MANAGING RISK IN A DISTRIBUTED ENVIRONMENT
THE CULTURE OF RISK, DIMINISHED LOYALTY AND THE DANGEROUS INSIDER
Jerrold M. Post, MD, Political Psychology Associates, LTD
American Association of Occupational Psychiatrists, April 2010
THE CHALLENGER AND COLUMBIA DISASTERS
• Columbia, January 2003
  • Engineers raised concern about damage from pieces of foam striking the wing and requested telescope or satellite photos
  • Managers derided and ignored the request: “I won’t be a Chicken Little”; “It’s a dead issue”
• Challenger, October 1986
  • Unseasonably cold; engineers raised a safety concern about the O-rings for a launch below 53 degrees F and recommended cancelling the launch
  • Managers overrode them and criticized the engineers for not being “team players”
Challenger and Columbia Disasters
• In both cases, management was under the gun to succeed for financial and program support; a delay would have raised questions
• In both cases, ad hominem attacks on the engineers (“mind guards”) prevented consideration and evaluation of their concerns
• In both cases, the safety culture had eroded into a risk culture: instead of having to prove it was safe, one had to prove it was dangerous
WHOM DOES THE ORGANIZATION REWARD?
• Is it the bold entrepreneur willing to take risks for the organization, not intimidated by the hand-wringing worry warts?
• NOTE SEMANTICS. Let’s reword.
• Is it the reckless, headstrong individual willing to put organizational equities at risk, or the prudent manager who judiciously weighs gains against risks in making balanced decisions?
EROSION OF VALUES IN GOVERNMENT AND CORPORATE CULTURES
• Prudent management has eroded into a risk culture
• Think derivatives, credit default swaps
• This tendency is magnified in a distributed decision environment
• When an organization makes exceptions to its policy, the policy has changed. It is not what is said but what is done.
Examples of Policy Changes
• IT consulting firm: partners tell subordinates they need to know the bid of their rival. Subordinates break into a hotel room. One partner is fired, the other reprimanded: “He was a star rainmaker.”
• A partner overrides the policy of doing a background check on all employees because the skills of the new hire were needed. No adverse credit information; indeed, no credit information at all! The new hire initiated major computer fraud as soon as he was on board. He had been released from jail for computer fraud the day before.
Psychological Qualities of the Dangerous Insider: Lessons Learned from “The Anatomy of Treason”
• Soviet acronym MISE
  • Money
  • Ideology
  • Sex
  • Ego
• And the greatest of these is ego!
Vulnerability of Narcissistic Individuals
• Individuals who are highly self-absorbed and consider themselves entitled to special consideration have an insatiable appetite for recognition and success
• Even when by external criteria they are doing very well, they may feel dissatisfied
• But when they are blocked in their careers and embedded in unrewarding marriages, they can collect injustices and be motivated to strike back
• Pattern of split loyalties
• Implications for employees in multinational firms
Generational Pathways of Treason (diagram: a matrix of Parents’ Relationship to the Regime against Youths’ Relationship to Parents, each loyal or disloyal, with the resulting types labelled Loyal, Dissident, Damaged and “Golden Youth”)
Thus, the two patterns of particular interest are loyalty to dissidence and dissidence to loyalty.
The Life Cycle and Treason
• Between ages 35 and 45, everyone goes through a period of psychological re-evaluation when they realize that youth is at an end: the mid-life transition
• Feelings of marital and job dissatisfaction peak at this time; individuals who are blocked in their careers and in unrewarding marriages are especially vulnerable
• Some need to regain their sense of competence by striking back
• Nearly all of the major traitors were impelled to act during the mid-life crisis
The Dangerous IT Insider
• Two-year study for DOD/C3I
• Risk of computer crime by the dangerous IT insider ($2.7 million each) greatly exceeds that from outside hackers ($57 thousand each)
• Dangers of loss of availability, reputation, and sensitive and/or proprietary data
• Evidence of foreign and corporate targeting of US industry
• Significant problems with prevention, detection and management
Definition of Research Subject
• The CITI: Critical Information Technology Insider
• An Information Technology Specialist who designs, maintains or manages critical information technologies
People kill information systems. Computers don’t kill information systems.
Employment Contexts
• INSIDER/OUTSIDER IS A FALSE DICHOTOMY
Insider Employment Contexts
• Employees
• Contractors and Consultants
• Partners, Customers
• Temps
  • Short-Term
  • Long-Term
• Former Employees
• About to become Former Employees
PARADOX
• THE LESS LOYALTY EXPECTED, THE LESS ATTENTION TO SECURITY!
A Typology of Malicious Acts
• Abuse/Fraud
• Extortion
• Sabotage
• Espionage
Introversion
• Psychological studies of computer professionals indicate they are overwhelmingly introverts
• Introverts prefer the internal world of ideas to the outer world of people
• Introverts tend to internalize stress and express themselves on-line, which is a management challenge
Social and Personal Frustrations
• History of significant frustrations relating to family, peers and coworkers
• Report preferring the predictability and structure of work with computers
• Propensity for anger toward authority
• Revenge Syndrome
Computer Dependency
• On-line activity significantly interferes with, or replaces, direct social and professional interactions
• Prefer the virtual world to the real world
• On-line relationships may constitute an avenue for influence, recruitment or manipulation
Ethical “Flexibility”
• Survey research reveals 6-7% approval for hacking, espionage and sabotage
• “If it isn’t tied down it’s mine to play with”
• Notion that the computer is a toy and data is not “real”
• The consequences do not seem serious
Reduced Loyalty
• Organizational loyalty challenged by high degrees of turnover
• HHS study on insider computer fraud found perpetrators identified more with programming than with their employers
Entitlement
• Belief that one is special and owed corresponding recognition, privilege or exceptions, often reinforced by employers
• Grandiosity covers a fragile ego
• Prone to anger and revenge when specialness is not recognized
Lack of Empathy
• Disregard for the impact of their actions on others, or inability to appreciate these effects
Predisposing Traits (diagram: the personality clusters Avoidant/Schizoid and Anti-Social/Narcissistic/Paranoid, mapped to the traits Social & Personal Frustration, Entitlement, Reduced Loyalty, Ethical Flexibility, Computer Dependency and Lack of Empathy)
Critical Path to Insider Acts (diagram: Vulnerable CITIs with Predisposing Traits, acted on by Stressors and moderated by Mitigating Factors, become Dangerous CITIs)
Major Stressors
• Personal stressors
  • Divorce
  • Financial difficulties
• Professional stressors
  • Transfers
  • Supervision and organizational changes
  • Technological changes with personnel effects
Person-Situation Interaction (diagram: Personal Stressors and Professional Stressors act on the Vulnerable CITI, producing Mounting Stress and Frustration that escalates from Minor Infraction to Moderate Infraction to Major Act)
Perpetrator Typology
• Explorer
• Hacker
  • Golden Parachuter
• Good Samaritan
• Machiavellian
• Career Thief
• Mole
• Exception
  • Proprietor
Explorer
• Motivated by curiosity
• Rarely damages
• Tests abilities
  • Unauthorized access to learn more
  • Lacks good judgement regarding unmarked files
  • Often picked up by the sysadmin, but no policy, so no consequences
• Programmed Learning Case
Hacker
• Prior history of hacking
• Needs to challenge the system and authority
• Derives significant self-esteem from victories
• Generally not destructive, but may need to leave a mark
• Hacks to show off and impress peers
• More dangerous if part of a hacker peer group
Hacker Subtype: Golden Parachuters
• Insert logic bombs or other system booby traps, which they are uniquely qualified to defuse, in exchange for a generous consulting fee or severance package
• Rarely reported
• Often more cost-effective for the company to pay off the employee
• Subcontractor writing code
Good Samaritan
• Hacks episodically to fulfill duties more “effectively” or “responsibly”
• Doesn’t see the violation
• Ends justify the means
• May show off, save the day
  • Hacks the system to fix it in an emergency situation
  • Copies files to save time
• Makes a great rationale: “testing security”
Machiavellian
• Covertly hacks to advance career, increase status, damage a rival, or establish future business
  • Consultant steals proprietary data
  • Subordinate frames boss
  • Employees destroy a rival group’s network card
  • Time bomb to establish a consulting job
  • Program outages to facilitate travel
Case Example
• Civilian Gov’t programmer
• EEOC complaint against supervisor
• Whistleblower
• Negative performance evaluation by supervisor
• Tried unsuccessfully to rectify the negative performance evaluations through channels; mounting frustration
• Transferred; only the negative performance evaluations were forwarded by the supervisor
• Seeks revenge against the supervisor by remotely taking down a Gov’t database
Career Thief
• Computer is a tool for a criminal scheme
• Pure anti-social version vs. disgruntled mixed breed
• HHS report on fraud by computer specialists
  • Lack of loyalty to employer
  • Greater identification with profession
• Embezzlement at Wells Fargo
Mole
• Joins the organization to commit espionage for the benefit of a company or foreign government
• Different from Avengers, who commit espionage out of revenge
• Reuters/Bloomberg
Exception
• View themselves as special, deserving of extraordinary recognition
• Consider themselves above the rules
• Often deflect blame to others
• Have a grandiose view of their importance beneath fragile self-esteem
• Act in retaliation for real or perceived wrong
• Motivation is revenge
• Associated with termination, demotion, assignment changes, perceived setbacks
• Any group is subject to disgruntlement
Exception Subtype: Proprietor
• Feels he owns the system
• Entitled to special privileges
• Hacks to protect control of the system
• Hacks to deter rivals
• May create problems only he can solve
  • Financial Sysadmin
  • Plant Engineer
  • Intellectual Property
Case Study: The Proprietor
• Well-paid systems administrator
• Personality traits: Proprietor
  • Entitlement
  • Manipulative
  • Devaluing of others
• Padded OT
• New supervisor
• Cut back to PT
• Disables servers
Eleven Months Prior to Event
• The company undertakes a corporate reorganization plan and a new, female technology manager is hired to supervise the network project.
• Subject immediately has difficulty with the new supervisor (gender, ethnicity issues).
• Supervisor believes subject is inflating his billable hours.
Six Months Prior to Event
• Subject is informed that his contract will not be renewed after May because he is too expensive, and is complimented for excellent work to date.
• He expresses the belief that the company has no employees capable of managing ‘his’ complex computer network.
Three Months Prior to Event
• Complains to the new supervisor, who has instructed him to train replacements, that the replacements do not have the skills necessary to replace him, and refuses to give them access to the system.
• Supervisor e-mails him: “You seem to have developed a personal attachment to the servers. These servers belong to the company--not to you.”
Email 1: April
• (Refuses to train backup) “His experience was ZERO. He does not know ANYTHING about ...our reporting tools.”
• “Until you fire me or I quit, I have to take orders from you…Until he is a trained expert, I won’t give him access...If you order me to give him root access, then you have to permanently relieve me of my duties on that machine. I can’t be a garbage cleaner if someone screws up….I won’t compromise on that.”
Email 2: July
• “Whether or not you continue me here after next month (consulting, full-time, or part-time), you can always count on me for quick response to any questions, concerns, or production problems with the system. As always, you’ll always get the most cost-effective, and productive solution from me.”
Email 3: July
• “I would be honored to work until last week of August.”
• “As John may have told you, there are a lot of things which at times get ‘flaky’ with the system front-end and back-end. Two week extension won’t be enough time for me to look into everything for such a critical and complex system.”
• “Thanks for all your trust in me.”