One reason the cult classic movie Office Space is beloved by so many is that almost everyone can relate. Who hasn’t developed an emotional attachment to a stapler, grimaced every time a too-cheerful cube mate answered the phone, or fantasized about taking a baseball bat to a stubborn printer? We’ve all been there, and it’s perfectly healthy to experience negative feelings about work - they tend to ebb and flow, and can even serve a purpose, whether it’s a motivating factor to improve things, or a push to move on to the next opportunity.
But what is it that separates a normal, fleeting case of “The Mondays” from the very different impulse to launch an embezzlement scheme or commit arson? Are the “bad actors” who perpetrate acts of insider threat in the workplace born, or made? And most importantly, how can you protect your organization by identifying and addressing a brewing storm before it’s too late?
While you can’t control your employees’ thoughts or behaviors, there are concrete actions you can take to mitigate the risk of an insider threat incident at your organization - as former chief psychologist for the Naval Criminal Investigative Service (NCIS) Michael Gelles Said, "Insiders move along a continuum from idea to action," leaving ample opportunity to detect a potential threat before it's too late. The first step is to increase your organizational awareness of certain indicators that may be predictive of an employee's potential to pose an insider threat and create a "see something, say something" culture.
Let's take a look at some examples of observable and predictive indicators from the movie:
"It's not that I'm lazy, it's that I just don't care."
“Disregard” is a behavioral indicator of insider threat risk, defined by CMU as “having disregard for authority and accepted practices, as well as the impact of actions on others.” Not only does our protagonist, Peter Gibbons, refrain from completing his assigned tasks, but he openly discusses this approach with management and colleagues. Peter starts coming into the office late (if at all) without explanation, violates dress code, and displays other erratic behavior including parking in his boss’s space and removing a wall from his cubicle. These actions are all observable by others in the office, and align with the “disgruntled employee” indicators DoD believes to be predictive of an insider threat risk.
"If they take my stapler, I'll set the building on fire..."
Milton might be considered a textbook illustration of employee disgruntlement. Throughout the movie, he vacillates between isolation and conflict with other employees, and can be heard muttering threats to the company under his breath. Initech’s approach to handling Milton is to relocate his desk to the basement and quietly discontinue his pay without notifying him. This is an extreme example of how not to handle an employee separation -- note that a study of IT sabotage cases found that 92% of the cases examined occurred “following a negative work-related event such as termination, dispute with a current or former employer, demotion, or transfer.” But there is absolutely a lesson here: Milton’s behaviors are a cry for attention, and his feelings continue to fester and grow the more he is ignored. If any of his early indicators of disgruntlement would have been addressed by a concerned manager, maybe Milton would have been satisfied to listen to his radio at a reasonable volume and enjoy watching the squirrels be merry; and if not, he could have at least been released in a more humane manner.
"We need to talk about your TPS reports."
If your company falls under NISPOM standards, you are now required to put a process in place to identify patterns of negligence or carelessness when handling classified information that do not reach the threshold of a reportable security violation. It may seem trivial, but in practice it can be a valuable way of mitigating unintentional incidents; even if you’re not required to stand up this process, you may want to consider it. There is a running joke in the movie about how Peter has forgotten to use the new cover sheet on his TPS report. When confronted by his smarmy boss, he says that he understands the policy, he just forgot this one time. In a classified data situation, forgetting to use the proper cover sheet may represent a serious security violation. But even in the course of everyday business where a cover sheet is simply standard practice, any instance of negligence or carelessness should be flagged, addressed, and possibly documented so that employees get in the habit of safeguarding information.
As General Eugene Habiger, former Department of Energy “security czar” and former commander of U.S. strategic forces put it, “Good security is 20 percent equipment and 80 percent culture.” This is a critical concept in building an Insider Threat program that actually mitigates risk, because although 70% of data breaches are caused by insiders, nearly 60% of those were perpetrated by employees who did not intend to do harm, or “unwitting” insider threats. This is why it’s so important to be vigilant about reigning in carelessness and/or negligence when handling sensitive information through awareness training, modeling by leadership, and error-proofing processes as much as possible. When you think about it that way, maybe Initech knew what it was doing when they deployed eight middle managers to remind Peter to use the new cover sheet on his TPS reports!