“The Dark Triad and Insider Threats in Cyber Security”
Communications of the ACM, December 2020, Vol. 63 No. 12, Pages 64-80
By Michele Maasberg, Craig Van Slyke, Selwyn Ellis, Nicole Beebe
“Machiavellians engage in bad behaviors for some gain, narcissists engage in bad behaviors because they are only concerned with themselves, and psychopaths behave badly for the thrill, regardless of the risk to themselves or an organization.”
“I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties.”
—Tesla CEO Elon Musk in an email to Tesla employees.
Insider cyber sabotage such as that mentioned by Mr. Musk is one of the reasons cyber security remains a top managerial concern. Insider threats, such as the Tesla sabotage, are among the greatest of these security concerns. A major reason for this is that insider security breaches are seen as more costly than those from outsiders.
Understanding the individual, social, and organizational influences on insider threats is important to the development of security-related policies and controls. Cyber sabotage as part of a broader insider threat issue is addressed in the context of an organizational security risk management plan. Such plans should include security controls intended to mitigate the risk of a human threat from the inside. In the U.S., in some cases in which classified material is involved, formal insider threat cyber security programs are mandated by Presidential Executive Order.
The security controls prescribed by insider threat programs often include automated employee monitoring systems for detection, and education and training programs for awareness. These controls often include technical and behavioral indicators derived from the observed psychological traits and specific behaviors of high-risk insiders. These indicators should be based on empirical evidence in order to avoid false accusations that harm employees, as well as the negative ethical and legal consequences associated with biased systems.
Insiders possess unique personal predispositions, stressors, and concerning behaviors that have been identified as risk factors; these have been included in models of insider threat behaviors. Past research suggests that robust cybersecurity systems include psychological or personality factors in their design. Several insider threat frameworks include personal predispositions (including personality traits) as the origin point of threat behaviors. This suggests it is important to recognize personal factors, especially personality traits, before they lead to malicious behaviors. Such recognition can be the earliest point of threat agent identification.
Much of the existing research into personality traits and cybersecurity is based on case studies, anecdotal evidence, or conceptual reasoning. There is a lack of quantitative empirical evidence to guide our understanding of the relationship between personality traits and insider threats. Understanding the role of traits related to antisocial behavior in malicious insider threats is especially important due to the link between these traits and malevolent behavior. The findings of our research may help enhance and extend existing models and frameworks including advanced technical systems.
In this article, we focus on a set of pathological personality traits known as the dark triad. Evidence from recent insider threat cases leads us to believe these traits may correlate with intentions to engage in malicious behavior. After discussing insider threats and the dark triad traits, we present results from an empirical study that illustrate the relationship between the dark triad traits and malicious intent. We then discuss the importance of these results and make recommendations for security managers and practitioners based on our findings. Despite the inclusion of personality traits in insider threat frameworks, to our knowledge no studies have empirically investigated the relationships between the dark triad traits (individually or collectively) and insider cyber sabotage. The findings of our research may help enhance and extend existing models and frameworks of insider threat behavior. Additionally, the findings may contribute to empirically validating rulesets in technical systems and traits used in insider threat training and awareness programs.
Insider threats. Insiders represent greater threats to organizations than outsiders due to their access to organizational information and information systems, especially when coupled with their advanced organizational knowledge and the trust that is often afforded to them. Insider threats exist when trusted current or former organizational members act in ways that expose the organization to risk. Inappropriate insider behavior not only threatens organizational resources, it may put the survival of the organization at risk.
When discussing insider threats, it is useful to distinguish between malicious and unintentional threats. Not surprisingly, the key difference is intent. Unintentional threats come from actions (or inactions) undertaken without any malicious intent. Using an easy-to-guess password or responding to a phishing email are examples of unintentional threats. In contrast, malicious threats come from intentional acts. The CERT National Insider Threat Center (NITC) defines a malicious insider threat as “a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.” The research presented here pertains to malicious, rather than unintentional, insider threats.
About the Authors:
Michele Maasberg is a Cyber Security Scientist at the Johns Hopkins University Applied Physics Laboratory, Laurel, MD, USA.
Craig Van Slyke is the Mike McCallister Eminent Scholar Chair in Information Systems at Louisiana Tech University, Ruston, LA, USA.
Selwyn Ellis is Balsley-Whitmore Endowed Professor, an associate professor, department head, and Interim Associate Dean of Graduate Programs at Louisiana Tech University, Ruston, LA, USA.
Nicole Beebe is Department Chair of Information Systems and Cyber Security, Melvin Lachman Distinguished Professor in Entrepreneurship, and Director of the Cyber Center for Security and Analytics at the University of Texas at San Antonio, TX, USA.