In anticipation of the Australian Cyber, Fraud and Risk Management Summit this year, I wrote this as an introduction to the way we think about insider threats. While I wanted to cover a veritable blizzard of ideas, I decided to try to stick to a single take-home message.
So here it is: if you wish to improve your fraud and risk management, ensure that your managers have high integrity and are excellent with handling people.
The problem with this take-home message is that it is not very sexy. I’m not advocating a new piece of technology or a two-day training package or even a three-step way of “revolutionising culture from the board to the floor”, but it is most likely the only advice that will work.
Fraud Prediction
I am drawn to trying to understand why people do things and what influences their behaviour. Prediction and influence, the science of psychology centres around these two ideas. What should we measure? What can we change? These ideas relate directly to insider threat and fraud.
Fraud and risk management is like an algorithm where various factors are needed to be understood in combination.
There are ‘organisational’ factors such as workplace culture, the behaviour of top management, policies and procedures, the effectiveness of immediate managers and the opportunity to commit fraud.
Then there are ‘individual’ factors which are the person’s personality, values, attitude & situations that leave the individual at risk of perpetrating fraud.
Various analyses of fraudulent behaviour pointed out that a combination of opportunity, organisational and personal factors can cause fraud. The rise of the Internet has simply augmented these issues rather than lessen the fundamental nature of the behaviour.
These factors also allow you to form a rough typology of insider risk.
Three Types of Risk
In my rough typology to understand risk, there are four types of insider risk.
The first – and one I won’t cover here – is that of the bad barrel. This is the business where fraud appears to part of the place, almost a necessary component of one’s conduct. Enron is a popular example of this type of organisation.
The other three types are the ‘benign’ insider, the ‘bad apple’ and the embittered employee.
The ‘benign’ insider is an individual who exposes an organisation to risk without attempting to profit from it themselves. This is the individual who brings the in USB stick from home not knowing it’s infected, who clicks on the link, and who uses ‘password’ as their password.
However, this risk is less of a focus when it comes to the issue of fraud and creating exposure or opportunity for malignant others to exploit.
The ‘bad apple’ risk is someone who is intrinsically motivated to use deceit for personal gain. These are individuals who, when presented with the opportunity, need very little encouragement to pursue it. They fit in with the long research history on the criminal personality.
Then there is the embittered employee risk. This is the individual who feels poorly treated by an organisation and probably by a bad manager. They have reached a moral tipping point and their sense of poor treatment becomes the catalyst for revenge.
By laying out all three types of insider risks, managers with high integrity and people skills now have the opportunity to detect and prevent risky behaviour.
A Few Good Managers
From a fraud mitigation perspective, managers are in a unique position to see organisational issues, potential opportunities and individuals with access to such opportunities.
Managers also have advantages they can use to reduce risk. For one, managers can work with HR to develop structured interviews and psychometrics around hiring to establish a baseline for behaviour.
This lessens the tendency to hire staff that are more likely to be a risk while emphasising those who come with talent but who require a watchful eye. Since psychometrics can tell what to expect over time, an alert manager can easily spot staff that are acting differently.
Managers can also establish the working rules and culture of the team under their influence. Culture is known to effectively predict the number of workplace behaviours, including those considered counter-productive.
A frequent problem with insider threats is the embittered or opportunistic employee rationalising their behaviour. Managers can offset this risk through effective personnel management, keeping staff engaged and creating a rewarding and psychologically safe working environment.
Another way to reduce risk in the workplace is by setting an example around safety and security-related behaviour. With this, managers can demonstrate to their employees that they “walk the walk”.
This action will work as a pre-emptive deterrent. If you see the boss consistently watching that the rules are followed, it decreases the risk opportunity and increases the likelihood of detection and punishment.
Having managers with high integrity will also reduce risk as this prevents the managers themselves from acting fraudulently.
The Take-Home Message
In summary, managers are probably your best form of defence. Good managers are capable of detecting problematic behaviour in employees, model appropriate behaviour in the workplace, monitor workplace controls and processes and establish rewarding relationships with staff.
In addition, managers can also moderate other means of fraud prevention such as improved policies and procedures, the attitude of top management, workplace culture, appropriate controls and checks.
The upcoming conference will have national and international experts talk about issues of fraud and risk management in the cyber world. Problems will be dissected and solutions will be generated. The risk with this – as with all such events – is that you receive great ideas that you end up struggling to implement.
However, this take-home message can be done now by simply having managers that have high integrity and good personnel skills.
Dr Tim Doyle is currently the Principal Psychologist and founder of Proof of Character in East Melbourne, Australia.
Graduating with a Major in Psychology at the University of Melbourne in 1997 and completing his post-graduate Doctorate of Clinical Psychology at Deakin University in 2005, Dr Tim Doyle has established himself within the ranks of the psychology field. Dr Doyle transitioned to private practice after establishing a name within the public health service industry.
He is currently the Principal Psychologist and founder of Proof of Character in East Melbourne, Australia, assisting businesses in selecting, developing and driving talent.
