Conflict of loyalties can also arise when one experiences strong group cohesion and social identity while also perceiving aggressive threats from powerful, external parties. For instance, in 2007, Deniss Metsavas, an Estonian army officer, was coerced into spying for Russia after he was confronted with video footage of his sexual relations the night before (Weiss, 2019). Metsavas was accused of rape and threatened with 15 years in Russian prison. In 2013, when Metsavas allegedly wanted to stop spying, GRU^[15] handlers recruited his father, ensuring that he continued cooperating. Accordingly, despite Metsavas’ traitorous actions, his motivational pathway appears ambivalent rather than malicious. Caught between loyalties towards colleagues and country and an imminent threat to his and his family´s well-being, Metsavas’ betrayal presents as the result of coercion and persuasion. By highlighting these ambivalent motivations, we counteract the oversimplified stereotype of the malicious traitor, the preconceived notions of which might hinder threat detection and threat mitigation.

Perhaps no one is more synonymous with the attributions of intentional InT within recent U.S. history than Edward Snowden, although this assessment is likely oversimplified. For instance, the U.S. House Permanent Select Committee on Intelligence describes Snowden as an “serial exaggerator and fabricator” with a history of lying and embellishing his credentials when applying for positions in both the CIA and the NSA (House Permanent Select Committee on Intelligence, 2016). In this report, Snowden’s co-workers described him as an arrogant introvert who “frequently jumped to conclusions” and his supervisor stated that he failed to accept feedback and advice, did not respect the chain of command, or embrace the culture of the CIA, resulting in Snowden being involved in numerous workplace spats. It also documents instances where Snowden misused his network administrator privileges to alter a performance evaluation for his own benefit and illicitly accessed answers to questions prior to an examination. The report also states that Snowden appeared frustrated over his limited access, that he manipulated co-workers to access and copy classified information, and that he was not only searching for information on surveillance programs, evident for example by the fact that he searched the personal drives of people involved in the hiring of a position he had applied for.

In understanding this case, Snowden’s motivations must also be considered. For over a decade, he denounced “pervasive government secrecy” on social media. Consistent with this, he noted following the leak that he could not “in good conscience allow the US government to destroy privacy, internet freedom and basic liberties for people around the world with this massive surveillance machine they’re secretly building,” (Greenwald et al., 2013). Consequently, Snowden represents himself as an ambivalent insider who was cognizant of the damages that his action would cause but believed they were necessary to create awareness of the violations of social norms and values.^[16] Here, there might be a conflict between values of privacy and security and specific feature of surveillance activities, e.g., toward non-deviant group members rather than deviant out-group members. This case therefore illustrates the concept of an attractor state in MAP-IT: Snowden might have experienced an initial ambivalence resulting in the adoption of several dissonance reduction strategies (Figure 3) including leaking (change in behavior) and malicious intentions toward the NSA (change in attitude) while maintaining or amplifying prosocial motivation toward specific values (e.g., privacy, autonomy) and American society (change in attitude).

The Snowden incident also illustrates the difficulties associated with using information obtained from case studies alone, especially when researching an intelligence dimension. Humans tend to engage in hindsight bias (Guilbault et al., 2004) and interpret events in their favor. This is clear from both the House account and Snowden’s personal account. For instance, others reviewing the Snowden case have claimed that he was “hardly unusual” and seemed to be “a perfect fit for a secretive organization” that reflects “a very eccentric group of individuals with some really far-out ideas about the world,” (Bengali, 2013). This point illustrates the importance of relying on stereotypes as well as post hoc rationalization of behavior to fit an unambiguous intentional InT.

Given these conflicting accounts and perspectives, Snowden likely initially experienced ambivalence and was later attracted toward a more intentional pathway to InT behavior. Similar observation can be made about Schulte, who, using an anonymous Twitter account, stated that individuals like Manning and Snowden should be executed while also claiming in a blog post that “privacy and individual security are antithetical,” such that “increasing one ultimately decreases the other,” (Keefe, 2022).

Our point in studying and presenting these cases is not to definitively determine a specific motivational pathway, this would require in situ measurements that are unavailable. Rather, these cases illustrate the mixed motivations and vacillation between different pathways due to changing values, information, and circumstances. The intricacies of betrayal-of-trust behaviors make them difficult to label. In these ambivalent cases, MAP-IT highlights the need for a multilevel analysis that considers not only individual factors, such as personality traits and stressors, but also cognitive, organizational, and sociocultural factors, which together constitute the motivational foundation behind InT. Accordingly, viewed through the MAP-IT framework, considering all evident factors and indicators, perhaps Snowden’s progress towards betrayal might have been detected and subsequently halted.

5.3. Intentional Behavior: The Intentional Path

Finally, there will likely always be a subset of individuals within an organization or country that intentionally act against it. This motivational pathway can be further subdivided based on three motivations: prosocial motivations associated with helping an external group (e.g., ‘society’, ‘humanity’), asocial motivation associated with the insider helping themselves without regard to the harm experienced by others (e.g., personal gain, loss avoidance), and antisocial motivations associated with retribution, disregarding the harms caused to themselves or others (e.g., reciprocal harm). Here, we focus on those with asocial or antisocial motivations.

In the case of asocial and antisocial motivations, while highly impulsive individual would be relatively easy to detect, high levels of some ‘dark traits’ might allow them to go undetected if their actions advance an organization’s interests in conjunction with their own (Boddy et al., 2010; Spurk et al., 2016; cf. Smith & Lilienfeld, 2013). These individuals might be highly socially competent, allowing them to masquerade as a typical group member, manipulating others (e.g., high levels of Machiavellianism) or experience little empathy toward those that they deceive or otherwise harm (e.g., high psychopathy). Organizations might only detect them when their interests no longer align. For instance, in the case of a spy, individuals are more likely to demonstrate typical personality traits making them more difficult to detect. Rather than ambivalence, they perceive their actions as moral as they are deemed prosocial by another group. If they are trusted and continue to access the same resources (e.g., material, informational), the use of techniques like anomaly detection might be especially problematic.

Intentional insider behavior could also result from organizational or social changes that occur abruptly, shifting an individual from a common or ambivalent path into an intentional path. For instance, radical organizational changes that are associated with change in organizational values (e.g., a takeover, or change in political leadership) could act as a catalyst for a formerly loyal member of an organization to become disloyal relative to the new organizational structure (Bordia et al., 2011; Naus et al., 2007). In this case, organizations must be mindful of change management to reduce the likelihood of InT. Importantly, while some broad organizational initiatives (e.g., training and education) might provide the foundation for this system, organizations should nevertheless develop coaching and conflict resolution resources to facilitate these transitions. However, when employees’ motivations correspond to a form of retaliation (virtuous violence), such organizational initiatives are unlikely to dissuade malicious insiders.

In that InTs occur within the confines of an organization, insight can be gained from research on occupational crimes, a class of offenses committed by persons against a governmental or nongovernmental organization (Benson & Moore, 1992; Holtfreter, 2005; Weisburd et al., 1991). Importantly, much of the research on InT appears to tacitly focus on employees in intermediate positions (i.e., middle management) or other employees (e.g., technicians, contractors). However, white-collar crimes tend to be perpetrated by individuals in high-status positions defined by high levels of education who have access to critical information (Benson & Moore, 1992). These individuals tend to commit acts of fraud. Moreover, crimes such as misappropriation and corruption tend to be associated with “middle-class” individuals (Weisburd et al., 1991). The influence of stereotypes on detection is also evidenced in sex- and gender-based discrimination. For instance, there is a “gender punishment gap” leading to more females being fired for misconduct rather than males (Egan et al., 2022).^[17] Thus, an intentional path will differ depending on factors such as status, gender, and individual differences.

Intentional Case Studies. The cases of Jerry Chun Shing Lee and Brian Scott Orr present clearer cases of intentional motivational pathways towards InT. Former CIA operations officer Jerry Chun Shing Lee conspired to commit espionage on behalf of the People’s Republic of China (PRC; Department of Justice, United States, 2019). In 2007, Lee “left the agency disgruntled after his career plateaued,” (Goldman, 2018) and in 2010 he was approached by Chinese intelligence and offered financial rewards for his cooperation. He subsequently disclosed classified information which, according to the New York Times, resulted in the killing or imprisonment of more than a dozen CIA assets and a catastrophic dismantlement of the U.S. intelligence network in China (Mazzetti et al., 2017).

Similarly, Brian Scott Orr attempted to disclose classified information to the PRC (Federal Bureau of Investigation, 2014). Orr left the U.S. Air Force in 2011 after he lost his classified access and upon leaving, he extracted classified information which could be used to destroy or disrupt U.S. military satellites. In his contact with an undercover FBI agent posing as an agent of the PRC, Orr stated that he was the “foremost expert on attacking the computer network” and that he could destroy U.S. military satellites for a financial reward. While it is not clear whether Lee and Orr were driven by prosocial, antisocial, or asocial motives, the intentional motivational pathway towards InT appears obvious given the undoubtedly catastrophic harm to U.S. national security their actions might lead to.

6.0. Conclusions

Addressing InTs requires an understanding of human factors (Greitzer, 2019; Schoenherr & Thomson, 2020). Schneier (2015) succinctly summarizes this issue in his analysis of the Snowden affair: “while cryptography is strong, computer security is weak. The vulnerability is not Snowden; it’s everyone who has access to the files.” Unsurprisingly, there is growing recognition that InT does not represent a single critical path defined by malicious intent (cf. Shaw et al., 1998; Shaw & Sellers, 2015; Shaw & Stock, 2011). Rather than adopting an organization-centered approach that considers all employees potential InTs, using results from psychological studies, we have argued that multiple motivations can be identified and associated with specific kinds of InT behavior.

Here, we have described three general motivational pathways: unintentional path, ambivalent path, and intentional path. These paths are determined by individual differences, social processes, and social and organizational structures. By differentiating between these three motivational pathways, organizations can identify more systematic and effective means to address InT. In the case of unintentional InTs, this might consist of training to address vulnerabilities in employee’s knowledge. In the case of ambivalent InTs, additional organizational resources should be created to address employees concerns and provide them with support, i.e., employee assistance programs. In the case of intentional InT, this requires more effective means to identify individuals and behaviors related to leaking and espionage behavior.

Using methods and research contributions from the behavioral and social sciences, we note the utility of considering InT behavior in terms of normal social cognitive processes. Specifically, unintentional InTs reflect the most common path given that they likely reflect low-intensity/high-frequency behaviors, e.g., unfastidiousness in terms of adherence to network security protocols, spear-phishing scams, and involuntary disclosure. However, employers should be cautious in treating or classifying employees as ‘threats’ as it might create distrust that could lead to ambivalence toward the organization and a self-fulfilling prophecy (e.g., Posey, Bennett, & Roberts, 2011; Posey, Bennett, Roberts, et al., 2011). The frequency of occurrence of specific InTs will need to be studied more extensively, and the properties of the distributions will no doubt differ depending on organizational characteristics, roles and responsibilities of employees, and stressors.^[18]

Here, an understanding of the social context of insider behavior is central to predicting the likelihood of InT. Specifically, workplace or interpersonal incivility will reduce group cohesion making individuals in these settings more susceptible to influence from external parties. We additionally suggest that these individuals will eventually seek to reduce the cognitive dissonance they experience through rationalization (Figure 3), leading them to re-affirm their commitment to their group or shift toward malicious behavior that either benefits them directly (i.e., material gain) or symbolically (i.e., membership in another group). Consequently, the ambivalent motivational pathway represents the weakest attractor state of the three. For instance, ‘whistleblowers’ reflect individuals with prosocial intentions, however, they likely experience ambivalence prior to, during, and following the act of disclosure.

Finally, we considered an intentional InT path. We further differentiate intentional InTs that are motivated by asocial motivation, antisocial motivation (e.g., revenge) and prosocial motivation (e.g., whistleblowing). Herein, individuals are motivated by personal gains, harming an organization or personnel within an organization (i.e., revenge or retaliation), correcting perceived imbalances or transgressions (e.g., whistleblowers) and promoting gains for another group (e.g., spies). In all these cases, InT behaviors will be high in terms of intensity and/or frequency, reflecting a deliberate and/or systematic effort to harm an organization or social institution. Despite the intentionality, the exact motivation will also greatly impact the manifestation of the InT behavior. Individuals with asocial motivations will likely have high levels of certain individual differences (e.g., Dark Tetrad) wherein their behavior is not directed by group norms. Antisocial insiders who seek to harm a group could target specific individuals that have transgressed against them (e.g., a disrespectful manager, co-worker) or the organization to undermine trust in the institution. In contrast, prosocial InTs that seek to help other groups, will likely be motivated by the norms of another group or the safety of members of that group. For instance, from an organizational perspective, whistleblowers reflect an InT while from the insider’s perspective, they are adhering to the norms of society. Ideally, as whistleblowers are motivated to reduce harm or promote public good with any personal gain or public fame (or defamation) being incidental, they will adhere to the available mechanisms of a society to address their concerns (e.g., ombudsman, integrity commissioners, legal system).

Implications for Detection Methods. The MAP-IT framework highlights the need to identify how specific motivational factors will result in different pathways to InT (cf. Moody et al., 2018; Shaw et al., 1998). Different paths also suggests that a variety of detection methods are required. Arguably, the majority of InT detection methods are based on the assumption that intentional (malicious) behavior should be the primary focus of surveillance and security strategies. Superficially, this approach reflects common sense in that it moves away from considering all members of an organization as potential InTs. However, such a singular focus likely explains the conclusion of the U.S. Defense Science Board^[19] that no effective prediction techniques are possible for violent attacks.

Here, we have presented several case studies to illustrate the three motivational pathways. In that MAP-IT was developed based on findings from the industrial-organizational and social psychology literatures that consider normal interpersonal processes (see also Moody et al., 2018), it does not assume that most or all InTs reflect pathological processes or individuals (i.e., CPIR). Instead, its key contribution is its focus on the importance of InT behaviors that are unintentional or the results of competing motivations. MAP-IT also underscores the importance of assessing organizational structure and climate as well as the prevalent values of society and critical sociocultural events. Although undoubtedly important, our emphasis on the ambivalent pathway highlights the complex set of motivations beyond threat perception and social role as the principal motivators for adhering to security policies and protocols (e.g., Moody et al., 2018). Thus, before and after a critical incident, insider threat programs should assess the perceptions of organizational culture, perception of social issues, and incivility held by employees.

Finally, rather than focusing on threat detection alone (Moody et al., 2018; Shaw et al., 1998), MAP-IT emphasizes the importance of prevention and intervention. Specifically, we suggest that assessing and evaluating employees, organizational leadership, and organizational culture on an ongoing basis can mitigate threats. In other words, InT programmes should study and improve organizational culture and employee competencies, as this has considerable potential to reduce a variety of InT behaviors. By identifying employees that have characteristics associated with unintentional InT (e.g., low conscientiousness, high neuroticism), insider threat programmes can more effectively develop and target training programs. By creating and expanding employee assistance programs (including conflict resolution units, counselling services, internal disclosure procedures), the risk of ambivalent and intentional prosocial InTs associated with divided loyalties, personal stressors, etc. can be reduced. To this end, InT detection requires that we take a sociotechnical perspective (e.g., Greitzer et al., 2019) and consider how humans, technology, and social organizations interact to address these concerns more effectively.

Arguably, the MAP-IT approach to InT prevention and detection is viable in all organizations that seek to address InT, be it within the intelligence community or the public sector. Nevertheless, the demands for implementing will necessarily differ due to organizational structure and mandate. For instance, intelligence communities are more segregated from civil institutions used for conflict resolution due to the sensitive nature of the information they are responsible for. They nevertheless must be proactive in developing specific internal mechanisms that facilitate addressing and resolving problems associated with incivility, CWB, and employee concerns that can lead to InT behaviors. Developing an expert community of specialists that are accessible to organizations will be critical to addressing InTs.

Disclaimer

This analysis is the authors’ alone and does not represent any official
position of the US Department of Defense or any government.

Bradley Manning transitioned into Chelsea Manning.
Grey literature refers to non-academic sources such as research conducted by private organizations wherein datasets are not always transparent, and their methodologies are not always clearly described.
For example, the Canadian Public Service Employee Survey consistently finds relatively low self-reported levels of physical violence (2%) and threats (13%), intermediate levels of self-reported yelling and shouting (25%), personal attacks (38%) and aggression (39%), and high reported levels of humiliation (43%), exclusion (47%), and offensive remarks (54%). Examples provided from 2020 data. Website: https://www.tbs-sct.canada.ca/pses-saff/2020/results-resultats/en/bq-pq/org/83#s7
Persistent, ambiguous behavior that violates workplace norms but falls short of harassment and violence.
How researchers define and operationalize ‘insiders’ (e.g., current or former employees, FTE or PTE), ‘threats’, and motivations will determine the prevalence of the behavior.
A discrete, stable state that can be shifted to another state as a result of changes in internal or external factors.
Observations in the behavioral and social sciences that are greater than or equal to three standard deviations are typically considered ‘outliers’, i.e., abnormal behavior that do not reflect typical behavior. Here, we use a normal distribution but assume that the parameters of the actual distribution will differ depending on the kind of InT being considered.
For a more comprehensive list of factors associated with workplace deviance, see Elias (2013).
This contrasts with models of cybersecurity that prioritize negative affective responses associated with risk perception (discussed below).
More generally, Andersson and Pearson (1999) note that such an approach in I/O psychology ignores motivation.
Kaspersky (2022) distinguishes between the Naïve Insider, Saboteur, Disloyal Insider, Moonlighter, and the Mole.
Here, the term ‘whistleblower’ is based on the motivations of the employee rather than whether their actions meet the formal definition of whistleblower, i.e., using internal disclosure procedures appropriately.
For instance, Regulatory Focus Theory (e.g., Higgins et al., 1994) assumes that people can approach a situation in terms of losses or gains, and this can alter their behavior and performance in a task.
U.S. Department of Homeland Security, “Privacy Impact Assessment Update for the Insider Threat Program” (DHS/ALL/PIA-052(b)), 2.
Russian Military Intelligence
On attempting to evaluate claims of damage to national security, see Gioe and Hatfield (2020).
This pattern is in contrast to the criminal justice systems (Goulette et al., 2015).
Whether intentional or unintentional, InTs can also be understood in terms of a Paretto Distribution, wherein a small number of individuals accounts for the majority of InTs, i.e., low conscientious personnel will likely engage in unintentional InT behavior whereas insiders with asocial or antisocial motivations will likely engage in intentional InT behavior.
Defense Science Board (2012), Predicting Violent Behavior. website: https://fas.org/irp/agency/dod/dsb/predicting.pdf

Submitted: May 23, 2022 PDT

Accepted: July 11, 2022 PDT

References

Ambrose, M. L., Seabright, M. A., & Schminke, M. (2002). Sabotage in the workplace: The role of organizational injustice. Organizational Behavior and Human Decision Processes, 89(1), 947–965. https://doi.org/10.1016/s0749-5978(02)00037-7