Right Risk – Identifying the Insider Threat
Organisations face increasing challenges to ensure that employee risk – particularly for staff members fulfilling high-trust roles – is understood and remains manageable. Recent high-profile cases involving intelligence, police and military personnel have highlighted limitations in vetting; similarly, psychometric testing has proven to be insufficiently reliable in identifying a candidate’s suitability for work in aviation, education or health sectors. Vetting and psychometrics each rely upon either self-reporting, indirect reporting or on observed behaviour (or combinations thereof); accordingly, the insights delivered may not be adequately representative of the subject. For example, a job applicant might be incentivised to submit answers that he/she imagines would create a favourable impression with the potential employer rather than what they actually believe. Equally, the biases, conscious or sub-conscious, of the vetting practitioner or test administrator may also skew results such that failure, at one extreme, means that the best candidate is not selected; at another extreme, a wholly unsuitable candidate – a square peg for a round hole – may be brought into a workforce with potentially catastrophic consequences. Employing an axiological approach – as a complement to other techniques used by businesses to appoint the best candidates to a role or function – fills this capability gap.
Already in use in many applications related to coaching, personal development, on-boarding/recruiting and team dynamics (and branded, where proprietary applications are used, as Axiometrics™), axiological profiling may also be used as a tool for identifying people-risk at individual, team and organizational levels. The philosophical origins of axiology – literally: the science of value/values – lie in Robert S. Hartman’s reasoning regarding why it was that erstwhile ‘good’ people should do ‘bad’ things. This Nobel-nominated capability (Hartman was nominated as a Nobel Laureate in 1973) has been developed over the intervening decades into an accurate and reliable people and organizational profiling capability that is demonstrably objective, rapid to deploy and, uniquely, ungameable.
CPNI Insider Data Collection Study
Drawn from a sample of 120 Insider case studies, the UK Government’s Centre for the Protection of National Infrastructure (CPNI) Insider-Data-Collection-Study (April 2013) identified a set of 18 traits, behaviours and lifestyle vulnerabilities that indicated a significant risk that individuals would act against the interests of their employer’s business. However, other than urging greater managerial oversight (despite the same report identifying that over 50% of cases reported were committed by managers or executives), it did not offer any solutions to address these risks. We propose that axiologically derived Axiometrics™ processes offer a viable toolset to employ in response to the insider threats identified in the CPNI study; moreover, axiological analysis will support managers and executives in directly identifying 13 of the 18 risk characteristics listed in the study and indicate levels of risk in 3 of the remaining 5. The CPNI report stated that only 6% of cases studied were initiated by individuals who joined an organization with intent to commit ‘rogue’ acts – the remaining 94% were perpetrated by those who joined the business in good faith but then went on to act against their employers’ interests in response to environmental conflicts: using Axiometric techniques, this environment is now measurable. Axiology offers a unique, effective and affordable solution to support managers and executives in countering this complex and difficult-to-detect organizational challenge.
Of the many threats to an organisation’s reputation & integrity, few are as pervasive as that of malicious activity from inside the organisation; this has an additional impact on all other elements of security risk.
The Axiometrics Process
Based upon the specific needs of the organization, a project lead will define the shape and scale of the investigation and agree the required outcome. The Axiometrics™ experience for the individual is a straightforward statement-ordering exercise which is completed on-line (a paper-based alternative is also available) at a time of the individual’s choosing and takes, typically, 10-15 minutes to complete. A description of the principles underpinning this exercise is available in a separate briefing but, in summary, this is an accurate, reliable, repeatable and tamper-proof mathematical process which, based on the thought processes resulting from the values and biases developed over a lifetime, creates a comprehensive description of the subject’s strengths and weaknesses. This data may then be aggregated across a team or other organizational set to build an environmental view of the distribution of positive characteristics and vulnerabilities throughout the group.
Axiological profiling offers an insightful business intelligence tool to support managers’ and executives’ decision-making processes which, taken over time, additionally provides a unique method of measuring culture. The team-level charts above illustrate degrees of alignment between the business-defined measures of ‘good’ and the measured values held within the group. (Here, conformance with ‘good’ has been shaded green whereas alignment with ‘not good’ or ‘toxic’ is shown in red.)
Taking an axiological approach to people-risk – including the particularly challenging Insider threat – offers a reliable, ungameable, repeatable means to measure individual, team and organizational levels of risk and propose bespoke remediation strategies where risk thresholds are exceeded. Uniquely, taken over time, the environmental axiological view provides a means of measuring the ‘culture’ in an organization: an essential tool in gauging the effectiveness of a change initiative or the performance of a business’s human capital. The complementary Axiometrics™ processes deliver a reliable, low-cost solution to support executives and managers in creating the right ‘culture’, based on business need, as efficiently as possible.