Stop insider data thieves: Forget profiling, keep an eye on the grumps

Study: Good management can be the best form of counter-espionage

Early last week I posted a blog warning that any company trying to prevent theft of its intellectual property by employees should keep an eye on 37-ish Caucasian males with jobs focused on technology.

The headline was accurate as far as it went; it just didn't go very far because most of the results of the study hadn't been released yet and I was trying to emphasize the point that demographic profiles are a dangerously unreliable tool to help track down data thieves. The study was sponsored by Symantec and is available under the title "Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall" (PDF, free registration required).

It does profile middle-aged white males as the primary suspects, however, which is enough of a novelty for those of us who fit the profile to be more funny than threatening, partly because it's obviously wrong.

"I kind of wish we hadn't included that [profile] as part of the report, at least not so prominently," said Ph.D. forensic psychologist Harley V. Stock of Incident Management Group on the phone yesterday after I asked whether my picture and those of half the IT workers in America were included on the cover or in a Wanted: section of the report.

White males are overrepresented in technical jobs – especially in corporate IT – and 37 is a kind of general average of the ages of people working in corporations below the executive level, which is primarily where the study focused.

It's not that the profile itself is wrong, Stock said. It's just that the demographics are the weakest indicator the two researchers identified, and the least interesting one at that.

The important and most original finding in the research isn't what insider data thieves look like or how old they are, according to Eric Shaw, Ph.D., who co-authored the study and works as a clinical psychologist and security consultant in the Washington, D.C. area.

"Most people have abandoned static profiles as a useful diagnostic or investigatory tool," Stock said.

"The important part is the behavior and motivation," Shaw added. "The understanding that fits the data is that there is a predictable progression of events of how an individual interacts with an organization that tends to lead to the kind of incidents we were examining here."

It's hard to stop a determined data thief who already has access to valuable data; that's why so high a percentage of them have technically oriented jobs.

According to the study, 75 percent of insider data thieves take data they're authorized to use; 65 percent accept a job with a competitor before the time of the theft and the vast majority feel they're being persecuted or not appreciated by their current employers.

"Our understanding of the data is that there is a specific progression of events," Shaw said. "People get on or off the progression at every point, so even having someone who has gone through all the other predicted behaviors doesn't necessarily mean they'll go all the way to IP theft."

"Also, this is pretty important, those that go through with the data theft generally know someone who can profit from the data they're stealing, especially if it's a new or potential employer," Shaw said.

Progression of events/personal characteristics leading to data theft:

(Most common)
  • Personal Predispositions: Medical/psychiatric problems, personality or social skill issues, previous rule violations, social network risks.
  • Stressors: Personal, professional, unmet expectations. Things that create unhappiness in the potential data thief.
  • Concerning Behaviors: Interpersonal, technical, financial, security, mental health/addiction, social networks/travel – areas of potential conflict that indicate and contribute to disgruntlement and a sense of entitlement that may lead to theft.
  • Maladaptive Organizational Responses: Ineffective or counterproductive response from managers.
  • IP Theft Planning, Recruitment, Preparation, Execution: Planning, preparing and carrying out the theft.
(Least common)

Data theft should not be a surprise to the company; it isn't for the employee

"We have yet to find a big bang – a big explosion that occurs spontaneously, or without any warning that still results in IP theft," Stock said. "We characterize the progression as an overt, observable series of violations of custom, rules, policies and laws by an individual that puts that person on the radar of management in some way – maybe HR for interpersonal conflicts, maybe security for more serious behavior."

Companies that ignore the progression, or don't look hard enough, are setting themselves up by failing to respond to a sequence of conflicts that become more serious over time and end up in data theft or other negative responses.

By the same token, companies that jump on every incident as if they've caught the next Julian Assange just about to make off with all their precious data will cause more angst and anxiety and, ultimately, more data theft, too.

"Far more people think about data theft than actually go through with it," Stock said. "The reaction of the organization to any suspicion, if it's a harsh or unjustified reaction, can make it much more likely that person will go through with something they might only have considered before."

Don't assume the worst about anyone, at least, not too soon

"In 90 percent of the cases the organization does something that makes the situation worse," Stock said. "The person might get into a conflict with the organization and the organization either doesn't realize it's a problem, doesn't take it seriously enough, or does not respond well toward addressing the issues or acting quickly to terminate an individual who doesn't match the [demographic] profile [of a data thief]."

Data theft most often happens within 30 days of the time the employee quits or is fired from the company, after planning the theft as part of a series of other reactions for weeks or months.

"Data theft is not a spontaneous event," Stock said. "You don't wake up disgruntled on a Friday and steal on a Saturday. Before they do anything, people have been thinking about it for a while but their behavioral indicators were ignored or there were not enough detection mechanisms in place to identify the person's progression down the critical pathway."

What are legitimate signs of a growing problem? How do you address them?

Fault for data theft remains with the data thief; Stock and Shaw aren't trying to excuse corporate espionage, whether committed for profit or out of spite.

The reaction of managers to a deteriorating relationship with the potential data thief can make it far more or less likely the employee will go through with it.

Firing someone for either real or imagined patterns of behavior that could lead to data theft might, in fact, cause the very event managers were trying to prevent.

"We found that, of individuals committing sabotage on IP systems, 80 percent commit the attacks after termination. So terminating someone prematurely, before you've either tried to move them off that critical pathway or taken precautions to prevent damage, could be the catalytic moment that leads to an unfortunate event," Stock said.

"If you look at lethal events in the workplace – events in which one employee kills one or more others – about 85 percent are post-termination. It's often the thing that pushes someone over the edge," according to Stock, whose specialty as a psychologist for the State of Michigan was examining those accused of murders and sex crimes. He has also worked as a hostage negotiator and instructor for the FBI, specialist in the psychology and motivations of terrorists and adviser to the U.S. Secret Service on potential threats to the U.S. President.

Entitled and disgruntled: profile of the data thief

The danger in giving IT managers and HR departments profiles and guidelines to help identify which employees pose the greatest risk of data theft is that they use only the most obvious data points: race, gender, age, likeability, productivity – all of which could be factors in a particular decision but are not decisive factors for the employee or infallible indicators for managers.

"Mistakes or just insensitivity in the way organizations behave contributes a lot to developing what we call an Entitled/Disgruntled Thief [personality type]," Shaw said. "These are people who might have helped develop the IP, or played a role in developing it, and feel somewhat proprietary about it.

"People at risk of developing into the profile of the Entitled/Disgruntled Thief may feel they're not being treated fairly, not appreciated, don't get the bounty they think they're entitled to or the bigger office, stock options, etc.," Shaw said. "That starts them down the pathway toward psychological justification mechanisms – the excuses they give themselves to excuse the bad behavior."

"The term for that outlook is 'hostile attribution bias,'" Stock said. "When bad things happen to you, since you already know you're not causing it, the organization must be messing with you. If they're messing with you, then you're going to mess with them. That's how a lot of the motivation develops."

The steps for defusing potential conflicts that result in sabotage or data theft are pretty mainstream management advice:
  • Build teams in which employees can feel they are a part of making decisions and setting goals.
  • Address organizational issues that cause resentment or conflict.
  • Screen potential employees much more thoroughly for previous signs of conflict described in the study.
  • Adopt policies and practices designed to detect and address specific steps on the progression toward data theft rather than doing nothing and waiting to prosecute after a potentially disastrous theft.
  • Provide training and education for both managers and employees, to improve skills, give them the sense they have a future, and improve their ability to resolve conflicts and see their own situations realistically.
  • Continue evaluating: set up enough detection points to prevent crises before they happen.

The process of identifying potential data thieves, investigating their guilt or potential to offend, and handling them in ways that don't encourage the theft and don't alienate other workers who might get on the data-thief path is very similar to the techniques and processes intelligence organizations go through in trying to identify traitors, Stock said.

"The market for stolen IP has gotten so bad – it's $250 billion per year in stolen IP alone – that it's become a counter-intelligence problem even within corporations," Stock said.

"The other side of that coin is that the same techniques intelligence agencies use to recruit spies work to recruit insiders," Stock said. "You're not only looking for a vulnerable individual, you're looking for a way to approach them that might solve their problems or give them incentive to break the rules.

"A lot of large companies are hiring counterintelligence specialists for their security departments for that exact reason," Stock said. "People in the corporate world, especially unattached people like contractors, are what are considered soft targets."

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
