One take-home message
In anticipation of the Australian Cyber, Fraud and Risk Summit, I wrote this blog as an introduction to the way we think about insider threat. While I wanted to cover a veritable blizzard of ideas, I decided to try to stick to a single point, one take-home message.
So here it is: if you only do one thing to improve your risk management of fraud, ensure your managers have high integrity and are excellent with people.
The problem with this take-home message is that it is not very sexy. I’m not advocating a new piece of technology, a two-day training package or a three-step way of “revolutionising culture from the board to the floor”. But it is the best single thing to do and the thing most likely to work.
If you only make one adjustment, make sure your managers are of high integrity and are people-managers…and if they are not, do something about it pronto!
I am drawn to trying to understand why people do things and what allows you to influence their behaviour. Prediction and influence. The science of psychology centres on these two ideas. What should we measure; what can we change? This relates directly to insider threat and fraud.
Fraud risk is like an algorithm insofar as there are various factors that need to be understood in combination. There are ‘organisational’ factors, i.e., workplace culture, the behaviour of top management, policies and procedures, the effectiveness of immediate managers and the opportunity to commit fraud. There are ‘individual’ factors, including the personality, values, attitude and situational pressure affecting the individual at risk of perpetrating fraud.
Various analyses of fraudulent behaviour point out that there is a combination of opportunity, organisational and personal factors behind fraud. This interaction allows you to form a rough typology of insider risk. If anything, the rise of the Internet has simply augmented issues of opportunity and scale rather than the fundamental nature of the behaviour.
Three Types of Risk
I use a rough typology to understand risk. To my way of thinking, there are four types of insider risk. The first – and one I won’t cover here – is that of the bad barrel. This is the business where fraud appears to be part of the DNA of the place, almost a necessary component of one’s conduct. Enron is one popular example of this type of organisation. The other three types are the ‘benign’ insider, the ‘bad apple’ and the embittered employee.
Now the benign insider is an individual who exposes an organisation to risk without themselves attempting to profit from it. This is the individual who brings the USB stick in from home not knowing it’s infected, who clicks on the link, who uses ‘password’ as their password. This type is discussed more in our presentation; it is less of a focus when it comes to fraud, where the concern is the exposure or opportunity such people create for malign others to exploit.
The bad apple is someone intrinsically motivated to use deceit for personal gain. These are individuals who, when presented with the opportunity, need very little encouragement to pursue it. They fit with the long research history regarding the criminal personality.
Then there is the embittered employee. This is the individual who feels particularly poorly treated by an organisation and probably a bad manager in particular. They reach a moral tipping point…and tip over. Their sense of poor treatment acts as the catalyst for revenge.
With all three types of insider, the high integrity people manager has the opportunity to prevent and detect behaviour associated with risk.
A Few Good Managers
From a fraud mitigation perspective, managers are in a unique position because they can see the organisational issues, the potential opportunities and the individuals with access to such opportunities.
They have the following advantages:
- A manager can work with HR on developing structured interviews and psychometrics for hiring. This can go some way towards hiring staff less likely to be a risk, or highlighting staff who come with particular talents but who also require a more watchful eye. It also establishes a baseline for behaviour. Psychometrics should tell you what to expect over time, and the alert manager can spot staff acting quite differently from that expectation;
- Managers can establish the working rules and culture of the team or teams under their influence. Culture is known to be an effective predictor of a number of workplace behaviours, including those considered counter-productive;
- A frequent problem behind insider threats is that of the embittered or opportunistic employee rationalising their behaviour. Effective people management can offset this risk by keeping a greater number of staff engaged and creating a working environment that is both rewarding and psychologically safe;
- Managers can themselves set the example for safety- and security-related behaviour. In this way they can demonstrate that they “walk the walk”. Doing so acts as a pre-emptive deterrent: if staff see the boss consistently checking that the rules are followed, it decreases opportunity and increases the likelihood of detection and punishment;
- Having high-integrity managers reduces the risk of the managers themselves acting fraudulently;
- High-integrity managers may be more likely to act on seeing other managers or superiors engaging in fraud.
In summary, managers are probably your best form of defence. Good people managers are better able to detect problematic behaviour in employees, model appropriate behaviour in the workplace, monitor workplace controls and processes, and establish rewarding relationships with staff. In addition, many other means of fraud prevention, including improved policies and procedures, the attitude of top management, workplace culture, and appropriate controls and checks, are often moderated by managers.
The upcoming conference will see experts from around the country and the world gather to talk through issues of fraud, risk and the cyber-world. Problems will be dissected; solutions generated. The risk with this – as with all such events – is that you come away with great ideas that struggle through implementation.
This is one that can be done now.
Make one adjustment. Make sure your managers are high-integrity people-managers.
About the author:
Graduating with a major in Psychology from the University of Melbourne in 1997, and completing his postgraduate Doctorate of Clinical Psychology at Deakin University in 2005, Dr. Tim Doyle has established himself within the ranks of the psychology field. Initially establishing a name within the public health service industry, Dr. Tim Doyle transitioned to private practice.
Dr. Tim Doyle is currently the Principal Psychologist and founder of Proof of Character in East Melbourne, Australia. Through Proof of Character and the application of validated psychology, Dr. Tim Doyle assists businesses to select, develop and drive talent, and to determine not only who is fit for a role or fit for culture, but who is fit for business.