Introduction
The Critical Pathway to Insider Risk™ (CPIR) describes the personal predispositions past insiders have brought to their organisations (personality and psychiatric issues, previous violations, social network risks), the triggers or stressors that have stimulated higher levels of insider risk, the concerning behaviours that signal observable behavioural indicators of increased insider risk in the workplace, the often maladaptive organisational responses that have failed to deter insider risks and the crime scripts that have accompanied insider actions.
It was described in detail by Shaw and Sellers (2015) and has been the focus of significant development and review by practitioners and researchers over the past 20 years (Band et al., 2006; Shaw, 2006; Shaw et al., 2009; Shaw & Fischer, 2005; Weaver, 2010; Shaw & Stock, 2011). Since 2015, the CPIR™ has been frequently incorporated into discussions of insider actions and methods for detection of insider risk. Lenzenweger and Shaw (2022) summarised this development of the CPIR™, its strengths and weaknesses and reasons for its wide acceptance. This work summarises recent evolution of the framework and highlights direct implications for Personnel Security policies and practices.
From practice to research: the evolution of the CPIR™
The CPIR™ framework is a living document. It has evolved as a direct result of feedback and engagement from insider risk professionals. Over 2,000 practitioners have participated in interactive CPIR™ training worldwide and have directly contributed to the framework’s development based on their experience. Examples of these contributions, subsequent modifications, and questions include:
- The addition of Organisational Stressors to the Stressor Category as a trigger for heightened insider risk. Instead of concentrating on individual stressors alone, we have learned that leadership changes or controversy, mergers, redundancies, and other organisational changes often impact employee risk drivers;
- The addition of the Community Stressor category, which focuses on events that impact entire communities and also drive employee risk. No experience drove home the important impact of these stressors more than the COVID-19 Pandemic, which resulted in an increase in personal, family, financial, social, and professional stressors to employees;
- Within the category of Community Stressors, the addition of Social Identity Stress (SIS), based on the work of Veenstra, which focusses on normative conflicts between employees and their organisations that increase insider risk (such as employee disgruntlement regarding Pandemic public health interventions at work);
- The improved development of SIS and its implications for Social Network Risks, Concerning Behaviours, Problematic Organisational Responses, and the Mitigator of Enlightened Management. SIS can increase the likelihood of Social Network Risks as Concerning Behaviours, managers can over-react to non-threatening network risks causing risk escalation, and Enlightened Management must now understand and communicate with employees regarding potential SIS, in addition to their personal risk issues. Our team are currently working on ways to better identify and assess SIS;
- Despite the relative strength of controlled research demonstrating the relationship between personality disorder traits and insider risk (Randall, 2013; Whitty, 2014; General Strain Theory from Criminology, literature on Counter-Productive Work Behaviours), the addition of immaturity (divided into naivete, as in the case of Clayton Lonetree, and gullibility, as in the case of Sharon Scranage) into the Personal Predispositions category;
- While therapy often succeeds in reducing risk, we have also highlighted many cases in which therapy did not deter or prevent insider acts, and without information on its effectiveness, may not prove a risk mitigator. Security managers are urged not to assume that an employee in therapy is no longer a potential insider;
- Attention to the possibility that suicidal ideation, marking a period of intense hopelessness, despair and need for relief, may prove a gateway into increased insider risk among the estimated 90% of persons who experience suicidal ideation but do not go on to take their lives. We have begun to collect data on insiders who experienced suicidal ideation prior to their violations and noted the relative frequency of such ideation in targeted and domestic violence, as well as in espionage subjects. We are also increasingly focused on better ways to detect suicide risk in the complex communication patterns of the estimated 50% of persons who kill themselves without overt references to self-harm in their communications.
These are currently useful hypotheses regarding the causes, motives, and pathways of insider risk, but may be immediately relevant for practitioner consideration. We welcome feedback from readers’ own observations.
From research to practice: the development of investigative tools
The CPIR™ has contributed to the development of several tools designed to assist analysts to locate persons at-risk, assess and measure their risk level, characterise their personality and decision-making processes for managers and help analysts evaluate their organisation’s vulnerability to insiders. These tools have included:
- The Insider Evaluation and Audit (Shaw, Fischer, and Rose, 2009), which takes managers through policies and practices designed to surface insider risk in employees through each step of the CPIR™ to allow them to assess their organisation’s insider risk vulnerability. For example, the Audit uses Personal Predispositions to determine how well an organisation’s screening and selection methods could detect such risks. It systematically reviews policies and practices designed to detect employee stressors or risk triggers, detect and intervene in Concerning Behaviours without committing Problematic Organisational Responses, and detect emerging insider crime scripts. We frequently use the Risk Audit to demonstrate how an insider or group of insiders penetrated the different layers of organisational risk detection and management protections, revealing weaknesses.
- The Pathfinder™ application operationalises the CPIR™ as an analyst risk database, directing analyst information search using the Pathway through a series of questions derived from each CPIR™ category. It uses a series of algorithms to produce an overall CPIR™ score, as well as a rating in each category, while comparing a subject to group and “known bad” scores. The application takes about two hours to score a new case, is sensitive to risk changes over time and has good interrater reliability.
- Based on colleague complaints that the Pathfinder™ application was too time-consuming, Lenzenweger and Shaw produced the CPIR-Index™, a simpler operationalisation of the CPIR™ designed to produce similar risk score estimates within 20 minutes. The Index correlates closely with the Pathfinder™ risk score. The CPIR-Index™ provides a handy field screening tool and a common language for concerned security personnel to communicate about a case.
- Cognition communications software is designed to locate individuals at-risk for insider acts from their communications by identifying signs of Disgruntlement. Disgruntlement, defined as levels of Anger, Blame and Victimisation significantly different than peers, has been found to differentiate unhappy employees from those that have demonstrated insider risk indicators (Shaw et al. 2013a and 2013b; Shaw et al. 2017). Based on this earlier work, Cognition’s psycholinguistic algorithms also provide an assessment of other risk areas (substance abuse, violence risk, religious extremism, dehumanisation, suicide, etc.) as well as characterisation of an author’s psychological state, personality, and decision-making preferences.
While we never conceived of the CPIR™ as the definitive analytical approach to insider risk assessment, it has served as a useful heuristic for analysts and managers within insider risk programs. According to Mitre, the CPIR™ has “benefited the insider threat community by motivating security analysts and law enforcement to consider the whole person, recognise risk factors beyond concerning behaviors, and realize that malicious insider activities are not isolated but instead result from a series of events.” The CPIR™’s utility may lie in its ability to tell a story about the evolution of insider risk that makes sense to practitioners, produces testable research hypotheses, and remains consistent with the available empirical research on insider actions.
Read more
Baweja, J., McGrath, S., Burchett, D., & Jaros, S. (2019). An Evaluation of the Utility of Expanding Psychological Screening to Prevent Insider Attacks. OPA Report No. 2019-067, PERSEREC-TR-19-05.
FBI Insider Threat Office. (2019). FBI Typology of Intentional Insider Threat (U/FOUO). Insider Threat Office (FBI).
Myers, C., & Trent, A. (2019). Operational psychology in insider threat. In M. A. Staal & S. C. Harvey (Eds.), Operational psychology: A new field to support national security and public safety (pp. 157–184). ABC-CLIO.
Randall, K. (2013). Integrating psychological, social, and behavioral indicators to detect insider threats. The National Security Psychology Symposium, Washington, DC, The Pentagon.
Shaw, E. D. (2006). The role of behavioral research and profiling in malicious cyber insider investigations. Digital Investigation, 3(1), 20–31. https://doi.org/10.1016/j.diin.2006.01.006
Shaw, E. D., & Fischer, L. (2005). Ten tales of betrayal: An analysis of attacks on corporate infrastructure by information technology insiders, Volume One. Defense Personnel Security Research and Education Center. FOUO.
Shaw, E. D., Fischer, L., & Rose, A. (2009). Insider Risk Evaluation and Audit (Technical Report 09-02). Defense Personnel Security Research and Education Center. http://www.dhra.mil/perserec/reports/tr09-02.pdf
Shaw, E. D., Payri, M., Cohn, M., & Shaw, I. (2013a). How often is employee anger an insider risk I? Detecting and measuring negative sentiment versus insider risk in digital communications. Journal of Digital Forensics, Security and Law, 8, 39–71. https://doi.org/10.15394/jdfsl.2013.1140
Shaw, E. D., Payri, M., Cohn, M., & Shaw, I. (2013b). How often is employee anger an insider risk II? Detecting and measuring negative sentiment versus insider risk in digital communications—Comparison between human raters and psycholinguistic software. Journal of Digital Forensics, Security and Law, 8, 73–83. https://doi.org/10.15394/jdfsl.2013.1144
Shaw, E. D., Payri, M., & Shaw, I. (2017). The use of communicated negative sentiment and victimization for locating authors at-risk for, or having committed, insider actions. Digital Investigation, 22, 142–146. https://doi.org/10.1016/j.diin.2017.06.014
Shaw, E. D., & Sellers, L. (2015). Application of the Critical-Path Method to evaluate insider risk. Studies in Intelligence, 59, 1–8.
Shaw, E. D., & Stock, H. (2011). Behavioral risk indicators of malicious insider theft of intellectual property: Misreading the writing on the wall [White Paper]. Symantec Corporation.
Veenstra, K. (2024, March). Shifting sands: Employee expectations and insider risk [Post]. LinkedIn. https://linkd.in/gg4b3T3b
Veenstra, K. (2015, November). Loyalty, social identity, and insider threat. Report prepared for the Australian Criminal Intelligence Commission.
Weaver, R. (2010). A preliminary chronological analysis of events in the DIA/CERT insider threat database [Unpublished manuscript]. Software Engineering Institute.
Whitty, M. (2014). The human element of insider threat: Initial findings [Unpublished manuscript]. Center for Protection of National Infrastructure.