In anticipation of the Australian Cyber, Fraud and Risk Summit, I wrote this blog as an introduction to the way we think about insider threat. While I wanted to cover a veritable blizzard of ideas, I decided to try to stick to a single point, one take-home message.
So here it is: if you only do one thing to improve your risk
management of fraud, ensure your managers have high integrity and are excellent
with people.
The problem with this take-home message is that it is not
very sexy. I’m not an advocating a new piece of technology, a two-day training
package or three-step way of “revolutionising culture from the board to the
floor”. But it is the best single thing to do and the most likely thing that
will work.
If you only make one adjustment, make sure your managers are
of high integrity and are people-managers...and if they are not, do something
about it pronto!
Fraud Prediction
I am drawn to trying to understand why people do things,
and, what allows you to influence their behaviour. Prediction and influence. The
science of psychology centres around these two ideas. What should we measure;
what can we change? This relates directly to insider threat and fraud.
Fraud risk is like an algorithm insofar as there are various
factors that need to be understood in combination. There are ‘organisational’ factors,
i.e., workplace culture, the behaviour of top management, policies and
procedures, the effectiveness of immediate managers and the opportunity to
commit fraud. There are ‘individual’ factors, including the personality, values,
attitude & situational pressure affecting the individual at risk of
perpetrating fraud.
Various analyses of fraudulent behaviour point out that
there is a combination of opportunity, organisational and personal factors
behind fraud. This interaction allows you to form a rough typology of insider
risk. If anything, the rise of the Internet has simply augmented issues of
opportunity and scale rather than the fundamental nature of the behaviour.
Three Types of Risk
I use a rough typology to understand risk. To my way of
thinking, there are four types of insider risk. The first – and one I won’t
cover here – is that of the bad barrel. This is the business where fraud
appears to part of the DNA of the place, almost a necessary component of one’s
conduct. Enron is one popular example of this type of organisation. The other
three types are the ‘benign’ insider, the ‘bad apple’ and the embittered
employee.
Now the benign insider is an individual who exposes an
organisation to risk without themselves attempting to profit from it. This is
the individual who brings the USB stick in from home not knowing it’s infected,
who clicks on the link, who uses ‘password’ as their password. This is
discussed more in our presentation and is less a focus when it comes to the
issue of fraud and creating exposure or opportunity for malignant others to
exploit.
The bad apple is someone intrinsically motivated to use
deceit for personal gain. These are individuals who, when presented with the
opportunity, need very little encouragement to pursue it. They fit with the
long research history regarding the criminal personality.
Then there is the embittered employee. This is the
individual who feels particularly poorly treated by an organisation and
probably a bad manager in particular. They reach a moral tipping point…and tip
over. Their sense of poor treatment acts as the catalyst for revenge.
With all three types of insider, the high integrity people
manager has the opportunity to prevent and detect behaviour associated with
risk.
A Few Good Managers
From a fraud mitigation perspective, managers are in a unique
position because they can see the organisational issues, the potential
opportunities and the individuals with access to such opportunities.
They have the following advantages:
They have the following advantages:
- A manager can work with HR around developing structured interviews and psychometrics around hiring. This can go some way to hiring staff less likely to be a risk, or, highlighting staff who come with particular talents but who also require a more watchful eye. It also establishes a baseline for behaviour. Psychometrics should tell you what to expect over time, and the alert manager can spot staff acting quite differently to that expectation;
- Managers can establish the working rules and culture of the team or teams under his/her influence. Culture is known as an effective predictor of the number of workplace behaviours including those considered counter-productive;
- A frequent problem behind insider threats is that of the embittered or opportunistic employee rationalising their behaviour. Effective person management can offset this risk by keeping a greater number of staff engaged and creating both rewarding and psychologically safe working environment;
- Managers can themselves set the example around safety and security related behaviour. In this way they can demonstrate that they “walk the walk”. Doing so acts as a pre-emptive deterrent: if you see the boss consistently watching that the rules are followed it decreases opportunity and increases likelihood of detection and punishment;
- Having high-integrity managers reduces the risk of the managers themselves acting fraudulently;
- High-integrity managers may be more likely to act on seeing other managers or superiors engaging in fraud.
In summary, managers are probably your best form of defence.
Good people managers are more able to detect problematic behaviour in
employees, model appropriate behaviour in the workplace, monitor workplace
controls/processes etc and establish rewarding relationships with staff. In
addition, many other means of fraud prevention, including improved policies and
procedures, the attitude of top management, workplace culture, appropriate
controls and checks are often moderated by managers.
The upcoming conference will see experts from around the
county and the world gather to talk through issues of fraud, risk and the
cyber-world. Problems will be dissected; solutions generated. The risk with
this - as with all such events - is that you come away with great ideas that struggle
through implementation.
This is one that can be done now.
Make one adjustment. Make sure your managers are high-integrity
people-managers.
Written by: Dr. Tim Doyle
Graduating with a Major in Psychology at the University of
Melbourne in 1997, and completing his post graduate Doctorate of Clinical Psychology
at Deakin University in 2005. Dr Tim Doyle has established himself within the ranks
of the psychology field. Initially establishing a name within the public health
service industry, Dr. Tim Doyle transitioned to a private practice.
Dr. Tim Doyle is currently the Principal Psychologist and founder
of Proof of Character in East Melbourne, Australia. Dr. Tim Doyle through Proof
of Character and the implementation of validated psychology assists businesses select,
develop and drive talent. As well as determine not only who is fit for a role
or fit for culture, but who is fit for business.
No comments :
Post a Comment