Security culture in focus – Interview with Dr. Eric Lang: ”The employee means well, but it creates risk.”
Dr. Eric Lang, behavioral science and insider prevention expert, and a member of SRI’s Advisory Board, recently visited Stockholm to share his research on insider threats and security culture.
In an interview with SäkerhetsBranschen, he gives his insights on how organizations – even small companies without an HR or security department – can prevent risks and strengthen their security culture.
This article is an extended version of the original interview with SäkerhetsBranschen.

In your article Seven Science-Based Commandments, you write that insider threats are increasing. Is the threat a growing problem; is there an increase in the number of incidents?
”Yes, insider threats and incidents are both increasing, along with increases in the number of people involved and cases with high costs and negative consequences,” says Dr. Eric Lang.
He points out that there are several types of incidents that are important to distinguish. One is caused by malicious attacks, such as employees attempting to steal information or damage their employer’s business, while another type is non-malicious, such as when employees do not intend harm but make mistakes, do not follow security or safety procedures, or unintentionally create a vulnerability that an attacker can exploit.
Dr. Lang explains that unintentional and non-malicious insider incidents are more prevalent than malicious insider incidents. For example, data leaks are more often caused by employee mistakes and failures to identify social engineering and phishing attempts.
”When it comes to non-malicious insiders, there are also several types. One type involves mistakes by employees who lack knowledge of security procedures or fail to remember security awareness information, which is often due to poor quality security training.
Another type of non-malicious risk involves employees who know the security rules but choose to bend or break them in a misguided belief that it’s a reasonable way to help their organization – such as bringing home classified material to help their supervisor meet an important deadline. The employee means well, but it creates risk.

That typically happens when the security culture is seen by employees as allowing certain security policies to be bent or broken based on employees’ preferences and perceptions of common workarounds. In other words, not following certain security policies is seen as common and normal,” says Dr. Lang.
It is important that everyone in an organization understands their security culture and organizational culture, and accepts that organizations must be able to quickly identify and mitigate risks when employees go around security rules, even when employees do so with good intentions.
A big part of the problem is that organizations don’t understand or measure how certain policies and security rules create difficulties for employees—difficulties that could be mitigated if organizations had better discussions with employees and were more open to exploring creative solutions. When organizations don’t do this, employees often devise their own solutions, which are more risky.
Ideally, senior executives and line supervisors help employees understand and buy into the organizational culture, so that everyone feels a sense of personal responsibility for an organizational culture that protects the security, safety, and well-being of all employees and stakeholders.
The key is mutually respectful discussions between front-line employees, managers, and policy-makers.
How do you view the awareness of these risks?
Dr. Eric Lang says that many companies and authorities focus too heavily on protecting themselves against malicious attackers, typically by purchasing technical solutions such as computer network surveillance.
”If you spend money on technology, you believe you have taken action and implemented a sufficient solution. Unfortunately, critical human factors and organizational culture issues are typically not addressed. Strengthening the safety and security culture often requires in-person time: sitting down in small “Psychologically Safe” groups, discussing policy, understanding trade-offs, and airing concerns. Managers worry about the added labor hours for such in-person meetings.
However, managers and senior leaders overlook the risks and world-wide evidence that, when something serious happens, there will be significantly higher costs than meeting time,” says Dr. Lang.
Interestingly, Dr. Lang adds, research consistently shows that improving organizational culture and employee engagement—even if the original focus was security and safety—typically results in important secondary benefits, such as higher employee productivity and trust, less burnout, and lower turnover.

What is the significance of the security culture for the risk of ”the human factor”?
Dr. Lang begins by defining organizational culture as “the perceptions, assumptions, and values that influence employees’ expectations and behaviors”. He emphasizes the importance of helping employees to understand the ethics, practicality, and safety and security issues behind policies that are being considered and implemented.
”If employees believe they can get more work done or advance their career by bending or ignoring a security or safety policy—and organizations are either not aware or look the other way because of profit motives or weak management—security incidents will increase.
When deviations from security policies are tacitly accepted as the ‘unspoken rules’ of being efficient and getting ahead, risky behaviors and costly problems will increase. This is shown by research on organizations all over the world,” says Dr. Lang.
Security risks during the pandemic years
During the pandemic years, many organizations lacked clear rules for security and safety practices for employees who suddenly needed to work from home. Consequently, employees made more decisions on their own, such as integrating work and personal computers to get tasks done.
At the same time, without intentional management to maintain a robust organizational culture, remote work sometimes limited the benefits derived from in-person experiences that build trust, engagement, and a culture of mutual commitment, especially for new employees. Without the helpful ”cultural glue”, insider risks increased.
”Statistics show that insider incidents—mistakes and criminal activity—rose during the Covid pandemic. In addition, behaviors of disgruntled employees and those with malicious intentions often worsened because of unprepared remote supervisors,” Dr. Lang says.
Research shows that remote work can be as (or more) productive, secure, and safe as in-office work, but it takes intentional and supportive management along with appropriate security and HR policies.

Many companies are so small that they probably don’t have an HR, security, or legal department. What tips do you have for them?
”Small businesses can and should still have an insider prevention program. They should at least have a fair and effective see-something-say-something reporting program, including a message that employees don’t need to investigate ambiguous concerns themselves.
Instead, employees should feel comfortable reporting the concern and trusting that the organization will follow up quickly with a fair and confidential assessment and action, if necessary. Good see-something-say-something programs engage employees and build organizational trust, so employees feel it’s okay to report even in cases of uncertainty,” says Dr. Lang.
He says that statistically, reported concerns are more often determined to be an HR matter rather than a security matter. For example, an employee may be showing behaviors of concern because they are struggling with an early-stage alcohol or drug issue, a family crisis, a stressful life event, or just need extra support. He goes on to emphasize that small businesses have an advantage.
”If you are at a company with only 15 people, the CEO will likely know everyone and can build relationships and trust with each employee, thus creating a strong organizational culture of engagement, mutual reliability and collaboration. That’s something that CEOs of larger companies can’t do,” says Dr. Lang.
Do you see any trends among the malicious actors in their way of working?
”Research in many countries shows that even small criminal gangs are becoming more technologically advanced and cooperating with similar groups in other regions, which makes them stronger and better able to carry out larger attacks, such as theft and disruption.
For both malicious and non-malicious insider risks, the fact that we are all more connected by information networks means that even small mistakes by insiders can have big consequences—such as massive data leaks and vulnerabilities to attackers—because the information systems touch so many databases and operations,” says Eric Lang.
Dr. Eric Lang’s research shows that although non-malicious and accidental insider risks are, overall, more prevalent and damaging than malicious insider incidents, businesses and governments continue to ignore or mismanage non-malicious risks. And part of this mismanagement is the false belief that technological solutions are sufficient.
For managing malicious and non-malicious insider risks, the greatest gaps and opportunities require insights, policies, and tools that focus on human factors, psychology, and organizational culture.
Dr. Lang points out that even small businesses can build strong security cultures through trust, clear reporting pathways, and engaged leadership. Working with the human factors is often the most effective way to prevent incidents, and it’s something any organization, regardless of size, can do.
