Interview with Dr. Eric Lang – world-leading behavioral science and insider prevention expert, and SRI’s newest Advisory Board member

Hi Dr. Lang!

We are very pleased to welcome you to Team SRI and our Advisory Board! Many of our clients and readers know you from your distinguished work within PERSEREC and the Threat Lab.

Now, as you join our Advisory Board, your impressive experience and breadth of knowledge will be even more readily available to the Swedish and European markets.

Insider threats and insider prevention are two hot topics in Sweden right now, so thank you for taking the time to talk to us and for sharing your insights.

What are your thoughts on the rising insider threat globally and organizations’ insider prevention responses?

“Globally, there are many concerning trends, but two tech-related increases are important to note, along with a traditional trend that continues to be a persistent insider threat.

The first trend is greater use of technological tools by malicious outsiders and insiders to take advantage of vulnerable employees with weak security awareness, personal problems, disgruntlement, or poor security practices. For example, the growing use of customizable and highly believable text, voice, and video-based Gen-AI solicitations is a burgeoning problem.

A second tech-related trend is the increase in frequency and harm of unintentional insider incidents. Because organizations’ data files, intellectual property, financial systems, and operational programs are increasingly interconnected by complex Information Systems (IS), employees’ unintentional lapses, accidental data leaks, and IS exposures result in progressively more extensive and costly harm and loss.

The third trend, that has persisted for thousands of years is bribery. Although I have not seen reliable international data on this, the many noteworthy incidents every year of unethical and illegal solicitations by corporate competitors and thieves indicates that bribery continues to be a prolific and effective way to compromise insiders, gain assets, and disrupt organizations.

An unfortunate insider threat prevention trend is that organizations rely too heavily on system-based monitoring technology. Critical gaps remain in addressing socio-behavioral and Human Factors Insider Risk issues, such as low security culture engagement, divided loyalties, and bribery.

Although UEBA, SIEM, and other system-based technology is necessary to identify some types of security threats, it is far from sufficient to manage the overall insider problem. Bruce Schneier said it best, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

Science-based, best-practice, socio-behavioral and Human Factors solutions exist for organizations that are interested. I’m looking forward to helping SRI serve interested groups.”

What do you think we, in Sweden and Europe, can learn from the work and research that you and your fellow researchers have done in the United States?

“With respect to Insider Threats, although geopolitical and sociocultural factors create unique conditions in Sweden, there are also many common problems, especially among democracies in Europe, North America, and the Australia/New Zealand region, e.g., from State-sponsored actors supported by Russia, China, Iran, and North Korea. Additional common threats stem from local malicious activities that affect insiders, e.g., from white supremist and anti-government groups and extremists.

Because the U.S. and UK have the largest public sector and private sector defence-related budgets, we have—for decades—been able to fund substantial portfolios of basic and applied Insider Threat research, resulting in many science-based insights, policy recommendations, and tools that are freely available to benefit NATO countries, like Sweden, and other allies.

My area of expertise is on Psychological, behavioural, and social/organizational systems related to Insider Risk, Insider Threat, and organizational well-being. The problem I’ve seen repeatedly is not with the availability of research-based policy recommendations and tools. Instead, the challenge is with:

(1) organizational leadership not understanding the magnitude of the current and impending insider risks and, consequently, not sufficiently exploring and resourcing best-practice Insider management implementations, and

(2) organizational Managers and vendors not knowing how to work together effectively to assess and customize science-based policies and tools to best fit a group’s specific areas of risk, corporate resources, and organizational culture.”

In your opinion, why is it important to use evidence-based insider prevention, and why is it important to continue social behavioral science research?

“For Insider Threat and other areas that involve Psychological, Human factors, and social influences, too many security professionals and leaders make decisions based on untested assumptions, intuition, memorable experiences, and common misconceptions that are not generalizable or effective for improving security management.

For example, it is still commonly believed that making harsh penalties even harsher will deter violators. Research evidence shows this is untrue.

Using a social science approach to frame questions and test potential approaches is the best way to identify implementations that are effective, efficient, and fair. Because Insider Risks/Threats, as well as social, geopolitical, and technological factors shift and evolve, continuous investments in basic and applied Insider Risk/Threat research is necessary.”

You have a distinguished career spanning over 20 years from the United States government sector, as well as 10 years prior experience in the private sector. Now that you are moving back into the private sector, what are you most excited about? What do you think some of the differences might be?

“Every job is a “package deal” that includes a mix of meaningfulness, restrictions, and opportunities that, hopefully, align well with an individual’s private life circumstances and values.

In my case, the past 20 years serving as a Federal employee and research center Director—in addition to being the best way for me to help the most professionals and citizens—also helped me take care of my family.

In transitioning back to the private sector I’m excited—and already enjoying—greater freedom to choose and maximize the meaningfulness of professional activities, minimize bureaucratic “friction”, and associate with a wider range of stimulating colleagues in areas I find important and fascinating (hint: I’m easily fascinated).”

You are now also joining SRI’s Advisory Board, which we are of course very excited about. What are some of the areas where you believe you can make an impact for SRI’s clients?

“Because I’ve already collaborated with SRI colleagues, I know we share a deep commitment to Humanistic and holistic approaches to security culture and insider prevention.

Consequently, my applied social science skillset and experience in that approach to safety, security, and organizational well-being means that, together, we can make SRI tools like Prisma, SRI services like employee vetting, and reports like the Annual Insider Review, even stronger and more useful.

Collaborating with dedicated and creative teams to support the business and national security needs of allied democracies is what I do best and what I enjoy most! I’m excited and grateful for the SRI opportunity!”

Thank you, Eric, and once again: Welcome to SRI!