Insider threat

Critical national infrastructure organizations face different types of security threats, such as cyber-attacks and physical security breaches which threaten critical vital assets of a country. In addition to threats from actors outside the organization, those organizations can also face insider threats.

That is considered to be an important security concern for organizations and government agencies due to the potential for insider acts, such as terrorism, sabotage, theft of data and espionage, to disrupt services and cause physical and reputational damage.

The insider threat is particularly significant for critical national infrastructure organizations, having the potential to jeopardize the ability to deliver essential services and to cause disruption to daily life for the general public.

To detect the insider threat, research suggested that insiders are likely to exhibit noticeable changes in their everyday behaviour leading up to, and during the act being committed. These behaviours are usually evident to those who work with the individual but often not mentioned or brought forward until the insider act has happened and is being investigated. Pre-employment screening is important but cannot be the sole mitigating factor because evidence of changed behaviour may only be observable when the person has been employed for a while.


The purpose of this study was to determine whether changes in behaviour, which may be associated with insider acts, would be identified and acted upon by employees of a critical national infrastructure organization. In this study, the authors used an online survey to identify which types of behavioural indicators would be acted upon or reported by employees of a large critical national infrastructure organization.

The survey used four scenarios. The first two referred to as ‘Behavior Change,’ described behavioural indicators of attitude change (for example an individual who is usually quiet and reserved becomes vocal and angry about organization culture). The other two, referred to as ‘Evidential Change,’ presented the respondent with some form of evidence or an observable pattern such as unusual working hours and negative remarks on social media. The ‘Evidential Change’ scenarios also included factors that may influence willingness to report, such as the relationship the respondent has with the actor and whether the actor is perceived to be more senior.

The survey results showed that employees are most likely to be reluctant to report changes in a colleague’s behaviour in the context of scenarios where behavioural indicators of attitude change were not accompanied by more overt changes in behaviour. However, respondents were more likely inclined to discuss the change directly with the actor in the first instance. Furthermore, in scenarios where some form of evidence was available, such as where a colleague overtly bragged about counterproductive workplace behaviours on social media or exhibited unusual working patterns, a majority of respondents would report the behaviour. This demonstrates a willingness to report unambiguously suspicious behaviour and supports the idea that observers are more likely to report when behaviour change is accompanied by evidence. However, a lack of evidence coupled with a concern that behavioural indicators may be mistaken was identified as the most common inhibitor of intervention in the study.

These results suggest the need for organizations to include guidance on how to deal with situations of uncertainty and to develop a positive security culture in which employees are confident to challenge unusual behaviours respectfully.

The primary barriers to intervention related to the employees’ ability to make an accurate judgement or knowing how to act can also be addressed by the provision of clear information about what constitutes suspicious behaviour and regarding appropriate, proportionate responses for employees when observing unusual behaviours. A workplace environment in which those behaviours are known to be challenged can act as a deterrent to potential insider actors. Furthermore, the confidence of confidentiality and having a transparent process for reporting and intervention would more generally encourage or facilitate response from employees. This also illustrates that critical national infrastructure organizations need to recognize their role in encouraging intervention and reporting.


Cite: Bell, A. J. C., Rogers, M. B. and Pearce, J. M. (2019). The insider threat: Behavioral indicators and factors influencing likelihood of intervention.  International Journal of Critical Infrastructure Protection, 24, 166-176.