Look in the Mirror: How Organizational Blind Spots Create Insider Risk

Most conversations about insider threats focus on the “bad actors”—the spies, the leakers, the shooters. But the real story is often less dramatic, far more human, and frankly, closer to home.


Let me start with a hypothetical scenario that might feel uncomfortably familiar.

The Conversation That Shouldn’t Have Happened


Fred, a senior research scientist, was summoned to a private meeting with a program manager, Tom. No context. No agenda.


Tom wasted no time delivering a chilling warning: “Complaining about management decisions can damage your career.”


Fred was stunned. He hadn’t filed a complaint. He hadn’t even considered filing one. But he did recall a chance, harmless encounter in an airport lounge with a company business manager who asked how a proposal had turned out. Fred replied that when the project funding arrived, the work was re-scoped and given to someone else. This simple and honest response must have gotten back to Tom, Fred thought.


Apparently, even innocent comments can echo in strange ways...


Fred left the meeting with Tom, trying to process two things:


1. He’d been quietly passed over for a project leadership role he believed he’d earned.

2. Leadership responded not with transparency, but with intimidation.


Now Fred’s feelings of grievance began to surface, and he began to think about leaving, or perhaps even about seeking revenge. Situations like this don’t create insider threats by themselves. But they can create the conditions in which insider threats grow.



Insider Threats Aren’t Just About “Bad People”


Insider threats occur when someone uses legitimate access (intentionally or accidentally) to harm the organization. Most people immediately think of big headline names—Ames, Hanssen, Manning, Snowden, Alexis, Teixeira. These cases dominate public conversations, but they obscure what leads individuals toward harmful behavior.


Insider threats arise from a mix of personal vulnerabilities and organizational conditions. It’s not just who someone is—it’s what they experience and how the organization responds.


Two considerations really matter:


1. Individual Personal Predispositions


Certain personal characteristics can increase risk:


· inclination toward interpersonal conflict (aggression, harassment, bullying)

· feelings of grievance about being undervalued, exploited, or mistreated

· manipulative tendencies, or narcissism


These predispositions alone don’t turn someone into an insider threat. But under the right stressors, they can.


2. Organizational Conditions


This is where many organizations underestimate their own influence.


Risk is amplified when:

· leaders communicate poorly (or not at all)

· workloads and resources are imbalanced

· security policies confuse or frustrate employees

· advancement paths are opaque or politicized

· toxic leadership behaviors go unaddressed


These aren’t small issues. They’re the underlying environmental conditions that determine whether normal workplace frustrations escalate into something destructive.



About ten years ago, I collaborated with a group of researchers working on a U.S. government (Intelligence Advanced Research Projects Activity, IARPA) sponsored project to develop a knowledge base of insider threat Potential Risk Indicators (PRIs): the Sociotechnical and Organizational Factors for Insider Threat (SOFIT). Besides describing hundreds of psychosocial, behavioral and technical PRIs associated with individuals, SOFIT defines a class of approximately fifty organizational factors that are categorized into the following sub-classes:

· Security Practices (e.g., security awareness training, incident response plans)

· Policy Clarity (e.g., adequacy of documentation, enforcement of policies and controls)

· Monitoring Practices (e.g., monitoring of staff behavior and online activities)

· Security Controls (e.g., separation of duties/privileges, backup/recovery processes)

· Management Systems (e.g., communications, resource management, management styles, career advancement)

· Work Planning and Control (e.g., job pressure/stress, workload)

· Work Role (e.g., work role conflicts, lack of authority)

· Working Hours (e.g., extended hours, lack of breaks)

· Hiring/Firing Practices (e.g., job candidate screening, mishandling terminations)


The SOFIT knowledge base has been updated since it was originally developed. A current version of the SOFIT 2.0 taxonomy, including the organizational factor listing, is available at the Cogility website: https://cogility.com/blog/updated-sofit2-insider-threat-indicator-taxonomy/


In the scenario described above, Fred may have felt confused by a management decision that deprived him of a project leadership role, but he showed no inclination toward retribution, and no motivation to act against the organization, until he encountered a toxic leader.


Certain organizational factors can act as accelerants along the critical path to insider risk. Organizations that ignore such factors create an environment where risk is not only possible but predictable.


A Call to Look in the Mirror


At the heart of insider‑risk management lies a simple but often overlooked truth: Organizations shape the conditions in which people thrive, struggle, or cross into harmful behavior. Preventing insider risk isn’t just about monitoring people—it’s about understanding the environment in which they work.



If we want to prevent insider incidents before they emerge, we must be willing to ask harder questions about how our organizations function, not just how our employees behave. Are policies fair? Are leaders accountable? Do employees feel respected, heard, and supported? Do they experience the organization as a partner in their success—or an adversary?


Insider risk often grows in the shadows of dismissiveness, poor communication, unresolved grievances, and systemic inequities. Yet the critical path can be interrupted—early and effectively—when organizations invest in transparency, ethical leadership, and continuous improvement. When leaders demonstrate integrity, fairness, and empathy, they not only reduce risk; they strengthen trust, engagement, and loyalty.


Effective tools and analytics are crucial to detect at-risk individuals, but they can be undermined in a culture where communication is strained, leadership is inconsistent, or policies feel unfair. A culture that values people, acknowledges its own shortcomings, and acts decisively to address them is more resistant to the germination of insider threats. Strengthening the security culture and climate through periodic self-examination of organizational factors underlying insider risk may be the most powerful—and most overlooked—proactive insider‑risk mitigation strategy we have.


Further Reading:


Band, S. R., D. M. Cappelli, L. F. Fischer, A. P. Moore, E. D. Shaw, & R. F. Trzeciak. (2006). Comparing insider IT sabotage and espionage: A model-based analysis. Carnegie Mellon University, SEI/CERT Coordination Center. CMU/SEI-2006-TR-026.


Cappelli, D. N., A. P. Moore, & R. F. Trzeciak. (2012). The CERT guide to insider threats: How to prevent, detect, and respond to information technology crimes (theft, sabotage, fraud). Addison-Wesley.


Cole, E, & S. Ring. (2006). Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft. Rockland, MA: Syngress Publishing.


Greitzer, F. L. (2019). Insider threats: It’s the HUMAN, Stupid! Northwest Cybersecurity Symposium, April 8-10, 2019. ACM ISBN 978-1-4503-6614-4/19/04.


Greitzer, F. L., D. A. Frincke, & M. M. Zabriskie. (2011). Social/ethical issues in predictive insider threat monitoring. In: MJ Dark (Ed.), Information Assurance and Security Ethics in Complex Systems: Interdisciplinary Perspectives. Hershey, Pennsylvania: IGI Global. Chapter 7, pp.132-161.


Greitzer, F. L., J. Purl, Y. M. Leong, & D. E. Becker. (2018). SOFIT: Sociotechnical and Organizational Factors for Insider Threat. IEEE S&P Symposium, Workshop on Research for Insider Threat (WRIT). San Francisco, CA, May 24, 2018.


Greitzer, F. L., J. Strozer, S. Cohen, J. Bergey, J. Cowley, A. Moore, & D. Mundie. (2014). Unintentional insider threat: contributing factors, observables, and mitigation strategies. 47th Hawaii International Conference on Systems Sciences (HICSS-47), Waikoloa, Hawaii.


Kiser, A. I. T., T. Porter, & D. Vequist. (2010). “Employee monitoring and ethics: Can they co-exist?” International Journal of Digital Literacy and Digital Competence, 1(3), 30-45.


Reed, G. E., & R. A. Olsen. (2008). Toxic Leadership: Part Deux. Military Review, November-December 2008, 58-64.


Shaw, E. D. (2023). The psychology of insider risk. Taylor & Francis Group/CRC Press.


Shaw, E. D., & L. F. Fischer. (2005). Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders. Report 1—Overview and General Observations. Technical Report 05-04, April 2005. Monterey, CA: Defense Personnel Security Research Center.


Shaw, E. D. & L. Sellers. (2015). Application of the critical-path method to evaluate insider risks. Studies in Intelligence, 59(2), 41-48.


Shaw, E. D., J. M. Post, & K. G. Ruby. (1999). Inside the mind of the insider. Security Management, 43 (12), 34-42.


Shaw, E. D., K. Ruby, & J. Post. (1998). The insider threat to information systems: The psychology of the dangerous insider. Security Awareness Bulletin, 2(98), 1-10.

Secretariat Address. Norman Paterson School of International Affairs, 1125 Colonel By Drive, Ottawa, Ontario, K1S 5B6, Canada

© 2026 by Insider Risk Practitioner Alliance