Moore, Andrew   "Modeling the Influence of Positive Incentives on Insider Threat Risk Reduction", 2017 July 16-2017 July 20

Modeling the Influence of Positive Incentives
on Insider Threat Risk Reduction

Andrew P. Moore, apm@cert.org

The CERT® Division of the Software Engineering Institute
Carnegie Mellon University

Pittsburgh, PA 15213
412-268-5465

Abstract

Traditional insider threat practices involve negative incentives that attempt to force employees to act
in the interests of the organization and, when relied on excessively, can result in negative unintended
consequences that exacerbate insider threats. Positive incentives that attempt to encourage employees
to act in the interests of the organization can complement negative incentives. In our research, we
identified and analyzed three avenues for aligning the interests of the employee and the organization:
job engagement, perceived organizational support, and connectedness with co-workers. Based on an
analysis of three insider threat incidents and an exploratory survey of organizations, we developed a
preliminary model of the disgruntled insider threat problem as it relates to dissatisfaction with the
employing organization and the potential benefits associated with positive incentives that improve
perceived organizational support. The system dynamics model is based on previous research results,
published data, and simple (but arguable) assumptions showing how positive incentives can increase a
program's operational efficiency with reduced investigative costs and fewer incidents involving
disgruntled or exploitive insiders. Our incident analysis and survey work provided validation of the
simulation model structure. We will continue to refine and calibrate our model based on future research
and expect to demonstrate similar benefits as our work progresses.

Keywords: insider threat, cybersecurity, modeling and simulation, system dynamics, perceived
organization support, positive incentives

1 Introduction

Insider threat is the threat to an organization's critical assets posed by individuals—including
employees, contractors, and business partners—who are authorized to use the organization's
information technology systems [Cappelli 2012]. Insider threat programs within an organization help
it to manage the risks due to these threats through specific prevention, detection, and response practices
and technologies. Traditional guidance regarding how to defend against insider threats focuses
primarily on negative incentives, which constrain employee behavior or detect and punish misbehavior.
These traditional security practices are necessary to reduce insider threats, but their excessive use can
result in counterproductive constraints on employees’ actions, overreliance on after-the-fact responses
that fail to prevent damage, and alienation of staff that can exacerbate insider threats [Moore 2015].

Fortunately, traditional practices are only part of the suite of management practices that organizations
have available to reduce insider threats. Figure 1 provides an abstract view of the spectrum of insider
threat countermeasures, with more abstract objectives to the right and the means for achieving them to
the left.

® CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office by Carnegie Mellon
University.

The bulk of insider threat research has focused on the bottom two branches: the prevention, detection
of, and response to insider misbehaviors. Security policies and technical measures provide negative
incentives that are intended to prevent, detect, and respond to insider misbehavior. Recent research has
focused on the detection of at-risk behaviors of insiders, such as conflict with co-workers or personal
indebtedness, which have been shown to be pre-cursors of serious insider threat activity (the third
branch).

The research described in this report involves the top branch: positive incentives as a means to reduce
insider threats without the use of monitoring and detection mechanisms. Positive incentives can
complement traditional practices by encouraging employees to act in the interests of the organization
either extrinsically (e.g., through rewards for following security policies) or intrinsically by fostering
a sense of commitment to the organization, the work, and co-workers.

Instead of solely focusing on making sure employees don’t misbehave, positive incentives create a
work environment where employees are internally driven to contribute to the organization only in
positive ways. This approach may seem idealistic, but there is a solid scientific basis for this
perspective. Our research is making inroads into the second branch of Figure 1 by elaborating
conditions within organizations that are conducive to insider threat and a means for transforming
organizations to be more resistant to insider threats. Preliminary evidence suggests that positive
incentives can deter insider misbehavior in a constructive way from the outset of the employee-
organization relationship. In combination with traditional practices, positive incentives offer the
possibility of a more balanced and constructive organizational approach to reducing the insider threat
with fewer negative consequences.

This paper describes the results of a research effort to establish and model the influence of positive
incentives on reducing insider threats. For U.S. Government organizations and their contractors that
handle classified information, Executive Order 13587 requires establishing formal insider threat
programs. Many non-governmental organizations are also establishing insider threat programs as a
means to reduce their risk of insider theft, fraud, and sabotage. With organizations starting to recognize
the downsides of negative incentives, the need for this research has never been more pressing [Moore
2015]. It can be a means to prevent employee alienation from their employer that can spur insider
threats, and to complement organizational detection and response capabilities.

The rest of this section provides relevant background on previous research and an overview of our
research in 2016 on positive incentives. Section 2 presents our preliminary system dynamics model
based on the findings from previous research and some key findings from the simulation-based
analysis. We model the disgruntled insider threat problem as it relates to dissatisfaction with the
employing organization and the potential benefits associated with positive incentives that improve
perceived organizational support and justice. We also extend the model in a way that permits analyzing
potential cost savings associated with fewer insider threat incidents and counterproductive behaviors
generally. Finally, section 3 summarizes our preliminary results and provides an outline of workforce
management practice areas based on positive incentives that promote perceived organizational support
among employees. Our future work will involve extending the basic model presented as we get more
experience piloting workforce management practices in the field. We also present our vision for the
future of insider threat defense and our research plans that move us toward this vision. The

provides an overview of the method and notation associated with system dynamics for readers
unfamiliar with the approach.

Figure 1: Insider Threat Defense Options

1.1 Background
The subject of our research intersects issues important to both human resources (HR) and cybersecurity
professionals. We identify two types of workforce management practices relevant in our research:

• Negative incentive-based practices (negative incentives, for short): workforce management
practices that attempt to force employees to act in the interests of the organization

• Positive incentive-based practices (positive incentives, for short): workforce management
practices that encourage employees to act in the interests of the organization

While a balanced approach focuses on a combination of positive and negative incentives, positive
incentives have been studied extensively in the modern era [Levy 2013, Smither 2009]. By far, most
of this research focuses on the benefits of this approach for improved productivity, performance, and
retention, including a relatively recent focus in an area called “positive psychology” [Seligman 2012].
While much of the recent practice-based literature focuses on a concept called “work engagement,”
researchers have noted that this concept is actually a conflation of many previously established social
science theories and domains of research [Meyer 2013].
We believe there are three dimensions along which we can align an employee's interests with their
employer's interests: the employee's job, their organization, and the people they work with.

• Job Engagement involves the extent to which employees are excited by and absorbed in their
work. Strengths-based management¹ and professional development are practices known to
boost employee job engagement. Measurement scales for employee engagement have a
considerable history, including their use by both the U.S. Government [OPM 2015] and
academic researchers [Schaufeli 2004].

¹ Strengths-based management focuses primarily on identifying and using an individual's personal and professional strengths in
directing their career and managing their job performance [Buckingham 2009].

• Perceived Organizational Support involves the extent to which employees believe their
organization values their contributions, cares about their well-being, supports their socio-emotional
needs, and treats them fairly. Here, programs promoting flexibility, work/family
balance, employee assistance, alignment of compensation with industry benchmarks, and
constructive supervision that attends to employee needs can boost perceived organizational
support. Extensively validated measures have been widely used since the 1980s [Eisenberger
1986], culminating in a seminal publication that summarizes that research in book form
[Eisenberger 2011].

• Connectedness at Work involves the extent to which employees want to interact with, trust,
and feel close to the people they work with. Practices involving team building and job rotation
can boost employees’ sense of interpersonal connectedness. One important scale is the one
associated with Self Determination Theory (SDT), in particular, the relatedness aspects of the
Basic Psychological Needs at Work Scale [Brien 2012]. Another scale is associated with the
Theory of Belongingness [Malone 2012].

Although there has been extensive research in these areas that demonstrates their value in terms of
employee satisfaction, commitment, performance, and retention [Levy 2013], a related body of
research exists that helps to determine their value for reducing insider threats.
Literature with a strong connection to our research includes studies that show that positive employee
attitudes about their work are linked to reduced counterproductive work behaviors. Counterproductive
work behaviors include malicious insider threat behaviors as well as other less egregious, but still
counterproductive, behaviors. A well-established body of research shows that the psychological contracts that
employees (often implicitly) have with their organizations can, if breached, serve as the reason for
negative attitudes and behaviors by employees [Rousseau 1995, Restubog 2015].
Research on psychological contract breaches aligns with modeling research conducted at the SEI that
shows patterns of insider IT sabotage rooted in the insider’s unmet expectations [Cappelli 2012].
Generally, counterproductive work behaviors are found to be negatively correlated with the following:

• job engagement (e.g., [Sulea 2012, Ariani 2013])

• connectedness at work (e.g., [Sulea 2012])

• perceived organizational support (e.g., [Bordia 2008, Sulea 2012, Shoss 2013])

• organizational citizenship behavior (e.g., [Ariani 2013])

• conscientiousness (e.g., [Shoss 2013])

• employee empowerment (e.g., [Afsheen 2013])

Especially significant is that perceived organizational support is strongly correlated with organizational
commitment [Rhoades 2001].

1.2 Our Recent Data Collection and Analysis

Research conducted by the CERT Program at the Software Engineering Institute in 2016 involved both
insider incident analysis and organizational surveys [Moore 2016a]. The incident analysis involved

analyzing several high-profile insider incidents for the levels of job engagement, co-worker
connectedness, and perceived organization support evident during the incident timeline. Perceived
organizational support was found to be extremely negative, while job engagement and co-worker
connectedness were found to be low, but not necessarily in the extreme. These incident case studies
suggested focusing on organizational support in our survey research.

We conducted a survey with members of the Open Source Insider Threat Information Sharing Group
(OSIT), a group of individuals responsible for establishing insider threat programs in organizations.
The organization’s membership is growing, in part because of the executive order that requires
organizations that handle classified information to establish an insider threat program. At present,
there are approximately 100 organizations that are members of OSIT. Supporting and extending
previous research, as shown in Figure 2, the 23 responses to the survey that we received indicate a
significant negative correlation between perceived organizational support and intentional (primarily
malicious) counterproductive work behaviors. A somewhat weaker negative correlation was also
found between organizational justice and these behaviors. The relationships were found to be
statistically significant at the 95% confidence level [Moore 2016a].

Figure 2: Negative Correlation between Perceived Organizational Support and Insider Misbehavior (x-axis: Perceived Organizational Support; y-axis: Insider Misbehavior Frequency; slope = -1.04, statistically significant at the 95% confidence level)

It is somewhat surprising that organizational justice is less negatively correlated than perceived
organizational support. One might expect that unfair treatment would be a strong reason for insider
misbehavior. However, perceived organizational support includes aspects of fair treatment as part of
the standard instrument for measurement. It also includes other aspects, such as effective
communication and supervisor supportiveness. A plausible conclusion to draw is that breadth of
coverage across the various aspects of perceived organizational support is more important than in-depth
coverage, at least as it relates to organizational justice. While the exploratory nature of our initial
analysis does not permit us to generalize this relationship to the larger population of organizations
establishing insider threat programs, it provides a good basis for developing a simulation model for
what we know so far.

2 The System Dynamics Model and Analysis

This section describes a simulation model of the problem associated with employees’ dissatisfaction
with their employer and how that dissatisfaction may lead to disgruntlement-spurred insider threats
such as insider cyber sabotage, information theft, and unauthorized leakage of classified information.

The preliminary model presented focuses on the primary stock and flow structure and a simulation
that exhibits the relative constancy that other surveys of employee satisfaction have demonstrated over
the years. The purpose is to explore what a simple (stock and flow) model suggests would be the
value of greater employee satisfaction with their employer in terms of reduced insider threat and
associated investigative costs. Our basic model is based on data on the U.S. federal government
workforce showing that employee dissatisfaction with their employer remains fairly constant over
time. The model reflects the relationships found in our data, as shown in Figure 2, which illustrates
the threat-reducing value of practices that increase perceived organizational support. We do not
explore in this paper possible or plausible feedback dynamics associated with the problem. While
important, such feedback will involve understanding the dynamics associated with workforce
management practices with which we have little practical experience and for which there is sparse
literature. Refinement of the basic model will include feedback dynamics, especially as we work with
organizations to better understand the pros and cons of specific positive incentives.

2.1 The Model

The core stocks and flows associated with an employee's changing satisfaction with their employing
organization are shown in Figure 3. We take a simple view that employees are either satisfied with the
organization or not, represented as the two primary stocks involved. We assume that newly hired
employees may be dissatisfied with the organization, perhaps as a result of a negative hiring or
onboarding process.

The user-settable variable percent satisfied at hire represents the percentage of those hired that are
satisfied. Of course, satisfied employees can become dissatisfied at some rate; percent becoming
satisfied represents the percentage per month of satisfied individuals that become dissatisfied.
Likewise, there is a user-settable percentage per month of dissatisfied individuals that become satisfied;
however, we assume there is some percentage of the workforce that is perpetually dissatisfied that is
not included in the flow of employees becoming satisfied.

Figure 3: Core Stocks and Flows in the Organizational Context

Finally, while employees leaving the organization may be either satisfied or not, we expect a larger
percentage of dissatisfied employees will leave. The next section discusses factors involved with setting
the variables in the execution of the model based on existing data and our project analysis.

Figure 4 extends the model to include the potential for dissatisfied employees to become disgruntled
and potentially become insider threat actors. We separate the stocks of dissatisfied employees,
disgruntled employees, and insider incidents as coflows so that we don’t have to duplicate the
termination flows and artificially estimate termination rates from every stock. Notice that once
someone causes an incident, there is no turning back; they may be stopped from causing further harm,
but they will forever be seen as insider threat actors by their employers.

However, those that are only disgruntled may get pulled back from the brink either through their
departure from the organization or by their re-engagement in the mission of the organization. We make
the following simplifying assumptions:

• The rate of re-engagement is proportional to the rate of dissatisfied employees becoming
satisfied.

• The rate of departure is proportional to the rate of termination of dissatisfied employees.

While these assumptions are debatable, they seem reasonable for an initial approximation. We discuss
the interpretation and measurement of various aspects of the model in the next section.

Figure 4: Emerging Physics of Organization Dissatisfaction and the Disgruntled Insider

Model Execution

The model described in the previous section raises the question of what the values should be for all of the input
variables during model execution. We used the following values in model execution, at least initially:

• percent satisfied at hire = 90%

• percent satisfied at termination = 20%

• percent becoming satisfied = 10%/month

• percent becoming dissatisfied = 10%/month

• percent of workforce perpetually dissatisfied = 5%

• percent becoming disgruntled = 10%/month

• percent disgruntled starting to attack = 0.2%/year

So how did we derive these values? We started by determining values from previous research that we
could use with sufficient confidence and then directed our research to determine reasonable values for
other variables of interest. We developed a preliminary version of this model prior to conducting the
research described in this report and used it to decide what additional data to collect.

As a starting point, we reviewed several studies that are regularly conducted to assess employee
attitudes. Because of our focus on the U.S. Government, a very important study for us is the Federal
Employee Viewpoint Survey Results [OPM 2015]. This report shows that employee satisfaction within
their organization has been steady at about 55% over the past several years. For simplicity, we assume
these survey results mean that 55% of the employees are satisfied with their organization and 45% are
dissatisfied.

Finally, a Gallup study has fairly consistently found that about 18% of the workforce is actively
disengaged, which means that the employee is “more or less out to damage their company” [Gallup
2013]. This actively disengaged employee is also what we refer to as the disgruntled insider in the
model. The values for the input variables listed above were derived by a combination of identifying
plausible values and getting the percentages in the previous paragraph to work out as a result. We'll
describe the application of sensitivity (Monte Carlo) simulation in the next section to analyze the
behavior of the model over a range of parameter values that represent the uncertainty associated with
those values.

Simulation results are described with respect to a model equilibrium, which is shown in simulation
graphs as a “baseline” simulation run. The equilibrium of the model described in this paper ensures
that the rate of change of all stocks remains at a constant value (possibly zero). In equilibrium, a model
is easier to experiment with since the analyst can more easily determine how small changes in input
affect the overall behavior of the simulation. Any change in behavior (as seen in the behavior over
time graphs) can be attributed to that single changed input and only that change. It is analogous in
scientific experiments to keeping all variables constant (i.e., the independent or controlled variables)
except the ones being studied (i.e., the dependent variables).

The baseline run of our model represents an organization with the percentages of the total workforce
described above: specifically, about 55% of the employees are satisfied with the organization and 45%
are dissatisfied. In addition, 18% of the total workforce are disgruntled. These simulation results are
shown in Figure 5 and Figure 6. The simulated size of the organization is somewhat arbitrary, but in
this execution is about 1,000 people. It is important to remember that the equilibrium of the baseline
run fits the data that we have from the Gallup study [Gallup 2013].

Figure 5: Employee Satisfaction Levels² (panel title: Employee Satisfaction Levels; x-axis: Time (Month), 0 to 240; run: baseline)

Figure 6: Employee Classification Levels (panel title: Employee Satisfaction Fractions; x-axis: Time (Month), 0 to 240; run: baseline)

Figure 7 shows the accumulation of insider threat incidents under the above conditions. The baseline
run shows about six incidents occurring over a 20-year period. The major factor here, given our
assumptions, is the variable percent disgruntled starting to attack. This variable is set at 0.2% per year.
Put another way, every year 0.002 of the Disgruntled Insiders are responsible for insider threat incidents. In
equilibrium, there are about 150 disgruntled insiders, so this is about one incident every 3-1/3 years,
accumulating to about six over 20 years.

² In this behavior-over-time graph, the X-axis for the graphs is specified in months (240 months—twenty years—is the duration of this
simulation). The legend below the graph shows each variable and the name of the simulation run graphed in the format “variable:
simulation run”. The variable simulation runs are distinguished with a number label (1 and 2 in Figure 6) and in color copies also
specified in the legend below the graph.

Figure 7: Individuals Responsible for Insider Threat Incidents (panel title: Insider Threat Incidents; x-axis: Time (Month), 0 to 240; runs: baseline, 50% satisfaction)

The simulation run named “50% satisfaction improvement” shows that the number of insider threat
incidents drops in half over the twenty-year timeframe of the simulation when the rate of employees
becoming dissatisfied drops by 50% and the rate of employees becoming satisfied increases by 50%.
This change, possibly due to workforce management practices to improve employee attitudes about
their satisfaction with the organization, takes place in the simulation at month three, moving the
accumulation of insider threat incidents off its baseline trajectory to fewer such incidents. This should
not be surprising given the linear nature of our basic model. While this illustrates what might be
possible, there is likely to be policy resistance to the incorporation of positive incentives that we will
need to explore in future refinement of the model.

As we might expect in our simple model, the actual decline is sensitive to both the percentage
improvement as well as the percentage of disgruntled employees starting to attack. Figure 8 shows the
potential decline in incidents for various values of these two variables in three dimensions.

Figure 8: Sensitivity Simulation Results on Insider Threat Incidents (Number of Insider Incidents After 20 Years versus Percent Satisfaction Improvement)

2.2 Extension of the Model

We can now extend the model to better understand the potential cost savings from efforts to improve
employees’ satisfaction with the organization. In the upper right corner of the model extension shown
in Figure 9, we include model variables to estimate the number of counterproductive work behaviors
of satisfied employees and a multiplier of that number of behaviors for dissatisfied employees. Costs
are estimated both as a cost per counterproductive work behavior, in terms of lost productivity, and the
costs associated with insider threat incidents.

The following values are assumed for these variables in our analysis:

• CWB per satisfied = 0.5 CWB/month

• multiplier CWB rate per dissatisfied = 4.0

• cost per CWB = $500

• cost per incident = $1M

We calculate the yearly costs as the simple sum of the costs of productivity loss due to CWBs and the
costs due to disgruntled insider threat incidents. We form a yearly cost index based on the costs
associated with no satisfaction improvement (i.e., where percent satisfaction improvement at month 3
is 0).

Figure 10 shows the decrease in relative cost from the baseline due to various levels of satisfaction
improvement. For example, with the 50% satisfaction improvement that we analyzed previously, we
get a 25% reduction in yearly costs associated with egregious insider threat incidents and other
counterproductive work behaviors. In our hypothetical organization, this level of improvement takes
a program that spends $6 million per year to one that spends $4.5 million per year in investigation
costs and lost productivity.
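
The stock-and-flow structure of Sections 2.1 and 2.2 can be exercised with a few lines of numerical integration. The following is an added sketch, not the paper's own model or the author's code, that uses the input values listed above. The monthly turnover rate, the constant-headcount hiring rule, the Euler time step, and the reading of "proportional" as the disgruntled share of the dissatisfied stock are assumptions, so its equilibrium is not the paper's calibrated baseline.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Params:
    # Input values listed on the page (Sections 2.1 and 2.2).
    pct_satisfied_at_hire: float = 0.90
    pct_satisfied_at_termination: float = 0.20
    pct_becoming_satisfied: float = 0.10        # per month
    pct_becoming_dissatisfied: float = 0.10     # per month
    pct_perpetually_dissatisfied: float = 0.05  # share of workforce
    pct_becoming_disgruntled: float = 0.10      # per month
    pct_disgruntled_attacking: float = 0.002    # per year
    cwb_per_satisfied: float = 0.5              # CWB per month
    cwb_multiplier_dissatisfied: float = 4.0
    cost_per_cwb: float = 500.0
    cost_per_incident: float = 1_000_000.0
    workforce: float = 1000.0          # the text says "about 1,000 people"
    # ASSUMPTION, not stated on the page: hires equal leavers at this rate.
    turnover_per_month: float = 0.01


def step(state, p, dt):
    """Advance (satisfied, dissatisfied, disgruntled, incidents) by dt months (Euler)."""
    s, d, g, incidents = state
    n = s + d
    hires = leavers = p.turnover_per_month * n
    to_dissat = p.pct_becoming_dissatisfied * s
    # The perpetually dissatisfied share never flows back to "satisfied".
    to_sat = p.pct_becoming_satisfied * max(d - p.pct_perpetually_dissatisfied * n, 0.0)
    dissat_leaving = (1 - p.pct_satisfied_at_termination) * leavers
    # Disgruntled staff are a coflow (subset) of the dissatisfied stock. ASSUMPTION:
    # they re-engage and depart in proportion to their share of that stock.
    share = g / d if d > 0 else 0.0
    ds = (p.pct_satisfied_at_hire * hires - p.pct_satisfied_at_termination * leavers
          - to_dissat + to_sat)
    dd = (1 - p.pct_satisfied_at_hire) * hires - dissat_leaving + to_dissat - to_sat
    dg = p.pct_becoming_disgruntled * (d - g) - share * (to_sat + dissat_leaving)
    di = g * p.pct_disgruntled_attacking / 12.0   # yearly rate converted to monthly
    return (s + ds * dt, d + dd * dt, g + dg * dt, incidents + di * dt)


def run(p, improvement=0.0, months=240, change_month=3, dt=0.25):
    """Start from equilibrium, then apply the satisfaction improvement at change_month."""
    state = (0.5 * p.workforce, 0.5 * p.workforce, 0.0, 0.0)
    for _ in range(int(600 / dt)):      # warm-up: settle into the baseline equilibrium
        state = step(state, p, dt)
    state = state[:3] + (0.0,)          # count incidents from month 0 only
    improved = replace(
        p,
        pct_becoming_dissatisfied=p.pct_becoming_dissatisfied * (1 - improvement),
        pct_becoming_satisfied=p.pct_becoming_satisfied * (1 + improvement),
    )
    for k in range(int(months / dt)):
        state = step(state, improved if k * dt >= change_month else p, dt)
    return state


def yearly_cost(state, p):
    """Lost productivity from CWBs plus incident costs, per year, at the given state."""
    s, d, g, _ = state
    cwb_per_month = p.cwb_per_satisfied * (s + p.cwb_multiplier_dissatisfied * d)
    incidents_per_year = g * p.pct_disgruntled_attacking
    return 12 * cwb_per_month * p.cost_per_cwb + incidents_per_year * p.cost_per_incident


def cost_index(p, improvement):
    """Yearly cost relative to the run with no satisfaction improvement."""
    return yearly_cost(run(p, improvement), p) / yearly_cost(run(p, 0.0), p)


if __name__ == "__main__":
    p = Params()
    for label, imp in (("baseline", 0.0), ("50% satisfaction improvement", 0.5)):
        s, d, g, inc = run(p, imp)
        print(f"{label}: satisfied={s:.0f} dissatisfied={d:.0f} disgruntled={g:.0f} "
              f"incidents over 20 years={inc:.1f} cost index={cost_index(p, imp):.2f}")
```

With the assumed 1% monthly turnover the baseline settles at 51% satisfied rather than the paper's 55%; the turnover rate is the free parameter to adjust when calibrating against survey data.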

Figure 9: Model Extension to Estimate Potential Cost Savings

Figure 10: Decrease in Yearly Costs Due to Satisfaction Improvement (y-axis: yearly cost index; x-axis: percent satisfaction improvement)

3 Conclusions

Our research raises many questions about how an insider threat program can or should incorporate
positive incentives that improve employees’ perceptions of support by the organization. The model that
we present develops a simple (stock and flow) model suggesting the value of greater employee
satisfaction with their employer in terms of reduced insider threat, associated investigative costs, and
counterproductive work behaviors. Our basic model is based on data on the U.S. federal government
workforce showing that levels of employee dissatisfaction with their employer remain fairly constant
over time. The model also reflects the negative correlation found in our research that illustrates the
threat-reducing potential of practices that increase perceived organizational support.

Our modeling work motivates future work to refine the feedback dynamics associated with
incorporating positive incentive-based workforce management practices into organizations in order to
reduce the threat. The next section elaborates practice areas specifically intended to increase
employees’ perceptions of organization support. These practice areas will be the focus of our future
work with organizations to better understand the pros and cons of specific positive incentives.

3.1 Practice Areas for Organizational Supportiveness

Figure 11 provides a breakdown of practice areas relevant to developing and retaining staff to achieve
an organization's mission, with a particular focus on positive incentives. The first two branches off the
root node at the left side of the figure involve workforce management practices, including hiring and
retaining the appropriate staff with the right job responsibilities and ensuring that they are positively
motivated to execute responsibilities that support achieving the organization's mission.

The third branch acknowledges the fact that employees can act counter to the organization’s mission
even if they perform their job well in other respects. This branch, which traverses the red node in the
figure, makes this partitioning particularly appropriate for guiding the development and refinement of
insider threat programs. The second and third branches, in combination, show that practices can benefit
the organization in terms of employee satisfaction, performance, and retention as well as reducing the
insider threat.

Figure 11: Taxonomy of Positive Incentive Workforce Management Practice Areas

The taxonomy presented in the figure is elaborated in our full report [Moore 2016a].

3.2 Vision for the Future

We believe that continuing the research started in this report is critical to establishing and managing
effective insider threat programs. Our vision is the extension of the traditional security approach shown
in Figure 12. The right side of the figure depicts the traditional approach focused on negative incentives
that restrict employees to prevent abuse and detect and punish abuse when it occurs. This approach
is based on a negative form of deterrence as promulgated in Deterrence Theory, which says that people
obey rules because they fear getting caught and being punished. Restricting, detecting, and punishing
employees reinforces the deterrence (negative) of abuse.

Our extension of security through positive incentives is shown on the left side of the figure. In its
current form, as supported by our research, organizational support (including organization justice) is
shown as the foundation of positive deterrence. With this foundation in place, connectedness with co-
workers and job engagement serve to strengthen an employee’s commitment to the organization.
Organization support and connectedness also strengthen overall engagement in a feedback effect.

This form of positive deterrence complements the use of negative deterrence by reducing the baseline
of insider threat in a way that can improve employees’ satisfaction, performance, and commitment to
the organization. As illustrated in our modeling effort, fewer incidents and counterproductive behaviors
reduce costs through fewer investigations and greater staff productivity. Employing the right mix and
ratio of positive and negative incentives in an insider threat program can create a net positive for both the
employee and the organization—moving an insider threat program from a “big brother” program to a “good
employer” program that actually improves employees’ work life.

[Figure 12: Extending the Traditional Information Security Paradigm. Left panel, "Security Through Positive Incentives": Engagement Feedback, Engagement, Connectedness, Organizational Supportiveness, Connected Employees, Supported Employees. Right panel, "Traditional Security Approach (Negative Incentives)": Deterrence Feedback, Deterrence, Restriction, Monitoring, Sanctions, Abuse Prevented, Abuse Detected, Abuse Punished. The two panels meet at "Balanced Deterrence".]

4 Acknowledgements

The authors are very grateful to the SEI Director’s Office for its support in making this research a truly
multi-disciplinary effort of researchers and practitioners across the SEI. The authors would also like to
thank members of the SEI: Samuel Perl for insights into organizational behavior; Jennifer Cowley and
Nathan VanHoudnos for designing, conducting, and analyzing the organizational survey; Matthew
Collins and Tracy Cassidy for help conducting the incident analysis; Palma Buttles for insights on
socio-cultural considerations; Daniel Bauer, Allison Parshall, Jeff Savinda, Elizabeth Monaco, and
Jamie Moyes for help understanding positive incentive-based practices; Dr David Zubrow for his help
in developing our research design; and William Novak for help in identifying and documenting
negative unintended consequences of insider threat programs. Special thanks to Professor Denise
Rousseau of the CMU Heinz College and Tepper School of Business for her incredible insights into
organizational behavior and evidence-based management practices; and to the Open Source Insider
Threat (OSIT) Information Sharing Group for their responses to our survey. Finally, we thank Sandra
Shrum and Barbara White for their excellent technical editing of this paper.

Copyright 2017 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003
with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research
and development center.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE
MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO
WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR
RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR
COPYRIGHT INFRINGEMENT.

[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see
Copyright notice for non-US Government use and distribution.

Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0004591

References

[Afsheen 2013]
Afsheen, Fatima; Iqbal, Muhammad Zahid & Imran, Rabia. Organizational Commitment and Counterproductive
Work Behavior: Role of Employee Empowerment. Pages 665-679. In Proceedings of the Sixth International
Conference on Management Science and Engineering Management. London. 2013.
http://link.springer.com/chapter/10.1007%2F978-1-4471-4600-1_57

[Ariani 2013]
Ariani, D. W. The Relationship between Employee Engagement, Organizational Citizenship Behavior, and
Counterproductive Work Behavior. International Journal of Business Administration. Volume 4. Number 2. March
1, 2013. Page 46.

[Bordia 2008]
Bordia, P.; Restubog, S. L. D.; & Tang, R. L. When Employees Strike Back: Investigating Mediating Mechanisms
between Psychological Contract Breach and Workplace Deviance. Journal of Applied Psychology. Volume 93.
Number 5. September 2008. Page 1104.
http://psycnet.apa.org/journals/apl/93/5/1104/

[Brien 2012]
Brien, Maryse; Forest, Jacques; Mageau, Geneviève A.; Boudrias, Jean-Sébastien; Desrumaux, Pascale; Brunet,
Luc; & Morin, Estelle M. The Basic Psychological Needs at Work Scale: Measurement Invariance Between Canada
and France. Applied Psychology: Health and Well-Being. Volume 4. Number 2. July 1, 2012. Page 167.

[Cappelli 2012]
Cappelli, Dawn M.; Moore, Andrew P.; & Trzeciak, Randall F. 2012. The CERT Guide to Insider Threats: How to
Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Addison-Wesley.

[Eisenberger 1986]
Eisenberger, R.; Huntington, R.; Hutchison, S.; & Sowa, D. Perceived Organizational Support. Journal of Applied
Psychology. Volume 71. Number 3. 1986. Page 500.

[Eisenberger 2011]
Eisenberger, R. & Stinglhamber, F. 2011. Perceived Organizational Support: Fostering Enthusiastic and
Productive Employees. American Psychological Association. ISBN 978-1-4338-0933-0.
http://www.apa.org/pubs/books/4316128.aspx

[Gallup 2013]
Gallup. State of the American Workplace: Employee Engagement Insights for U.S. Business Leaders. Gallup. 2013.
http://www.gallup.com/services/178514/state-american-workplace.aspx

[Levy 2013]
Levy, P. Industrial/Organizational Psychology: Understanding the Workplace. Worth Publishers. 2013. ASIN
BOOHTK33PS.

[Malone 2012]
Malone, Glenn P.; Pillow, David R.; & Osman, Augustine. The General Belongingness Scale (GBS): Assessing
Achieved Belongingness. Personality and Individual Differences. Volume 52. Number 3. February 2012. Page 311.
http://www.sciencedirect.com/science/article/pii/S019188691100482X

[Meyer 2013]
Meyer, John P. The Science-Practice Gap and Employee Engagement: It’s a Matter of Principle. Canadian
Psychology/Psychologie Canadienne. Volume 54. Number 4. November 2013. Page 235.

[Moore 2016a]
Moore, A.P.; Perl, S.J.; Cowley, J.; Collins, M.L.; Cassidy, T.M.; VanHoudnos, N.; Buttles, P.; Bauer, D.; Parshall,
A.; Savinda, J.; Monaco, E.A.; Moyes, J.L.; Rousseau, D.M. “The Critical Role of Positive Incentives for Reducing
Insider Threat,” SEI Technical Report CMU/SEI-2016-TR-014, December 2016.
http://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_484929.pdf

[Moore 2016b]
Moore, A.P.; Kennedy, K.; & Dover, T. Introduction to the Special Issue on Insider Threat Modeling and
Simulation. Journal on Computational and Mathematical Organization Theory, September 2016.

[Moore 2015]
Moore, A.P.; Novak, W.E.; Collins, M.L.; Trzeciak, R.F.; & Theis, M.C. Effective Insider Threat Programs:
Understanding and Avoiding Potential Pitfalls. White paper. Software Engineering Institute, 2015.

[OPM 2015]
Office of Personnel Management (OPM). Federal Employee Viewpoint Survey Results: Employees Influencing
Change. U.S. Office of Personnel Management. 2015. https://www.fedview.opm.gov/2015/

[Restubog 2015]
Restubog, Simon Lloyd D.; Zagenczyk, Thomas J.; Bordia, Prashant; Bordia, Sarbari; & Chapman, Georgia J. If
You Wrong Us, Shall We Not Revenge? Moderating Roles of Self-Control and Perceived Aggressive Work Culture
in Predicting Responses to Psychological Contract Breach. Journal of Management. Volume 41. Number 4. May
2015. Page 1132. http://jom.sagepub.com/content/41/4/1132.short

[Rhoades 2001]
Rhoades, L.; Eisenberger, R.; & Armeli, S. Affective Commitment to the Organization: the Contribution of
Perceived Organizational Support. Journal of Applied Psychology. Volume 86. Number 5. October 2001. Page 825.

[Rousseau 1995]
Rousseau, Denise. Psychological Contracts in Organizations: Understanding Written and Unwritten Agreements.
Sage Publications. 1995. ISBN 978-0803971042.
https://us.sagepub.com/en-us/nam/psychological-contracts-in-organizations/book5077

[Schaufeli 2004]
Schaufeli, Wilmar B. & Bakker, Arnold B. Utrecht Work Engagement Scale: Preliminary Manual. Occupational
Health Psychology Unit, Utrecht University. 2004.
http://www.wilmarschaufeli.nl/publications/Schaufeli/Test%20Manuals/Test_manual_UWES_English.pdf

[Seligman 2012]
Seligman, Martin E. P. Flourish: A Visionary New Understanding of Happiness and Well-Being. Reprint Edition.
Atria Books. 2012. ISBN 978-1439190760.
http://www.simonandschuster.com/books/Flourish/Martin-E-P-Seligman/9781439190760

[Shoss 2013]
Shoss, Mindy K.; Eisenberger, Robert; Restubog, Simon Lloyd D.; & Zagenczyk, Thomas J. Blaming the
organization for abusive supervision: The Roles of Perceived Organizational Support and Supervisor's
Organizational Embodiment. Journal of Applied Psychology. Volume 98. Number 1. January 2013. Page 158.

[Smither 2009]
Smither, James W. & Manuel London, eds. Performance Management: Putting Research into Action. First Edition.
Wiley. 2009. ISBN 978-0470192320.
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470192321.html

[Sulea 2012]
Sulea, C.; Virga, D.; Maricutoiu, L. P.; Schaufeli, W.; Dumitru, C. Z.; & Sava, F. A. Work Engagement as Mediator
between Job Characteristics and Positive and Negative Extra-Role Behaviors. Career Development International.
Volume 17. Number 3. June 2012. Page 188. http://www.emeraldinsight.com/doi/full/10.1108/13620431211241054.

Appendix: System Dynamics Modeling Overview

System dynamics helps analysts model and analyze critical behavior as it evolves over time within
complex socio-technical domains. It is one of several modeling methods applicable to insider threat
and has been used extensively in that domain [Moore 2016b, Cappelli 2012]. Figure 13 summarizes
the notation used in our system dynamics model.

Notation                    Meaning
Var1                        Variable - anything of interest in the problem being modeled
<Var1>                      Ghost Variable - variable acting as a placeholder for a variable occurring somewhere else
Var1 --(+)--> Var2          Positive Influence - values of variables move in the same direction (e.g., source increases, target increases)
Var1 --(-)--> Var2          Negative Influence - values of variables move in the opposite direction (e.g., source increases, the target decreases)
Stock1                      Stock - special variable representing a pool of materials, money, people, or other resources
Stock1 ==Flow1==> Stock2    Flow - special variable representing a process that directly adds to or subtracts from a stock
(cloud symbol)              Cloud - source or sink (represents a stock outside the model boundary)
Figure 13: System Dynamics Notation

The primary elements are variables of interest, stocks (which represent collections of resources, such
as dissatisfied employees), and flows (which represent the transition of resources between stocks, such
as satisfied employees becoming dissatisfied). Signed arrows represent causal relationships, where the
sign indicates how the variable at the arrow’s source influences the variable at the arrow’s target. A
positive (+) influence indicates that the values of the variables move in the same direction, and a
negative (—) influence indicates that they move in opposite directions.

A connected group of variables, stocks, and flows can create a path that is referred to as a feedback
loop. At this stage in our modeling effort, we have not identified any significant feedback loops.

As a convention in our model, we format model input variables with italics, bold, and underline since
these variables can be dynamically manipulated during model execution.
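
The notation above maps directly onto a numerical simulation. The following is an added example, not the model from this paper: the stock names follow the examples in the text, while the recovery flow, the incident stock, the `perceived_org_support` input, and every rate are constructed assumptions chosen only to show how stocks, flows, and signed influences behave.

```python
# Added illustration: a two-stock system dynamics model in the Figure 13 notation.
# Every rate below is a constructed value, not a parameter from the paper.

def simulate(perceived_org_support, months=24, dt=0.25,
             satisfied=900.0, dissatisfied=100.0,
             base_dissatisfaction_rate=0.04,   # per month, hypothetical
             recovery_rate=0.02,               # per month, hypothetical
             incident_rate=0.005):             # per dissatisfied employee per month
    """Euler-integrate the stocks.

    Returns a list of (month, satisfied, dissatisfied, incidents) tuples.
    perceived_org_support is the model input variable, in [0, 1].
    """
    if not 0.0 <= perceived_org_support <= 1.0:
        raise ValueError("perceived_org_support must be in [0, 1]")
    incidents = 0.0            # stock fed from a cloud (source outside the boundary)
    history = []
    for step in range(int(round(months / dt))):
        # Flow: satisfied -> dissatisfied. Support has a negative (-) influence on it.
        becoming_dissatisfied = (satisfied * base_dissatisfaction_rate
                                 * (1.0 - perceived_org_support))
        # Flow: dissatisfied -> satisfied. Support has a positive (+) influence on it.
        becoming_satisfied = (dissatisfied * recovery_rate
                              * (1.0 + perceived_org_support))
        # Flow: cloud -> incidents. The dissatisfied stock has a positive (+) influence.
        new_incidents = dissatisfied * incident_rate
        # Stocks change only through their flows, scaled by the time step.
        satisfied += (becoming_satisfied - becoming_dissatisfied) * dt
        dissatisfied += (becoming_dissatisfied - becoming_satisfied) * dt
        incidents += new_incidents * dt
        history.append(((step + 1) * dt, satisfied, dissatisfied, incidents))
    return history


def final_state(perceived_org_support):
    """Return (dissatisfied employees, cumulative incidents) at the end of the run."""
    _, _, dissatisfied, incidents = simulate(perceived_org_support)[-1]
    return dissatisfied, incidents


if __name__ == "__main__":
    for support in (0.0, 0.4, 0.8):
        d, i = final_state(support)
        print(f"support={support:.1f}  dissatisfied={d:6.1f}  incidents={i:5.2f}")
```

Because employees only move between the two employee stocks, total headcount stays constant across the run, which is a quick sanity check on any stock-and-flow implementation.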


Metadata

Resource Type:
Document
Description:
Traditional insider threat practices involve negative incentives that attempt to force employees to act in the interests of the organization and, when relied on excessively, can result in negative unintended consequences that exacerbate insider threats. Positive incentives that attempt to encourage employees to act in the interests of the organization can complement negative incentives. In our research, we identified and analyzed three avenues for aligning the interests of the employee and the organization: job engagement, perceived organizational support, and connectedness with co-workers. Based on an analysis of three insider threat incidents and an exploratory survey of organizations, we developed a model of the disgruntled insider threat problem as it relates to dissatisfaction with the employing organization and the potential benefits associated with positive incentives that improve perceived organizational support and justice. The system dynamics model is based on previous research results, published data, and simple (but arguable) assumptions showing how positive incentives can increase a program’s operational efficiency with reduced investigative costs and fewer incidents involving disgruntled or exploitive insiders. Our incident analysis and survey work provided validation of the simulation model structure. We will continue to calibrate our model based on future research and expect to demonstrate similar benefits as our work progresses.
Rights:
Date Uploaded:
March 11, 2026
