
Faculty of Social Sciences

Department of Political Science

Exploring Insider Threat Awareness and Mitigation:
More than the Devil in Disguise

Dissertation submitted for the degree of Doctor of Social Sciences
at the University of Antwerp, to be defended by
Mathias Reveraert

Supervisor: Tom Sauer

Antwerp, February 2023


Members of the doctoral committee
Prof. dr. Tom Sauer (University of Antwerp, Supervisor)
Prof. dr. Genserik Reniers (University of Antwerp, President of the
committee)
Em. prof. dr. Rona Beattie (Glasgow Caledonian University)

Members of the jury


Prof. dr. Wouter Van Dooren (University of Antwerp)
Prof. dr. Matthew Bunn (Harvard Kennedy School)

Disclaimer

The author permits consultation and copying of parts of this work for personal use. Further reproduction or
transmission in any form or by any means, without the prior permission of the author, is strictly forbidden.

Table of contents
Table of contents
Summary (Samenvatting)
Summary
Acknowledgements
Figures and tables
Figures
Tables
PART I: INTRODUCTION
Chapter 1 Setting the stage
PART II: THE INSIDER THREAT PROBLEM
Chapter 2 Conceptualizing the insider threat problem
Chapter 3 Understanding insider trust(worthiness) and betrayal
Chapter 4 Categorizing the insider threat problem
PART III: INSIDER THREAT AWARENESS
Chapter 5 Four-part typology of security awareness
Chapter 6 Insider threat awareness in a Belgian context
PART IV: INSIDER THREAT MITIGATION
Chapter 7 A conceptual model for insider threat mitigation
Chapter 8 A Delphi study on insider threat mitigation
Chapter 9 Table-top exercise(s) on insider threat mitigation
PART V: CONCLUSION
Chapter 10 Conclusions
Annex
A. The online questionnaire
B. Item-selection for the TTX
C. Author contributions
References

Summary (Samenvatting)
Employees who steal, commit fraud, sabotage or spy: it is every
organisation's nightmare. Although every public and private organisation,
large or small, is susceptible to the problem of so-called internal threats
or 'insider threats', the problem is still too often underexposed because
organisations assume that employees can be trusted. After all, employees must
be trusted with access to the organisation's valuable assets, because
otherwise they are unable to do their job. Because of this free pass inside
the proverbial security perimeter, so-called 'insiders' are largely exempt
from the security obstacles that external adversaries do have to overcome.
Although insiders thus have a relatively easier time striking, they are often
overlooked as a potential threat.
Belgium has several high-profile examples of insider threat that made the
world press. The sabotage of Doel 4 in 2014, in which the nuclear power plant
was deliberately sabotaged by an employee and tens of millions of euros were
needed to repair the damage, remains the example that most captures the
imagination, all the more so because after all this time the perpetrator has
still not been caught and the investigation into the incident has since been
discontinued. Relatively more recent examples are the manhunt for Jürgen
Conings, the soldier with far-right sympathies who abused his access to a
weapons depot to steal heavy weapons while making threats against several
public figures in Belgium, and the revelations in the context of Operation Sky,
which made clear that various actors (police employees, port employees, …)
deliberately abuse their position to facilitate the drug trade.

To create more awareness of the problem on the one hand, and to find concrete
policy recommendations so that organisations can better protect themselves
against internal threats on the other, the University of Antwerp, with the
support of Brussels Airport Company, Bel-V, Elia, Engie-Electrabel, the
Federal Agency for Nuclear Control and G4S, conducted research into the insider
threat problem.
A first goal was to gain a better view of the concept of 'insider threat'. In
the absence of a standard definition, interpretations of the insider threat
problem are legion, which makes a clear explanation of the author's own
interpretation and the corresponding delineation of the scope of the doctoral
research necessary. The results of this part of the research therefore set out
the conceptualization used in this research.
A second goal was to map the degree of awareness of the insider threat
problem in Belgium by means of an online questionnaire. This looked not only
at the knowledge of Belgian organisations regarding the problem (what do they
know about insider threat?), but also at their attitude toward the problem (do
they consider insider threat a problem?). The results of this part of the
research gave us a view of the gaps in the knowledge and attitude of Belgian
organisations concerning the characteristics of insider threat and the
possibilities for mitigating the problem.
A final goal was to find practical policy recommendations on the mitigation
of insider threats. To this end, both a Delphi study and a tabletop study were
held; in the former a group of experts was surveyed iteratively by means of
online questionnaires, and in the latter practitioners played tabletop
exercises. The results of both studies provide useful insights into 'red flags'
that organisations should watch for in order to detect insider threat, as well
as into mitigating measures that organisations can use to better secure
themselves against threats from within.

Summary
Employees who steal, commit fraud, sabotage or leak confidential
information: it is every employer’s nightmare. Even though every public or
private organisation – big or small – is vulnerable to so-called ‘insider threats’,
this problem is too often overlooked because organisations assume that their
employees can be trusted. Indeed, employees need to be trusted with access to
organizational assets because they need that access in order to do their job.
Still, this access implies that insiders are largely exempt from the security
obstacles that external enemies have to overcome. Although insiders can threaten
organizational assets relatively more easily, they are often overlooked as a
potential threat.
Belgium has already encountered multiple insider threat incidents. The most
striking example is the nuclear reactor Doel 4, which was deliberately sabotaged by
an insider at a financial cost that amounted to tens of millions of euros. More
recent examples in Belgium are Jürgen Conings, a Belgian soldier with links to
right-wing extremism who in May 2021 misused his access to the army barracks to
steal heavy weaponry while expressing intentions to kill prominent figures in
Belgium, and Operation Sky, which revealed that Belgian stakeholders (policemen,
port employees, …) deliberately misused their position to facilitate drug trafficking.
To raise awareness of the insider threat problem on the one hand, and to
provide organizations with mitigation measures to better secure themselves
against insider threats on the other, the University of Antwerp conducted
research on the insider threat problem with the support of Brussels Airport
Company, Bel-V, Elia, Engie-Electrabel, the Federal Agency for Nuclear Control
and G4S.

The first goal was to get a better understanding of the concept ‘insider
threat’. Because there is no standardized definition, the concept is interpreted
in multiple ways, which makes it necessary to explain clearly the interpretation
adopted here and the corresponding scope of the doctoral research. The results
of this part of the research therefore explain the conceptualization of the
insider threat problem that is used in this dissertation.
The second goal was to assess to what extent Belgian organizations are
aware of the insider threat problem, which was done by means of an online
questionnaire. The focus was not solely on the knowledge of these organizations
with respect to the problem (what do they know about insider threat?), but also
on their attitude toward the problem (do they perceive it as a problem?). The
results of this part of the research provide us with insights into the awareness
gaps concerning the characteristics of the insider threat as well as the ways to
mitigate it.
The third and last goal was to give policy recommendations on insider
threat mitigation. In this regard both a Delphi study and a tabletop study were
developed, whereby the former iteratively compared the opinions of a group of
experts by way of online questionnaires and the latter asked practitioners to play
tabletop exercises. The results of both studies give useful insights into what can
be considered ‘red flags’ of insider threats that organizations should be vigilant
for, as well as into mitigation measures that organizations can use to better
secure themselves against insider threats.

Acknowledgements
This dissertation and the research behind it would not have been possible
without the support of the sponsors of the research project, namely Bel-V,
Brussels Airport Company, Elia, Engie-Electrabel, the Federal Agency for
Nuclear Control (FANC) and G4S. I sincerely hope this work meets their
expectations and that they will continue their engagement to research the insider
threat problem.
The same goes for my supervisor, Prof. Tom Sauer, who believed in me
from the start of the project and supported me throughout this journey. Tom gave
me the freedom and autonomy required to perform at my best, without leaving
me to my own devices, which made Tom the supervisor that I needed to reach a
successful conclusion of this project.
I am also grateful for the insightful comments offered by the members of
the doctoral committee, Professor Genserik Reniers and Professor Emeritus Rona
Beattie, which allowed me to improve the manuscript. Similarly, I would like to
say thank you to the members of my doctoral jury, Prof. Wouter Van Dooren and
Prof. Matthew Bunn, who were willing to read and review this manuscript. My
colleagues from the University of Antwerp deserve credit as well; they have all
contributed to the successful conclusion of this dissertation, either directly or
indirectly.
A special thank you goes out to the expert panel that showed remarkable
engagement by completing our time-consuming questionnaires, to all
respondents that completed the questionnaire and the participants of the tabletop
exercises. Without their willingness to share their insights, this dissertation could
not have been written. The same goes for all the people and organizations that
assisted me with my research by any means whatsoever, like for instance the
FEB, ECSA, NSA and many others. To all of you who were willing to exchange
views, provide feedback or act as test audience for my empirical studies, thank
you.
Last but definitely not least, I would like to thank my family and friends,
in particular my wife and kids, my sister and brother-in-law, my parents and my
parents-in-law, for giving me their unconditional support throughout this PhD
journey.

Figures and tables

Figures

Figure 1.1: Research questions of this dissertation
Figure 1.2: Dissertation outline
Figure 2.1: Typology insider threat from Information Security Forum (2015:2)
Figure 2.2: Summary of the insider threat conceptualization
Figure 2.3: Four categories of misconduct
Figure 3.1: Conceptualization of insider trustworthiness and betrayal
Figure 3.2: Three sources of insider trustworthiness perception according to their degree of intrinsic motivation
Figure 3.3: Situational action theory to explain crime (Wikström, 2014: 79)
Figure 3.4: The NIPS-model (left: Blum et al., 2018: 289 - right: Schmitt et al., 2013: 4)
Figure 3.5: The situational disposition model of espionage (Eoyang, 1994: 81)
Figure 3.6: The NIPS model and insider (un)trustworthiness (adapted from Schmitt et al., 2013: 4)
Figure 3.7: Influence of disposition – example neuroticism & agreeableness
Figure 3.8: Influence of situational circumstances - Example sanction certainty
Figure 3.9: Determining the insider’s probability of intentional misconduct in a given situation
Figure 3.10: Assessment of insider (un)trustworthiness (adapted from Wikström, 2014: 79)
Figure 4.1: Typology of insider threat characteristics
Figure 4.2: Categorization of insider threat according to the insider’s objective
Figure 4.3: Categorization of insider threat according to the subject of the insider threat
Figure 4.4: Categorization of insider threat according to the insider’s motivation
Figure 4.5: Categorization of insider threat according to the time the insider becomes untrustworthy
Figure 4.6: Categorization of insider threat according to the insider’s modus operandi
Figure 4.7: Categorization of insider threat according to the severity of the insider threat
Figure 4.8: Categorization of insider threat according to the number of insiders that are involved
Figure 4.9: Categorization of insider threat according to the number of insiders that are involved
Figure 5.1: Four-part security awareness typology
Figure 5.2: Developing tailor-made awareness programs
Figure 6.1: Cognitive threat awareness – statement 2
Figure 6.2: Cognitive threat awareness – statement 3
Figure 6.3: Cognitive threat awareness – statement 4
Figure 6.4: Cognitive threat awareness – statement 5
Figure 6.5: Cognitive threat awareness – statement 6
Figure 6.6: Cognitive threat awareness – statement 7
Figure 6.7: Cognitive threat awareness – statement 1
Figure 6.8: Attitudinal threat awareness – statement 2
Figure 6.9: Attitudinal threat awareness – statement 1
Figure 6.10: Attitudinal threat awareness – statement 3
Figure 6.11: Attitudinal threat awareness – statement 5
Figure 6.12: Attitudinal threat awareness – statement 4
Figure 6.13: Attitudinal threat awareness – statement 6
Figure 6.14: Cognitive mitigation awareness – statement 4
Figure 6.15: Cognitive mitigation awareness – statement 2
Figure 6.16: Cognitive mitigation awareness – statement 5
Figure 6.17: Cognitive mitigation awareness – statement 8
Figure 6.18: Cognitive mitigation awareness – statement 6
Figure 6.19: Cognitive mitigation awareness – statement 7
Figure 6.20: Cognitive mitigation awareness – statement 1
Figure 6.21: Cognitive mitigation awareness – statement 3
Figure 6.22: Attitudinal mitigation awareness – statement 2
Figure 6.23: Attitudinal mitigation awareness – statement 1
Figure 6.24: Attitudinal mitigation awareness – statement 3
Figure 6.25: Attitudinal mitigation awareness – statement 4
Figure 6.26: Attitudinal mitigation awareness – statement 6
Figure 6.27: Attitudinal mitigation awareness – statement 5
Figure 6.28: Attitudinal mitigation awareness – statement 7
Figure 6.29: Behavior – statement 14
Figure 6.30: Behavior – statement 11
Figure 6.31: Behavior – statement 8
Figure 6.32: Behavior – statement 12
Figure 6.33: Behavior – statement 13
Figure 6.34: Behavior – statement 1
Figure 6.35: Behavior – statement 4
Figure 6.36: Behavior – statement 5
Figure 6.37: Behavior – statement 10
Figure 6.38: Behavior – statement 9
Figure 6.39: Behavior – statement 7
Figure 6.40: Behavior – statement 2
Figure 6.41: Behavior – statement 3
Figure 6.42: Behavior – statement 6
Figure 6.43: Which of the insider threats outlined below worry your organization the most (multiple answers possible)?
Figure 6.44: What are the main factors behind insider threats (multiple answers possible)?
Figure 6.45: The knowledge our organization has on insider threats originates from (multiple answers possible)?
Figure 6.46: Within your organization, who is responsible for the protection against insider threats (multiple answers possible)?
Figure 6.47: What should be the main focus of insider threat policy? (N=314)
Figure 6.48: Does your organization spend more attention to the insider threat problem now than before? (N=314)
Figure 6.49: Has your organization already experienced an insider threat incident? (N=314)
Figure 6.50: How large was the material damage resulting from the insider threat incident? (N=82)
Figure 7.1: Conceptual insider threat mitigation model
Figure 8.1: Questionnaire design round two - example Likert-scale questions
Figure 8.2: Questionnaire design round two - example star-rating questions
Figure 8.3: Questionnaire design round three
Figure 9.1: All-inclusive TTX design
Figure 9.2: Game cards format

Tables

Table 2.1: Misconduct vs. misbehavior......................................................................... 34


Table 2.2: Insider threat vs. insider hazard.................................................................... 39
Table 2.3: Security threats, safety threats and safety hazards ....................................... 41
Table 2.4: Expressive insider threats vs. instrumental insider threats ........................... 43
Table 2.5: Policy implications of the insider threat conceptualization.......................... 56
Table 3.1: Categorization of insider trustworthiness and betrayal ................................ 78
Table 3.2: Vice, mutable and virtue insiders ................................................................. 98
Table 3.3: Probability of intentional misconduct (derived from figure 3.9) ............... 127
Table 4.1. An overview of eight insider threat domains. ............................................ 178
Table 5.1: Four types of security awareness ............................................................... 197
Table 6.1: Profile of the respondents........................................................................... 231
Table 6.2: Division of respondents according to organization size ............................. 232
Table 6.3: Statements with respect to cognitive threat awareness (N=315) ................ 236
Table 6.4: Positive vs. negative attitude toward the insider threat problem ................ 242
Table 6.5: Statements with respect to attitudinal threat awareness (N = 315) ............ 243
Table 6.6: Statements with respect to cognitive mitigation awareness (N=315) ........ 250
Table 6.7: Positive vs. negative attitude toward insider threat mitigation................... 259

xiii
Table 6.8: Statements with respect to attitudinal mitigation awareness (N=315) ....... 261
Table 6.9: Statements with respect to behavior (statement 1-8 N= 315; statement 9-14
N=314)......................................................................................................................... 268
Table 6.10: Which of the insider threats outlined below worry your organization the
most (multiple answers possible)? (N=315) ............................................................... 280
Table 6.11: What are the main factors behind insider threats (multiple answers
possible)? (N=315) ...................................................................................................... 283
Table 6.12: The knowledge our organization has on insider threats originates from
(multiple answers possible)? (N=315) ......................................................................... 285
Table 6.13: Within your organization, who is responsible for the protection against
insider threats (multiple answers possible)? (N=315) ................................................. 287
Table 7.1: Criticality of the situation - classification on the basis of the insiders
trustworthiness level .................................................................................................... 303
Table 7.2: Insider threat mitigation strategies ............................................................. 303
Table 7.3: Judgement of the potential threat situation (adapted from Martinez-Moyano
et. al., 2008: 7:5) .......................................................................................................... 304
Table 7.4: Synthesis of the conceptual insider threat mitigation model ...................... 321
Table 8.1: Members of the panel of experts ................................................................ 336
Table 8.2: Profile of the panel of experts .................................................................... 338
Table 8.3: The Delphi process ..................................................................................... 341
Table 8.4: Questions round one ................................................................................... 345
Table 8.5: Criteria to categorize the issues .................................................................. 356
Table 8.6: Categorization of issues per question ......................................................... 362
Table 8.7: High-rated red flags during recruitment ..................................................... 365
Table 8.8: Medium-rated red flags during recruitment ............................................... 367
Table 8.9: Low-rated red flags during recruitment ...................................................... 368
Table 8.10: High-rated practices to detect red flags during recruitment ..................... 371
Table 8.11: Medium-rated practices to detect red flags during recruitment ................ 374
Table 8.12: Low-rated practices to detect red flags during recruitment ...................... 374
Table 8.13: High-rated difficulties to detect red flags during recruitment .................. 377
Table 8.14: Medium-rated difficulties to detect red flags during recruitment............. 378
Table 8.15: Low-rated difficulties to detect red flags during recruitment ................... 379

xiv
Table 8.16: High-rated practices to socialize insiders to the organizational culture ... 382
Table 8.17: Medium-rated practices to socialize insiders to the organizational culture
..................................................................................................................................... 384
Table 8.18: Low-rated practices to socialize insiders to the organizational culture .... 385
Table 8.19: High-rated red flags during employment ................................................. 387
Table 8.20: Medium-rated red flags during employment
Table 8.21: Low-rated red flags during employment
Table 8.22: High-rated practices to observe red flags during employment
Table 8.23: Medium-rated practices to detect red flags during employment
Table 8.24: Low-rated practices to detect red flags during employment
Table 8.25: High-rated difficulties to detect red flags during employment
Table 8.26: Medium-rated difficulties to detect red flags during employment
Table 8.27: Low-rated difficulties to detect red flags during employment
Table 8.28: High-rated practices to investigate the validity of red flags observed during employment
Table 8.29: Medium-rated practices to investigate the validity of red flags observed during employment
Table 8.30: Low-rated practices to investigate the validity of red flags observed during employment
Table 8.31: High-rated practices to anticipate red flags observed and investigated during employment
Table 8.32: Medium-rated practices to anticipate red flags observed and investigated during employment
Table 8.33: Low-rated practices to anticipate red flags observed and investigated during employment
Table 8.34: High-rated practices to limit the damage from an insider threat incident
Table 8.35: Medium-rated practices to limit the damage from an insider threat incident
Table 8.36: Low-rated practices to limit the damage from an insider threat incident
Table 8.37: High-rated practices to deal with an offender of an insider threat incident
Table 8.38: Medium-rated practices to deal with an offender of an insider threat incident
Table 8.39: Low-rated practices to deal with an offender of an insider threat incident
Table 8.40: High-rated practices to terminate the contract of insiders
Table 8.41: Medium-rated practices to terminate the contract of insiders
Table 8.42: Low-rated practices to terminate the contract of insiders
Table 8.43: High-rated practices to deal with false positives
Table 8.44: Medium-rated practices to deal with false positives
Table 8.45: Low-rated practices to deal with false positives
Table 8.46: Recommendation on the formation of a formal insider threat mitigation team
Table 8.47: Evaluation of the Delphi technique as a means to research the insider threat problem
Table 8.48: Prediction of the significance of the results of the current Delphi study
Table 9.1: Pragmatic TTX designs
Table 9.2: Number of participants pragmatic TTXs
Table 9.3: Item-selection for the TTX
Table 9.4: Categorization rules
Table 9.5: Paper format
Table 9.6: Expected outcome TTX
Table 9.7: Results recruitment good practices – High-rated practices Delphi study
Table 9.8: Results recruitment good practices – Medium-rated practices Delphi study
Table 9.9: Results recruitment good practices – Low-rated practices Delphi study
Table 9.10: Results recruitment good practices – Newly suggested practices
Table 9.11: Results recruitment red flags – High-rated red flags Delphi study
Table 9.12: Results recruitment red flags – Medium-rated red flags Delphi study
Table 9.13: Results recruitment red flags – Low-rated red flags Delphi study
Table 9.14: Results recruitment red flags – Newly suggested red flags
Table 9.15: Results organizational socialization good practices – High-rated practices Delphi study
Table 9.16: Results organizational socialization good practices – Medium-rated practices Delphi study
Table 9.17: Results organizational socialization good practices – Low-rated practices Delphi study
Table 9.18: Results observation good practices – High-rated practices Delphi study
Table 9.19: Results observation good practices – Medium-rated practices Delphi study
Table 9.20: Results observation good practices – Low-rated practices Delphi study
Table 9.21: Results observation red flags – High-rated red flags Delphi study
Table 9.22: Results observation red flags – Medium-rated red flags Delphi study
Table 9.23: Results observation red flags – Low-rated red flags Delphi study
Table 9.24: Results observation red flags – Newly suggested red flags during the TTX
Table 9.25: Results investigation good practices – High-rated practices Delphi study
Table 9.26: Results investigation good practices – Medium-rated practices Delphi study
Table 9.27: Results investigation good practices – Low-rated practices Delphi study
Table A.1: Statements cognitive threat awareness
Table A.2: Statements attitudinal threat awareness
Table A.3: Statements cognitive mitigation awareness
Table A.4: Statements attitudinal mitigation awareness
Table A.5: Statements behavior
Table B.1: Item-selection for TTX - Recruitment good practices
Table B.2: Item-selection for TTX - Recruitment red flags
Table B.3: Item-selection for TTX - Organizational socialization good practices
Table B.4: Item-selection for TTX - Observation good practices
Table B.5: Item-selection for TTX - Observation red flags
Table B.6: Item-selection for TTX - Investigation good practices
Table C.1: Author contributions

PART I: INTRODUCTION

Chapter 1

Setting the stage

Employees that steal, commit fraud, sabotage or leak confidential
information: it is every employer’s nightmare. Funded by Bel-V, Brussels
Airport Company, Elia, Engie-Electrabel, the Federal Agency of Nuclear Control
(FANC) and G4S, the University of Antwerp initiated a doctoral research project
on so-called ‘insider threats’. Threats posed by insiders are one of the most
challenging threats organizations face today, especially in critical infrastructure
where the damage resulting from insider threat incidents can have far-reaching
consequences. Although the insider threat problem is not at all a new
phenomenon, in the past both academics (Fischbascher-Smith, 2015) and
practitioners (Colwill, 2009) often prioritized the protection against external
threats over the mitigation of insider threats. Attention to the problem is relatively
recent, especially due to high-level incidents in the United States (US) (Gelles,
2016). Think for instance of the terrorist shooting at Fort Hood where US Army
psychiatrist Nidal Malik Hasan shot 13 colleagues and injured several others in
2009 (Zegart, 2016), or the whistleblowing practices of private Chelsea Manning
and Edward Snowden, who respectively leaked confidential information
regarding US military operations in Iraq in 2010 and US surveillance practices in
2012-2013 (Bunn & Sagan, 2016).
There is, however, to the best of my knowledge still no standard
consensus definition of the insider threat concept, with different interpretations
given to the concept (BaMaung, McIlhatton, MacDonald & Beattie, 2018; Gelles,
2016; Krull, 2016; Ophoff, Jensen, Sanderson-Smith, Porter & Johnston, 2014).
Existing insider threat conceptualizations mainly originate from two different
perspectives, namely a harm-oriented perspective that concentrates on the harm
that results from the misuse of the insider privilege, and more specifically on
whether or not the insider has the intention to harm the organization (Bunn &
Sagan, 2016; Nurse et al., 2014) and a privilege-oriented perspective that concentrates on
the misuse of the insider privilege itself, and more specifically on whether or not
the insider has the intention to misuse the insider privilege (Neumann, 2010;
Rehak, Hromada & Lovecek, 2020). A combination of both perspectives has also
been used to conceptualize the insider threat problem (Information Security
Forum, 2015; Krull, 2016; Maasberg, Warren & Beebe, 2015; Willison &
Warkentin, 2013). The different ways of interpreting the insider threat problem
mean that the problem is not conceptualized in a consistent way, which
decreases the comparability of insider threat research and increases the risk of
misconceptions between different stakeholders (Pfleeger, 2008). As a result, “we
need standard definitions of insiders and insider behavior so studies and
discussions can compare” (ibid: 8) whereby “definitions need to be used not just
in the computer security research community but also by commercial security
professionals (such as chief security officers and other management) and the
press” (ibid: 8). This dissertation takes on this challenge by finding common
ground between the different interpretations of the insider and insider threat
concepts to suggest a standard conceptualization that can serve as a common
language in the insider threat (research) community.
While in the US the interest in the insider threat problem has relatively
increased in recent years, with for instance US Executive Order 13587 of
October 7, 2011 that established the US National Insider Threat Task Force
(NITTF) whose mission is “to develop a Government-wide insider threat
program for deterring, detecting, and mitigating insider threats” (US NITTF,
accessed on 25/11/2021), the insider threat problem receives far less attention in
Belgium (and in all likelihood also in Europe). This is not to say that the insider
threat problem is not applicable to Belgium. In fact, Belgium has already encountered
multiple insider threat incidents, some of them high-level. In August 2014
the nuclear reactor Doel 4 was deliberately sabotaged by an individual who
intentionally opened a valve in the steam turbine, thereby causing a deficiency of
lubricating oil that severely damaged the reactor (FANC, accessed on
25/11/2021). Although the culprit was never found (Bové, 2021b), there is no
doubt an insider was responsible for the incident, or at least deliberately provided
assistance to an external adversary (Federal Police, accessed on 29/11/21). A
more recent insider threat incident in Belgium is Jürgen Conings, a Belgian
soldier with links to right-wing extremism who in May 2021 misused his access to the
army barracks to steal heavy weaponry while expressing intentions to kill
prominent figures in Belgium (e.g. virologist Marc Van Ranst) (Torfs, 2021; Vast
Comité I van Toezicht op de Inlichtingen- en Veiligheidsdiensten, 2021).
Luckily, the damage resulting from these insider threat incidents was limited to
financial and reputational costs. The financial cost of the sabotage of Doel 4
amounted to tens of millions of euros because the reactor was shut down for a
few months, implying considerable loss of revenues; hundreds of millions of
euros were needed to repair the damage (Dewey, Hobbs, Foster, Salisbury &
Tzinieris, 2020; Hegghammer & Hoelstad Daehli, 2016). Concerning the
Conings case, the costs of the massive manhunt that was put in place to find the
fugitive soldier amounted to 650.000 euros (Knack, 16/06/21). Both incidents
thus gave rise to significant financial costs to society. Still, there is no need to
explain that the damage resulting from those insider threat incidents could have
been much worse, with for instance large-scale exposure to nuclear
contamination similar to the Chernobyl tragedy, or a terrorist attack with multiple
human casualties. As a result, this dissertation wants to make a baseline
assessment of the current level of awareness on the insider threat problem in
Belgium. Through the baseline measurement, awareness gaps can be addressed
by establishing tailor-made awareness programs that align the actual awareness
level of Belgian stakeholders with the awareness level that is needed to better
secure themselves against insider threats.
Still, awareness of the insider threat problem is not enough to tackle it.
Since the principal aim of organizations is of course to mitigate insider threats to
their organization, the most valuable contribution the insider threat research
community, and therefore also this dissertation, can have is finding policy
recommendations to better protect organizations against insider threats. Still, as
argued before, attention for the problem has only relatively recently increased
both in academia and in a practitioner context, and this predominantly in the US.
Consequently, knowledge about the ways to mitigate insider threats remains
relatively understudied, especially on a Belgian and European academic level.
On top of that, not all aspects of the insider threat problem are examined to the
same extent, given that insider threat research is mostly concentrated on the cyber
& physical aspect of insider threat and less on the human aspect (Beattie &
BaMaung, 2015). Given that most organizations do not have much experience
with insider threat mitigation, at least in comparison with external threat
mitigation, an intuitively straightforward but holistic overview is needed of the
different moments organizations can take decisions that might influence the risk
that an insider threat incident occurs. Although valuable insider threat mitigation
models exist in insider threat literature (e.g. the Critical Pathway by Shaw and
Sellers (2015) or the insider threat maturity model developed by the US NITTF
(2018)), I believe such an intuitively easy-to-understand model that looks at
insider threat from the perspective of organizations and that provides them with
a straightforward roadmap of the different steps of insider threat mitigation policy
is currently absent. As a result, this dissertation wants to fill this gap by
developing a step-by-step guide that helps organizations to start thinking about
insider threat mitigation in their organization, thereby not only providing
organizations with a holistic understanding of the different aspects of insider
threat mitigation they should take into account when developing insider threat
mitigation policy but also providing them with a catalogue of policy
recommendations at each step of the step-by-step model.
It follows from the above that the goal of this dissertation is two-fold,
namely the identification of insider threat awareness (gaps) among Belgian
stakeholders and the provision of an insider threat mitigation framework that
helps organizations to better secure themselves against insider threats. Still, to
reach these goals, one additional goal has to be met, namely the development of
a suitable conceptualization of the insider threat problem that will form the main
building block of the dissertation. Translating these research goals into research
questions leads to two main research questions, one on insider threat awareness
(main RQ1) and one on insider threat mitigation (main RQ2) that can only be
answered by answering a level-setting question on insider threat
conceptualization first, as illustrated in figure 1.1.

Main RQ1: Insider threat awareness
• What is the current level of awareness, and the related awareness gaps, on the insider threat problem in Belgium?

Main RQ2: Insider threat mitigation
• How can an effective framework be developed that helps organizations to mitigate insider threats?

Level-setting research question: Insider threat conceptualization
• How should the insider threat problem be conceptualized?

Figure 1.1: Research questions of this dissertation

Part I: Introduction
• Chapter 1

Part II: Problem
• Chapter 2
• Chapter 3
• Chapter 4

Part III: Awareness
• Chapter 5
• Chapter 6

Part IV: Mitigation
• Chapter 7
• Chapter 8
• Chapter 9

Part V: Conclusions
• Chapter 10

Figure 1.2: Dissertation outline

The outline of the dissertation is shown in figure 1.2. Figure 1.2 shows
that the dissertation is divided into five large parts corresponding with 10
chapters. Part I is an introductory part that sets the stage of the dissertation. More
concretely, chapter one (i.e. this chapter) discusses the relevance of the
dissertation, its main objectives and the outline of the dissertation.
Part II addresses the level-setting research question and consists of three
chapters. Chapter two starts with a discussion of the shortcomings of the existing
insider threat conceptualizations, elaborating on the conceptualizations
originating from the harm-oriented perspective, the privilege-oriented
perspective and the ones based on a combination of both perspectives.
Consequently, a new conceptualization is proposed, defining both the insider and
the insider threat. The novel conceptualization distinguishes misconduct, or
misuse of access to or knowledge about the organizational assets, from
misbehavior, or inappropriate behavior not related to the insider privilege, and
sub-divides misconduct into insider hazards that relate to the insider’s
competence and insider threats that relate to the insider’s trustworthiness. In turn,
four categories of insider misconduct are distinguished, namely expressive
security insider threats, instrumental security insider threats, instrumental safety
insider threats and safety insider hazards.
Chapter three takes a closer look at two key concepts related to insider
threat, namely insider trustworthiness and betrayal, which are studied both from
an organizational and a societal perspective. It will be illustrated that trusting
insiders benefits organizations if the insider is trustworthy, but that the possibility
of insider untrustworthiness (i.e. insider threat) makes organizations also
vulnerable to betrayal of organizational trust, which does in its turn not always
entail betrayal of trust from a societal point of view. Apart from conceptualizing
insider trustworthiness and betrayal from an organizational and a societal

7
perspective, different sources are explored through which organization presume
that its insiders will conduct in a trustworthy way, simultaneously explaining why
assessing insider trustworthiness is preferable to presuming it. The chapter
finishes with a first step towards a model to assess the probability that insiders
will cause an insider threat incident by elaborating on a non-exhaustive list of
antecedents of on the one hand the insider’s disposition to conduct in an
untrustworthy way and on the other hand the situational circumstances that have
a facilitating or inhibiting effect on insider betrayal.
Chapter four concludes the second part of the dissertation by digging
deeper into the characteristics of the insider threat problem. The chapter
examines the vulnerability of critical infrastructure to insider threats by providing
an innovative typology of insider threat characteristics. The typology is
developed based on an interplay between insider threat literature and publicly
available examples of insider threat incidents found in (inter)national media. In
order to establish the eight-part insider threat typology, a spin-off version of the
who, what, where, when, why, and how (5W1H) methodology is used, answering
the following elementary questions: (1) What does the insider want to achieve
with the insider threat incident?; (2) Who suffers or benefits from the insider
threat incident?; (3) Why does the insider want to cause an insider threat
incident?; (4) When does the insider become untrustworthy?; (5) How does the
insider cause an insider threat incident?; (6) How serious is the impact of the
insider threat incident?; (7) How many insiders are involved with the insider
threat incident?; (8) How much is the insider involved in the insider threat
incident?
Part III of the dissertation elaborates on the first main research question
on insider threat awareness in Belgium and consists of two chapters, one
theoretical chapter and one empirical chapter. Chapter five, the theoretical
chapter, provides a four-part typology of security awareness that will form the
basis of the empirical chapter. It will be argued in this chapter that existing
awareness typologies that distinguish problem awareness from solution
awareness and that separate descriptive awareness from prescriptive awareness
are on their own insufficient and need to be merged to have a complete picture of
security awareness. Renaming and bridging both distinctions leads to four
security awareness types: (1) Cognitive awareness of the threat; (2) Attitudinal
awareness of the threat; (3) Cognitive awareness of the mitigation; and (4)
Attitudinal awareness of the mitigation. Each type will be explained in greater
detail and illustrated by referring to the 2020 worldwide outbreak of COVID-19,
while simultaneously demonstrating that the typology is applicable to study both
organizational awareness and individual awareness.
Chapter six, the empirical chapter, elaborates on the research design and
results of the insider threat awareness and behavior questionnaire that, with the
help of the National Security Authority (NSA), was distributed in July 2021
among 1,500 Belgian security officers and that was eventually completed by 315
respondents (21%). Drawing upon the four-part typology developed in chapter
five, the results offer insights into insider threat awareness of Belgian
organizations, and more specifically (1) what the organizations know about
insider threats (i.e. cognitive threat awareness), (2) whether they consider
themselves to be vulnerable to insider threats (i.e. attitudinal threat awareness),
(3) what they know about measures that mitigate insider threats (i.e. cognitive
mitigation awareness) and (4) their attitude towards insider threat mitigation (i.e.
attitudinal mitigation awareness). On top of that, the respondents were also
questioned on (5) what their organization currently does to mitigate insider
threats in their respective organizations (i.e. behavior), (6) the organizations’
perception of the insider threat landscape, (7) their knowledge sources of the
insider threat problem, (8) their prioritization of the ideal insider threat policy
and (9) their experiences with insider threat incidents.
Part IV of the dissertation discusses the second main research question on
insider threat mitigation and consists of three chapters, one theoretical and two
empirical ones. In chapter seven, on the basis of a literature study a conceptual
insider threat mitigation model is proposed that consists of nine stages, namely
(I) recruitment, (II) organizational socialization, (III) observation, (IV)
investigation, (V) anticipation, (VI) damage limitation, (VII) reconstruction,
(VIII) deliberation and (IX) termination. At each stage of the framework,
reference will be made to the insider’s trustworthiness level (ranging from
satisfactory to beyond repair), as well as to the strategy that the organization
should apply (prevention, detection, pre-emption or remedy). Moreover, for each
stage of the framework not only the appropriate way to manage the insider threat
situation is discussed, but also the possibilities and potential consequences of
mismanagement (i.e. false positives, false negatives and null) are elaborated on.
Chapter eight, the first empirical chapter on insider threat mitigation,
digs deeper into the conceptual model outlined in chapter seven, taking the first
step towards transforming the theoretical insider threat mitigation framework into
a framework with more practical usability. The chapter thoroughly discusses the
research design and the results of a three-round Delphi study on insider threat
mitigation whereby the opinions of insider threat experts are iteratively
compared. In more concrete terms, the chapter talks about potential ‘red flags’ of
insider threat incidents (i.e. factors that may point to insider threat), good
practices on insider threat mitigation throughout the employee life cycle (before,
during and after employment), actors responsible for insider threat mitigation and
difficulties related to insider threat mitigation. Furthermore, the panel of experts
is questioned on the possibility of mismanagement, on the desirability of establishing
a formal insider threat mitigation team and on the evaluation of the Delphi
technique as such and more particularly the Delphi study outlined in the chapter.
Chapter nine, the second empirical chapter on insider threat mitigation,
concerns a follow-up study on the Delphi study in the form of tabletop exercises
(TTX). The chapter not only outlines the exercises that I was able to play, but
also expands on the design of a TTX that I wanted to play but was not able to put
in practice due to budgetary and time constraints. Similar to the Delphi study,
chapter nine builds upon the conceptual insider threat mitigation model outlined
in chapter seven, whereby the evaluation of insider threat mitigation measures
and possible red flags of insider threat incidents by the panel of experts during
the Delphi study is re-examined by practitioners during the TTX.
Part V of the dissertation, to conclude, consists of one chapter, namely
chapter ten, that discusses the conclusions that can be drawn from the doctoral
research project.

PART II: THE INSIDER THREAT PROBLEM

Chapter 2

Conceptualizing the insider threat problem

2.1. Introduction
“If one cannot define a problem precisely, how can one approach a
solution, let alone know when the problem is solved?” (Probst, Hunker,
Gollmann & Bishop, 2010: 1). In other words, the meaning and scope of the
insider threat problem should be clear in order to be able to construct effective
policy to mitigate insider threats (Dinev & Hu, 2007). This theoretical chapter¹
therefore defines and categorizes the insider threat. Because no suitable
conceptualization was found in existing literature on insider threats, this chapter
proposes a new conceptualization of the insider threat problem. Existing insider
threat conceptualizations originate from two different perspectives, namely a
harm-oriented perspective and a privilege-oriented perspective. The harm-oriented
perspective is more outcome-oriented because it concentrates on the
harm that results from the misuse of the insider privilege, and more specifically
on whether or not the insider has the intention to harm the organization (Bunn &
Sagan, 2016; Nurse et al., 2014). The privilege-oriented perspective is rather
action-oriented because it concentrates on the misuse of the insider privilege
itself, and more specifically on whether or not the insider has the intention to
misuse the insider privilege (Neumann, 2010; Rehak et al., 2020). A
combination of both perspectives has also been used to conceptualize the insider
threat problem (Information Security Forum, 2015; Krull, 2016; Maasberg et al.,
2015; Willison & Warkentin, 2013).

¹ It should be mentioned that a part of this chapter was published as a co-authored article in ‘Security Journal’ (Reveraert & Sauer, 2021).

The conceptualization suggested in this study draws on both perspectives,
whereby the privilege-oriented perspective is used to define the scope of the
insider threat concept and the harm-oriented perspective is used to illustrate
variation within the insider threat concept. From a privilege-oriented perspective,
a distinction between insider hazards and insider threats is suggested, based on
the question whether or not the insider wittingly misuses the insider privilege, or
whether the insider can be held accountable for the misuse of privilege. If the
insider unwittingly misuses the privilege (i.e. no accountability), the incident is
considered to be an insider hazard. In contrast, if the insider wittingly misuses
the insider access or knowledge (i.e. accountability), the incident is considered to
be an insider threat. It is therefore suggested in this chapter that only the
intentional misuse of privileged access/knowledge by insiders, whether or not
with the intention to inflict harm, should be interpreted as an insider threat.
From a harm-oriented perspective, insider threats are further divided into
security insider threats whereby the insider knows that the deliberate misconduct
will definitely cause harm to the organization and safety insider threats where the
insider knows that the deliberate misconduct might possibly cause harm to the
organization. Furthermore, a distinction is made between expressive insider
threats whereby the harm resulting from the deliberate misconduct is a goal in
itself and instrumental insider threats whereby the harm is rather a means to
achieve another goal. In the end, I suggest dividing misconduct committed by
insiders into four categories: (1) expressive security insider threats, (2) instrumental
security insider threats, (3) instrumental safety insider threats and (4) safety
insider hazards.
In what follows, the chapter starts with an outline of the existing
conceptualizations originating from the harm-oriented and the privilege-oriented
perspective as well as the combination of both perspectives. After explaining why
the contemporary approaches are not suitable, a new conceptualization is
suggested. To conclude, the advantages and shortcomings of this new
conceptualization will be outlined, followed by a conclusion section.
2.2. Existing insider threat conceptualizations
To the best of my knowledge, there is still no standard, consensus
definition of the insider threat concept. Because different interpretations are
given to the concept (BaMaung et al., 2018; Gelles, 2016; Krull, 2016; Ophoff
et al., 2014), the purpose of this chapter is to clearly define the meaning of the
insider threat concept and consequently the scope of this dissertation. A review
of the literature shows that there are two main perspectives to define the insider
threat concept, one centered on the intention to harm the organization and one
concentrated on the intention to misuse the privilege given by the organization.
2.2.1. Harm-oriented perspective

Starting from a harm-oriented perspective, the insider threat
conceptualization depends on whether or not the insider has the intention to harm
the organization. Generally, a distinction is made between malicious and non-malicious
insider threats (Bunn & Sagan, 2016; Nurse et al., 2014). Some tend
to interpret insider threats narrowly by restricting them to the so-called malicious
insider who has the explicit intent to negatively affect the organization. Cole and
Ring (2006: 8) for instance refer to the insider threat as “anyone who has special
access or knowledge with the intent to cause harm or danger”. Also the US
Transport Security Administration (TSA) defines the insider threat as “one or
more individuals with access or insider knowledge that allows them to exploit
the vulnerabilities of the Nation’s transportation systems with the intent to cause
harm” (Deffer, 2012: 2). Also other entities, like for instance the International
Atomic Energy Agency (IAEA, 2008), interpret insider threats narrowly in their
Nuclear Security Series by concentrating on the malicious insider². The common
thread that runs through the narrow definitions is intent to harm. An example of
a malicious insider threat is the previously mentioned terrorist shooting at Fort
Hood where US Army psychiatrist Nidal Malik Hasan murdered colleagues and
injured several others out of ideological convictions (Zegart, 2016).
In contrast, a number of researchers tend to apply a broader scope by
including non-malicious insiders, or insiders that inflict harm without the
intention to inflict harm, as part of the insider threat definition. Steele and Wargo
(2007: 25) for example include unintentional insider incidents in their
conceptualization, stipulating that a “common mistake in defining insider threats
is limiting focus on malicious insiders. Failing to recognize the threats from
insiders’ unintentional or accidental actions also has led to a number of high-
profile security breaches”. Nurse et. al. (2014: 214) too “consider two categories
of insider threat. The first is a malicious insider threat (…). The second form of
threat is that of an accidental, or nonmalicious, insider”. They thereby refer to the
Computer Emergency Response Team (CERT) at the Software Engineering
Institute of Carnegie Mellon University, an expert organization in
(cyber)security, who “define the accidental threat as an insider who, without
malicious intent and through action or inaction, causes harm or increases the
probability of future harm to the confidentiality, integrity or availability of the
organisation’s assets or resources” (ibid, 214). Other researchers, such as
Colwill³ (2009) and Elifoglu, Abel and Taşseven⁴ (2018), also interpret
insider threats more broadly by considering all insider actions that cause harm to
the organization as insider threats. The US soldiers who recorded their work-out
session on the social media application Strava and thereby accidentally
revealed the location of the US military base (Hern, 2018) can be used as an
illustration of a non-malicious insider threat.

² The IAEA (2008) denotes an insider as “an adversary with authorized access to a nuclear
facility, a transport operation or sensitive information” (ibid: 2), whereby the term
‘adversary’ is interpreted as an “individual performing or attempting to perform a malicious
act” (ibid: 1-2). The term threat, on the other hand, is used to “describe a likely cause of
harm to people, damage to property or harm to the environment by an individual or
individuals with the motivation, intention and capability to commit a malicious act” (ibid:
2-3).

Applying a harm-oriented perspective is problematic because
“distinctions between malicious acts and accidental events are often misleading
– in that events occurring accidentally could often be triggered intentionally, and
adverse events may occur unbeknownst to the inadvertent triggerer” (Neumann,
2010: 18). Harm-oriented definitions define the concept either too narrowly or too
broadly. Given that the principal objective of each organization is to prevent harm
to the organization, confining the insider threat to malicious incidents provides
an interpretation that is too strict. Focusing solely on the malicious insider would
ignore an important sub-group of insider threats, namely the insiders that
wittingly misconduct themselves without intent to cause harm (Bunn & Sagan,
2016; Neumann, 2010). If insiders decide to intentionally commit misconduct,
this should be considered an insider threat, even if the misconduct has no harmful
purpose.
The fact that each organization wants to prevent harm to the organization
might, however, give the impression that the broad interpretation, regarding all
harmful incidents involving an insider as an insider threat, is desirable. Still, the
broad interpretation runs the risk of turning insider threat into a container
concept, which complicates the formation of an adequate mitigation policy. In
other words, one should be careful not to make the insider threat concept a
catch-all term, because container concepts make room for ambiguity and therefore
complicate the formation of adequate policy to counter the problem. An analogy can
be made to the concept of ‘radicalization’, which also suffers from ambiguity and
lacks a clear-cut standard definition that everybody agrees upon, resulting in
difficulties in developing adequate deradicalization policies (Coolsaet, 2015;
Coolsaet, 2016).

³ Colwill (2009: 188) speaks of accidental and malicious insider threats, indicating that “insiders
can compromise information confidentiality, integrity and availability and both accidental
and malicious risks must be considered”.
⁴ Elifoglu et al. (2018: 62) indicate that “the insider threat comes from the abuse or misuse of the
computer usage privileges. (…). If the threat is intentional, it is called a malicious attack.
If the intent to harm the organization is missing, the misuse is called accidental”.

Moreover, it is argued that the terminology corresponding with ‘intent to
harm’ and ‘no intent to harm’ is often confusing. Some scholars (e.g. Mehan,
2016) divide the insider threat in an ‘intentional’ and ‘unintentional’ category,
but this terminology is confusing because it is unclear whether these concepts
refer to the insider’s intent to harm or their intent to commit misconduct. The
terms most often used are ‘malicious’ and ‘non-malicious’, which do clearly refer
to the insider’s intent to harm the organization. Nevertheless, the meanings of the
concepts ‘malicious’ and ‘non-malicious’ have become too ambiguous, making
it difficult to say whether a specific incident is malicious or non-malicious.
Think for instance of insiders that steal from their employer. It is assumed that
such misconduct will be denoted ‘malicious’ by the majority of the insider threat
(research) community⁵, given that stealing is seen as a wicked activity aimed at
acquiring personal gain. Intuitively, it is understandable to consider insiders that
steal from their organization and hurt their organization with a motive of personal
gain malicious, because the insider’s actions are indeed morally wrong. A quick
search in some of the most prestigious English dictionaries⁶, however, shows that
the term ‘malicious’ does not refer to engaging in behavior that is morally wrong,
but rather indicates having a desire to cause harm.
Consequently, insiders acting out of personal gain should, contrary to
expectations, not be considered malicious because their desire is not to damage
the organization but to achieve a personal advantage or reduce a personal
disadvantage. A greedy insider or an insider with financial problems might not
resist the temptation to misuse the insider access to the organization’s financial
resources to respectively increase personal wealth or pay off debts. In case of the
former, the insider’s primary goal is to get a personal advantage, not to harm the
organization. In case of the latter, the insider’s principal aim is to reduce a
personal disadvantage, not to harm the organization. The same principle applies,
in fact, to insiders that are coerced by a hostile third party to steal from their
employer, for instance because threats are made against family members
(BaMaung et al., 2018; Hobbs & Moran, 2015). In other words, morally wrong
(or even illegal) misconduct that is not primarily intended to hurt the organization
but that is rather performed to meet another purpose should, perhaps
counter-intuitively, be interpreted as non-malicious.

⁵ Krull (2016: 3) for instance states that “malicious insiders intend to cause direct harm or damage
to their place of employment with a motive of either personal gain or revenge”. Nurse et al.
(2014: 214) state that “it is typically understood that a malicious insider will seek to exploit
their privileged access for some inappropriate gain, whether it be personal, financial or for
revenge”. Noonan (2018: 5) interprets the malicious insider even broader, stating that
“malicious intent refers to a desire to cause harm to an organization or its assets. (…).
Malicious activities include an even broader range of exploits, such as negligent use of
classified data, fraud, unauthorized access to sensitive information, data or materials, and
illicit communications with unauthorized recipients”. Sarkar (2010: 113), to conclude,
stipulates that “insider threats conjure up images of disgruntled employees planning to take
revenge or malicious employees looking for financial gains”.
⁶ Cambridge defines malicious as “intended to harm or upset other people” (see
https://dictionary.cambridge.org/dictionary/english/malicious). Merriam-Webster defines
malicious as “having or showing a desire to cause harm to someone : given to, marked by,
or arising from malice” (see https://www.merriam-webster.com/dictionary/malicious).
MacMillan defines malicious as “unkind and showing a strong feeling of wanting to hurt
someone” (see https://www.macmillandictionary.com/dictionary/british/malicious). The
Oxford English Dictionary, to conclude, defines malicious as “characterized by malice”
(see https://www.oed.com/view/Entry/112915?redirectedFrom=malicious#eid), with
malice referring to “the intention or desire to do evil or cause injury to another person;
active ill will or hatred” (see
https://www.oed.com/view/Entry/112910?rskey=P9DUBl&result=1&isAdvanced=false#eid).

On the basis of the above-stated reasonings, I conclude that the existing
conceptualizations that solely use the harm-oriented perspective are not suitable
for this dissertation.
2.2.2. Privilege-oriented perspective

In contrast to the existing definitions originating from the harm-oriented
perspective, where the presence (malicious) or absence (non-malicious) of
intention to harm the organization is decisive, the privilege-oriented perspective
does not focus on the intended outcome of the misconduct (i.e. intentionality to
harm the organization), but on the privilege that the insider gets, and more
specifically on whether or not the insider has the intention to misuse this privilege
(Neumann, 2010; Rehak et. al., 2020). It starts from the assumption that the
organization gives insiders access to and/or knowledge about the organizational
assets. It further assumes that in order to stimulate the proper handling of the
organizational assets, the organization provides the insiders with guidance on
how to conduct themselves in an appropriate way. In other words, the
organization can establish a code of conduct that reflects the organizational
culture and that contains organizational norms that insiders have to adhere to.
Analogous to Katzenstein’s (1996) definition of norms⁷, an organizational norm
will be interpreted in what follows as a guideline on the usage of the access to
and/or knowledge about the organizational assets that the organization perceives
as legitimate and that insiders are expected to comply with. The organizational
norms function as a red line that separates acceptable use of the insider privilege
from unacceptable use of the access/knowledge (Dekker, 2009; Dekker, 2017;
Von Solms & Von Solms, 2004). The provision of guidelines does not guarantee
compliance with the organizational norms. The norms are expectations from the
organization, meaning that insiders have the possibility to, wittingly or
unwittingly, deviate from these expectations (Neumann, 2010; Robinson &
Bennett, 1995).

⁷ Katzenstein (1996: 5) defines norms as “collective expectations for the proper behaviour of
actors with a given identity”.

The insider threat definitions provided by scholars that have already
applied a privilege-oriented perspective are problematic because they either
refrain from eliminating the unintentional misuses of privilege from the insider
threat concept or do not adequately indicate whether the unintentional misuses
fall within the scope of the insider threat concept. The first group includes both
intentional and unintentional misuses in their conceptualization of the insider
threat. For instance the US NITTF (2016: 3) refers to the insider threat as “the
risk an insider will use their authorized access, wittingly or unwittingly, to do
harm to their organization”. The same applies to Munshi, Dell and Armstrong
(2012: 2402) who define insider threat as “the potential harm posed by any
trusted entity with inside access to the organization”. Consequently, these
conceptualizations mirror the broad interpretation of the harm-oriented
perspective that was criticized earlier, with a similar risk of turning insider threat
into a container concept.
The second group provides definitions that are unclear on whether or not
insiders that unwittingly misuse their privilege fall under the scope of the insider
threat concept, leaving too much room for interpretation for the reader.
Sokolowski, Banks and Dover (2016: 274) for example refer to insider threat as
“a legitimate user who abuses access and, given his or her proximity to, and
familiarity with, an environment, can cause significant damage or loss”. Here, it
is unclear whether it relates to intentional or unintentional abuse. The
definitions of, for example, the Commonwealth of Australia⁸ (2012), Gelles⁹
(2016), Padayachee¹⁰ (2016), and Greitzer, Kangas, Noonan, Dalton and
Hohimer¹¹ (2012), the last also mentioned by for example BaMaung et al.
(2018), Krull (2016) and Noonan (2018), likewise all refrain from explicitly
mentioning the intentionality of the misuse of the privilege. Therefore, they leave
too much ambiguity on whether or not insiders that unwittingly commit misconduct
fall under the scope of the insider threat concept. Although it can be argued that it
can be implicitly deduced from these definitions that unintentional misuses of
privilege are not included in the definition of insider threat, it is better to have
an unambiguous definition that explicitly defines the scope of the insider threat
concept to increase the comparability of insider threat research (Pfleeger, 2008).
Without eliminating ambiguity, these conceptualizations again resemble the
previously criticized broad interpretation of the harm-oriented perspective, with
a similar risk of turning insider threat into a catch-all term.
Two definitions applying a privilege-oriented perspective are closely
related to my interpretation of the insider threat concept, but still show some
flaws that make them unsuitable for this dissertation. While the former does not
distinguish misconduct from misbehavior, the latter uses terms that are too
specific to cover the whole spectrum of insider threat. Firstly, Ho, Kaarst-Brown &
Benbasat (2018: 271-272) define the insider threat as “a reference to situations in
which a “focal actor”—someone with authorized access—inflicts damage to their
own organization by behaving against the interests of the organization (i.e.,
betraying), generally in an illegal and unethical manner. (…) [I]nsider threat
always involves some aspect of betrayal, which is an intentional act of trust
violation against the interest of another party (..). Although there are many types
of nonmalicious (well-intentioned or negligent) insiders who might inadvertently
betray the organization, there are also those who do so maliciously, with
deliberate intent to harm the organization for some benefit”.

⁸ The Commonwealth of Australia (2014: 2) defines the insider threat as a “threat posed by
unauthorized access, use or disclosure of privileged information, techniques, technology,
assets or premises by an individual with legitimate or indirect access, which may cause
harm”.
⁹ Gelles (2016: 3) defines insider threat as “the potential for an insider to harm an organization
by leveraging his or her privileged level of knowledge and/or access”.
¹⁰ Padayachee (2016: 47) argues that “an ‘insider threat’ uses the authority granted to him/her for
illegitimate gain”.
¹¹ Greitzer et al. (2012: 2392) define insider threat as “harmful acts that trusted individuals might
carry out; for example, something that causes harm to the organization, or an unauthorized
act that benefits the individual. The insider threat is manifested when human behaviors
depart from established policies, regardless of whether it results from malice or disregard
for security policies”.

Although I agree with Ho et. al. (2018) to interpret the insider threat
problem in terms of trust and betrayal, I argue that their definition is problematic
because it leaves ambiguity on whether or not the betrayal is linked to the
privilege of the insider. The trust relationship between an insider and their
organization in fact consists of two types of trust, namely specific trust and
general trust (Wright, 2010). In case of specific trust, the organization expects
adherence to specific organizational norms that guide the insider on how to
conduct or use the entrusted access to or knowledge about the organizational
assets. In case of general trust, the organization expects adherence to general
organizational norms that are unrelated to the privileged access/knowledge and
that guide the insider on how to behave in general. General organizational norms
therefore correspond with the norms prescribed by society (i.e. societal norms).
As Robinson and Bennett (1995: 556) argue, “[specific] organizational norms, or
those prescribed by formal and informal organizational policies, rules, and
procedures, are specified here because deviance must be defined in terms of the
standards of a specified social group rather than in reference to a system of
absolute moral standards”. I will further elaborate on trust(worthiness) and
betrayal in an employment context in chapter three of this dissertation. For now,
it is enough to know that conduct should be distinguished from behavior.
The distinction between conduct and behavior means that a similar
distinction has to be made between misconduct and misbehavior, depending on
whether the insider uses the privileged access or knowledge to deviate from the
norm. To illustrate the difference between misconduct and misbehavior, think of
an employee who is convicted for stealing. If the employee stole from the
company they work for because they had insider access/knowledge, it is
considered to be misconduct. An example is a cocktail waitress in a casino who
conspires with one of the casino dealers to steal tokens (Bunn & Glynn, 2016). If
the employee did not steal from the company but instead randomly robbed a bank
in their spare time, it is not considered to be misconduct but rather misbehavior,
given that the bank robbery has nothing to do with the insider’s privileged access
or knowledge. An example is the involvement of a former municipal officer in
the explosion of an Automated Teller Machine of Bpost (Het Nieuwsblad,
18/10/2019). Both thefts can be considered a deviation from a norm the
organization embraces (i.e. not stealing), but the difference between both
incidents lies in whether or not the culprit misused their insider privilege to steal.
By misusing their access/knowledge to steal from the company, the employees
of the casino deviated from a specific organizational norm (i.e. not stealing from
the company) and thereby committed misconduct. Instead, the former municipal
officer deviated from a general organizational norm (i.e. the societal norm ‘not
stealing in general’) and thereby misbehaved herself given that her stealing was
not related to her job at the municipality. Only misconduct, or deviations from
specific organizational norms whereby the insider intentionally misuses the
access to or knowledge about the organizational assets, should be included in the
insider threat concept. Misbehavior, or deviation from general organizational
norms, should not be considered an insider threat, as the norm deviation is not
related to the ‘insiderness’. This nuance is not explicitly present in the definition
of Ho et al. (2018).
To conclude, the definition that avoids all the above-stated criticism is the
one used by Bell, Rogers and Pearce (2019) and Guido and Brooks (2013). Both
studies define insider threat as “a current or former employee, contractor, or
business partner who has or had authorized access to an organization’s network,
system or data and intentionally exceeded or misused that access in a manner that
negatively affected the confidentiality, integrity, or availability of the
organization’s information or information systems” (Cappelli, Moore &
Trzeciak, 2012 cited in Bell et. al., 2019: 167 and Guido & Brooks, 2013: 1831).
Still, this definition is problematic because the terms used in this definition are
too specific to be used as a holistic definition covering the entire spectrum of the
insider threat problem. On the one hand, reference to ‘a current or former
employee, contractor, or business partner’ overlooks the fact that insiders can
appear in many other guises (e.g. interns¹²). On the other hand, by referring to
‘network, systems or data’ and ‘information or information systems’ this
definition focuses too much on a cyber or information security context,
overlooking insider threat incidents outside this cyber context (e.g. workplace
violence¹³). It is better to use general terms like ‘actor’ or ‘organizational assets’
in the quest for a generally accepted, standard definition of insider threat.
On the basis of the above-stated reasonings, I conclude that the existing
conceptualizations that solely use the privilege-oriented perspective are not
suitable for this dissertation.

¹² An example of an insider threat involving an intern is the 15-year-old student that stole a car
during his internship (Het Nieuwsblad, 11/12/2019).
¹³ Think of the previously mentioned case of Nidal Malik Hasan (Zegart, 2016).

2.2.3. Combination of both perspectives

It follows from the above that there are two different perspectives to look
at misuse of insider privilege and that, on its own, neither perspective is
enough to properly conceptualize the insider threat problem. It is also possible to
combine both perspectives, as illustrated in Figure 2.1 developed by Information
Security Forum (2015: 2). A combination of the harm-oriented perspective and
the privilege-oriented perspective creates three categories of insiders: the
malicious insiders, the negligent insiders and the accidental insiders.

Figure 2.1: Typology insider threat from Information Security Forum (2015:2)

Firstly, the malicious insider is an insider who deliberately commits
misconduct with the intention to cause harm to the organization. An example is
the previously mentioned case of workplace violence committed by Nidal Malik
Hasan (Zegart, 2016). Secondly, the negligent insider also deliberately misuses
the insider privilege, but not with the intention to cause harm to the organization.
An example is the Japanese mailman who intentionally hid letters at home
because it cost him too much effort to deliver all the letters (NOS Nieuws,
23/01/2020). Lastly, the accidental insider is an insider whose misconduct is
unintentional, meaning that the harm to the organization that results from the
misconduct is also unintentional. An example is the supervisor of an exam who
by mistake threw away the exams, meaning that all the students had to redo the
exam (Outters, 2020). Scholars have developed different versions of this three-
part categorization of insider threat. Willison and Warkentin (2013) for instance
speak of an intentional malicious abuse, a volitional but non-malicious non-
compliance and passive, non-volitional non-compliance to respectively refer to
the malicious, negligent and accidental categories, while Krull (2016), in turn,
uses malicious, intentional/non-malicious and unintentional to refer to the same
three categories.
Although I agree that a combination of both perspectives is necessary to
form a holistic conceptualization of the insider threat problem, the existing
conceptualizations that follow from the combination of both perspectives are
problematic because these conceptualizations view the three categories as
different types of insider threat. I therefore question whether all three categories
of misuse of insider privilege should be interpreted as an insider threat or not,
and argue that doing so mirrors the previously criticized broad interpretation of
the harm-oriented perspective, with a similar risk of turning insider threat into a
container concept. Moreover, the conceptualizations that combine the harm-
oriented perspective and privilege-oriented perspective still predominantly draw
on the often misinterpreted concepts ‘malicious’/‘non-malicious’, which was
also criticized earlier in this chapter when discussing the harm-oriented
conceptualizations (see 2.2.1).

2.3. A new conceptualization
The previous section illustrated that existing conceptualizations of insider
threat are not suitable for this dissertation. As a result, this chapter presents a new
conceptualization, drawing on both the privilege-oriented perspective and the
harm-oriented perspective. A combination of both perspectives is used because
“every wrongful act may raise two distinct questions with respect to the intent of
the doer. The first of these is: How did he do the act - intentionally or
accidentally? The second is: If he did it intentionally, why did he do it?” (Cook,
1917 cited in Maasberg et al., 2015: 3522). While the first question relates to the
privilege-oriented perspective, the second touches upon the harm-oriented
perspective. The privilege-oriented perspective will therefore form the basis of
the conceptualization developed in this dissertation, with the harm-oriented
perspective being addressed in a later stage.
The conceptualization starts with the assumption that each organization
possesses assets that it wishes to protect (Bishop, Gates, Frincke & Greitzer,
2009; Bunn & Sagan, 2016; Sarkar, 2010). Organizational assets are interpreted
as being valuable resources controlled by the organization that are situated within
the (proverbial) security perimeter and that need to be protected (Bunn & Sagan,
2016; Lynch, 2006; Nurse et al., 2014). Examples of organizational assets include
intellectual property and financial resources. Organizational assets can be
clustered in four groups, namely people, tangibles, intangibles and data (Bunn &
Sagan, 2016; Cools, 1994; Gelles, 2016; Thompson & Friedlander, 2016).
Critical organizational assets are assets that are essential for the continuation of
the organization’s business (Bishop et al., 2009; Gelles, 2016), whereby the exact
interpretation of the (critical) organizational assets varies from one organization
to another.

The ultimate goal of each organization is to protect its organizational
assets as much as possible from harm. Harm is interpreted as negatively affecting
the confidentiality, availability or integrity of the organizational assets (Cole &
Ring, 2006; Nurse et. al., 2014; Sarkar, 2010). Harm to confidentiality implies
that unauthorized individuals are able to access the security perimeter. Harm to
integrity implies that the organizational asset is modified. Harm to availability
implies that the organizational asset is destroyed or made inaccessible.
In order to be successful, the organization has no other choice than to
provide access to and/or knowledge about the organizational assets to certain
individuals, simply because they need it in order to do their job (Baier, 1986).
The organization has to trust that these individuals, referred to as insiders, will
handle the assets with care. Before conceptualizing the insider threat, it is
therefore necessary to discuss the concept ‘insider’.
2.3.1. Insiders

First of all, it should be acknowledged that insiders can appear in many
guises, including as individuals, as enterprises or even as states. Notwithstanding
this acknowledgment, insiders will be interpreted as individuals in the remainder
of the dissertation, unless otherwise stated. Insiders are given a certain privilege
that is characterized by three aspects: access to the organizational assets,
knowledge about the organizational assets and trust by the organization
(BaMaung et. al., 2018; Bishop et. al., 2010; Probst et. al. 2010).
Firstly, access refers to the free permission that the organization gives to
the insider to penetrate the security perimeter that protects the organizational
assets. The access can be physical, like for instance the authorization to enter a
building, or virtual, like the password to enter the network system (Colwill, 2009;
Munshi et. al., 2012). The access is privileged because insiders get access to the
assets while outsiders don’t get access. The privileged access is also given for
free, since the individual does not have to pay to enter the security perimeter but
entrance is simply based on trust. The insiders might be trusted with access to
organizational asset X (for example a key to access their own office) but not
necessarily to organizational asset Y (for example a key to access the office of
their colleague).
Secondly, knowledge is interpreted as the free information on the
organizational assets that the organization gives to the insider. Bunn and Glynn
(2016) make a distinction between first-degree and second-degree critical
knowledge. While the former is knowledge about the organizational assets, like
for instance the location or code of a vault, the latter is knowledge about
vulnerabilities (or security holes) that are related to the organizational assets, like
for instance blind spots on the closed-circuit television (CCTV) that is monitoring
the vault (Cole & Ring, 2006; Nurse et al., 2014; Sarkar, 2010). Similar to access,
knowledge is privileged because insiders possess the knowledge while outsiders
do not possess it. Moreover, the knowledge is free since the individual is simply
trusted by the organization.
Thirdly, trust refers to the organization’s belief that the access and/or
knowledge is safe with the insider. The individual is authorized by the
organization to have the access or knowledge because the organization is
convinced that the individual will use it in an appropriate way (Ho et. al., 2018;
Malik, 2020). A division is made between the individuals that are allowed to come
into contact (access/knowledge) with the organizational assets, and the
individuals that should be kept out of the security perimeter. While the former
belong to the trusted insider-group, the latter are part of the distrusted outsider-
group. The trust criterion is not only applicable to current confidants of the
organization, but also to former ones. To put it in a different way, insiders are not
only individuals currently belonging to the organization, but are also individuals
that used to be part of it and were trusted by the organization in the past (Krull,
2016; Nurse et al. 2014; Randazzo, Keeney, Kowalski, Cappelli & Moore, 2005).
An example is the case of David Burke, the man who was responsible for the
crash of the Pacific Southwest Airlines Flight 1771. Although Burke was
dismissed from the airline company, he was still able to retain both his
identification badge and uniform. As a result, Burke could misuse this privileged
access to bypass security screening, smuggle a gun on board, kill his former
manager and crash the plane (Greco, 2017; Loffi & Wallace, 2014).
Consequently, if individuals were previously trusted by the organization and are
still able to misuse their privileged access and/or knowledge to the organizational
assets, they should still be considered insiders and should be taken into account
when discussing the insider threat.
In sum, access to the organizational assets, knowledge about the
organizational assets and trust by the organization can be used as distinctive
criteria to separate the insider from the outsider. As a result, the following
definition of the insider is suggested:

An insider is an actor who is or used to be trusted by the organization
with the free privilege of authorized access to and/or knowledge about the
organizational assets.

On the basis of the definition, a clear distinction can be made between the
insider, or the one who is or used to be trusted and granted the free privilege of
authorized access to and/or knowledge about the organizational assets, and the
outsider, the one who is not trusted and not granted the free privilege. The
definition illustrates that insiders are not only individuals that work on a
permanent basis for their employer. Also other individuals, like for instance
contract employees or apprentices, that are not part of the permanent labor force
of the organization might be trusted by the organization with privileged access or
knowledge (Colwill, 2009). To illustrate, reference can be made to Aaron Alexis
who was outsourced to the Washington Navy Yard by one of the Navy’s prime
contractors and who during his employment murdered colleagues (Gelles, 2016;
Shaw & Sellers, 2015), or to the 15-year-old student that stole a car during his
internship (Het Nieuwsblad, 11/12/2019). Moreover, the definition illustrates
that the insider should have at least access to or knowledge about the
organizational assets to be considered an insider, but that they do not necessarily
have to possess both. Indeed, only one of the two has to be present in combination
with trust to speak of an insider.
The trust criterion is, however, pivotal because only access or knowledge
is insufficient to speak of an insider. As stated before, insiders do not have to pay
to obtain access or knowledge, but are simply trusted by the organization that
they will handle the privileged access/knowledge in an appropriate way.
Consequently, individuals that pay to acquire access or knowledge are excluded
from the insider category. Think for instance of the difference between a pilot
who gets access to the airplane for free, and passengers who buy a ticket to get
access to the airplane. Only pilots are considered to be insiders because they are
trusted by the organization with privileged access. Also individuals that obtain
access or knowledge not via trust by the organization but through manipulating
a trusted individual fall out of the scope of the insider concept. In contrast to for
instance Cole and Ring (2006) and Sarkar (2010) who consider individuals who
are not trusted by the organization, like spouses, friends and social engineers[14],
as insider threats, my definition limits the insider concept, and consequently the
insider threat, to individuals that are trusted by the organization. Although it is
recognized that spouses, friends or social engineers might get access to or
knowledge about the organizational assets, like the FBI trainee that “allegedly
stole [information] from his then-girlfriend, a corporate law firm associate who
was working on confidential matters at home due to the pandemic” (Thomas,
2022, first paragraph), they will always have to get it from an individual that the
organization trusts or trusted with the authorized access/knowledge, the actual
insider (i.e. the girlfriend). From a policy perspective it is beneficial to limit the
insider category to trusted individuals, as the organization is less able to develop
policies that influence the behavior of spouses, friends and social engineers.
Instead, the organization’s policy is applicable to the individual that the
organization trusts or trusted with the access/knowledge, or the individual from
which the spouse, friend or social engineer gets the access or knowledge.

[14] Individuals that have no access to or knowledge about the organizational assets, but that
manipulate a trusted insider that has authorized access/knowledge in order to reach the
organizational assets (Wall, 2013).

To conclude the conceptualization of the insider concept, it should be
mentioned that not all insiders should be treated alike. Although I distinguished
insiders from outsiders, the insiders, unlike the outsiders, should not be lumped
into one category. Instead, the insider category should be viewed
as a continuum of insiders that can be sorted on the basis of the scope and
application area of the granted privilege, or on their “degree of insiderness”
(Bishop et al., 2010: 135). Ceteris paribus, insiders who hold a
large privilege (i.e. large amount of trust, access to and/or knowledge about the
assets), or a privilege that applies to the most important assets of the organization,
pose a different (i.e. greater) threat than insiders who hold
a small privilege (i.e. small amount of trust, access to and/or knowledge
about the assets) or a privilege that applies to less important assets (Bishop et al.,
2009; Bishop et al., 2010; Probst et al., 2010).

2.3.2. Insider threats

After clarifying the insider concept, I move on to explain the novel
conceptualization of the insider threat. As mentioned before, in this dissertation
preference is given to combine both perspectives, with the privilege-oriented
perspective forming the basis of the insider threat concept and the harm-oriented
perspective being used to address the variation within the insider threat concept.
Remember that privilege-orientation assumes that, to stimulate the proper
handling of the organizational assets, the organization provides its insiders with
guidance on how to conduct themselves in an appropriate way (Dekker, 2009;
Dekker, 2017; Von Solms & Von Solms, 2004), here referred to as organizational
norms. The provision of guidelines does not guarantee compliance with the
organizational norms, as insiders might deviate from organizational norms and
pose a danger to the organizational assets (Neumann, 2010; Robinson & Bennett,
1995). Before elaborating on the conceptualization, it is important to emphasize
that in this chapter I do not intend to have a moralistic perspective on the norm
deviation itself. In other words, whether or not it is a good or a bad thing to
deviate from the norm is not the main focus of the chapter. Instead, the main
focus is the fact that the insider deviates from one of the imposed standards of
conduct that the organization demands adherence to from its insiders (Wikström,
2014).

2.3.2.1. Insider threats vs. insider hazards

The fact that deviation from the organizational norms poses a danger to
the organizational assets does not mean that each norm deviation should be
considered an insider threat. It was argued before in section 2.2.2. that
organizational norms can be divided into specific organizational norms and general
organizational norms, whereby the former instruct the insider on how to use the
insider privilege or how to conduct, and the latter are unrelated to the insider
privilege but rather guide the insider on how to behave in general. Moreover, it
was suggested that only misconduct, or deviations from specific organizational
norms should be included in the insider threat concept. Table 2.1 summarizes the
difference between misconduct and misbehavior.

MISCONDUCT: Deviation from specific organizational norms that guide the insider on how to
conduct or use the insider privilege.
MISBEHAVIOR: Deviation from general organizational norms that are unrelated to the insider
privilege and that guide the insider on how to behave in general.

Table 2.1: Misconduct vs. misbehavior

The suggestion that only misconduct should be included in the insider
threat concept does, however, not imply that every instance of misconduct should
be regarded as an insider threat. Organizations are indeed vulnerable to insider
misconduct, but misconduct can either be unintentional due to lack of “technical
competence” (Morris & Moberg, 1994: 167) or intentional due to lack of
“fiduciary responsibility” (ibid: 167). Or to put it in the words of Dekker (2017),
a distinction should be made between technical errors that relate to the insider’s
competence and normative errors that relate to the insider’s trustworthiness.
Consequently, two kinds of insider misconduct can be distinguished, here
denoted ‘insider hazards’ and ‘insider threats’. While the former relates to
whether the insider can adhere to the expectations of the organization, the latter
relates to whether the insider wants to adhere to them (Buechner, Simon &
Tavani, 2014; Colquitt, Scott & LePine, 2007; Elangovan & Shapiro, 1998;
Hawley, 2014; McKnight & Chervany, 2001).
If the insider unintentionally misuses the insider privilege due to a lack of
competence, it concerns an insider hazard. In other words, insiders are willing to
adhere to the organizational norms, but are not able to adhere to them because
they (a) do not know which organizational norms they have to adhere to (Gundu
& Flowerday, 2012), (b) do not have the necessary skills to adhere to them (Ho
et al., 2018), or (c) make an honest mistake (Steneck, 1994). In all cases, these
insiders unintentionally or unwittingly commit misconduct (Rehak et al., 2020).
If, on the other hand, the insider intentionally misuses the insider privilege due
to a lack of trustworthiness, it is regarded as an insider threat. In other words,
insiders are able to adhere to the organizational norms because they know the
norms and have the necessary skills to adhere to them, but are not willing to do
so. These insiders intentionally or wittingly commit misconduct (Rehak et al.,
2020). As a result, the following definition of the insider threat is suggested:

An insider threat is the possibility that an actor who is or used to be
trusted by the organization with the free privilege of access to and/or
knowledge about the organizational assets, causes harm to the
organization because they intentionally misuse their access to or
knowledge about the organizational assets.

To illustrate the difference between insider hazards and insider threats,
reference is made to misconduct in sports, or athletes that misuse the privileged
access given by their organization to compete in sports events. If the misconduct
is the result of being human, or of an honest mistake (Steneck, 1994), it concerns
an insider hazard rather than an insider threat. Examples are the cases of Belgian
cyclist Iljo Keisse, who successfully claimed his positive drug test was due to a
contaminated food supplement (De Morgen, 02/11/2009) or Belgian cyclist Tosh
Van Der Sande who successfully claimed his positive drug test was due to
accidentally reporting the wrong medicine to the doping controllers (De
Standaard, 23/01/2019).
Furthermore, if the misconduct is the result of unawareness of the
applicable norms (Gundu & Flowerday, 2012), it also concerns an insider hazard
rather than an insider threat. This means that insider threat is not inherent in the
act of the insider or the specific organizational norm deviation itself, but in the
intentionality of the deviation from the norm (Becker, 1963). When the insider
wittingly takes actions without knowing those actions will lead to misconduct, it
does not concern an insider threat but rather an insider hazard. If the athlete for
instance deliberately takes a drug without knowing that the particular drug is
prohibited, it concerns an insider hazard and not an insider threat. An example is
the case of Belgian cyclist Björn Leukemans, who was accused of drug abuse
because he took the prohibited substance Prasteron. As it turned out, Leukemans
was unaware of the prohibition, as the drug was prescribed by the team doctor
(De Morgen, 20/12/2007).
If the misconduct is the result of lack of necessary skills to adhere to the
organizational norms, it equally concerns an insider hazard rather than an insider
threat. Think for instance of the whereabouts system that obliges athletes to share
residency data with controllers of drug abuse. Although athletes might be aware
of the whereabouts system, they also need the skills to properly report their
whereabouts, which is not always the case (De Morgen, 13/11/2009). For
instance Belgian judoka Dirk Van Tichelt was on the verge of being suspended
not because he intentionally falsified his whereabouts or because he was unaware
of the obligation to report, but because he lacked the necessary skills to properly
report his residency data (De Standaard, 12/07/2012).
If, on the other hand, the athlete is aware of the applicable norms and
competent to adhere to the norms, but nevertheless wittingly decides to deviate
from these specific organizational norms, it concerns an insider threat rather than
an insider hazard. Multiple athletes[15] can be cited that deliberately deceived their
sport, for any reason whatsoever. The most obvious reason is performance
enhancement. The textbook example of deliberate misconduct in sports is Lance
Armstrong, the central figure in the biggest doping scandal in the history of
cycling (Carroll, 2013). Besides performance-enhancing, athletes can also
commit misconduct for personal reasons, like Danish cyclist Michael Rasmussen who
falsified his whereabouts to conceal his extramarital affair (Gallagher, 2011).

[15] As previously mentioned, insiders can appear in many guises, including as enterprises or even
as states. Consequently, also entire enterprises or even states can commit intentional
misconduct. In the context of sports misconduct, reference can be made to the
team-orchestrated doping scheme of Festina that overshadowed the 1998 Tour de France (Van
Cauwelaert, 1998), or the state-orchestrated doping scheme in Russia (Duval, 2017).

The origin of the insider hazard-insider threat terminology stems from the
distinction between safety and security, whereby ‘hazards’ are generally related
to safety and ‘threats’ are generally related to security (Albrechtsen, 2003; Jore,
2019). Although Jore (2019: 159) acknowledges that “there exists no academic
consensus definition of security”, she (perhaps inadvertently) summarizes that
safety and security can be regarded from the two previously mentioned
perspectives. On the one hand, she states that “scholars claim that the difference
between security and safety lies in whether the incident is inflicted intentionally
or not; safety risks are characterized by being accidental e.g., industrial accidents
and security is intentional or deliberate” (ibid: 160). This interpretation of the
safety/security distinction corresponds with the privilege-oriented perspective.
On the other hand, Jore herself rather supports the interpretation that for instance
Van Nunen, Sas, Reniers, Vierendeels, Ponnet and Hardyns (2018) and Blokland
and Reniers (2018) recommend and that distinguishes safety from security based
on the intention to inflict harm, thereby using the harm-oriented perspective to
look at the safety/security demarcation. Or to put it in the words of Jore (2019):

“In both security and safety a violator could be present, but in the case of
security the violator has a malicious intent and deliberately aims to cause
harm. Accordingly, it is not sufficient to claim that safety is unintentional
and that security is intentional; it is the malicious intent that separates
safety from security. As a result, the demarcation between security and
safety should be drawn in terms of the dichotomy of non-malicious versus
malicious intent, not between intentional and unintentional” (ibid: 162).

As stated before, the basis of the insider threat conceptualization outlined
here is the privilege-oriented perspective, not the harm-oriented perspective.
Interpreting the safety/security distinction from a privilege-oriented perspective
implies that a distinction is made between intentional misconduct (with or
without the intention to harm) that is related to security, and unintentional
misconduct that is related to safety. Given that the dangers corresponding with
safety are usually denoted ‘hazards’ and the dangers associated with security are
usually referred to as ‘threats’ (Albrechtsen, 2003; Jore, 2019), I opted to refer to
insider hazards[16] if the insider unintentionally commits misconduct and refer to
insider threats if the insider intentionally commits misconduct. Table 2.2
summarizes the insider threat-insider hazard distinction.

[16] The term ‘insider hazard’ was also brought to my attention during a bilateral meeting with Prof.
dr. Genserik Reniers.

INSIDER THREAT: Intentional misconduct whereby the insider is able to comply with the
organizational norm but not willing to comply with it due to lack of trustworthiness
INSIDER HAZARD: Unintentional misconduct whereby the insider is willing to comply with the
organizational norm but not able to comply with it due to lack of competence

Table 2.2: Insider threat vs. insider hazard

2.3.2.2. Security insider threats, safety insider threats and safety insider
hazards

Although my choice to start the conceptualization from the privilege-oriented
perspective makes it appear that safety and security are perceived as two
separate fields, the safety/security distinction becomes less dichotomous when the
privilege-oriented perspective is combined with the harm-oriented perspective.
Combining both perspectives shows that perhaps it is better to perceive the
safety/security dichotomy as a continuum in which both fields can become
intertwined (see infra figure 2.3). At one extreme safety deals with incidents of
unintentional misconduct whereby the insider does not know that their actions
will harm the organization, so-called safety hazards. An example of a safety
hazard is the unintentional leakage of classified information to an unauthorized
person because the insider clicks ‘reply all’ instead of ‘reply’ (Probst et al.,
2010). At the other extreme, security deals with deliberate misconduct whereby
the insider knows that the misconduct will definitely cause harm, so-called
security threats. An example of a security threat is the intentional leakage of
classified information to a criminal organization (Hiroux, 2020).
However, Jore (2019) suggested another interesting term, namely ‘safety
threats’ (ibid: 162), referring to workers that violate safety procedures as an
example. Therefore, in the middle of the safety-security continuum, safety and
security become intertwined and deal with deliberate misconduct whereby the
insider knows that the misconduct might possibly cause harm to the organization.
An example of a safety threat is the unintentional leakage of classified
information to an unauthorized person because the insider is negligent, like the
employee from contractor Balfour Beatty that refrained from safely storing the
building plans of the new headquarters of the British security service MI6 and
that subsequently lost the plans (Warrel & Wright, 2019).
Whereas both security threats and safety threats concern deliberate
misconduct, the difference between the two lies in the insider’s knowledge about
the consequences of their actions. In case of a security threat, the insider is sure
that their misconduct will definitely harm the organization. In case of a safety
threat, on the other hand, the insider knows that their deliberate misconduct might
possibly cause harm to the organization. For example, compare the three
employees of a cable railway in Italy that deliberately sabotaged the emergency
braking system to prevent delays that were frequently occurring due to the system
(Decré, 2021) with the insider that deliberately sabotaged nuclear reactor Doel 4
(Bové, 2021b; FANC, accessed on 25/11/2021). In case of the latter, the insider
is 100% sure that the sabotage will harm the organization, whereas in case of the
former the insiders are aware that the possibility exists that the sabotage causes
harm, are willing to take that risk and simply hope the negative consequences do
not occur. Unfortunately, the negative consequences did occur in this specific
case because the cable railway was broken and the emergency braking system
could not be activated, resulting in the death of 14 people (Decré, 2021). In case
of safety hazards, to conclude, the insider simply does not know that their actions
will harm the organization and therefore does not pose an insider threat but rather
an insider hazard. Table 2.3 summarizes the distinction between security threats,
safety threats and safety hazards.

SECURITY INSIDER THREAT: Intentional misconduct whereby the insider knows the action will
definitely cause harm
SAFETY INSIDER THREAT: Intentional misconduct whereby the insider knows the action might
possibly cause harm
SAFETY HAZARD: No intentional misconduct whereby the insider does not know the action
causes harm

Table 2.3: Security threats, safety threats and safety hazards

2.3.2.3. Expressive insider threats vs. instrumental insider threats

The distinction between security threats, safety threats and safety hazards
to a large extent corresponds with the distinction made by Information Security
Forum (2015: 2) that separates malicious, negligent and accidental insiders and
that was discussed in section 2.2.3 of this chapter. Still, I pointed out before that
I’m hesitant to use the term ‘malicious’ because this term is ambiguous and
therefore often misused. While most scholars would indeed refer to security
threats as malicious in nature, security threats are not only posed by malicious
insiders in the original sense of the word. To reduce this ambiguity and possible
confusion related to the malicious/non-malicious distinction, I suggest replacing
the concepts ‘malicious’ and ‘non-malicious’ with ‘expressive’ and
‘instrumental’ respectively. Drawing upon Willison and Warkentin’s (2013)
distinction between expressive crimes and instrumental crimes, whereby
expressive crimes are crimes where “(…) the actual commission [of the crime] is
considered an end in itself (…) [with] no additional goal to be met” (ibid: 9) and
instrumental crimes are crimes that “focus on achieving a goal where the criminal
act is viewed as a means to an end” (ibid: 9), expressive security insider threats
can be differentiated from instrumental security insider threats based on the
question whether causing harm to the organization is a goal in itself or a means
to achieve another goal.
Security insider threats that are principally aimed at causing harm to the
organization are considered to be expressive security insider threats. In case of
expressive security insider threats, the organization is a deliberate victim that
from the perspective of the insider deserves to be harmed. The insider’s mission
is only accomplished when the organization is hurt, making harming the
organization the main objective. An example of an expressive security insider
threat is the former employee from UK supermarket chain Morrisons who
publicly leaked confidential information out of revenge (Ring, 2015). In contrast,
instrumental security insider threats are a more pragmatic choice to harm an
arbitrary organization based on an “it is the end that justifies the means”
mentality, implying that any means, even those that inflict harm on the
organization, can be used to reach the insider’s ultimate objective. For example
insiders that deliberately steal from their employer because they see no other way
out of their financial difficulties, like the police officer who stole and sold
truncheons, alarm pistols and bulletproof vests to pay his financial debts (Stacius,
2021), are security threats, but are, perhaps counterintuitively, not malicious in
nature. The same goes for coerced insiders whose families are taken hostage and
are forced to take part in a heist, like in the case of the 2004 Northern Bank
robbery (BaMaung et al., 2018). In all examples discussed above, the insiders
certainly know that their actions will have negative consequences for the
organization (i.e. security threat), but only in the expressive example the insider
has a real desire to harm the organization, which is the decisive criterion for
labeling something ‘malicious’. Instead, the negative consequences related to the
deliberate misconduct in the instrumental examples can be perceived as
‘collateral damage’ necessary to meet another objective, namely the reduction of
financial debts or the safekeeping of family members. Because categorizing the
instrumental examples as ‘non-malicious’ would be counterintuitive and may
lead to confusion, it is better to speak of expressive vs. instrumental insider
threats than of malicious vs. non-malicious insider threats.
For the sake of completeness, in contrast to security insider threats which
can either be expressive or instrumental, safety insider threats are by definition
instrumental because insiders posing safety threats never have the desire to harm
the organization. These insiders always commit misconduct to achieve another
objective, accepting the possibility of harm to the organization. Safety hazards,
on the other hand, are neither expressive nor instrumental because the misconduct
committed by the insider is unintentional and therefore serves no specific
purpose. The expressive-instrumental distinction will be further elaborated on in
chapter four. Table 2.4 summarizes the distinction between expressive insider
threats and instrumental insider threats.

EXPRESSIVE INSIDER THREATS: Intentional misconduct whereby the organization is a deliberate
victim of the misconduct and the harm resulting from it is a goal in itself.
INSTRUMENTAL INSIDER THREATS: Intentional misconduct whereby the organization is an arbitrary
victim of the misconduct and the harm resulting from it is a means to achieve another goal.

Table 2.4: Expressive insider threats vs. instrumental insider threats

2.3.2.4. Summary of the conceptualization

Figure 2.2 provides a schematic overview of the insider threat
conceptualization outlined above, clearly indicating the scope of the insider threat
concept (i.e. the blue boxes). It shows that insider action consists of action related
to the insider privilege (i.e. conduct) and action not related to the insider privilege
(i.e. behavior). Furthermore, it illustrates that in both cases insiders can either
comply with or deviate from the organizational norms, whereby deviance from
specific organizational norms results in misconduct and deviance from general
organizational norms results in misbehavior, the latter not being taken into
account when constructing the insider threat concept. In turn, misconduct can be
divided into unintentional misconduct, denoted insider hazards, and intentional
misconduct, denoted insider threats.

Insider action
  Conduct
    No misconduct
    Misconduct
      Insider threat
        Security insider threat
          Expressive security insider threat
          Instrumental security insider threat
        Safety insider threat
          Instrumental safety insider threat
      Insider hazard
        Safety hazard
  Behavior
    No misbehavior
    Misbehavior

Figure 2.2: Summary of the insider threat conceptualization

In conclusion, I recommend dividing misconduct committed by insiders
into four categories, summarized in figure 2.3: (1) Expressive security insider
threats, referring to incidents of intentional misconduct whereby the insider
knows that the deliberate misconduct will definitely cause harm to the
organization and whereby the harm to the organization is a goal in itself; (2)
Instrumental security insider threats, referring to incidents of intentional
misconduct whereby the insider knows that the deliberate misconduct will
definitely cause harm to the organization but whereby the harm to the
organization is not a goal in itself but rather a means to achieve another goal; (3)
Instrumental safety insider threats, referring to incidents of intentional
misconduct whereby the insider has no desire to harm the organization but
deliberately commits misconduct to achieve another goal knowing that this
deliberate misconduct might possibly cause harm to the organization; and (4)
Safety insider hazards, referring to incidents of unintentional misconduct
whereby the insider does not know that the actions will harm the organization.

Figure 2.3: Four categories of misconduct

2.4. Advantages
Although I acknowledge that every conceptualization has its
imperfections and that other conceptualizations of the insider threat problem
exist, I argue that the conceptualization suggested here forms a better building
block of the dissertation in comparison to the existing conceptualizations that
solely draw upon the harm-oriented malicious/non-malicious distinction, that
solely use the privilege-oriented perspective or that combine both perspectives
into three categories of insider threat. In section 2.2 of this chapter I already
outlined the pitfalls of these existing conceptualizations, and here I will explain
first why the novel conceptualization outlined in this chapter is more suitable than
the existing conceptualizations and second why the conceptualization is
beneficial in terms of policies on insider misconduct.
2.4.1. Compared with existing conceptualizations

Regarding the harm-oriented perspective and the resulting distinction
between malicious and non-malicious incidents, I criticized both the narrow
conceptualization that only concentrates on the malicious insider threat, and the
broad conceptualization that takes into account all actions insiders wittingly or
unwittingly take that inflict harm on the organization. The novel
conceptualization suggested here not only refrains from using the often
misinterpreted terms ‘malicious’ and ‘non-malicious’, but also finds the golden
mean between the narrow and the broad interpretation. It proposes an alternative
conceptualization that can be perceived as a middle course between the
definitions that are limited to the malicious insider and that do not encompass the
whole spectrum of insider misconduct, and the definitions including unwitting
insider actions that increase the risk of turning insider threat into a container
concept.

Regarding the existing definitions originating from the privilege-oriented
perspective, I previously argued that the definitions provided by scholars that
have already applied a privilege-oriented perspective leave too much room for
interpretation because they either refrain from eliminating the unintentional
misuses of privilege from the insider threat concept or do not adequately indicate
whether the unintentional misuses fall within the scope of the insider threat
concept. Also, I questioned the definitions used by on the one hand Ho et al.
(2018) and on the other hand Bell et al. (2019) and Guido and Brooks (2013)
because the former does not distinguish misconduct from misbehavior and the
latter uses too specific terms to cover the whole insider threat spectrum. It is
argued that the novel conceptualization suggested here to a large extent reduces
the interpretability of insiders and insider conduct.
Concerning the first group, Pfleeger (2008) states that “because the word
‘threat’ has a negative connotation, some people would understandably not
ordinarily use it to describe unintentional or non-malicious behavior. We must be
especially careful when using the term ’insider threat’ to be sure our meaning is
not misconstrued and insiders are not offended” (ibid: 8). The distinction between
insider hazards and insider threats outlined in this chapter addresses this concern
as it differentiates insiders that unintentionally misuse their access or knowledge,
or insiders that act in good faith, from insiders that deliberately choose to misuse
their access or knowledge, or insiders that make a willful decision to deviate from
a specific organizational norm. In contrast to the definitions that include
unintentional misconduct, the conceptualization in this article refrains from
putting all incidents involving an insider under the same insider threat umbrella.
Concerning the second group, it is argued that although it can be
implicitly deduced from the definitions of for instance Sokolowski et al. (2016),
the Commonwealth of Australia (2014), Greitzer et al. (2012), Padayachee
(2016) and Gelles (2016) that unintentional misuses of privilege are not included
in the definition of insider threat, it is better to have an unambiguous definition
that explicitly defines the scope of the insider threat concept. Pfleeger (2008: 8)
correctly indicates that “we need standard definitions of insiders and insider
behavior so studies and discussions can compare”. Although I acknowledge that
every definition is susceptible to ambiguity and grey areas (Steneck, 1994), I
argue that the present conceptualization of insider action to a large extent
eliminates the ambiguity around both the intentionality of the insider’s misuse of
the privilege and the insider’s intention to harm. As a consequence, my
conceptualization reduces the interpretability of insiders and insider conduct,
increasing the comparability of insider threat research.
In comparison with the definition suggested by Ho et al. (2018), my
conceptualization distinguishes misbehavior from misconduct and excludes
misbehavior from the insider threat concept. This is desirable because the
organization’s ability to develop policy is limited to misconduct and because the
impact of misconduct is higher than the impact of misbehavior (Dejonghe, 2005).
On the one hand, the organization’s ability to develop policy against misbehavior
is minimal, as an organization has few means to manage the personal life of its
insiders. In contrast, the ability to work out policy against misconduct is more
extensive, given that the organization has more tools to administer insiders’ use
of the privilege. To pick up on the examples given earlier on insiders that steal,
an organization can develop policy to prevent employees from stealing company
property, but it can to a lesser extent develop policy to prevent employees from robbing
a bank in their spare time (Cools, 1994; Dejonghe, 2005).
On the other hand, it is believed that misconduct will probably have a
higher impact on the organizational assets than misbehavior. Misconduct can
have a direct impact on company property by negatively affecting the
confidentiality, availability or integrity of the organizational assets (Cole & Ring,
2006; Nurse et al., 2014; Sarkar, 2010). This direct impact is absent in case of
misbehavior. Misconduct can also have an indirect impact by negatively
influencing the organization’s reputation, given that the possibility exists that the
general public will equate the trusted insider with the organization they work for
and will depreciate the organization for trusting those kinds of individuals.
Although reputational damage might also originate from misbehavior, it is
assumed that the reputational damage resulting from misconduct is more
extensive than that arising from misbehavior because the organization is
perceived to bear more responsibility in case of the former. In other words, it is
presumed that in case of misbehavior, the focus will be on the vicious employee
with the organization perceived as a victim, while in the case of misconduct, the
proneness of the organization to fall victim to the misconduct will be discussed
too, with people wondering what the organization did wrong to allow the insider
to commit misconduct. For the sake of clarity, it is not advocated that
misbehavior has a negligible impact or that it should be tolerated, especially
because since the emergence of social media organizations are increasing their
attention for misbehavior on those channels with social media policies that can
reprimand or even dismiss insiders that deviate from general organizational
norms[17] (Dapaah, 2022; Schillewaert, 2022). Still, besides the fact that only
misconduct is related to the ‘insiderness’, both the extensive ability to develop
policy and the higher negative impact of misconduct make that insider threat
(policy) has to be concentrated on misconduct rather than misbehavior.

[17] Examples of situations where the organization did not tolerate misbehavior on social media are
a politician that was suspended for racist comments on Facebook (Mertens, 2022) or a
professor that was fired because of sexist TikTok videos (Dapaah, 2022; Schillewaert,
2022).

In comparison with the definition used by Bell et al. (2019) and Guido
and Brooks (2013), the present conceptualization uses terminology that covers
the entire spectrum of insiders (i.e. individuals like employees, contractors and
interns, but also organizations or even countries) and insider threat (i.e. not a
cyber-specific definition).
To conclude, the conceptualizations originating from the combination of
the harm-oriented perspective and the privilege-oriented perspective resulted in
three categories of insider misconduct that were all perceived as different types
of insider threat and are therefore subject to the same criticism as the broad
interpretation of the harm-oriented perspective. In contrast, the novel
conceptualization also covers the whole range of insider misconduct, but this time
without making the insider threat concept a catch-all term that results in
difficulties to develop adequate policies on insider misconduct. In the next
section, I will further elaborate on the benefits of the novel conceptualization in
terms of insider misconduct policy.
2.4.2. Advantages in terms of policy on insider misconduct

“Some people may object that this [conceptualization] is merely a
terminological quibble, that one can, after all, define terms any ways he wants
to” (Becker, 1963: 14). Although there may be some truth in it, I argue that the
present conceptualization adds value from a policy point of view. First of all, the
distinction between insider hazard and insider threat is worthwhile because they
both raise different policy questions. Insider hazard policy concerns awareness
of the specific organizational norms and competence to adhere to these norms, or
concentrates on communication, education and training. Insider hazard policy is
focused on finding ways to communicate the organization’s expectations
regarding the appropriate use of the insider privilege so that insiders are aware of
these specific organizational norms. Moreover, it is concentrated on ensuring that
insiders have enough skills to be able to adhere to the norms. The organization
should therefore educate insiders to make sure that they know how they are
supposed to use the privilege that is provided to them, and train them so that they
are able to do it.
Insider threat policy, on the other hand, relates to enforcement and
internalization of the norm, or to compliance and persuasion (Siponen, 2000).
Insider threats refer to insiders that are already aware of the expectations of the
organization and already have the competence to comply with them, but wittingly
choose to deviate from these expectations. Therefore, insider threat policy is not
a question of awareness, communication, education or training, but of motivation
to comply with or deviate from the specific organizational norms. Insider threat
policy is concentrated on making sure that insiders do not “lack the motivation
to conform to normative expectations of the social context or become motivated
to violate those expectations” (Robinson & Bennett, 1995: 556). Motivation to
adhere to the organization’s expectations of appropriate conduct can be extrinsic,
whereby compliance is enforced through positive and negative sanctions, but in
the end the goal should be to persuade insiders of the appropriateness and the
usefulness of the organizational norms so that they internalize the norms and
adopt the organizational culture. Think for instance of the transport firm that,
despite reservations at the announcement, was able to convince its employees to
implement a camera system in the driver’s cabin (Verstuyft, 2020). In other
words, the eventual objective is not compliance through enforcement, but
through acceptance (Chipperfield & Furnell, 2010; Siponen & Kajava, 1998;
Siponen, 2000).
Although compliance with specific organizational norms is the
organization’s main goal, not all insiders will comply with the norms all the time.
Insider threat policy should therefore not solely think about prevention via norm
enforcement and norm internalization, but should also take into account the
aftermath of the insider threat incident. In an analogy with Dekker (2017), who
makes a separation between a guilt-phase and a penalty-phase, the present
conceptualization divides insider threat policy in an accountability-phase and a
culpability-phase, but adds a third phase denoted trust repairability. While the
accountability-phase examines whether the misconduct was intentional and
whether or not the insider should be held accountable for it, the culpability-phase
examines the culpability of the insider or determines whether the insider is
“worthy of blame” (McCall & Pruchnicki, 2017: 145). The trust-repairability-
phase, to conclude, determines to what extent the trust relationship between the
insider and the organization can be restored, or to what extent the organization
can forgive the offender (Finkel, Rusbult, Kumashiro & Hannon, 2002; Lewicki
& Bunker, 1996).
To start with, the privilege-oriented part of the conceptualization is based
upon a question of accountability, which is absent in case of insider hazards but
which is required in case of insider threats. Accountability means that the insider
is expected to thoroughly explain and defend their decision to intentionally
misuse the insider privilege (Lewicki & Bunker, 1996; McCall & Pruchnicki,
2017). Applying a privilege-oriented perspective to separate insider hazards from
insider threats actually advocates that insiders should be held accountable “not
necessarily for the outcomes they create, but for the choices they (supposedly)
make while doing their work” (Dekker, 2017: 2). In case of an insider hazard, the
insider did not wittingly deviate from the organizational norm and therefore acted
in good faith. As a result, the insider should not be held accountable because they
had benevolent intentions. For the sake of clarity, absence of accountability does
not alter the fact that it is still beneficial to have a debriefing with the insider to
analyze the circumstances that made the insider hazard happen. In this way, the
organization can learn from it and prevent it from happening again via additional
education and/or training (De Vleeschauwer, 2019).
In the case of intentional misconduct, the insider cannot invoke good faith
as an argument, as they are aware that their conduct deviates from the specific
organizational norm. Therefore, insiders that deliberately go against
organizational norms should be held accountable, even when the deviation is not
intended to harm the organization. The fact that the insider is aware that they
misuse their access/knowledge also implies that they are aware, or at least are
expected to be aware, of the (potential) negative consequences that misuse
entails. An insider that wittingly continues to commit misconduct while knowing
the possible harm that is associated with it, should be held accountable.
Even though insiders that wittingly deviate from an organizational norm
without harmful intentions are included in the insider threat conceptualization, I
do not urge demonizing or naming and shaming these insiders (Wall, 2013). Apart
from the privilege-oriented part that is based upon accountability, the present
conceptualization also includes a harm-oriented part that is based upon a question
of culpability (McCall & Pruchnicki, 2017). Whereas accountability means that
the insider is expected to thoroughly explain and defend their decision to misuse
the insider privilege, culpability judges the validity of the insider’s arguments
(Lewicki & Bunker, 1996; McCall & Pruchnicki, 2017). To put it in another way,
being accountable means that the insider is questioned on the incident, while
being culpable means that the insider can be blamed and disciplined for the
insider threat incident.
It could thus be that an insider is held accountable for their intentional
misconduct, but is not found culpable because they had a valid reason for the
misconduct. To pick up on the example of witting misconduct in sport, reference
can be made to the Salbutamol affair of British cyclist Christopher Froome.
Froome was accused of drug abuse because his test revealed abnormal levels of
Salbutamol, after which he admitted that he took extra Salbutamol on the day of
the test (Ingle & Kelner, 2017; Ingle, 2017). Nevertheless, the governing body of
cycling deemed Froome not guilty, thereby judging he had a valid reason to take
the extra Salbutamol (Ingle, 2018).
The culpability-phase of the insider misconduct is subsequently followed
by the trust-repairability-phase where the goal is to find out what the appropriate
response is to the intentional misconduct or to determine whether the offender
can be forgiven (Finkel et al., 2002; Lewicki & Bunker, 1996). Trust
repairability only takes place if the organization perceives that the insider can be
forgiven, and forgiveness can take place in a retributive or restorative way
(Dekker, 2017). Retribution means that justice originates from punishing the
insider. To put it in a different way, the harm to the organization is compensated
by harming the culprit as a kind of payback. Instead, a restorative response creates
trust repairability “not by blaming people, but by getting people actively involved
in the creation of a better system to work in” (Dekker, 2009: 183). Misconduct
can be based on flaws in the organization’s culture or policies (Wall, 2013). In
other words, the violation of the organizational norm might indicate that the norm
itself is inconclusive. Hence, restorative trust repairability ensures that the
organization “[listens] to the voice from below—from those who have to get the
job done” (Dekker, 2017: 8). It functions as a learning mechanism, or an
indication of the validity of the organizational norms. If the insider has valid
arguments to deviate from the organizational norm, it could be an indication that
the norm needs revision. Restorative response therefore corresponds with a duty
for the insider to contribute to the revision of the norm. In short, while retribution
emphasizes payback and retaliation, restoration concentrates on ensuring the
engagement of the insider in the improvement of the organization’s framework
of organizational norms in order to increase the future adherence to the
organizational norms and avoid prospective violations that inflict harm to the
organization. Table 2.5 summarizes the policy implications of the present
conceptualization. The insider threat aftermath will be further elaborated on in
chapter seven.
ACCOUNTABILITY PHASE: The insider is expected to thoroughly explain and
defend their decision to intentionally misuse the insider privilege.

CULPABILITY PHASE: Judgement of the validity of the insider’s arguments to
determine whether the insider can be blamed and disciplined for the
intentional misconduct

TRUST REPAIRABILITY PHASE: Determine to what extent the trust relationship
between the insider and the organization can be restored, or to what extent
the organization can forgive the offender

Table 2.5: Policy implications of the insider threat conceptualization

2.5. Limitations
Notwithstanding the advantages, it is acknowledged that the
conceptualization is limited by some weaknesses. Firstly, it starts from the
assumption that it is easy to draw a red line between acceptable and unacceptable
behavior regarding the use of the insider privilege. However, it is nearly
impossible to draw an indisputable line between appropriate and inappropriate
conduct (Dekker, 2009; Dekker, 2017). In reality, insiders are confronted with
unforeseen circumstances for which they are not prepared, meaning that they
have to make a judgement on imperfect information and use the available
information to interpret the red line. It is therefore impractical to think that each
course of action of personnel can be perfectly directed by the organization
(Pfleeger, 2008; Probst et al., 2010). It is recognized that the red line between
acceptable and unacceptable behavior is difficult to draw and that there are not
only black and white areas but also grey ones. Moreover, it is true that not all
conduct of insiders can be exactly prescribed as they are confronted with
unforeseen events. This means that insiders need a certain degree of freedom
while on the job, or “room for maneuvering” (Dekker, 2009: 183), that gives
them the opportunity to make their own choices. Nevertheless, “the concept of
misuse is meaningful only with respect to a policy that defines what usage is
acceptable and what is not” (Neumann, 2010: 19). The fact that it is difficult to
draw the line does not mean that no attempt should be made to do it. As Guido
and Brooks (2013: 1832) argue, “security policies should outline responsibilities
and acceptable use for an organization’s users”. Trying to provide insiders with
directions on how to handle organizational assets at least beats the alternative
situation of anarchy in which insiders are allowed to do whatever they want.
Furthermore, the conceptualization emphasized the importance of the
accountability phase that allows the insider to explain their decision to commit
misconduct.
Secondly, norms are (sometimes) ambiguous. This vagueness might lead
to a discrepancy between the interpretation of the norm by the insiders and the
interpretation of the norm by the organization and could give insiders the
propensity to refute their awareness of the norm. One could therefore wonder
why the conceptualization is not based on rules instead. The answer is that it is
impractical and undesirable for an organization to translate all expected conduct
in rules and regulations. In contrast, the organization counts on its organizational
culture to guide the conduct of its insiders, whereby norms function as a reflection
of this organizational culture (Von Solms & Von Solms, 2004). As stated before,
the ultimate objective of an organization is not enforcement of organizational
rules, but rather acceptance and internalization of organizational norms. The
organization wants to persuade the insiders with argumentation and justification
into accepting the organizational norms, rather than to hegemonically enforce a
regulatory framework without their buy-in (Siponen & Kajava, 1998; Siponen,
2000). The ultimate recommendation for organizations is thus to develop “work
arrangements that afford high degrees of autonomy to individuals who base their
decision making on internalized norms of appropriate practice” (McCall &
Pruchnicki, 2017: 14). Again, reference can be made to misconduct in sports, and
more precisely to cycling. It is an unwritten rule that cyclists from the same team
cooperate and refrain from chasing teammates (Pauli, 2011). It can be assumed
that cyclists that let self-interest prevail over the interest of the team do not violate
an official rule, but rather sin against an informal norm. In other words, the
organization’s expectation to think in terms of group interest is probably not
officially translated into formal rules and regulations but is still part of the
organizational culture. Deviations from this organizational norm should be
considered an insider threat, not least because it might lead to considerable
sporting losses (Pauli, 2011), as well as corresponding financial losses.
Lastly, the entire conceptualization depends on the ability to
“recognize—objectively, unarguably—willful violations, negligence, or
destructive acts” (Dekker, 2017: 3). In other words, insiders have the opportunity
to claim that the specific organizational norm deviation was unintentional,
because it was an accident, because they were not aware of the norm or because
they lacked skills to comply with the norm, while they in fact were aware of the
prescribed guidelines and were competent to comply with them but deliberately
chose to commit misconduct. Furthermore, the chapter draws upon the
assumption that organizations provide insiders with clear guidance on how to
conduct themselves in an appropriate way, which will not always be the case (Chipperfield
& Furnell, 2010; Neumann, 2010). Although this shortcoming is acknowledged,
it is argued that in most instances the organization can accurately evaluate
whether the insider’s misuse of privilege is witting or not, as well as whether the
claim of unawareness or incompetence is credible or not (Ho et al., 2018; Probst
et al., 2010). By any means, it should be the organization’s first objective to
properly inform its insiders on the specific organizational norms that prescribe
the way in which the insider has to use the privilege as well as to properly train
them so that they are able to adhere to the norms. The organization should
communicate to its insiders in a clear way which conduct is expected to make
sure they are aware of the applicable organizational norms, and should train them
to acquire the necessary skills that enable norm compliance (Gundu &
Flowerday, 2012). If the organization can succeed in this ambition, insiders have
no opportunity to assert that they are unaware of the norm or incompetent to
comply with it, eliminating the possible ambiguity. Moreover, it should be
mentioned that the same setback applies to the harm-oriented conceptualizations
that focus on the maliciousness of the insider, as the determination of malicious
intent is also subjective rather than objective.
In sum, it is advocated that the advantages of the present
conceptualization outweigh the shortcomings. It addresses the negative aspects
of the existing conceptualizations while simultaneously covering all harmful
insider incidents that the organization can face and addressing the variation
within the insider threat concept.
2.6. Conclusion
This chapter suggested a new conceptualization of insiders and insider
threats. It started with an outline of the deficiencies of the existing
conceptualizations, elaborating on the conceptualizations solely based on the
harm-oriented perspective, the ones solely based on the privilege-oriented
perspective and the ones based on a combination of both perspectives. Existing
harm-oriented conceptualizations that are limited to the malicious insider (i.e.
narrow ones) do not encompass the whole spectrum of insider threats, while the
ones including unwitting insider actions (i.e. broad ones) increase the risk of
turning insider threat into a container concept. Existing privilege-oriented
conceptualizations either mirror the broad harm-oriented conceptualizations or
leave too much room for interpretation for the reader, making it difficult to
compare insider threat research. Existing conceptualizations originating from a
combination of both perspectives too mirror the broad harm-oriented
conceptualizations since all three types of insider misconduct are included in the
insider threat concept. Consequently, a new definition of insiders and insider
threat was proposed, defining the insider as an actor who is or used to be trusted
by the organization with the free privilege of access to and/or knowledge about
the organizational assets, and the insider threat as the possibility that an insider
causes harm to the organization because they intentionally misuse their access to
or knowledge about the organizational assets.
The novel conceptualization distinguished misconduct, or misuse of
access to or knowledge about the organizational assets, from misbehavior, or
inappropriate behavior not related to the insider privilege, and sub-divided
misconduct into insider hazards and insider threats based on the intentionality of
the misconduct. In turn, insider threat was divided into security insider threats
whereby the insider knows their action will definitely cause harm to the
organization and safety insider threats whereby the insider knows their action
might possibly cause harm. Moreover, as an alternative to the
‘malicious’/‘non-malicious’ distinction, I suggested replacing the concepts with ‘expressive’ and
‘instrumental’ respectively, whereby expressive means the harm to the
organization is a goal in itself and instrumental means the insider harms the
organization to achieve another goal. In conclusion, I recommend distinguishing
four categories of insider misconduct, namely expressive security insider threats,
instrumental security insider threats, instrumental safety insider threats and
safety insider hazards.
Throughout the chapter, several times reference was made to trust and
trustworthiness, without properly elaborating on these concepts. As a result, the
next chapter will address in greater detail the trust relationship between an
organization and its insiders, who respectively operate as truster and trustees, as
well as the related concepts of insider trustworthiness and betrayal.

Chapter 3

Understanding insider trust(worthiness) and betrayal

3.1. Introduction
In the previous chapter it became clear that I endorse Malik’s (2020: 6)
plea to “reframe [the insider threat] away from the traditional definitions of
exploiting vulnerabilities, but rather as people who abuse the trust the company
places in them”. In this chapter, I will open the black box of ‘trust’ by examining
the trust relationship between an organization and its insiders. Trust refers here
to “confident prediction of appropriate behavior” (Hawley, 2019: 8). It is
interpreted as a unidirectional (Mayer, Davis & Schoorman, 1995) three-place
relation (Baier, 1986; Hawley, 2014), whereby a truster (1) trusts a trustee (2) to
perform a task (3). Applied to the employment context, the organization acts as
truster (1) that trusts the insider, who operates as trustee (2), to use the insider
privilege in accordance with the organizational norms (3).
In chapter two it was mentioned that the trust relationship between an
insider and their organization consists of two types of trust, namely specific trust
and general trust (Wright, 2010). In case of specific trust, the organization
expects adherence to specific organizational norms that guide the insider on how
to conduct or use the insider privilege. In case of general trust, the organization
expects adherence to general organizational norms (i.e. societal norms) that are
unrelated to the insider privilege and that guide the insider on how to behave in
general. In this chapter, I will predominantly focus on specific trust, unless
otherwise stated.
Adapted to the terminology used in this dissertation, trust thus refers to
the confident prediction of appropriate insider conduct. Trust is pivotal in an
employment relationship (Castaldo, Premazzi & Zerbini, 2010; Lewicki &
Bunker, 1995; Searle, 2013). Since “trust can only be present in an environment
where disloyalty is possible” (Carney, 1994: 21), and since organizations cannot
exert full control over the conduct of their insiders (Bijlsma & Koopman, 2003;
Blodgett, 2010), disloyalty is possible in an employment context. Even with
employment contracts, the organization cannot be certain that the insider will
always comply with the specific organizational norms (Baier, 1986; Williamson,
1993), given that “they are open-ended [because] the employee promises to obey
commands within some realm of task activities with the details allowed to float
with the circumstances” (Moberg, 1997: 43). As a result, organizations have to
trust insiders, expecting them to use the insider privilege in an appropriate way
but simultaneously accepting vulnerability to their “possible but not expected ill
will (or lack of good will) toward [the organization]” (Baier, 1986: 235). This
makes risk of insider misconduct a consequence of trust (Isaeva, Hughes &
Saunders, 2019; Kee & Knox, 1970; Mayer et al., 1995; Rousseau, Sitkin, Burt
& Camerer, 1998).
Trust is an action performed by the truster (Dietz & Den Hartog, 2006;
Kee & Knox, 1970), an action whereby the truster takes a risk. Indeed, “trust (…)
presupposes a situation of risk. You may or may not buy a used car which turns
out to be a ‘lemon’. (…) You can avoid taking the risk, but only if you are willing
to waive the associated advantages” (Luhmann, 2000: 98). In a similar vein,
organizations can (at least theoretically) refrain from hiring insiders if they are
willing to renounce the benefits that originate from that employment. In practice,
however, refraining from trust in the first place is impossible. Organizations have
no choice but “to allow people to get into positions where they can, if they
choose, injure what [the organization] cares about, since those are the same
positions that they must be in order to help [the organization]” (Baier, 1986: 236).
Trusting insiders might thus significantly benefit organizations if the insider is
trustworthy (Deutsch, 1958; Searle, 2013), but the other side of the coin is that
organizations may recruit and employ an insider that in the end turns out to be a
‘lemon’ (Luhmann, 2000) that commits misconduct and inflicts harm on the
organization (Bailey, 2002; Deutsch, 1958).
In view of the foregoing, organizations separate the trusted insider-group
that contains individuals that are granted the insider privilege from the mistrusted
outsider-group that contains individuals that are not granted access to and/or
knowledge about the organizational assets. It is however still open to question
what determines whether or not an organization accepts an insider into its trusted
insider-group. It is argued here that deciding whether or not to trust depends on
two main factors (Colquitt et al., 2007; Mayer et al., 1995), namely the truster’s
propensity to trust and (the truster’s perception of) the trustee’s trustworthiness.
The latter is, however, less discussed in the literature, at least in comparison with
the former. Hardin (1996: 28) for instance indicates that “much of the literature
on trust hardly mentions trustworthiness even though much of it is primarily
about trustworthiness, not about trust”. Also Levine, Bitterly, Cohen &
Schweitzer (2018: 468) indicate that “existing trust research provides
surprisingly little insight into whom to trust. Rather than examining the actual
qualities that make a person trustworthy, prior investigations in economics,
organizational behavior, and social psychology have focused largely on what
makes people more or less trusting”. Reiersen (2019: 2) too emphasizes that the
literature made that scholars “now have a reasonably good understanding of what
trust is and why it is important. Much less research has been directed at
understanding the related, yet separate concept of trustworthiness”.
Also in an employment context, insider trustworthiness is often
understudied, at least in relation to insider competence. Or as Pearce (2000: 81)
puts it, “job relevant knowledge, skills, and abilities are critical to potential
workers' employability. Yet trustworthiness is a necessary and underappreciated
condition of employability”. Sinek (2019) too states that “the problem in business
is that we have lopsided metrics. We have a million-in-one metrics to measure
someone's performance, and negligible to no metrics to measure someone's
trustworthiness” (Sinek, 2019: 06:24). Organizations conventionally consider
insiders to be suitable for the job if they possess the necessary skills but often
neglect the question whether insiders will use these skills in the interest of the
organization (Beattie, 2019; Beattie & BaMaung, 2015), even though it is
probably easy to call to mind examples where skills were used against the
organization’s interest (Buechner et al., 2014; Morris & Moberg, 1994). Bunn
and Sagan (2016) refer to this ignorance as the Not In My Organization (or
NIMO) bias, whereby an organization recognizes the existence of insider
disloyalty in other organizations but dismisses the possibility that one of its own
insiders will conduct themselves in an untrustworthy way. They indicate that “like the
well-known NIMBY (Not in My Back Yard) phenomenon, whereby citizens recognize
the need to place hazardous materials somewhere but not near them, security
leaders may suffer from NIMO (Not in My Organization) biases” (ibid: 147).
NIMO thus indicates that organizations acknowledge the existence of the insider
threat in general, but (wrongly) believe that their organization is not vulnerable
to the insider threat.
Consequently, this chapter addresses this gap in the literature by
elaborating on the understudied trustworthiness component and the related
concept of betrayal of trust. After conceptualizing insider trustworthiness and
betrayal, it is outlined when insider misconduct is considered betrayal, both from
an organizational and a societal point of view. Subsequently, it is illustrated that
for pragmatic, rational or constructivist reasons organizations draw on
deterrence, stimulation, convention or internalization to presume insider
trustworthiness. Because insider trustworthiness should be assessed rather than
assumed, a conceptual model to assess insider (un)trustworthiness is developed
that helps to form a more accurate perception of the insider’s trustworthiness.
The chapter concludes with a discussion of the limitations of the
conceptualizations and the conceptual assessment model, followed by a
conclusion section.
3.2. Conceptualizing insider trustworthiness and betrayal
3.2.1. Conceptualizing insider trustworthiness

While the choice to trust is an action performed by the truster,
trustworthiness relates to the trustee, who has the choice of being either
trustworthy or untrustworthy (Dietz & Den Hartog, 2006; Kee & Knox, 1970).
As Deutsch (1958: 268) argues, a distinction can be made between the general
meaning of trustworthiness as “anything which can be trusted”, and a more
specific meaning of trustworthiness where it “implies that the trustworthy person
is aware of being trusted and that he is somehow bound by the trust which is
invested in him” (ibid: 268). Concerning trustworthiness in a general sense,
reference can be made to Mayer et al.’s (1995) ABI-model
(ability-benevolence-integrity). In an employment context, ability refers to the insider’s competence,
benevolence to the insider’s willingness to act in the interest of the organization,
and integrity to whether the principles the insider adheres to correlate with the
principles the organization prescribes. In contrast, interpreting trustworthiness in
a stricter sense emphasizes the benevolence and integrity component of the ABI-
model, relegating the ability component. This strict interpretation of
trustworthiness is for instance used by Tinsley (1996), who argues that the
aggregate of the trustee’s ability, benevolence and integrity does not display a
trustee’s trustworthiness, but rather a trustee’s source credibility. Tinsley (1996:
336) suggests that “certain people with high capabilities are not to be trusted.
Conversely, some trustworthy people have low capabilities and are ineffective”.
As a result, Tinsley urges distinguishing ability from integrity and benevolence,
whereby only the two latter components are taken into account to define
trustworthiness. In the remainder of the chapter, the strict interpretation of
trustworthiness will be followed, whereby trustworthiness is “understood in
terms of commitment – to be trustworthy is to live up to one’s commitments”
(Hawley, 2019: 23). Insider trustworthiness denotes a willingness to be
responsible to the trustor’s trust, whereby “being responsible to the trust of
another implies that the responsible person will produce ‘X’ (the behavior
expected of him by [the organization]), even if producing ‘Y’ (behavior which
violates the trust) is more immediately advantageous to him” (Deutsch, 1958:
268).
Organizations are in fact looking for what Merton (1938) refers to as
‘conformists’ in his strain theory (Monahan & Quinn, 2006). Once the
organization has selected a number of competent applicants whose ability
is above the organization’s satisfactory threshold, the organization should select
the insider that demonstrates a willingness to pursue the organizational goals with
the appropriate means. Therefore, the organization wants insiders that exhibit
benevolence and integrity, whereby the former refers to chasing the
organization’s “culturally defined goals, purposes, and interests” (Merton, 1938:
672) and the latter refers to doing it in accordance with the organization’s
“acceptable modes of achieving these goals” (ibid: 673).
Arguing that insider trustworthiness resembles conformism in the
Mertonian sense of the word does however not mean that the organization expects
the insider to be a string puppet (Blodgett, 2010). As mentioned before, a
complete prescription of the insider’s conduct is impossible, not even in the
employment contract (Baier, 1986; Moberg, 1997; Williamson, 1993). This
makes it difficult to draw an indisputable red line between acceptable and
unacceptable conduct (Dekker, 2009; Dekker, 2017), as was already mentioned
in chapter two of this dissertation (see section 2.5). Insider trustworthiness
therefore does not equal unconditional compliance (Wright, 2010), as it relates
to “the spirit rather than the letter of organizational regulations” (Moberg, 1997:
46).
Insiders need so-called “room for maneuvering” (Dekker, 2009: 183)
within their role as safekeeper of the organizational assets. The specific
organizational norms should thus not be interpreted as hegemonic rules that
insiders should unconditionally adhere to in all circumstances, but rather as
“work arrangements that afford high degrees of autonomy to individuals who
base their decision making on internalized norms of appropriate practice”
(McCall & Pruchnicki, 2017: 14). Specific organizational norms provide the
insider with an idea of the organization’s expectations, nonetheless leaving the
insider discretionary powers to judge what should be done to fulfill these
expectations (Baier, 1986; Bailey, 2002; Morris & Moberg, 1994; Reina & Reina,
2005), thereby acknowledging the fact that insiders usually encounter unforeseen
circumstances that induce them to act upon imperfect information.
Notwithstanding the degree of freedom to make their own decision on
how to adhere to the specific organizational norms, insiders are not given “carte
blanche to do as they wish” (Bailey, 2002: 9). Insiders can adhere to the specific
organizational norms in many ways, at least as long as “any fluctuations between
perceived intentions and actions does not exceed the [organization’s]
expectations” (Ho & Katukoori, 2013: 19).
In conclusion, inspired by Ben-Ner and Halldorsson’s[18] (2010: 65-66)
trustworthiness definition, which is adapted here to fit the trust relationship
between an organization and its insiders, insider trustworthiness refers to:

the willingness of an insider to act responsibly towards the organization,
when the organization has placed an implicit or explicit expectation to
properly use the insider privilege. The expectations are based on specific
organizational norms that do not entail a precise course of action in a
variety of situations, but provide the insider considerable room for
discretion as to what constitutes trustworthy conduct.

Willingness to be responsible towards the organization can originate
through different motivational cues, ranging from full extrinsic motivation to full
intrinsic motivation (Deutsch, 1958; Weibel, 2007). While the former refers to
trustworthiness that solely results from a positive or negative impetus, without a
determined intention to be trustworthy, the latter refers to trustworthiness that
due to internalization of organizational norms and values originates from an inner
drive to behave in a trustworthy way, irrespective of positive or negative stimuli
(Hawley, 2014; Weibel & Six, 2012). Whether the insider’s motivation should
be taken into account in the conceptualization of insider trustworthiness is
however subject to debate.
[18] Ben-Ner & Halldorsson (2010: 65-66) define trustworthiness as “the willingness of a person
B to act favorably towards a person A, when A has placed an implicit or explicit demand
or expectation for action on B. (…) In most situations the expectations are based on social
norms that do not entail a precise course of action in a variety of situations, providing B
considerable room for discretion as to what constitutes trustworthy behavior”.

On the one hand, Wright (2010: 625) for instance indicates that “when
we can see that there are other things that could motivate a trustee to comply, it
is less evident that their action is as a result of them considering the value of a
trusting relationship”. In this view, genuine trustworthiness solely corresponds
with an intrinsic motivation, as a “trustor increasing external pressures on
someone does not have the effect of making them more trustworthy, rather it
actually has the outcome of obscuring their motives, which means that it is harder
to tell how they have responded to the trust and consequently whether or not they
are actually being trustworthy” (ibid: 626). In this interpretation of
trustworthiness, living up to the commitment to the trustor is not enough, as the
honoring of the commitment has to come from the right motive. The
trustworthiness of the trustee is considered to be insincere not only when the
trustee does not complete the task they have committed themselves to, but also
when the honoring of the commitment results from an extrinsic motivation rather
than an intrinsic motivation. This interpretation is what Hawley (2014; 2019)
refers to as the ‘motive account’ of trustworthiness.
However, Hawley (2019) herself does not agree with interpreting
trustworthiness in this way. Instead, she is faithful to the so-called ‘commitment
account’ of trustworthiness, “not placing much weight on people’s motives for
living up to their commitments” (ibid: 23). In this interpretation of
trustworthiness, it does not matter whether the trustee lives up to their
commitment because they have an intrinsic motivation to honor it. Rather, it
simply matters that the trustee upholds their end of the deal, even if the trustee
lives up to the commitment out of pure self-interest (Hardin, 1996). In contrast
to the motive account where trustworthiness is considered to be genuine only if
the commitment is lived up to with the right motive, with the commitment
account “it is enough to behave in accordance with one’s commitment, regardless
of motive” (Hawley, 2014: 16), for trustworthiness to be considered genuine.
Given that this study concentrates on insider trustworthiness, interpreting
the concept in an employment context, the preferred interpretation of
trustworthiness is the commitment account. Hawley (2019: 24) correctly
stipulates that the “emphasis on the ‘right’ motives may be especially common
within intimate relationships. In the workplace, on the other hand, motives may
seem less important so long as things get done”. As a result, later in the chapter I
will not solely focus on intrinsic insider trustworthiness, but will equally touch
upon more extrinsic forms of trustworthiness.
3.2.2. Conceptualizing betrayal of trust

This chapter has so far elaborated on the definition of insider trustworthiness.
It was illustrated that insider trustworthiness relates to the insider’s willingness
to be responsible to their commitment to use the insider privilege appropriately,
represented by their benevolence and integrity, and that the motivation to be
willing can be either extrinsic or intrinsic. It is, however, of equal importance to
elaborate on the opposite situation of insider trustworthiness, namely insider
untrustworthiness or betrayal of trust.
Although Sitkin and Roth (1993: 371) indicate that “trust is violated to
the extent that expectations about context-specific task reliability are not met”
and Hawley (2019: 23) indicates that “to be untrustworthy is to fail to live up to
one’s commitments”, it is argued here that not all deviance from specific
organizational norms comprises betrayal. It is suggested here that “betrayal may
be said to have occurred when the victim believes that the perpetrator has
knowingly departed from the norms that are assumed to govern their relationship,
thereby causing harm to the victim” (Finkel et al., 2002: 957, emphasis added).
The focus of betrayal is not on the practical outcome of the misuse of the insider
privilege, but rather on the decision to wittingly commit misconduct (Elangovan
& Shapiro, 1998; Goold, 2002; Hawley, 2014; Ho & Katukoori, 2013; Morris &
Moberg, 1994). One can for instance refer to an insider of an intelligence agency
that acts as a double agent and attempts to sell classified information to an
undercover agent posing as a competitor (Anderson, 1994; Eoyang, 1994), like
the espionage case of Jonathan Toebbe who was arrested by the FBI when he
tried to sell sensitive information on US nuclear submarines to Brazil (Barnes,
Spigariol, Nicas & Goldman, 2022). Here, the practical damage is averted, as the
classified information remains within the organization, but the emotional damage
is nevertheless present due to the negative feelings associated with the insider’s
decision to intentionally commit misconduct. The example shows that “in cases
where we trust and are let down, we do not just feel disappointed, as we would if
a machine let us down. We feel betrayed” (Holton, 1994: 66). This feeling of
betrayal is rather absent in case of unintentional misconduct (Mishra, 1996),
because “when there is reason for the target [i.e. the organization] to believe that
the communicator [i.e. the insider] has good intentions (…) then the target [i.e.
the organization] is unlikely to be dramatically [emotionally] harmed” (Levine,
Roberts & Cohen, 2020: 39). Unintentionally spreading sensitive information to
unauthorized individuals, for instance because someone accidentally hits ‘reply
all’ instead of ‘reply’ (Probst et al., 2010), might result in practical damage and
disappointment, but not in a feeling of betrayal.
In view of the foregoing, it is suggested that betrayal of trust solely relates
to insider threats and not to insider hazards. As a reminder, it was argued in
chapter two that organizations are vulnerable to insider misconduct, which can
either be unintentional due to lack of competence, so-called insider hazards, or
intentional due to lack of trustworthiness, so-called insider threats. Putting the
insider threat-insider hazard distinction in the context of this chapter, insider
threat relates to the insider’s “commitments to do what they have undertaken to
do” (O’Neill, 2018: 294), while insider hazard relates to the insider’s
“competence to meet those commitments” (ibid: 294). Both insider threat and
insider hazard incidents can cause considerable practical harm to the
organization, but since betrayal does not concentrate on the practical harm, but
rather concentrates on the emotional harm related to an incident, it is suggested
here that betrayal of specific organizational trust solely relates to insider threats,
not to insider hazards. In other words, betrayal only refers to situations where
insiders wittingly violate the specific trust the organization placed in them when
they “lack the motivation to conform to the expectations of the truster or become
motivated to violate these expectations” (Elangovan & Shapiro, 1998: 550),
which only occurs with insider threat incidents.
Reina and Reina (2005) properly summarize my argument on betrayal of
trust in an organizational context, indicating that “when a person has honestly
tried to accomplish a task but failed because of lack of skill or aptitude, we may
feel let down, but their behavior is not a betrayal. It is not a betrayal in that they
were not acting in a self-serving manner. They simply did their best” (ibid: 71).
This is in line with my suggestion to not consider insider hazard incidents as
betrayal of trust, because the insider acted in good faith and had benevolent
intentions. They continue by saying that “if, however, the individual did have the
ability but chose not to use that talent, it is a betrayal. Knowingly failing to meet
expectations is an intentional breach of contractual trust” (ibid: 71). This is in
line with my suggestion to consider insider threat incidents betrayal of trust.
For the sake of completeness, it should be mentioned that the extent to
which the organization feels betrayed by the intentional misconduct will differ
from one incident to another. It is assumed that the feeling will be relatively
stronger in case of expressive security insider threats than in case of instrumental
safety insider threats, with the feeling of betrayal resulting from instrumental
security insider threats situated in between. I expect the feeling of betrayal to be
relatively strong in case of expressive security insider threats whereby the insider
has a desire to harm, for instance because they want to avenge themselves. In
contrast, I expect the feeling of betrayal to be relatively weak in case of
instrumental safety insider threats whereby the insider has no desire to harm the
organization but deliberately commits misconduct to achieve another goal, like
an insider that violates safety rules that are perceived as red tape in order to get
the job done more quickly. To conclude, I expect the feeling of betrayal to be
situated in between the previous examples in case of instrumental security insider
threats whereby the insider knows that the deliberate misconduct will definitely
cause harm to the organization but whereby the harm to the organization is not a
goal in itself but rather a means to achieve another goal, like a desperate insider
that steals out of financial necessity. Therefore, betrayal of trust should be viewed
as a continuum.
3.2.3. Insider trustworthiness and betrayal from a societal perspective

So far, insider trustworthiness and betrayal were studied from an
organizational perspective. However, both concepts can also be regarded from a
societal perspective (Tavani & Grodzinsky, 2014). Indeed, Robinson and Bennett
(1995: 556) stipulate that “the study of workplace deviance is distinct from the
study of ethics in that the former focuses on behavior that violates organizational
norms, whereas the latter focuses on behavior that is right or wrong when judged
in terms of justice, law, or other societal guidelines determining the morality of
behavior”. In other words, organizations expect insiders to comply with specific
organizational norms, even if these norms differ from norms prescribed by
society, whereas society expects insiders to comply with societal norms, even if
these norms differ from specific organizational norms prescribed by their
organization.
Insider trustworthiness and betrayal can thus be interpreted from two
main perspectives whereby the desirability of insider trustworthiness depends on
the applied perspective. Inspired by Robinson and Bennett’s (1995) distinction
between ethics and workplace deviance, from a societal perspective trustworthy
action (i.e. no betrayal of societal trust) is referred to in this dissertation as ethical,
while untrustworthy action (i.e. betrayal of societal trust) is referred to as
unethical. Similarly, from an organizational perspective, trustworthy conduct (i.e.
no betrayal of specific organizational trust) is referred to as compliance, while
untrustworthy conduct (i.e. betrayal of specific organizational trust) is referred to
as intentional misconduct.
According to Tavani and Grodzinsky (2014: 8), “most people seem to
assume that trustworthiness (in general) is an inherently good thing and that
betrayal is an inherently bad thing”. When the specific organizational norms
correspond with the societal norms, norm compliance is indeed good (i.e. ethical
compliance) and norm deviance is wrong (i.e. unethical intentional misconduct),
irrespective of the applied perspective. An example of the former situation is a
doctor that treats a patient according to the applicable societal (i.e. ethical) and
specific organizational (i.e. compliance) norms, whereas an example of the latter
situation is an insider that steals from their organization, as stealing is considered
to be untrustworthy action both from a societal (i.e. unethical) and organizational
(i.e. intentional misconduct) perspective. Although I assume that in the majority
of cases specific organizational and societal norms will indeed coincide, one can
also think of instances where specific organizational norms and societal norms
collide. Robinson and Bennett (1995: 556-557) for instance indicate that
“dumping toxic waste in a river is not deviant if it conforms with the policies of
one's organization. However, most people would probably agree that this act is
unethical. Conversely, reporting this dumping to authorities may be an ethical
act, but it would also be a deviant act in this particular example if it violated
organizational norms”.
In other words, when the specific organizational norm differs from the
societal norm, “there are times where it would be good to be untrustworthy and
times where being trustworthy might be a bad thing” (Wright, 2010: 625). As
Robinson and Bennett’s example already illustrated, the organization might for
instance expect immoral or illegal activities from the insider, and if the insider
fulfills these immoral or illegal expectations, the insider might be despised by
society, but remains trustworthy from the point of view of the organization (i.e.
unethical compliance). An example of such a situation is an insider that is
instructed by their organization to camouflage rotten meat with extra herbs so
that it could still be sold (Gazet van Antwerpen, 09/03/2018). Wittingly making
people sick to secure profit is considered to be untrustworthy action from a societal
point of view (i.e. unethical), while it is considered to be trustworthy conduct if
it corresponds with the organization’s instructions (i.e. compliance). More
extreme examples are the Australian soldiers that were instructed by their
superiors to kill innocent civilians as a hazing ritual (Vanderschoot, 2020b), or
Nazi officers in the concentration camps (Tavani & Grodzinsky 2014). Looking
at these cases from a societal perspective, “many people would likely say that the
individuals involved should have intentionally violated the trust relationships
they had with their respective employers (by blowing the whistle), even if that
also meant betraying the trustor(s) involved” (ibid: 8).
If the insider refuses to fulfill the immoral or illegal expectations and
informs society on the maladaptive organizational practices, the organization will
feel betrayed but the insider will be considered trustworthy from the point of view
of society (i.e. ethical intentional misconduct). An example of such a situation is
Edward Snowden who blew the whistle on US global surveillance practices
(Bunn & Sagan, 2016; Mehan, 2016). Revealing confidential information about
the organization can be considered untrustworthy conduct from an organizational
standpoint (i.e. intentional misconduct), while notifying society of large-scale
privacy violations of innocent citizens can, at least in democratic societies, be
considered trustworthy action from a societal point of view (i.e. ethical). Another
example is the case of Jeffrey Wigand, the man who blew the whistle on
controversial actions related to the tobacco industry (BaMaung et al., 2018).
The above-mentioned examples show that betrayal of specific
organizational trust is not necessarily betrayal of societal trust and vice versa.
Table 3.1 gives an overview of the possible outcomes of insider trustworthiness
and betrayal when combining the organizational and societal perspective.

| Insider trustworthiness and betrayal | Societal perspective: no betrayal of societal trust | Societal perspective: betrayal of societal trust |
| --- | --- | --- |
| Organizational perspective: no betrayal of specific organizational trust | Ethical compliance. The insider complies with the specific organizational norms, which correspond with the norms society prescribes. An example of such a situation is a doctor that treats a sick patient according to the applicable specific organizational and societal norms. | Unethical compliance. The insider complies with the specific organizational norms, which differ from the norms society prescribes. An example of such a situation is an insider that is instructed by their organization to camouflage rotten meat with extra herbs so that it could still be sold (Gazet van Antwerpen, 09/03/2018). |
| Organizational perspective: betrayal of specific organizational trust | Ethical intentional misconduct. The insider deviates from the specific organizational norms, which differ from the norms society prescribes. An example of such a situation is Edward Snowden who blew the whistle on US global surveillance practices (Bunn & Sagan, 2016; Mehan, 2016). | Unethical intentional misconduct. The insider deviates from the specific organizational norms, which correspond with the norms society prescribes. An example of such a situation is an insider that steals from their organization. |

Table 3.1: Categorization of insider trustworthiness and betrayal

Figure 3.1 summarizes the key points of the conceptualization of insider
trustworthiness and betrayal of organizational and/or societal trust. It shows that
from an organizational perspective, insider action can either concern specific
trust if the action is related to the insider privilege (i.e. conduct), or general trust
if the action is not related to the insider privilege (i.e. behavior). As mentioned
before, the scope of this dissertation is limited to insider conduct. Regarding
insider conduct, the insider can either act in conformity with the specific
organizational norm (i.e. no misconduct) or can deviate from it (i.e. misconduct).
Compliance results from insiders that are both able and willing to comply with
the specific organizational norms, while misconduct results from insiders that are
either not competent to adhere to the specific organizational norms (i.e. insider
hazard) or insiders that are not trustworthy (i.e. insider threats). Betrayal of
specific organizational trust only occurs in case of insider threats, or
untrustworthy insiders that wittingly deviate from the specific organizational
norms. Betrayal of societal trust, on the other hand, can occur both when the
insider acts in conformity with or deviates from the specific organizational
norms, depending on whether the specific organizational norms correspond with
the norms society prescribes.

Figure 3.1: Conceptualization of insider trustworthiness and betrayal

It should be emphasized that in the remainder of the dissertation, insider
trustworthiness is interpreted from the perspective of the organization, unless
otherwise stated. The organization is looking for insiders that comply with the
specific organizational norms, whether or not this compliance is considered
ethical or unethical by society. Put another way, the organization is looking for
insiders that always conduct themselves in a trustworthy way towards it, setting aside
their trustworthiness to society.
3.3. Perception of insider trustworthiness
In the previous sections, the chapter elaborated on insider trustworthiness
and the related possibility of betrayal of trust, whereby both concepts were
examined from an organizational and a societal perspective. Although the
objective of the organization is to solely engage in trust relationships with
trustworthy insiders (Baier, 1986; Reiersen, 2019), it is nearly impossible for an
organization to determine the objective trustworthiness of the insider because
“the trustor does not have a magical ability to determine the trustworthiness of
any agent for any kind of activity to which that agent might be entrusted”
(Buechner et al., 2014: 8). The organization can at the most make a subjective
judgement about the insider’s objective trustworthiness, or form a perception
about it (O’Neill, 2018). In this section, the question is therefore asked how
organizations form a perception of insider trustworthiness.
The perception of insider trustworthiness is based on the organization’s
beliefs about the insider’s willingness to be responsible to the organization. It
was mentioned before that willingness to be responsible towards the organization
can originate through extrinsic motivation or intrinsic motivation (Deutsch, 1958;
Weibel, 2007), whereby the former refers to trustworthiness that solely results
from a positive or negative impetus and the latter refers to trustworthiness that
originates from an inner drive to behave in a trustworthy way, irrespective of positive or
negative stimuli (Hawley, 2014; Weibel & Six, 2012). Via a synthesis of the
different typologies of trust developed by Dietz and Den Hartog[19] (2006),
Lewicki and Bunker[20] (1995; 1996), Pearce[21] (2000) and Rousseau et al.[22]
(1998), I distinguish three sources of insider trustworthiness, namely
reinforcement, convention and internalization, through which organizations form
a perception of their insiders’ trustworthiness. As illustrated in figure 3.2, the
sources differ in their degree of intrinsic motivation to adhere to the specific
organizational norms, whereby the closer the source is to the core of the figure,
the higher the degree of intrinsic motivation to comply with the specific
organizational norms. Below, the three sources will be elaborated on in greater
detail.

[Figure 3.2 labels: Internalization; Convention; Reinforcement, comprising Deterrence (-) and Stimulation (+)]

Figure 3.2: Three sources of insider trustworthiness perception according to their degree
of intrinsic motivation

[19] Dietz and Den Hartog (2006) differentiate five types: deterrence-based trust, calculus-based
trust, knowledge-based trust, relational-based trust and identification-based trust.
[20] Lewicki and Bunker (1995; 1996) differentiate three types: deterrence-based trust,
knowledge-based trust and identification-based trust.
[21] Pearce (2000) differentiates three types: process-based trust, characteristic-based trust and
institution-based trust.
[22] Rousseau et al. (1998) differentiate four types: deterrence-based trust, calculus-based trust,
relational-based trust and institution-based trust.

3.3.1. Sources of insider trustworthiness perception

3.3.1.1. Reinforcement

Firstly, the organization’s perception of insider trustworthiness can
originate from reinforcement, which can either be negative in the form of
deterrence (Bailey, 2002; Dietz & Den Hartog, 2006; Deutsch, 1958; Hardin,
1996; Rousseau et al., 1998) or positive in the form of stimulation (Lewicki &
Bunker, 1996; Puusa & Tolvanen, 2006). This source implies that the
organization derives benevolence and integrity from its perceived ability to tip
the balance between trustworthy and untrustworthy conduct in favor of
trustworthy conduct through negative or positive reinforcement. The
organization starts from the assumption that in general insiders are not to be
trusted (Hosmer, 1995), perceiving insiders “as self-interested ‘homo
oeconomicus’ and thus ultimately not trustworthy” (Weibel & Six, 2012: 60). To
offset this presumed untrustworthiness, the organization relies upon negative and
positive reinforcement that make the cost-benefit ratio of trustworthy conduct
more attractive than the cost-benefit ratio of untrustworthy conduct.
Negative reinforcement means that the organization tries to encourage
benevolence and integrity via deterrence (Bailey, 2002; Dietz & Den Hartog,
2006; Deutsch, 1958; Hardin, 1996; Rousseau et. al, 1998). By threatening
insiders with negative sanctions, the organization simply assumes the insider will
not undertake unwanted actions because the costs of untrustworthy conduct are
too extensive. Positive reinforcement, on the other hand, implies that the
organization tries to encourage benevolence and integrity via stimulation
(Lewicki & Bunker, 1996; Puusa & Tolvanen, 2006). Stimulation of
trustworthiness encourages trustworthy conduct via positive sanctions rather than
discouraging untrustworthy conduct via negative sanctions. Consequently, the
organization puts trust in the insider not because it believes that the insider is
deterred by the punishments associated with untrustworthy conduct, but because
it believes the insider is emboldened by the rewards associated with trustworthy
conduct. Both negative and positive reinforcement of insider trustworthiness
correspond with a rather low degree of intrinsic motivation (figure 3.2), given
that the trustworthiness merely originates through threat of punishment or
promise of rewards (Weibel, 2007).

3.3.1.2. Convention

Secondly, the organization’s perception of insider trustworthiness can
emerge from convention, meaning that trustworthy conduct is perceived to be
normal, routine conduct for the insider (Möllering, 2005; Pearce, 2000). This
source implies that the organization derives benevolence and integrity from the
insider’s professional credentials, since holders of the professional credential are
associated with trustworthy conduct (McAllister, 1995; Pearce, 2000; Puusa &
Tolvanen, 2006). In contrast to reinforcement through deterrence and/or
stimulation, where the organization starts from a rationalist perspective and the
insider is a ‘homo oeconomicus’ that acts out of utility considerations, the
organization here applies a more constructivist perspective, assuming the insider
acts out of role considerations. The organization presumes insiders to follow what
March and Olsen (1998) refer to as a ‘logic of appropriateness’ whereby “action
involves evoking an identity or role and matching the obligations of that identity
or role to a specific situation” (ibid: 951). The organization presumes that its
insiders will engage in trustworthy conduct because the role related to their
profession requires them to act in such a way. As Bailey (2002: 8) indicates, “if
I trust the doctor to prescribe me appropriate treatment, I rely on her because I
believe that she has taken responsibility for her role in my decisions about my
health”. Similarly, the organization perceives the insider to be trustworthy
because it believes the insider has taken responsibility for their professional role
within the organization.
To determine whether the insider can be trusted with access to and/or
knowledge about the organizational assets, organizations often value the
professional certificates the insider has obtained to form their perception of the
insider’s trustworthiness (Blodgett, 2010; Pearce, 2000; Rousseau et. al., 1998).
Here, trust becomes institution-based (Hosmer, 1995; McKnight & Chervany,
2001; Möllering, 2005), whereby it is “centered on generalized expectations that
extend beyond a particular exchange or person and is taken for granted” (Pearce,
2000: 84). In other words, the professional certificate signals the insider’s role
preparedness, convincing the organization that the insider is prepared to take up
the social role that corresponds to the certificate and that prescribes trustworthy
conduct (McAllister, 1995; Puusa & Tolvanen, 2006). Again, reference can be
made to a doctor whose medical degree is used to perceive that the doctor is
prepared to take up the social role that corresponds to their professional certificate
identified with trustworthiness.
While control through monitoring is pivotal in case of reinforcement
through deterrence and stimulation to respectively ensure absence of negative
intentions or presence of positive intentions, it is of less importance in this source
of insider trustworthiness because of the expectation of positive intentions on a
more voluntary basis. In the latter case, the organization trusts the insider because
it perceives the insider will conduct in a trustworthy way, even in the absence of
control (Lewicki & Bunker, 1996). This source of insider trustworthiness
therefore corresponds with a medium degree of intrinsic motivation (figure 3.2),
as trustworthiness does not originate from positive or negative reinforcement
but rather results from routines related to their professional role (Weibel, 2007).
Given that the insider’s motivation originates from the norms and values related
to the general profession, rather than the norms and values specifically related to
the organization, the level of intrinsic motivation is medium rather than high.

3.3.1.3. Internalization

Lastly, the organization’s perception of insider trustworthiness can
originate from internalization, meaning that the organization grants the insider
access to the trusted insider-group on the basis of relational- or identity-based
trust (Dietz & Den Hartog, 2006; Lewicki & Bunker, 1995; Puusa & Tolvanen,
2006). This source implies that the organization derives benevolence and
integrity from its perceived ability to (re)socialize the insider to develop a
collective identity (Dietz & Den Hartog, 2006; Lewicki & Bunker, 1995;
Scheibe, 1994). As with convention, the organization looks at
trustworthiness from a constructivist perspective where insider conduct is guided
by norms and values, rather than driven by a cost-benefit analysis between
trustworthy and untrustworthy action. The organization’s trust originates from a
shared social orientation that displays an emotional attachment between the
insider and the organization (Isaeva et. al., 2019). The insider is expected to
produce trustworthy conduct not because they are deterred by the punishments
associated with untrustworthy conduct (i.e. negative reinforcement), emboldened
by the rewards associated with trustworthy conduct (i.e. positive reinforcement)
or because their professional role prescribes this kind of conduct (i.e.
convention), but because the insider shares a collective identity with the
organization, pursuing the same goals and values (Lewicki & Bunker, 1996).
Internalization implies a process of second-order learning whereby the insider
“learns what really matters to [the organization] and comes to place the same
importance on those behaviors as [the organization] does” (Lewicki & Bunker,
1995: 151). Because internalization of organizational norms and values takes
time, internalization only works as a source of insider trustworthiness in the
course of employment, rather than at the initial establishment of trust between a
new insider and the organization (McAllister, 1995).
Given that the organization believes that the insider has fully internalized
the needs and preferences of the organization, monitoring the insider is
considered obsolete. The organization assumes that the insider identifies with the
organization and will therefore fully defend the interest of the organization on a
voluntary basis. Value internalization (Weibel, 2007) means that internalization
corresponds with a high degree of intrinsic motivation (figure 3.2). It applies to
insiders that “are intrinsically motivated to contribute to the corporate commons
through their organizational identification or through their intrinsic involvement
with their task” (Weibel & Six, 2012: 58). The difference between internalization
and convention is that the former specifically relates to the role within the
organization, while the latter relates to the broader professional role. As a result,
internalization relates to a higher degree of intrinsic motivation to conduct in a
trustworthy way than convention.

3.3.2. Underlying reasons for the presumption of insider trustworthiness

The sources of insider trustworthiness perception show that organizations
have a tendency to adopt a trusting stance towards their insiders, presuming via
reinforcement, convention or internalization that “[it] will achieve better
outcomes by dealing with [its insiders] as though they are well-meaning and
reliable” (McKnight & Chervany, 2001: 39). At first glance, this assumption
seems not even that far-fetched from a pragmatic, a rational and a constructivist
point of view.
Firstly, from a pragmatic point of view, organizations do not have an
infinite pool of individuals from which they can choose. Or as Eoyang (1994)
puts it in relation to the prevention of espionage, “if clearance standards were set
so high as to screen out these [spies] and similar individuals, there would be
thousands of otherwise blameless people that could be stigmatized as security
risks. Such an approach is only feasible when there is a very large applicant pool
relative to the number of jobs to be filled, such as employment with the Astronaut
Corps or the Secret Service” (ibid: 75). Taking into account the size of the
applicant pool, as well as the extensive costs related to comprehensive screening
(Eoyang, 1994; Pearce, 2000), the organization might sometimes use the trusting
stance as a “means of making our social life simpler and safer, and of making
possible cooperative activities which each of us could not undertake alone”
(Bailey, 2002: 3). Despite a degree of suspicion and possibly avoidance of trust
with a particular insider in times of greater choice (Hawley, 2019), the
organization might be obliged to trust ‘spuriously’ when “[organization] A may
not trust [insider] B yet may be forced, because of the contextual factors, to at
least sham trust” (Bews & Martins, 2002: 15). Although most organizations
probably still have the possibility to choose the insider of their preference rather
than being completely forced into a trust relationship (Holton, 1994), the relative
lack of attractive candidates that meet the organization’s ideal profile might force
organizations to lower the initial standards.
Referring back to the sources of insider trustworthiness perception, the
pragmatic reasoning relates to reinforcement and convention. Concerning the
former, I assume reinforcement to be present in case of ‘spurious trust’ because
the lack of attractive alternatives may leave the organization little choice but to
trust a particular insider (Hawley, 2019), relying upon deterrence and/or
stimulation in an attempt to still manage the situation. Concerning the latter, it is
assumed that organizations more quickly look for individuals that satisfy the
competence requirements if the pool to choose from is sparsely populated (Sinek,
2019). Competent insiders are immediately deployable and able to meet
performance goals, whereas a trustworthy but for the time being incompetent
candidate requires much more effort from the organization to attain full
employability. As a result, it might be easier for the organization to select a
competent individual that can become immediately active in the position and
presume their trustworthiness until proven otherwise, rather than selecting an
insider who is known to be willing to meet the prescribed standards of conduct
but who is also known to not be able to act upon this willingness. The professional
certificate that the insider has obtained (Blodgett, 2010; Pearce, 2000; Rousseau
et. al., 1998) signals the insider’s role preparedness, convincing the organization
that the insider is prepared to take up the social role that corresponds to the
certificate and that prescribes trustworthy conduct (McAllister, 1995; Puusa &
Tolvanen, 2006).
Secondly, from a rational point of view, the repeated interactions
between the organization and the insider might lead the organization to believe
in the so-called ‘shadow of the future’ (Möllering, 2005), whereby insiders are
expected to conduct in a trustworthy manner because they want to maximize their
long-term self-interest. In other words, “what [the insider] might gain by cheating
in a given instance is outweighed by the value of the tradition of trust that makes
possible a long sequence of future agreement” (Schelling, 1960, cited in
Reiersen, 2019: 4-5). Counting on the effects of the shadow of the future,
organizations presume that their insiders will refrain from intentional misconduct
because that would jeopardize their future employment and would therefore go
against their own long-term self-interest.
As with the pragmatic point of view outlined above, the
organization mainly draws upon negative and positive reinforcement to form a
perception of the insider’s trustworthiness. It puts trust in the insider because of
its perceived ability to make the cost-benefit ratio of trustworthy conduct more
attractive than the cost-benefit ratio of untrustworthy conduct, either through
deterrence of untrustworthy conduct in the form of threat of punishment or
through stimulation of trustworthy conduct in the form of rewards.
Thirdly, from a constructivist point of view, the organization might
perceive insiders to be trustworthy because trustworthiness is grounded in social
norms (Hawley, 2019; Reiersen, 2019; Weibel & Six, 2012). In contrast to the
rational point of view, where the organization perceives insiders to be trustworthy
because untrustworthy conduct would harm the insider’s interest, the
constructivist perspective perceives insiders to be trustworthy because betrayal
of trust would not correspond with the insider’s role as trustee. Via a one-shot
trust game, Reiersen (2019) showed that trustees are generally bound by a social
obligation that obliges them to forgo self-interest to maintain and honor the trust
trustors have placed in them, even if betrayal turns out to be more beneficial. This
also means that “when trustors are aware that trustworthiness is rooted in norms,
trustors have reason to believe that trustees will act trustworthy” (Reiersen, 2019:
3). Trusting insiders is therefore a kind of “natural attitude” (Möllering, 2005:
23) for organizations, whereby they “take their everyday world and the fact that
they are engaged in social relations for granted” (ibid: 23).
The constructivist perspective corresponds with the convention source of
insider trustworthiness, whereby the organization presumes that its insiders will
engage in trustworthy conduct because their role as trustee in the trust
relationship with the organization prescribes trustworthy conduct.

3.4. Assessment of insider (un)trustworthiness

3.4.1. The need to assess insider trustworthiness

Up till now, the study delved into the meaning of trust(worthiness) and
betrayal in an employment context, conceptualizing these concepts and
elaborating on the sources of insider trustworthiness perception and the
underlying reasons for the presumption of insider trustworthiness. In this section,
it is argued that the sources of insider trustworthiness perception outlined above
are not enough to make an adequate perception of insider trustworthiness, and
that a more explicit assessment of the insider’s trustworthiness would be
appropriate.
Regarding reinforcement, at least four conditions have to be fulfilled to
make deterrence and/or stimulation work (Lewicki & Bunker, 1995; Lewicki &
Bunker, 1996; Sauer 1998). First, as “a person who normally would follow a
norm of trustworthiness can be tempted to deviate if his behavior is not
observable” (Reiersen, 2019: 6), the success of reinforcement depends on
the organization’s ability to monitor the insider. Deterrence can only work if the
organization is able to observe and subsequently punish untrustworthy conduct
(Bailey, 2002; Lewicki & Bunker, 1995). Similarly, the organization has to
monitor the conduct of the insider to determine whether rewards are merited.
Second, the organization’s threat to sanction untrustworthy conduct or to
reward trustworthy conduct has to be credible (Sauer, 1998). As long as the
insider thinks the organization is able and willing to execute the warning,
deterrence can work even when there is lack of capacity to effectively carry out
the warning. However, because solely relying on the gullibility of the insider
equals bluffing, having sufficient capability to put the warning into effect avoids
possible exposure of the bluff and increases the chance of convincing the insider
to stay within the boundaries of acceptable conduct (ibid). The sole presence of
capability, without the insider’s belief that the organization will use it to sanction
untrustworthy conduct, is however equally insufficient, because the insider has
to believe the stated threat in order to be deterred by it (ibid). In a similar vein,
the organization’s positive reinforcement initiatives should be credible and
executed, avoiding empty promises.
Third, the insider’s conduct should predominantly emerge from
utilitarianism, neglecting emotions. To put it in a different way, the insider has
to be a rational individual with a rational orientation towards risk, able to make a
cost-benefit analysis through which they weigh the costs and benefits of their
actions while putting aside ego and emotions (ibid). However, insiders do not always
act as ‘homo oeconomicus’ and sometimes engage in irrational conduct from a
cost-benefit perspective, interpreting risk in a naïve or paranoid way (Lewicki &
Bunker, 1995, McKnight & Chervany, 2001).
Finally, the negative and positive sanctions should be of such a kind that
it would make the cost-benefit ratio of trustworthy conduct more attractive than
the cost-benefit ratio of untrustworthy conduct. The threat or reward must be
made towards a significant interest of the insider, otherwise the insider will not
be bothered by the negative or positive sanction. Only if deterrence and
stimulation are directed at the pivotal interest of the insider will they have the
desired effect (Sauer, 1998). In this regard, it is open to question whether belief
in ‘the shadow of the future’ (Möllering, 2005) is valuable because the insider
might not be willing to renounce immediate short-term gratification for the
purpose of long-term benefits (ibid), or might prefer short-term self-interest to
long-term self-interest. In that case, the benefits of betraying the organization’s
trust outweigh the benefits of keeping the trust relationship, which means that
insiders might have a rational self-interest to exploit the organization’s trust
(Elangovan & Shapiro, 1998; Möllering, 2005; Weibel & Six, 2012).
Regarding convention and internalization, it should be clear that not every
insider might feel bound by the trustworthiness norm. The previously mentioned
trust game of Reiersen (2019) for instance showed that not all trustees adhered to
the trustworthiness norm. This is especially the case for a “self-interested ‘homo
oeconomicus’” (Weibel & Six, 2012: 60) that takes every opportunity to
maximize their own interest. Insiders may also use techniques of neutralization
(Sykes & Matza, 1957), neutralizing potential moral barriers by applying
different techniques, like denial of injury23, denial of victim24 or denial of
responsibility25, to rationalize their deviation from the trustworthiness norm
(Agnew & Peters, 1986; Willison, Warkentin & Johnston, 2018).
It follows from the above that the pragmatic, rational and constructivist
reasons that make organizations infer insider trustworthiness from reinforcement,
convention and internalization might result in situations where the organization
excessively trusts insiders who do not merit trust, with all the negative
consequences that entails (Hardin, 1996; Isaeva et. al., 2019). As a result,
organizations should “stop thinking that certain employees, once hired, will
respond to incentives to do good when they have opportunities to do bad. Like it
or not, there are some people who will take advantage of any opportunity to rip
off their employers. It may not be within every organization's ability to
rehabilitate these poor souls, but it is within the grasp of every organization to
acknowledge their presence within their work force” (Moberg, 1997: 54).
Organizations should, apart from assessing insider competence, also more
explicitly assess insider trustworthiness (Ho, 2008; Pearce, 2000; Sinek, 2019) in
the evaluation of the insider’s suitability for the job to ensure only trustworthy
individuals get access to the organizational assets. Because “to trust someone to
do something is to believe that she has a commitment to doing it, and to rely upon
her to meet that commitment” (Hawley, 2014: 10, emphasis added), assessment
of insider trustworthiness will be the focal point of the remainder of this chapter,
whereby a conceptual model is suggested to assess the probability that an insider
will conduct in a (un)trustworthy manner.

23 Technique of neutralization whereby the insider “may turn on the question of whether or not anyone has clearly been hurt by his deviance, and this matter is open to a variety of interpretations. Vandalism, for example, may be defined by the delinquent simply as "mischief"-after all, it may be claimed, the persons whose property has been destroyed can well afford it” (Sykes & Matza, 1957: 667).
24 Technique of neutralization whereby the untrustworthy conduct is “neutralized by an insistence that the injury is not wrong in light of the circumstances. The injury, it may be claimed, is not really an injury; rather, it is a form of rightful retaliation or punishment” (Sykes & Matza, 1957: 668).
25 Technique of neutralization whereby the insider “asserted that delinquent acts are due to forces outside of the individual and beyond his control such as unloving parents, bad companions, or a slum neighborhood” (Sykes & Matza, 1957: 667).

3.4.2. A conceptual model to assess insider trustworthiness

Since “it is only when trust is well placed, in targets who are trustworthy,
that trust yields substantial benefits” (Levine et. al., 2018: 468), and since relying
on the presumption of insider trustworthiness is questionable, the organization
has a legitimate interest in assessing insider (un)trustworthiness to more
accurately estimate the probability that an insider will engage in intentional
misconduct. In that case, the perception of insider trustworthiness becomes
knowledge-based (Dietz & Den Hartog, 2006), whereby “trust is grounded in
behavioral predictability – a judgement of the probability of the other’s likely
choice of behaviors. Knowledge-based trust occurs when one has enough
information about others to understand them and to accurately predict their likely
behavior” (Lewicki & Bunker, 1995: 142, emphasis added). During the
recruitment stage, information can be gathered directly from the new insider
through for instance a recruitment interview (Lewicki & Bunker, 1996), or via
third-parties that regularly interacted with the new insider in the past (i.e.
references) (Isaeva et. al., 2019; McAllister, 1995; Rousseau et. al., 1998).
During employment, the information gathered can stem from first-hand
experiences (Möllering, 2005; Pearce, 2000) in the form of past interactions and
exchanges between trustor and trustee that provide the former with opportunities
to directly watch and observe the latter in social interactions, thereby enabling
the trustor to get more insight about the trustee (Isaeva et. al., 2019). In other
words, the trustor learns to read the trustee, or “learn[s] where the other’s
strengths and weaknesses lie and how much [the trustor] can expect of the other”
(Blodgett, 2010: 39).
Perception of insider trustworthiness that emerges from assessment
implies that the organization predicts benevolence and integrity after evaluating
the insider’s trustworthiness to estimate whether the insider merits the
organization’s trust, rather than assuming it from reinforcement, convention or
internalization. But how should organizations assess insider (un)trustworthiness?
To the best of my knowledge, no adequate model to assess insider trustworthiness
is available. “We have a million-in-one metrics to measure someone's
performance, and negligible to no metrics to measure someone's trustworthiness”
(Sinek, 2019: 06:24). Even though the outcome of the chapter will not be a ready-
to-use assessment tool, the goal of the remainder of the chapter is to take the first
step towards developing an assessment tool of insider trustworthiness.
To start with, I refer back to the conceptualization of insider
trustworthiness and betrayal outlined in section 3.2 of this chapter. There, it was
explained that insider trustworthiness is interpreted as the commitment to use the
insider privilege in accordance with the specific organizational norms, whereas
insider untrustworthiness (i.e. betrayal of trust) is interpreted as wittingly
violating the specific organizational norms. As a result, “acting consistent within
a prevailing code of ethics or community norms (…) emerged as an important
criterion or standard to assess the trustworthiness of people in organizations”
(Bies & Tripp, 1996: 249-250). Assessment of insider trustworthiness therefore
corresponds with determining the probability that the insider will comply with or
deviate from the specific organizational norms. In the remainder of the chapter,
a conceptual model is suggested to determine this probability.
The conceptual model draws upon the insights of Situational Action
Theory (SAT) (Craig, 2019; Wikström, 2014). As illustrated in figure 3.3, this
theory stipulates that “action is not a result of the person (propensities) or the
setting (environmental inducements) but the situation (the perception choice
process that arises from the person-setting interaction). When a particular kind of
person is exposed to a particular kind of setting, a particular situation (perception-
choice process) arises that initiates and guide his or her actions in relation to the
motivations he or she may experience. That is why the theory is called situational
action theory” (Wikström, 2014: 79).

Figure 3.3: Situational action theory to explain crime (Wikström, 2014: 79)

The conclusion that can be drawn from SAT is that in order to assess
insider trustworthiness and determine the probability that an insider will or will
not commit intentional misconduct, three aspects deserve attention. The first
aspect, ‘perception of action alternatives’, relates to whether or not the insider
accepts intentional misconduct as a possible action they can undertake (i.e. a so-
called ‘action alternative’ in the terminology of SAT). The second aspect,
‘process of choice’, refers to whether or not the insider perceives themselves to be in a
situation where intentional misconduct is acceptable. The third aspect, ‘action’,
concerns the probability that the insider will actually engage in intentional
misconduct. In what follows, each of these aspects will be discussed in greater
detail to come to an assessment of insider (un)trustworthiness.

3.4.2.1. Perception of action alternatives: virtue, vice and mutable insiders

The first aspect relates to the insider’s perception of intentional
misconduct as an action alternative (Craig, 2019; Wikström, 2014), or whether
the insider accepts witting misconduct as a possibility (Agnew & Peters, 1986).
Theoretically, three ideal types of insiders can be distinguished, namely virtue
insiders that are always trustworthy, vice insiders that are always untrustworthy
and mutable insiders that are opportunistically trustworthy (Cools, 1994; Kumar,
Deshmukh, Liu & Stecke, 2013). The first ideal type, here denoted ‘virtue
insiders’ (Koehn, 1998; Moberg, 1997), consists of insiders that never lack
motivation to comply with the specific organizational norms. In other words,
virtue insiders do not see untrustworthy conduct as an action alternative, meaning
that they under no circumstance will engage in untrustworthy conduct (Kumar et.
al., 2013). Insiders belonging to this ideal type unconditionally prohibit
themselves from misusing their insider privilege and betraying the organization. These
are the kind of insiders that, in their urge to live up to their commitment to the
organization, are willing to engage in ‘unethical compliance’ (see section 3.2.3.),
ranging from immoral behavior like lying or cheating (Mayer & Norman, 2004)
to even illegal behavior like the previously mentioned practices of the Nazi
officers in the concentration camps (Tavani & Grodzinsky, 2014). It is, however,
reasonable to believe that this category of insiders is sparsely populated, given
that “if the incentives are right, even a trustworthy person can be relied upon to
be untrustworthy“ (Dasgupta, 1988, cited in Williamson, 1993: 466). It can for
instance be assumed that coerced insiders whose families are taken hostage, like
in the previously mentioned case of the Northern Bank robbery (BaMaung et. al.,
2018), will have little choice but to cooperate and behave in an untrustworthy way from
an organizational point of view.
The second ideal type, here referred to as ‘vice insiders’ (Koehn, 1998;
Moberg, 1997), is the opposite situation of the virtue insiders, as those insiders
are always ready to conduct in an untrustworthy way, irrespective of the
circumstances (Kumar et. al., 2013). In contrast to the virtue insiders who never
consider untrustworthy conduct as an action alternative, vice insiders consider it
the only suitable action, constantly lacking motivation to adhere to the specific
organizational norms. Insiders belonging to this ideal type are unconditionally
incited to misuse their insider privilege, making untrustworthy conduct a habit
(Wikström, 2014). However, much like virtue insiders, it can be assumed that the
number of vice insiders is scarce, as it is not “because person X did this evil deed
Y [that] person X must [always] be evil” (Koehn, 1998: 158). Or to put it in
another way: “most people, deep down, are pretty decent” (Bregman, 2020, cited
in Power, 2021).
The third and probably most common ideal type of insiders is here referred
to as ‘mutable’ insiders (Eoyang, 1994; Kumar et. al., 2013). Similar to the vice
insiders, these insiders consider witting misuse of the insider privilege a possible
action they can undertake, at least in some instances. Whether mutable insiders
perceive intentional misconduct as acceptable depends on the situation
(Kumar et. al., 2013). While in some circumstances intentionally deviating from
the specific organizational norms will be considered legitimate, in other
circumstances it will be unthinkable. It is reasonable to think that most insiders
will fit the mutable ideal type, as “everyone is potentially a spy under the
appropriate conditions” (Eoyang, 1994: 78). In a similar vein, every insider can
become untrustworthy if they perceive that the circumstances require them to
intentionally commit misconduct. As a result, the study will mainly elaborate on
mutable insiders, relatively leaving aside the rather exceptional virtue and vice
insiders. Table 3.2 summarizes the distinction between vice, virtue and mutable
insiders.

VICE INSIDERS: Insiders that perceive intentional misconduct as the only suitable action and are therefore always untrustworthy.
MUTABLE INSIDERS: Insiders that perceive intentional misconduct acceptable in some circumstances but not acceptable in others and may therefore be either trustworthy or untrustworthy, depending on the situation.
VIRTUE INSIDERS: Insiders that do not perceive intentional misconduct as acceptable action and are therefore always trustworthy.

Table 3.2: Vice, mutable and virtue insiders

3.4.2.2. Process of choice: the non-linear interaction of person and situation (NIPS) model

3.4.2.2.1. Person-situation debate


The previous sub-section illustrated that the majority of insiders perceives
intentional misconduct as an action that is acceptable, at least in some conditions.
Acceptance of intentional misconduct as a possible action to undertake is
therefore on its own not enough to assess insider (un)trustworthiness. Mutable
insiders accept that intentionally deviating from the specific organizational norms
is possible in a given situation, but actual deviance from these norms will only
take place if the insider believes they have encountered that particular situation
where intentional misconduct is acceptable. Agnew and Peters (1986: 83) for
instance indicate that “individuals must believe that shoplifting is justified if one
is cheated by a store owner, and they must believe that they have been cheated
by a store owner. The first dimension can be viewed as a predisposing factor
toward deviance; the second dimension can be viewed as the situational factor
that ignites the deviant act”.
The above-mentioned quote brings me to the person-situation debate
(Funder, 2009), “which is based on a false dichotomy between the personal and
situational determination of behavior” (Funder, 2006: 21). Putting the person-
situation debate in the context of this dissertation, the debate revolves around “the
relative ability of person variables versus situation variables to predict
[intentional misconduct]” (Fleeson & Noftle, 2008: 150), whereby supporters of
the person-side (i.e. trait theorists) believe that an insider commits misconduct
because they are bad people with bad personality characteristics, and supporters
of the situation-side (i.e. situationists) rather see provocative situational
circumstances as the driving force of intentional misconduct (Fleeson & Noftle,
2008; Mastroianni, 2011).
Trait theorists put emphasis on predisposition towards intentional
misconduct, whereby “dispositional traits of individuals might explain the
differences among them in the use and abuse of power” (Mastroianni, 2011: 3-
4). Trait theorists attribute witting insider misconduct solely to rogue insiders,
who are labeled ‘bad apples’ (Searle, Rice, McConnell & Dawson, 2017). It is
assumed that the organization can divide the pool of potential insiders in two sub-
groups of trustworthy and untrustworthy insiders on the basis of their disposition
(Eoyang, 1994). Subsequently, the main goal of the organization is to check the
insider’s propensity to deviate from the specific organizational norms, for
instance through honesty testing (Elangovan & Shapiro, 1998; Isaeva et. al.,
2019), to identify to which pool the particular insider belongs. In this way, the
organization is able to screen out insiders with an increased likelihood of witting
misconduct. Put another way, screening insiders’ personality traits during
recruitment (and employment) allows the organization to refrain from selecting
insiders whose propensity to engage in witting misconduct exceeds the
organization’s risk threshold, solely selecting insiders from the trustworthy pool
(Sitkin & Roth, 1993). By “first developing a reliable and accurate measure of
the psychological variable of interest and then determining the criterion level of
acceptability” (Eoyang, 1994: 73), the organization can prevent intentional
misconduct by screening out the bad apples during recruitment, or removing the
bad apples during employment.
While the trait theorists focus on identifying bad apples, situationists
concentrate on identifying environmental factors that deplete the initially good
apples, or the circumstances that transform initially good apples into bad apples
(Eoyang, 1994; Searle et. al., 2017). Applying a situationist perspective, the
intentional misconduct is attributed to the “administrative, social and
environmental conditions (…) rather than the actual perpetrators of the unethical
acts” (Mastroianni, 2011: 4). Contrary to the trait theorists that attribute witting
misconduct to personality differences among insiders, situationists make factors
beyond the insider the center of attention, whereby the insider undergoes a
“temporary transformation” (ibid: 7) in the sense that “‘good apples’ are
corrupted by ‘bad barrels’ but then revert to their good selves when removed
from the toxic situation” (ibid: 7). Although the insider initially has the incentive
to act in accordance with the prescribed standards of conduct, the
circumstances hamper the insider from putting this incentive into practice. This implies
that situational factors, such as degree of social control or social context, have an
influence on the probability to commit intentional misconduct. For example, the
probability of insider misconduct is assumed to be higher in a low-social control
environment where the likelihood of punishment is close to zero than in a high
social control environment where punishment is probable if not certain
(Elangovan & Shapiro, 1998). In a similar vein, Eoyang (1994) argues that the
probability of insider espionage activities against the United States is higher in a
highly competitive environment like China than in a low competitive
environment like Canada.
Research (e.g. Blum, Rauthmann, Göllner, Lischetzke & Schmitt, 2018;
Blum & Schmitt, 2017; Funder, 2006) has, however, shown that both the person-
side of the debate and the situation-side of the debate on their own are insufficient
to predict the probability of an action. Indeed,
“we must arguably understand the role of both situational and
personal variables in shaping ethical behavior (…). It is certainly
the case that most of the people who commit ethical transgressions
(…) are largely indistinguishable from [insiders] who do not
commit such offenses on any clinical or scientific basis: they are
not suffering from mental illness, nor do they represent a particular
personality profile. It is also the case, however, that there is
variability of behavior within situations: different people behave
differently though they may find themselves in similar
circumstances” (Mastroianni, 2011: 7).

With respect to the person-side of the debate, the dispositional trait upon
which the insiders from the untrustworthy pool can be objectively screened out,
without false positives and false negatives, is yet to be found (Eoyang, 1994).
Anderson (1994: 6) for instance emphasizes that “the presumption that spies
differ from other people in measurable ways and that they have a traitor
characteristic that can be detected before the fact through proper screening and
testing has yet to be validated. Most spies passed all the tests required for access
to classified information before they were able to commit espionage”. Trait
theorists not only fail to explain why an insider with a certain characteristic
engages in witting misconduct while an insider possessing the exact same
characteristic refrains from it (i.e. between-person variance), but also why one
insider will show different conduct in different situations (i.e. within-person
variance) (Funder, 2006; Funder, 2009). Situationists, on the other hand, fail to
explain why not all individuals will react in an identical way to the same
environmental exposure (Eoyang, 1994; Funder, 2009). Referring back to the
examples of social control and social context, some individuals will refrain from
intentional misconduct, even if the lack of social control implies there is a great
chance they would get away with it. Likewise, not every single American
employed in the embassy at Beijing will engage in espionage activities, while
some employed in the embassy of Ottawa will.

3.4.2.2.2. The non-linear interaction of person and situation (NIPS) model


While neither side of the person-situation debate is on its own suitable
to examine how an insider comes to perceive that they have encountered a
situation where intentional misconduct is permitted, combining the two sides in
a P x S interaction model is. The interaction model implies that “if one knew and
understood everything about a person and about the situation he or she is in, it
ought to be possible to predict what he or she will do” (Funder, 2006: 32). The
NIPS model does not favor the person-side or the situation-side of the person-
situation debate (Blum & Schmitt, 2017), but takes into account both the
individuality (person-side) and the environment of the insider (situation-side),
thereby illustrating why not everybody has the same probability to show a
specific conduct in the same situation as well as why one single individual does
not have the same probability to show specific conduct in all situations.
The conceptual model outlined in this chapter draws upon the non-linear
interaction of person and situation (NIPS) model (Blum et. al., 2018; Blum &
Schmitt, 2017; Schmitt et. al., 2013). As an interaction model, the NIPS model
interprets conduct as a function of both the person and the situation, whereby
conduct is shaped by the interaction between personality and situational
characteristics. The person-side of the model looks at the ‘psychological person’
(i.e. personality) (Blum & Schmitt, 2017) and makes a distinction between strong
persons and weak persons (Blum et. al., 2018; Schmitt et. al., 2013). Strong
persons score either high or low on a specific trait (for instance aggression),
thereby showing little variance in conduct over different situations. “People who
are extremely low in trait-aggressiveness may respond nonaggressively
regardless of how much they are provoked. People extremely high in trait-
aggressiveness may respond aggressively regardless of how little they are
provoked” (Schmitt et. al., 2013: 6). In contrast, weak persons score moderately
on the trait variable, meaning that the variability of the conduct is higher over
different situations. Indeed, “moderately trait-aggressiveness individuals may
show considerable variation in aggressive responding across a range of different
provocation levels” (ibid: 6).
The same principle applies to the situation-side of the model, which
focuses on the ‘psychological situation’[26] (Blum & Schmitt, 2017) and distinguishes
strong situations from weak situations (Blum et. al., 2018; Schmitt et. al., 2013).
Strong situations “constrain interindividual variability in behaviour: Most people
will show the same level of behaviour” (Blum et. al., 2018: 288), whereas in weak
situations “interindividual variability in behaviour increases, and people will
enact different levels of a given behaviour” (ibid: 288). Referring back to the
example on aggression (Schmitt et. al., 2013), a strong situation is either a
situation so provocative that almost everybody will turn to aggression, or a
situation so non-provocative that almost nobody will turn to aggression. A
moderately provocative situation, by contrast, will lead certain persons to turn to
aggression whereas others will refrain from it, which corresponds with a weak
situation. As a result, “the NIPS model implies that traits are more predictive of
behaviour in weak than in strong situations, and situational characteristics are
more predictive of behaviour in weak than in strong persons” (Blum et. al., 2018:
301).

[26] ‘Psychological’ refers to situational characteristics such as dangerousness or
stressfulness, as opposed to the ‘physical’ situation that refers to situational
characteristics such as size of the room or the temperature (Blum & Schmitt, 2017).

Figure 3.4: The NIPS-model (left: Blum et. al., 2018: 289 - right: Schmitt et. al., 2013:
4)

Schematically, the NIPS model is presented in figure 3.4, with on the left
the general model presented by Blum et. al. (2018: 289) and on the right the
application of the model to the example previously referred to on aggression
(Schmitt et. al., 2013: 4). The Y-axis displays either intensity (left) or probability
(right) of behavior[27], whereas the X-axis shows the different situational
circumstances. The extremes of the continuum on the X-axis represent strong
situations, with the situations in between representing weak situations (Blum et.
al., 2018). The curve illustrates a personality trait[28] and has a nonlinear shape
because “when a dependant variable is represented as a probability (or
percentages), its values can vary only within the boundaries of 0 and 1 (or
0-100%). A linear function is impossible in this case, and a logistic function is the
necessary consequence”[29] (Blum & Schmitt, 2017: 19). The nonlinear curve is
s-shaped because the situational circumstances will have little influence on the
probability of action (i.e. mild slope) until a certain threshold situation is reached
and the probability of action starts to increase (i.e. steep slope). After the
threshold, situations that are even more provocative will have again less influence
because the probability is already high and cannot increase much further, making
the slope of the curve flatten again (Blum & Schmitt, 2017; Schmitt et. al., 2013).
Different curves represent different trait levels that correspond with different
thresholds, with curves on the left side of the graphs representing people with
low thresholds and curves on the right side representing people with high
thresholds (Blum & Schmitt, 2017). Indeed, “it is easy to see that an anxious
person will already exhibit anxious behavior in a situation that is not very
threatening and will reach the maximum in a moderately threatening situation.
Conversely, a non-anxious person will not show any anxious behavior in a
situation that is not very threatening, will show some anxiety in a moderately
threatening situation and will reach the maximum much later than an anxious
person” (ibid: 16).

[27] Blum & Schmitt (2017) indicate that the Y-axis in the NIPS model usually
represents the intensity of behavior rather than the probability.
[28] The figure can also be constructed so that the X-axis shows the personality
trait level and the curve shows the situation (see Blum et. al., 2018: 289, figure 3b
and Schmitt et. al., 2013: figure 4).

An (unconscious) application of the NIPS model that is even more closely
related to the insider threat problem is Eoyang’s (1994) situational-disposition
model of espionage[30], even though this model was developed before the NIPS
model was introduced. The situational-disposition model is illustrated in figure
3.5[31] (Eoyang, 1994: 81). The figure shows five different individuals (lines A-E)
whereby each individual has a different probability of espionage in the same
situational circumstances due to different dispositions towards espionage (i.e.
influence of the person-side), and whereby one and the same person has a
different probability of espionage in different situations (i.e. influence of the
situation-side).

[29] Blum et. al. (2018) showed the superiority of the logistic approach to the
linear approach in their empirical tests of the NIPS-model.
[30] The situational-disposition model “posits that an individual will vary in his
or her probability of committing espionage, depending on the degree of behavioral
pressure extant in a specific situation (…) [and] proposes that different
individuals will have different spying propensities in the same situation
reflecting their idiosyncratic dispositions toward espionage in that given
situation” (Eoyang, 1994: 81).
[31] The shapes of the curves are different from the ones shown in figure x that
displays the NIPS model because the X-axis is sorted from high to low situations
instead of low to high situations like is the case with figure.

Figure 3.5: The situational disposition model of espionage (Eoyang, 1994: 81)

The model shows that if the individuals are for instance stationed in
Moscow, the probability to spy is much lower for individual A than for individual
E. Moreover, figure 3.5 shows that individual E will need little incentive to spy
(i.e. high disposition), committing espionage even in relatively unfavorable
circumstances, while individual A needs a strong incentive to spy (i.e. low
disposition), even refraining from it in a facilitating situation. In contrast to
individuals A and E, whose probability to spy depends less on the situation,
sticking to their principles (respectively almost never vs. almost always), the
probability to spy of individual C is more context-dependent, engaging in
espionage if opportunities to spy arise while refraining from espionage in case of
unfavorable circumstances.
Interpreting Eoyang’s model in the terminology of the NIPS model, it can
be argued that person A (i.e. low probability irrespective of situation) and person
E (i.e. high probability irrespective of situation) are strong persons, given that
their conduct shows little variation over different situational circumstances.
Person C, on the other hand, can be considered a weak person, given that there
will be high variation over different circumstances, with a high probability of
espionage in Beijing but a low probability of espionage in Iowa. Similarly,
Beijing and Iowa are considered strong situations, given that every individual
(A to E) has respectively a high and low probability to spy in these situations.
Moscow and Ottawa, on the other hand, are weak situations because the variation
in the probability to spy between the individuals is relatively larger, with person
A and B having a relatively low probability to spy but person C, D and E having
a relatively high(er) probability to spy.

3.4.2.2.3. NIPS and insider (un)trustworthiness


Since personnel recruitment and assessment are presented as a suitable
context to apply the NIPS model (Blum et. al., 2018), the model is here applied
to the context of insider trustworthiness and betrayal and forms a building block
of the conceptual assessment model outlined in this chapter. The dependent
variable is the probability of intentional misconduct, whereas the independent
variables that influence this probability are the insider’s disposition and the
situational circumstances they encounter (Blum & Schmitt, 2017). Figure 3.6
schematically shows the application of the NIPS model to the context of the
dissertation. For the sake of clarity, it should be emphasized that figure 3.6,
and the other figures presented in the remainder of the chapter, simply “represent
relations between dependent and independent variables schematically” and are
thus not based on actual data.
Regarding the dependent variable ‘probability of intentional misconduct’,
I draw upon Coulton, Burnett and Gradinar (2016) who distinguish three
categories of probability, namely “possible – might happen, plausible – could
happen, and probable – likely to happen” (ibid: 3). On the basis of their types,
seven different probability categories are distinguished here, as illustrated on the
Y-axis in figure 3.6: certain (100%), probable (99%-80%), plausible (79%-60%),
possible (59%-40%), implausible (39%-20%), improbable (19%-1%), and
impossible (0%). The probability of intentional misconduct is certain in case of
vice insiders (insider A figure 3.6), while intentional misconduct is impossible in
case of virtue insiders (Insider F figure 3.6). Vice and virtue insiders can thus be
considered extreme cases of strong persons (Blum et. al., 2018; Schmitt et. al.,
2013). Mutable insiders, on the other hand, have a probability ranging from
probable to improbable, depending on their situational disposition to commit
intentional misconduct (Eoyang, 1994). Two factors are thus important in
assessing the probability that a mutable insider will engage in intentional
misconduct, namely the person-side that studies the insider’s disposition to
commit intentional misconduct, represented by the curves A to F, and the
situation-side that studies the extent to which the situational circumstances that
the insider encounters have a facilitating or inhibiting effect, represented by the
position on the X-axis.
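
The logistic reading of the NIPS model and the seven probability categories described above can be worked through numerically. The following Python example is added here and is not part of the dissertation; the numeric X-axis scale, the slope, the thresholds for insiders B to E and the handling of values between the percentage bands are constructed assumptions (like figure 3.6, they are not based on actual data).

```python
import math

# Assumed numeric positions of the five situation categories on the X-axis
# (left = inhibiting, right = facilitating). The scale itself is constructed.
SITUATIONS = {
    "very inhibiting": -2.0,
    "inhibiting": -1.0,
    "neither": 0.0,
    "facilitating": 1.0,
    "very facilitating": 2.0,
}

# Constructed thresholds for the mutable insiders B-E: the situation level at
# which the probability of intentional misconduct reaches 50%. A lower
# threshold puts the curve further to the left, i.e. a higher disposition.
MUTABLE_THRESHOLDS = {"B": -1.6, "C": -0.5, "D": 0.5, "E": 1.6}
SLOPE = 3.0  # assumed steepness of the S-curve around the threshold


def logistic(x, threshold, slope=SLOPE):
    """S-shaped curve bounded by 0 and 1, centred on the person's threshold."""
    return 1.0 / (1.0 + math.exp(-slope * (x - threshold)))


def probability(insider, situation):
    """Probability of intentional misconduct for insider A-F in a situation."""
    if insider == "A":   # vice insider: misconduct regardless of situation
        return 1.0
    if insider == "F":   # virtue insider: no misconduct regardless of situation
        return 0.0
    return logistic(SITUATIONS[situation], MUTABLE_THRESHOLDS[insider])


def category(p):
    """Map a probability onto the seven categories of the Y-axis.

    Assumption: values falling between the integer percentage bands
    (e.g. 0.5% or 99.5%) are assigned to the adjacent mutable band.
    """
    if p >= 1.0:
        return "certain"
    if p <= 0.0:
        return "impossible"
    for floor, label in ((0.80, "probable"), (0.60, "plausible"),
                         (0.40, "possible"), (0.20, "implausible")):
        if p >= floor:
            return label
    return "improbable"


def between_person_spread(situation):
    """Range of probabilities across mutable insiders in one situation.
    Small in strong situations, large in weak situations."""
    values = [probability(i, situation) for i in MUTABLE_THRESHOLDS]
    return max(values) - min(values)


def within_person_spread(insider):
    """Range of probabilities for one insider across all situations.
    Small for strong persons, large for weak persons."""
    values = [probability(insider, s) for s in SITUATIONS]
    return max(values) - min(values)


if __name__ == "__main__":
    for insider in "ABCDEF":
        row = [category(probability(insider, s)) for s in SITUATIONS]
        print(insider, row, "within-person spread: %.2f"
              % within_person_spread(insider))
    for s in SITUATIONS:
        print("%-18s between-person spread (B-E): %.2f"
              % (s, between_person_spread(s)))
```

With these constructed values, the spread between insiders B to E is largest in the neutral situation and smallest at both extremes, while insiders C and D vary more across situations than B and E.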

Figure 3.6: The NIPS model and insider (un)trustworthiness (adapted from Schmitt et.
al., 2013: 4)

The present conceptual assessment model, however, wants to go beyond
a copy-paste of the NIPS model in an insider threat context by also addressing
“why and how the factors of influence exert their influence” (Blum & Schmitt,
2017: 15). Although Kumar et. al. (2013) already provide useful insights, given
that they assess trustworthiness based on “an employee’s propensity to commit
fraud [≈person-side] and controls sensitivity [≈situation-side]” (emphasis in
original) (2013: 83), it is believed that an even more thorough understanding of
the influential factors of the person-side and the situation-side (Blum et. al., 2018)
is helpful. As a result, the novelty of the application of the NIPS model lies in the
provision of (non-exhaustive) lists of determinants of both the insider’s
disposition to commit intentional misconduct and the situational circumstances
that might facilitate or inhibit intentional misconduct. In what follows, I will first
look at each independent variable separately. After that, I will look at the
interaction of both sides to predict the probability of insider (un)trustworthiness.

i. Person-side: disposition
On the one hand, the disposition of the insider to commit intentional
misconduct has to be determined. Leaving aside virtue insiders (insider F figure
3.6) and vice insiders (insider A figure 3.6), the organization has to determine
whether the mutable insider is a weak person that is to a large extent influenced
by situational circumstances or a strong person that is less influenced by
situational circumstances, and in case of the latter whether it concerns a mutable
insider that has a relatively low (for instance insider E figure 3.6) or a rather high
disposition (for instance insider B figure 3.6) to engage in intentional misconduct.
To determine the insider’s disposition, organizations can first of all draw
information from static personality traits (Greitzer et. al. 2012; Greitzer et. al.
2016; Shaw & Sellers, 2015). Below, a non-exhaustive list of static traits
organizations can take into account in this assessment is provided, referring
successively to (a) the ‘Big Five’ personality dimensions (in particular
neuroticism and agreeableness); (b) the dark triad of personality; (c) lack of self-
control (or temperament issues in general); (d) guilt-proneness and (e) proneness
to techniques of neutralization. Apart from the static personality traits, the
insider’s personal history (f) might also tell something about the insider’s disposition
(Gelles, 2016; Greitzer et. al. 2012; Greitzer et. al., 2016; Kumar et. al., 2013;
Sarbin, 1994; Shaw & Sellers, 2015).
Firstly, “according to the Five Factor Model (FFM), there are five
dimensions of personality traits that account for all individual differences which
can be attributed to genetic and non-shared environmental factors” (Noonan,
2018: 2.9). These so-called (a) ‘Big Five’ personality dimensions (Bews &
Martins, 2002; O’Neill & Hastings, 2010), referring to neuroticism, extraversion,
openness to experience, agreeableness, and conscientiousness, might provide
useful insights to determine the insider’s propensity to commit misconduct. Take
for instance neuroticism and agreeableness. According to Funder (2009: 124),
“people high on the trait of Neuroticism are more likely to find themselves in
situations that are evocative of rebelliousness, frustration, and hostility”, while
Ben-Ner & Halldorsson (2010: 77) indicate that “individuals who are more
agreeable will respond more favorably to an obligation imposed on them”.
Therefore, it is assumed that an insider scoring high on neuroticism has a
relatively higher disposition to intentional misconduct, while this disposition is
relatively lower if the insider scores high on agreeableness. Graphically, figure
3.7 illustrates that the line representing the disposition of a random insider Z
shifts to the left in case of a high score on neuroticism (Z to Z’, the red line), while
the line shifts to the right in case of a high score on agreeableness (Z to Z’’, the
green line). In what follows, the same principle applies to the other static
personality traits: if the trait is associated with a higher disposition to commit
intentional misconduct, the line shifts to the left. In contrast, if the characteristic
corresponds with a lower disposition, the curve shifts to the right.

Figure 3.7: Influence of disposition – example neuroticism & agreeableness

In addition, the (b) dark triad of personality, sometimes extended to the
dark tetrad of personality (Noonan, 2018) that encompasses narcissism,
Machiavellianism and psychopathy (and sadism in case of the tetrad) might also
give an indication of the insider’s disposition to commit intentional misconduct.
Levine et. al. (2018: 471) indicate that “trustworthiness requires recognizing
another individual’s expectations and feeling a sense of responsibility to fulfill
those expectations. In contrast, the Dark Triad reflects self-interest, insensitivity
to punishment, and the propensity to exploit others”. Also Nurse et. al. (2014),
Maasberg et. al. (2015) and Searle et. al. (2017) propose that the dark triad of
personality is positively related to workplace deviance. From this, it follows that
insiders scoring high on narcissism, Machiavellianism, psychopathy and sadism
are assumed to have a higher disposition to intentionally commit misconduct.
Furthermore, Greitzer et. al. (2016) point to observable temperament
issues like ego, lack of empathy or preoccupation with power as an influential
factor of disposition. Perhaps the clearest example of a temperament issue that
might influence the insider’s general tendency to wittingly deviate from specific
organizational norms is (c) lack of self-control (Moberg, 1997; Gottfredson &
Hirschi, 1990; Scheibe, 1994). Given that Craig (2019: 174) indicates that
“previous evidence suggests low self-control predicts individualistic white-collar
crime”, it is assumed that mutable insiders that score low on self-control have a
higher disposition to commit intentional misconduct than insiders who score high
on self-control. Or more generally, it is assumed that insiders that score high on
temperament issues have a higher tendency to intentionally misuse their insider
privilege than insiders that score low on temperament issues.
Moreover, the insider’s (d) guilt-proneness can also give an indication
of their propensity to commit intentional misconduct. Levine et. al. (2018) argue
that “guilt-proneness—the individual difference that captures the anticipation of
guilt over wrongdoing—causes people to avoid transgressing in the first place”
(ibid: 471) and that “individuals who anticipate feeling guilty over wrongdoing
(i.e., those with high levels of guilt-proneness) avoid norm violations, such as
taking credit for a colleague’s work, that would cause them to feel guilt” (ibid:
471). The same conclusion is drawn by Cohen, Kim, Jordan and Panter (2016),
who likewise demonstrate that insiders who are highly prone to feelings of guilt
engage in less deviant behavior. As a result, guilt-proneness is assumed to be “a
key driver of trustworthiness” (Levine et. al., 2018: 488) that is useful in the
assessment of the insider’s disposition to commit intentional misconduct.
Insiders that are slightly prone to feelings of guilt are assumed to have a relatively
higher disposition to commit intentional misconduct than insiders that are highly
prone to feelings of guilt, the latter having a relatively lower disposition to
intentionally deviate from specific organizational norms.
Additionally, Hogan and Hogan (1994) identify self-deception as one of
the four characteristics that typify the ideal betrayer. A prominent form of self-
deception is the (e) use of techniques of neutralization (Sykes & Matza, 1957),
whereby insiders neutralize potential moral barriers by applying different
techniques, like denial of injury[32], denial of victim[33] or denial of responsibility[34],
to rationalize their deviation from the specific organizational norm (Agnew &
Peters, 1986; Willison et. al., 2018). With respect to techniques of neutralization,
Cressey (1950: 741) stipulates that during research on embezzlement, “many
trust violators expressed the idea that they knew the behavior to be illegal and
wrong at all times and that they merely "kidded themselves" into thinking that it
was not illegal”. Furthermore, Barlow, Warkentin, Ormond & Dennis (2013) and
Piquero, Tibbetts & Blankenship (2005) found evidence that (at least some)
neutralization techniques cause higher intentions to violate security policies and
higher intentions to commit corporate crime respectively. As a result,
“neutralization is an excellent predictor of employees' intention to violate IS
[Information Systems] security policies” (Siponen & Vance, 2010: 496), or to
commit intentional misconduct in general. Consequently, proneness to
techniques of neutralization can be taken into account to determine the insider’s
disposition to deviate from the organization’s prescribed standards of conduct,
with insiders that are highly prone to apply techniques of neutralization assumed
to have a relatively higher disposition to wittingly commit misconduct and those
who do not absolve themselves of feelings of guilt through techniques of
neutralization assumed to have a relatively lower tendency to deviate from
specific organizational norms.

[32] See footnote 23
[33] See footnote 24
[34] See footnote 25

Apart from the static personality traits, the relevant (f) personal history
of the insider, like for instance previous employment experiences or criminal
records, might equally provide useful insights to assess the insider’s disposition
to commit intentional misconduct (Gelles, 2016; Greitzer et. al., 2016; Kumar et.
al., 2013; Sarbin, 1994; Shaw & Sellers, 2015). Concerning the former, an insider
that has a history of violating the organizational norms of their previous
employers is assumed to have a relatively higher disposition to deviate from the
specific organizational norms of the current employer than an insider that
behaved within their previous employers’ limits of acceptable conduct.
Concerning the latter, an insider with a high number of (job-relevant) convictions
is assumed to have a relatively higher disposition to deviate from the specific
organizational norms than an insider with a low number of (job-relevant)
convictions. Graphically, the same principle applies as with the static personality
traits (figure 3.7): if the personal history of the insider is associated with a
relatively higher disposition to commit intentional misconduct, the curve shifts
to the left. In contrast, if the personal history of the insider corresponds with a
relatively lower disposition to commit intentional misconduct, the curve shifts to
the right.

ii. The situation-side of the person-situation debate: situational circumstances
On the other hand, organizations have to determine which situational
circumstances might pave the way for insiders to commit intentional misconduct.
In this study, five different categories are distinguished, as illustrated on the X-
axis in figure 3.8: very facilitating, facilitating, neither facilitating nor inhibiting,
inhibiting and very inhibiting. A facilitating situation refers to a situation that
spurs or ignites intentional misconduct, while an inhibiting situation refers to a
situation that discourages insiders to wittingly deviate from specific
organizational norms. As mentioned before, the extremes of the continuum on
the X-axis represent strong situations, with the situations in between representing
weak situations (Blum et. al., 2018). Similar to the above-mentioned non-
exhaustive list of antecedents of the insider’s disposition to intentionally misuse
the insider privilege, a non-exhaustive list of situations with a facilitating or
inhibiting effect is outlined below. In this regard, the insights from Greitzer et.
al. (2012) and Greitzer et. al. (2016), who distinguish between organizational
factors and individual factors, provide a good starting point.
With respect to organizational factors, reference can for instance be made
to (g) sanction probability. Sanction probability is often seen as a deterrent for
insiders with a motivation to commit intentional misconduct (Elangovan &
Shapiro, 1998; Kumar et. al., 2013; Willison et. al., 2018). A high probability to
be penalized therefore corresponds with a relatively higher inhibiting situation to
commit intentional misconduct, while absence of penalty is a relatively more
facilitating situation to wittingly deviate from specific organizational norms.
Graphically, figure 3.8 illustrates that the extent to which a situation has a
facilitating or an inhibiting effect on the probability that insider Z will commit
intentional misconduct is presented on the X-axis. Situation one presents a
neutral situation in which the situational circumstances are neither facilitating nor
inhibiting. Taking into account sanction probability, the position of Situation one
changes along the X-axis. Insiders who almost certainly get away with their
deviant conduct without any sanction find themselves in a situation more to the
right of the X-axis (Situation two), as the absence of penalty facilitates intentional
misconduct. Conversely, insiders that will be punished for committing intentional
misconduct with a probability verging on certainty find themselves in a situation
more to the left of the X-axis (Situation three), given the deterrent effect of the
sanctions. For a random insider Z, a facilitating situation corresponds with a
higher probability to commit misconduct (S2) than a neutral situation (S1),
whereas an inhibiting situation corresponds with a lower probability to commit
misconduct (S3). The same principle applies to the other organizational and
individual factors outlined below: the more the factor facilitates the insider to
commit intentional misconduct, the more the situation is positioned to the right
on the X-axis. The more the factor inhibits the insider from committing
intentional misconduct, the more the situational circumstance is positioned to the
left on the X-axis.

Figure 3.8: Influence of situational circumstances - Example sanction certainty

Concerning other organizational factors, reference can for instance be
made to factors related to control and work planning (Greitzer et. al., 2016).
Whether (h) control has a facilitating or inhibiting effect depends on the nature
of the control applied by the organization. According to Weibel (2007: 513) an
organization can “influence employees’ trustworthiness by applying the right
form of managerial control in the right way, which is in a nutshell a managerial
control based on participation and two-way communication executed by a
manager who seeks to influence her or his subordinates not for her or his own
benefit but for the benefit of the collective”. Given that insiders “only react
negatively if monitoring is evidently done with a suspicious/controlling
intention” (Weibel & Six 2012: 69), organizations that signal distrust by
hegemonically imposing controls are assumed to create negative reactions among
insiders, thereby to a greater extent provoking them to intentionally misuse the
insider privilege (i.e. facilitating effect). Or in the words of Searle et. al. (2017:
44), “the failure to adequately support and monitor vulnerable staff members
implies a level of organizational complicity and culpability”. Instead,
organizations that let insiders participate in the development and execution of
controls are assumed to increase the intrinsic motivation of insiders to adhere to
the specific organizational norms, thereby having a more inhibiting effect. In a
similar vein, organizations that perform need-based monitoring to keep an eye on
the insiders’ problems and needs (Greitzer et. al. 2012; McAllister, 1995; Shaw
& Sellers, 2015) are assumed to inhibit intentional misconduct.
The influence of work planning, on the other hand, relates for instance to
(i) the feasibility of the organization’s expectations (Holton, 1994; Blodget,
2010; Reina & Reina, 2005). In order to meet company deadlines, insiders might
wittingly decide to engage in deviant conduct (Piquero et. al., 2005; Poudin,
2019). Organizations that apply strict security rules but simultaneously expect
insiders to meet productivity targets in an unrealistic time frame might force
insiders to prioritize productivity over security, encouraging insiders to violate
the strict protocols. As a result, the situation is assumed to be more facilitating to
commit intentional misconduct if the organization has unrealistic expectations
than when the expectations of the organization are feasible.
Furthermore, “when organizational leaders set financial goals for
subunits and set their workers loose to pursue those goals, they encourage norm
violating behavior while simultaneously buffering themselves from
accountability for the actions of lower-level participants” (Monahan & Quinn, 2006:
365). The degree of (j) decoupling, which can be defined as “a strategy for
balancing the demands for organizational effectiveness with the organization’s
need for external legitimacy” (ibid: 379), can therefore also be regarded as a
situational factor that influences the probability of intentional misconduct.
Decoupling in fact refers to a discrepancy between the injunctive norms (i.e. the
prescribed specific organizational norm), or what ought to be done, and the
descriptive norms (i.e. actual conduct in force in the workplace), or what is done
(Cialdini, Reno & Kallgren, 1990; Gino, Ayal & Ariely, 2009; Searle et. al.,
2017). In contrast to the ‘bad apple’ theory where intentional misconduct is
attributed to the individual, reference is made to ‘corrupting barrels’
(Mastroianni, 2011; Searle et. al., 2017) whereby deviance is collectively
normalized among workers. Due to the discrepancy between the standards of
conduct that the organization prescribes and the actual standards of conduct the
workforce applies, (new) insiders are socialized into deviant conduct. Searle et.
al. (2017: 25) for instance stipulate that “the normalisation of explicit sexual talk
lead to inappropriate behaviours being tolerated until a more severe level or when
an unspoken ‘line’ was crossed”. Dabney (1995) and Shigihara (2013) also
demonstrated the presence of ‘normalization of deviance’ among nurses and
restaurant workers respectively, as they showed that in both cases stealing was to
a certain extent the descriptive norm even though refraining from stealing from
the organization was the injunctive norm. Injunctive norm salience can counter
normalization of deviance, or can create a more inhibiting situation. Cialdini et.
al. (1990: 1020) for instance argue that “by making the injunctive norm against
littering more prominent, we should expect reduced littering even in a heavily
littered environment”. It is therefore assumed that organizations that apply a
decoupling strategy by allowing divergence between the injunctive and the
descriptive norm create a more facilitating situation to commit intentional
misconduct than organizations that refrain from decoupling by making the
injunctive norm salient and congruent with the descriptive norm.
Apart from the organizational factors, individual factors also influence
the level of facilitation of the situational circumstances. While the disposition to
commit intentional misconduct takes into account the personal history of the
insider, the situational circumstances rather look at the current stage of the
insider’s life narrative. In this regard, reference can for instance be made to the
non-shareable problem (Cools, 1994; Robin, 1970; Sarbin, 1994). Cressey (1950:
742) indicates that “trusted persons become trust violators when they conceive
of themselves as having a financial problem which is non-shareable, have the
knowledge or awareness that this problem can be secretly resolved by violation
of the position of financial trust, and are able to apply to their own conduct in
that situation verbalizations [i.e. techniques of neutralization, see supra] which
enable them to adjust their conceptions of themselves as trusted persons with
their conceptions of themselves as users of the entrusted funds or property”.
Although Cressey (1950) limits the non-shareable problem to financial
problems, the problem can be interpreted in a broader way, whereby “unfulfilled
real or imagined needs may also prompt the trustee to consider betrayal as a
solution” (Elangovan & Shapiro, 1998: 555). Individual factors thus relate to the
insider’s current exposure to situational stressors (Shaw & Sellers, 2015),
whereby situational stressors relate to (k) failure to achieve positively valued
goals (for example not getting a promotion), (l) removal of positively valued stimuli
(for example the dismissal of a befriended colleague) or (m) presentation with
negative stimuli (for example their own dismissal) (Agnew, 1992). Insiders
experiencing these situational stressors are assumed to be in a relatively more
facilitating situation to commit intentional misconduct than insiders who do not
experience such stressors. Affect and attitude might provide useful insights to
determine the level of facilitation of the potential situational stressor (Greitzer et.
al., 2016). In an employment context, affect for example relates to the insider’s
level of engagement to the organization, while attitude for example refers to
whether feelings of disgruntlement with the organization are present. Concerning
engagement, Gelles (2016: 150) argues that “a highly engaged employee is far
less likely to exploit assets than an employee who is disengaged”. Regarding
disgruntlement, Geis (1994: 132) indicates that “there is in much of the literature
a strong belief that disenchantment with one's position in the firm makes a person
particularly susceptible to turning against it in a treacherous manner”. As a result,
it is reasonable to believe that insiders that are to a large extent disengaged from
the organization, and insiders that express feelings of disgruntlement with the
organization, find themselves in a situation that is relatively more facilitating to
commit intentional misconduct than engaged insiders that express feelings of
satisfaction with the organization.
Apart from the more job-related situational stressors outlined above,
situational stressors that say something about the insider’s personal life should
not be overlooked (Shaw & Sellers, 2015). Stressors that can arise in a personal
context are for instance addictions, loss of loved ones or financial problems.
Again, it might be assumed that insiders experiencing such personal strains are
in a more facilitating situation to commit intentional misconduct than insiders
who perceive themselves to be living a carefree life.

3.4.2.3. Action: probability of intentional misconduct

So far, it was argued in relation to the first aspect of SAT (i.e. perception
of action alternatives, see 3.4.2.1.) that mutable insiders should be distinguished
from virtue and vice insiders, and in relation to the second aspect of SAT (i.e.
process of choice, see 3.4.2.2.) that the extent to which these mutable insiders
perceive intentional misconduct as an acceptable action depends on their
situational disposition to commit intentional misconduct. The last aspect of SAT
(i.e. action) is touched upon in this sub-section by looking at the interaction
between the person-side and the situation-side of the NIPS model applied to the
context of this dissertation.
Figure 3.9 illustrates that the interaction makes it possible to estimate the probability
that a particular insider will commit intentional misconduct in a particular
situation. Once a particular situation is identified on the X-axis (very facilitating
– very inhibiting), the organization can go upwards until the curve that illustrates
the insider’s disposition (insider A-F) is reached. Subsequently, the probability
that an insider will commit intentional misconduct when confronted with that
particular situation is displayed on the Y-axis (certain – impossible). To give an
example, two different situational circumstances are displayed on figure 3.9, one
situation that inhibits the insider from deviating from the specific organizational norms
(situation one) and one situation facilitating the insider to commit intentional
misconduct (situation two). Table 3.3, which is derived from figure 3.9, gives an
overview of the probabilities that insiders A to F will commit intentional
misconduct in both situations.
Both table 3.3 and figure 3.9 show that insiders with a relatively low
disposition to commit intentional misconduct (insider E) will have a relatively
low likelihood of committing intentional misconduct, even in the facilitating
situation (situation two). Conversely, insiders with a relatively high disposition
to commit intentional misconduct (insider B) will have a relatively high chance
of committing intentional misconduct, even in the inhibiting situation (situation
one). Insider E and B can therefore be considered strong persons. In contrast to
insider E and B whose probability to commit intentional misconduct depends less
on the situational circumstances, the probability to wittingly misuse
the insider privilege can also be more context-dependent, like in the case of
insider C and D that engage in intentional misconduct if opportunities arise but
refrain from it in case of unfavorable circumstances. Insider C and D can
therefore be regarded as weak persons.

Figure 3.9: Determining the insider’s probability of intentional misconduct in a given
situation

Insider      Situation 1 (inhibiting)    Situation 2 (facilitating)
Insider A    A1 – Certain                A2 – Certain
Insider B    B1 – Possible               B2 – Probable
Insider C    C1 – Implausible            C2 – Plausible
Insider D    D1 – Improbable             D2 – Possible
Insider E    E1 – Improbable             E2 – Implausible
Insider F    F1 – Impossible             F2 – Impossible
Table 3.3: Probability of intentional misconduct (derived from figure 3.9)
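
The lookup described above (pick a situation on the X-axis, go up to the insider's curve, read the probability on the Y-axis) and the sanction-certainty shift of figure 3.8 can be reproduced numerically. The following Python code is an added example, not part of the dissertation and not the NIPS formula of Blum et. al.; the plain logistic curve with a common slope, the evenly spaced situation scores, the probability bands behind the verbal labels, the treatment of insiders A and F as vice and virtue insiders, and the curve midpoints (chosen so that the output matches table 3.3) are all assumptions, as are the function names.

```python
import math
from dataclasses import dataclass

# X-axis of figures 3.8 and 3.9, ordered from left (inhibiting) to right (facilitating).
# The evenly spaced numeric scores (-2 .. +2) are an assumption.
SITUATIONS = ["very inhibiting", "inhibiting", "neither",
              "facilitating", "very facilitating"]
SCORE = {name: float(i - 2) for i, name in enumerate(SITUATIONS)}

# Assumed upper bounds for the verbal Y-axis labels used for mutable insiders.
BANDS = [(0.2, "Improbable"), (0.4, "Implausible"),
         (0.6, "Possible"), (0.8, "Plausible")]


@dataclass(frozen=True)
class Insider:
    name: str
    kind: str              # "vice", "virtue" or "mutable"
    midpoint: float = 0.0  # X position where p = 0.5; lower = curve shifted left
                           # = higher disposition to commit intentional misconduct


def probability(insider, situation, slope=1.0):
    """Step 1: separate vice/virtue insiders. Steps 2-3: read a mutable insider's curve."""
    if insider.kind == "vice":
        return 1.0
    if insider.kind == "virtue":
        return 0.0
    if insider.kind != "mutable":
        raise ValueError(f"unknown insider kind: {insider.kind!r}")
    x = SCORE[situation]  # KeyError for a situation that is not on the scale
    return 1.0 / (1.0 + math.exp(-slope * (x - insider.midpoint)))


def label(insider, p):
    """Translate a probability into the verbal categories of table 3.3."""
    if insider.kind == "vice":
        return "Certain"
    if insider.kind == "virtue":
        return "Impossible"
    for upper, name in BANDS:
        if p < upper:
            return name
    return "Probable"


def assess(insider, situation, slope=1.0):
    p = probability(insider, situation, slope)
    return p, label(insider, p)


def move(situation, steps):
    """Shift a situation along the X-axis (negative = more inhibiting), clipped to the scale."""
    i = SITUATIONS.index(situation) + steps
    return SITUATIONS[max(0, min(len(SITUATIONS) - 1, i))]


# Constructed calibration: midpoints picked so the labels match table 3.3.
INSIDERS = [
    Insider("A", "vice"),
    Insider("B", "mutable", -1.0),
    Insider("C", "mutable", 0.0),
    Insider("D", "mutable", 1.0),
    Insider("E", "mutable", 2.0),
    Insider("F", "virtue"),
]


def table_3_3():
    """Labels for situation one (inhibiting) and situation two (facilitating)."""
    return {i.name: (assess(i, "inhibiting")[1], assess(i, "facilitating")[1])
            for i in INSIDERS}


if __name__ == "__main__":
    for name, (s1, s2) in table_3_3().items():
        print(f"Insider {name}: {s1:<12} {s2}")
    # Figure 3.8 for insider C: sanction certainty moves the situation along the X-axis.
    c = INSIDERS[2]
    for steps, note in [(0, "neutral (S1)"), (1, "sanction unlikely (S2)"),
                        (-1, "sanction near-certain (S3)")]:
        p, verbal = assess(c, move("neither", steps))
        print(f"{note:<28} p = {p:.2f}  {verbal}")
```
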

To conclude this section, figure 3.10 provides a schematic overview of
the conceptual model to assess insider (un)trustworthiness. It shows that
organizations should first distinguish vice and virtue insiders from mutable
insiders based on the question to what extent the insider perceives intentional
misconduct as an acceptable action alternative (1). While intentional misconduct
is certain in the case of vice insiders, it is impossible in the case of virtue insiders,
although it was demonstrated that it is reasonable to believe that both categories
are sparsely populated. For mutable insiders, the most densely populated
category (Cools, 1994; Kumar et. al., 2013), the possibility of intentional
misconduct depends on the interaction between an insider’s disposition to
commit intentional misconduct and the situational circumstances the insider
encounters, referred to as their situational-disposition (Eoyang, 1994) (2). An
application of the NIPS model (Blum et. al., 2018; Blum & Schmitt, 2017;
Schmitt et. al., 2013) makes it possible to determine an insider’s situational disposition and
therefore to assess the probability that a particular insider will intentionally
deviate from the prescribed standards of behavior in a given situation (3).

Figure 3.10: Assessment of insider (un)trustworthiness (adapted from Wikström, 2014:
79)

3.5. Limitations
Notwithstanding the advantages of the conceptualization and assessment
of insider trustworthiness and betrayal outlined in this chapter, it has some
limitations that should be taken into account in future research. First of all, the
trust relationship between an organization and its insiders was interpreted in a
unidirectional way, whereby the organization acts as truster and the insiders as
trustees (Mayer et. al, 1995). This implies that I solely looked at trust from a
given trustor (i.e. the organization) to a given trustee (i.e. the insider), and not at
mutual trust. Although an organization does not only take the role of truster but
also of trustee, examining the insider’s trust in the organization (Searle, 2013)
was beyond the scope of this study. The same principle applies to the insiders,
who should not only be considered as trustees but also as trusters. Future research
on insider trustworthiness and betrayal should therefore consider the trust
relationship in a bidirectional way, focusing on both directions of the trust
equation.
Furthermore, trust in an organizational context is complicated by what
Monahan and Quinn (2006: 363) refer to as “the legal fiction of the corporation
as ‘individual’”. Throughout the chapter, the organization was
anthropomorphized, neglecting that it concerns a collective actor that depends on
human agency. Although considering the organization as a unitary actor is useful
for the purpose of theory building and analysis (Waltz, 1979), abstracting from
human agency by interpreting ‘the organization’ as truster with human
characteristics is erroneous, given that it concerns impersonal trust rather than
personal trust (Morris & Moberg, 1994). Elangovan and Shapiro (1998) urge not to
equate deviance and betrayal, emphasizing that “a violation of impersonal
trust could be considered deviance, whereas a violation of personal trust could be
considered betrayal. (…). What differentiates the two is the presence of a specific
trustor (instead of the organization in general) and the violation of the trustor's
personal expectations of the trustee (instead of the impersonal expectations of the
office occupied by the trustee) in betrayal” (ibid: 549). The conceptualization and
assessment suggested in this chapter neglected their advice, and future research
should refrain from the simplifications used in this chapter to include human
agency in theory building. In this regard, future research can for instance
elaborate on the identification of biases among recruiters (Klotz, Da Motta Veiga,
Buckley & Gavin, 2013; Mayer & Norman, 2004; Pearce, 2000), or include
human agency during employment by interpreting supervisors as trusters
(Schafheitle, Weibel & Möllering, 2016).
Concerning the conceptual assessment model, I am aware that the model
outlined here does not provide organizations with a ready-to-use assessment tool
of insider trustworthiness, but this was not my intention. The objective of the
present chapter was to increase the understanding of the trust relationship
between an organization and its insiders and the related concepts of insider
trustworthiness and betrayal (section 3.2), to show the added value of insider
trustworthiness assessment as compared to presumption of insider
trustworthiness (section 3.3) and to take the first step towards developing a tool
to measure insider (un)trustworthiness (section 3.4). It is clear that the application
of the NIPS model to the insider threat problem as illustrated in the present
conceptual model remains a simplification (Schmitt et. al, 2013), particularly
because it leaves aside the mathematical part of the NIPS model (Blum et. al.,
2018; Blum & Schmitt, 2017). Still, since the goal of the conceptual assessment
model was limited to getting an understanding of the way probability of
intentional misconduct is dependent on the interaction between the insider’s
disposition to commit misconduct and the situational circumstances the insider
encounters, I chose to “present the model in its simplest form to avoid making it
too complex” (Schmitt et. al., 2013: 5).
This does not alter the fact that more theoretical and empirical research is
needed to transform the present conceptual model into an operational model with
practical usability. First of all, because the NIPS model “also provides a
mathematical formula (i.e., a logistic curve) for predicting the manner in which
this interaction takes place” (Blum and Schmitt, 2017: 17), future research should
include the mathematical part. On top of that, not only should additional
antecedents of both the person-side and the situation-side be identified in a more
systematic way (like a systematic literature study), also the suitability and
veracity of the determinants suggested in this study have to be empirically
checked, given that these determinants were not derived in an empirical way but
were theoretically derived from past literature (Maasberg et. al., 2015).
Concerning the insider’s disposition, it should for instance be verified through
empirical research whether neuroticism indeed corresponds with a higher
disposition to commit intentional misconduct, or whether high proneness to guilt
indeed corresponds with a lower disposition to intentionally deviate from the
specific organizational norms. In this regard, existing personality scales, like
HEXACO in the case of the big five personality dimensions, or the guilt
proneness scale (GASP) in the case of guilt proneness can be used for this
empirical verification (Cohen et. al., 2016; Levine et. al., 2018). Moreover, some
characteristics might not only be associated with higher disposition to commit
intentional misconduct, but might also be admirable. For example, integrity is
often seen as an important indicator of trustworthiness, but “standard integrity
measures will be useless in such an effort because good managers are creative
and flexible, and creative people receive low scores on conventional measures of
integrity” (Hogan & Hogan, 1994: 93). Reflecting on this difficulty is
recommended when calibrating the conceptual assessment model.
Concerning the situational circumstances, proper scaling of the categories
‘very inhibiting’, ‘very facilitating’ and any category in between is essential in
the conceptual assessment model (Schmitt et. al. 2013). Although it is of utmost
importance to properly define the position of a situational circumstance on the
X-axis, so far it has been difficult to do this in practice. Take for instance sanction
probability, which was categorized as having an inhibiting effect if the
probability of a sanction is high and a facilitating effect if the probability is low.
However, Barlow et. al. (2013: 147) for instance indicate that “implementation
of deterrent sanctions may even cause employees to feel that the organization
does not trust them, leading to the very behaviors that the sanctions intended to
combat”. In other words, they suggest that high sanction probability might have
a facilitating rather than an inhibiting effect. Consequently, future empirical
research should not only confirm or deny the effects of the situational
circumstances suggested in this chapter, but should equally look for additional
situational circumstances that have an inhibiting or facilitating effect to commit
intentional misconduct. Still, Funder (2009: 123) argues that “while methods for
assessing dimensions of individual differences across persons abound,
equivalently-sophisticated, parallel methods for assessing (…) situations are
painfully lacking”. Since Blum et. al. (2018: 303) too emphasize that “the quality
of P × S interactions research crucially depends on how well psychologists can
solve the task of measuring situations with the same precision with which they
are able to measure personality”, future research should
work on the development of adequate measurement tools of the situation-side.
To conclude, cultural differences also complicate the assessment of
insider trustworthiness in an objective and unbiased way. Nishishiba and
Ritchie’s (2000) comparison between trustworthiness in a Japanese context,
where the concept corresponds with an interdependent view equaling
organizational commitment, and trustworthiness in a US context, where the
concept corresponds with an independent view where it equals personal integrity,
demonstrates that the meaning of trustworthiness may vary across cultures.
Future research on insider trustworthiness and betrayal should take these cultural
differences into account.
3.6. Conclusion
This chapter examined the trust relationship between an organization and
its insiders, who respectively operated as truster and trustees. While admission to
the organization’s trusted insider-group depends on the organization’s propensity
to trust and the (organization’s perception of) the insider’s trustworthiness
(Colquitt et. al., 2007; Mayer et. al., 1995), the latter is underexposed in the
literature in comparison with the former (Hardin, 1996; Levine et. al., 2016;
Reiersen, 2019). This study addressed this gap in the literature by elaborating on
insider trustworthiness and the related possibility of betrayal of trust, whereby
both concepts were examined from an organizational and a societal perspective.
First of all, it was argued that insider trustworthiness relates to the
insider’s willingness to be responsible to their commitment to use the insider
privilege appropriately, represented by their benevolence and integrity.
Moreover, it was illustrated that trusting insiders with access to and/or knowledge
about the organizational assets benefits organizations if the insider is trustworthy
but simultaneously leaves organizations vulnerable to betrayal of specific
organizational trust. This is not to say that every instance of insider misconduct
concerns betrayal of trust, given that betrayal of specific organizational trust only
occurs in case of insider threats. Furthermore, it was illustrated that contrary to
the assumption that “trustworthiness (in general) is an inherently good thing and
that betrayal is an inherently bad thing” (Tavani and Grodzinsky, 2014: 8),
betrayal of specific organizational trust does not always entail betrayal of trust
from a societal point of view and vice versa. As a result, it is important to always
take into account the applied perspective when examining insider trustworthiness
and betrayal.
Apart from conceptualizing insider (un)trustworthiness from an
organizational and a societal perspective, different sources (i.e. reinforcement,
convention and internalization) were explored through which organizations
derive their perception of insider trustworthiness, or through which they presume
that the insider will behave in a trustworthy way. Subsequently, the underlying
pragmatic, rational and constructivist reasons that make organizations presume
trustworthiness were elaborated on, simultaneously explaining why assessing
insider trustworthiness is preferable to presuming it. Organizations might be
prone to the NIMO bias (Bunn & Sagan, 2016), disregarding the possibility of
insider disloyalty, which in its turn might result in situations where the
organization excessively trusts insiders who do not merit trust, with all the
negative consequences that entails (Hardin, 1996; Isaeva et. al., 2019).
Consequently, a conceptual model was suggested to assess insider
(un)trustworthiness, mainly drawing upon the insights of SAT (Craig, 2019;
Wikström, 2014). The main goal of the study was to develop a conceptual tool
that helps organizations to assess the probability that their insiders will commit
intentional misconduct. Three ideal types of insiders (vice, virtue and mutable
insiders) were separated depending on whether the insider considers intentional
misconduct as acceptable. The model concentrated on mutable insiders, referring
to the insiders that accept intentional misconduct in some conditions but not in
others. These conditions were explored by elaborating on the NIPS model (Blum
et. al, 2018; Blum & Schmitt, 2017; Schmitt et. al., 2013), and in particular on
Eoyang’s (1994) application of NIPS. More specifically, a non-exhaustive list of
antecedents of on the one hand the insider’s disposition (i.e. person-side) and on
the other hand the situational circumstances that have a facilitating or inhibiting
effect (i.e. situation-side) was provided. After discussing the person-side and
situation-side separately, the interaction between both was elaborated on to
determine the probability that a particular insider in a particular situation will
engage in intentional misconduct.
It is relatively uncommon to frame employment in terms of
trustworthiness, acknowledging trust relationships with insiders and
acknowledging that trusting insiders by granting them the insider privilege
implies vulnerability to betrayal of trust via intentional misconduct. Nevertheless,
organizations should not only focus on competence to gauge whether the insider
will meet their presumed commitments but should equally focus on whether or
not the insider has made the commitment in the first place. “From the
organization's standpoint, the greatest problems occur when employees are
placed in a position of trust but do not exercise their fiduciary duties of diligence,
disinterestedness, and disclosure” (Moberg, 1997: 43). Trusting an insider with
access to and/or knowledge about the organizational assets implies that the
organization has to believe rather than presume that its insiders have committed
themselves to handle the insider privilege in accordance with the specific
organizational norms (Hardin, 1996). It is important to reconsider the
conventional view on insider suitability for the job, not only assessing insider
competence but also assessing insider trustworthiness to ensure only trustworthy
individuals get access to the organizational assets (Ho, 2008; Pearce, 2000;
Sinek, 24/09/2019). Notwithstanding the fact that considerable work needs to be
done to make the present conceptual insider trustworthiness assessment model
ready-to-use, applying SAT and the NIPS model in terms of insider threats and
simultaneously digging deeper into the factors that influence an insider’s
disposition to commit intentional misconduct and the situational circumstances
that facilitate or inhibit intentional misconduct paved the way for the
development of an operational (instead of conceptual) assessment tool of insider
trustworthiness in the future. It is acknowledged that the conceptual model is only
the first step towards a better understanding of the probability that an insider will
commit intentional misconduct and that more theoretical and empirical research,
in the form of integration of the mathematical part of NIPS, identification of
additional determinants of the person-side and situation-side, verification of these
determinants via proper measurement methods, and validation of the entire model
is needed to refine the model and increase the practical usability for
organizations.
To conclude, it was argued earlier in this chapter that a fully objective
assessment of insider trustworthiness is nearly impossible (Buechner et. al. 2014)
and that the organization can at the most infer a degree of the insider’s objective
trustworthiness about it (O’Neill, 2018). Even though it is argued that the (future
versions of the) conceptual model presented in this chapter helps organizations
to more accurately predict insider (un)trustworthiness, it still holds that “trust
rests on good reasons up to a point but then requires faith in order to be realized”
(Möllering, 2005: 30). Because the organization has to base its decision to trust
on a perception about the insider’s trustworthiness (Held, 1968; Reiersen, 2019;
Schoorman, Mayer & Davis, 1996), it will never be able to assess insider
trustworthiness with 100% certainty, as recruiting and employing insiders
always involves a certain leap of faith (Bijlsma & Koopman, 2003; Li, 2012;
Möllering, 2005; Schafheitle et. al., 2016).

Chapter 4

Categorizing the insider threat problem

4.1. Introduction
While the previous chapters clarified the conceptualization of the insider threat
problem (chapter two) and the related concepts of insider trustworthiness and
betrayal (chapter three), a detailed understanding of the main characteristics of
the insider threat problem was not given in those chapters. These chapters rather
set the scene of the insider threat concept, explaining what is and what is not
considered an insider threat and who poses the threat without delving deeper into
other relevant questions related to the problem, like why insiders misuse their
privilege, when an insider becomes untrustworthy or how serious the impact of
intentional misconduct can be. As a result, the last chapter of the second part of
the dissertation addresses this shortcoming with a typology of the various
characteristics of insider threat.
The goal of this chapter[35] is to illustrate the complexity of the insider
threat problem. To establish the eight-part insider threat typology, a spin-off
version of the who, what, where, when, why, and how (5W1H) methodology
(Hart, 1996; Homoliak, Toffalani, Guarnizo, Elovici & Ochoa, 2018) was used
to answer elementary questions on the insider threat problem. Moreover, the
typology was developed based on an interplay between on the one hand insider
threat literature and on the other hand publicly available examples of insider
threat incidents found in (inter)national media and insider threat literature.

[35] It should be mentioned that most information discussed in this chapter will be published as a
book chapter in ‘Management and Engineering of Critical Infrastructures’, co-authored
with dr. Marlies Sas, Prof. dr. Wim Hardyns, Prof. dr. Genserik Reniers and Prof. dr. Tom
Sauer.

In what follows, the chapter starts with a brief outline of the research
design. Subsequently, the typology itself is illustrated by systematically referring
to real examples of insider threat incidents in critical infrastructure sectors that
are publicly available. Finally, the chapter discusses the shortcomings of the
typology and recommendations for future research, before ending with a
conclusion section.
4.2. Research design
Regarding the research design, the typology relies upon a spin-off version
of the who, what, where, when, why, and how (5W1H) methodology utilized by
for instance Hart (1996) and Homoliak et al. (2018). In contrast to these authors,
I used the 4W4H methodology, asking the following eight questions: (1) What
does the insider want to achieve with the intentional misconduct?; (2) Who
suffers or benefits from the intentional misconduct?; (3) Why does the insider
want to commit intentional misconduct?; (4) When does the insider become
untrustworthy?; (5) How does the insider commit intentional misconduct?; (6)
How serious is the (potential) impact of the intentional misconduct?; (7) How
many insiders are involved with the intentional misconduct? and (8) How much
is the insider involved in the insider threat incident? The basic premise of the
typology was that through these elementary questions I would get a more
complete picture of the characteristics of insider threats.
While the bedrock of the typology is based upon a theoretical analysis of
existing insider threat literature, it was (and still is) challenged by real insider
threat incidents that appear(ed) in (inter)national media sources[36] and that did (or
do) not fit in any existing category. In other words, the answers to the four W and
(derivatives of) How came into existence via a constant interplay between insider
threat literature that provides the foundation of the theoretical framework and
publicly available examples of insider threat incidents that continuously
reassess(ed) the theoretical framework in order to validate it. In the end, this
enabled me to draw the mind map illustrated in figure 4.1 that displays the
(provisionally discovered) characteristics of the insider threat problem.

[36] International media sources are for instance BBC News, CNN News, NOS Nieuws and The
Guardian. National media sources are among others De Morgen, De Standaard, De Tijd,
Het Nieuwsblad and VRT NWS.

Figure 4.1: Typology of insider threat characteristics

To illustrate the typology displayed in figure 4.1, I have opted to link each
item of the typology with at least one insider threat incident that actually
happened in a critical infrastructure sector, making reference to examples that are
publicly available in academic journals, (academic or non-fiction) books or
mainstream media. Although the dark or hidden number of insider threats
remains high due to the tendency to avoid public announcements in order to
safeguard the organization’s reputation (Mehan, 2016; Sarkar, 2010), I insisted
on using real-case examples instead of hypothetical ones because they are
functional both in a theoretical and a practical way. On the one hand, real cases
help me to continuously reassess and validate the theoretical framework. On the
other hand, discussing real insider threat incidents can help organizations to
recognize their vulnerability to insider threats (Bunn & Sagan, 2016) as they
“bridge the gap between theoretical concepts and real world problems” (Hobbs
& Moran, 2015: 8).
For the sake of clarity, I build upon the EU framework for critical
infrastructure protection for the interpretation of the concept ‘critical
infrastructure’, and more precisely the green paper on a European Program for
critical infrastructure protection published by the European Commission in 2005
and the European Council Directive EC 2008/114 that resulted from it (Smedts,
2011). In the directive, critical infrastructure is defined as “an asset, system or
part thereof (…) which is essential for the maintenance of vital societal functions,
health, safety, security, economic or social well-being of people, and the
disruption or destruction of which would have a significant impact (…) as a result
of the failure to maintain those functions” (European Council, 2008: article 2,
part (a)). In the green paper the directive is based upon, an indicative list of
critical infrastructure sectors was given in annex 2, considering the following
eleven sectors as critical infrastructure: (I) energy, (II) information,
communication technologies and ICT, (III) water, (IV) food, (V) health, (VI)
financial, (VII) public and legal order and safety, (VIII) civil administration, (IX)
transport, (X) chemical and nuclear industry, and (XI) space and research
(European Commission, 2005).
While eleven sectors were included in the proposal of the directive, only
two sectors, energy and transport, were included in the final draft of the directive
itself[37]. Because I believe that critical infrastructure goes beyond energy and
transport and consider the indicative table to be a better representation of the
scope of critical infrastructure, I will refer to insider threat incidents that have
taken place at different organizations within any of the eleven sectors
mentioned in the green paper and the proposal of the directive, both in Belgium
and in other parts of the world. In the remainder of the chapter, the typology will
be elaborated on, discussing eight domains in greater detail.
4.3. A typology of insider threats to critical infrastructure
4.3.1. Objective

The first domain of the typology refers to the objective of the insider
(Nurse et al., 2014), or what the insider wants to achieve with the intentional
misconduct. In order to answer this question, reference can be made to chapter
two where expressive insider threats were differentiated from instrumental
insider threats in the sense that causing harm to the organization is a goal in itself
in case of the former while it is a means to achieve another goal in case of the
latter.

[37] A possible explanation for this is the distinction between national and European critical
infrastructure, whereby the directive focused on “the European dimension (…) when the
infrastructure becomes critical for more than one member state of the Union” (Smedts,
2011: 73-74).

4.3.1.1. Expressive insider threats

Insider threats that are principally aimed at causing harm to the
organization are considered to be expressive insider threats. An example of an
expressive insider threat is the previously mentioned case of David Burke, the
man who was responsible for the crash of the Pacific Southwest Airlines Flight
1771. Being aware that the employer who recently dismissed him was on board
of the plane, Burke misused his access to the plane to smuggle a gun on board,
kill his former employer and crash the plane (Greco, 2017; Loffi & Wallace,
2014). Since Burke’s mission was only accomplished when the organization (or
organizational representative in Burke’s case) got hurt, harming the organization
was his main objective. Expressive insider threats are therefore not a pragmatic
choice to harm an arbitrary organization, given that the identity of the
organization (or organizational representative) is a decisive factor. Insiders
posing expressive insider threats can be considered ‘malicious’ in the original
sense of the word (see chapter two).

4.3.1.2. Instrumental insider threats

In contrast, instrumental insider threats are mainly aimed at reaching
another goal through the intentional misconduct. While expressive insider threats
are posed by ‘malicious’ insiders in the original sense of the word, instrumental
insider threats can be posed by miscalculating, desperate, unscrupulous or
positive externality insiders that respectively regard the (potential) damage
caused in achieving their ‘higher’ goal as unintentional, regard it as ‘collateral
damage’, are indifferent about it or see it as a positive side effect.
Firstly, the miscalculating insider has no intention at all to hurt the
organization but miscalculates the situation, disregarding the fact that their
intentional misconduct can potentially hurt the organization. Think for instance
of a nurse at a hospital in The Netherlands who accidentally cut off a fingertip
from a newborn baby in an attempt to remove a bandage from the baby girl’s
hand (Het Nieuwsblad, 04/12/2021). The nurse allegedly used scissors, which
was not according to the applicable procedures. Also socially engineered
insiders, referring to insiders who are manipulated by a third, unauthorized
person (i.e. the social engineer) into sharing their authorized access to the
organizational assets with them (Wall, 2013), fit this description. Although the
insider intentionally violates the organizational norm, there is no intention to hurt
the organization. The insider simply does not take into account the fact that the
witting misconduct might have counterproductive results.
Secondly, the desperate insider perceives that from their perspective, the
potential benefits of hurting the organization outweigh the potential costs. In
other words, the insider is desperate to achieve an advantage or reduce a
disadvantage and has to make the organization suffer in order to achieve this
advantage or reduction of the disadvantage, making the damage to the
organization ‘collateral damage’. Instrumental insider threats therefore do not
only arise from insiders that are blind to possible counterproductive effects of
witting misconduct, but also from insiders that have a ‘the end justifies the
means’ mentality, implying that any means, even those that inflict harm on the
organization, can be used to reach the ‘ultimate’ objective. The insider simply
neutralizes their wrongdoing in order to overcome potential moral barriers,
convincing themselves that they are allowed to harm the organization because it
is for ‘the greater good’ (Siponen & Vance, 2010; Willison & Warkentin, 2013).
An example of such an insider threat is the case of Abdul-Majeed Marouf Ahmed
Alani, a former American Airlines mechanic who was accused of trying to
sabotage a commercial airliner. He claimed his intentions were purely financial
and allegedly explained that the sabotage enabled him to get overtime pay for
repairing the plane, money he desperately needed to pay his children’s study costs
(Chavez and Royal, 2019; NOS Nieuws, 04/03/2020).
Thirdly, the unscrupulous insider is indifferent about the (potential)
damage their actions may cause to their employer. While the desperate insider
would avoid intentional misconduct if they could achieve their goal more easily
in an alternative way, using neutralization techniques to rationalize the
intentional misconduct, unscrupulous insiders have no need to neutralize their
wrongdoing because they simply don’t care about the fact that the organization
has to suffer to achieve their main objective. Think for instance of a nurse who
not only stole thousands of euros from a dying patient to buy private stuff (e.g.
clothes, toiletries, …) but also bragged about it to friends and family (Verhaeghe,
2022).
Finally, apart from being indifferent about inflicting harm on the
organization, insiders can also perceive the harm as a positive side effect. This is
the case with the positive externality insiders, who consider the harm to the
organization a nice extra to the achievement of the main objective. An example
is the employee of Pfizer that before starting employment at a competitor stole
intellectual property related to COVID-19 vaccines (Stempel, 2021). From a
zero-sum perspective, the current employer has to be harmed to achieve the main
goal of the insider, namely improving the competitive position of the new
employer. This makes the harm a positive externality. The same principle applies
to cases of espionage, since the main goal of spies is to improve the position of
the country they are loyal to and the only possible way to do this is via harming
the opposing country. Figure 4.2 shows the categorization of insider threat
according to the objective of the insider.

[Figure: tree diagram. Objective branches into Expressive (Malicious) and
Instrumental (Positive externality, Unscrupulous, Desperate, Miscalculating).]

Figure 4.2: Categorization of insider threat according to the insider’s objective

4.4.2. Subject

In a second domain, insider threats can be divided according to the subject
that is affected by it (Bunn & Sagan, 2016; Moberg, 1997). Two separate
sub-questions can be asked, namely who[38] suffers from the insider threat (i.e. victim)
and who benefits from it (i.e. perceived beneficiary)?

4.4.2.1. Victim

With respect to the victim, a distinction can be made between insider
threats that solely cause harm to the organization[39], and insider threats that also
cause harm to a third party outside the organization. Harm to the organization is
present when the insider threat only impacts the organization’s assets. To
illustrate, reference can be made to the previously mentioned case of the police
officer that stole truncheons, alarm pistols and bulletproof vests (Stacius, 2021),
or to the case of Oswald Bilotta, a former sales representative at a Swiss
pharmaceutical company who acted as a whistleblower and exposed that his
company had paid thousands of doctors bribes to prescribe its own drugs (De
Schamphelaere, 2020).

[38] The question ‘who poses the threat’ is already addressed earlier in chapter two while discussing
the definition of the insider.
[39] One could distinguish victims within the organization, separating individuals, groups and the
organization as such. Even though I acknowledge this, I abstract from this distinction
because in this dissertation I start from the assumption that organizations are unitary actors
(see chapter three).
In contrast, one can speak of harm to a third party when the impact of
the insider threat exceeds the impact on the organizational assets and profoundly
affects a third party in a negative way. The third party may appear in many guises,
ranging from customers and fellow organizations to ordinary citizens. To give an
example, reference can be made to the case of Vitek Boden, who “worked for
Hunter Watertech, a supplier of radio-controlled sewage control systems to the
Maroochy Shire Council in Queensland, Australia. When Boden quit his job and
was refused another by the council, he took his revenge by sabotaging the control
systems, sending 800,000 litres of raw sewage into local parks and rivers” (Ring,
2015: 10). Given that Boden’s sabotage caused nuisances like contaminated water
and stench, the harm caused by his actions was not confined to the organization’s
assets but also affected third parties.

4.4.2.2. Perceived beneficiary

Concerning the (perceived) beneficiaries of the insider threat, a division
can be made between insider threat incidents that benefit the insider, benefit the
organization (however strange it may sound) or benefit a third party. Insider threats
aimed at benefitting the insider refer to insiders that are primarily interested in
improving their own position, even at the expense of the organization. An
example is the case of the employee of Bpost, the Belgian postal company, who
stole over 300.000 euros by intentionally withholding certain letters over a period
of ten years (Het Nieuwsblad, 01/07/2019).

Insider threats that are perceived to benefit the organization refer to
insider threats where the ultimate goal is to aid the organization in the long run.
It includes insiders that wittingly circumvent organizational norms in order to (at
least in their perception) help the organization. An example is the case of Oleg
Savchuk, who deliberately infected the computer system of the Ignalina Nuclear
Power Plant in Lithuania with a computer virus, allegedly as a wake-up call to
the inadequate security measures (Bunn & Sagan, 2016). In other words, in an
attempt to improve security, Savchuk perceived that, as a cautionary tale, he had
to hurt the organization in the short run, only in order to help the organization in
the long run. Other insiders that fall under the scope of this category are
whistleblowers (Tavani & Grodzinsky, 2014), socially engineered insiders (Wall,
2013), and insiders who perceive that productivity is more important than
security, and who therefore tend to ignore security protocols (Roemer, 2008).
Next to the insiders that (want to) benefit either themselves or the
organization, also insiders that benefit a third party should be considered. Like
with third party victims, third party beneficiaries can refer to a broad spectrum of
actors, among others referring to whistleblowers like Snowden who during his
employment at the National Security Agency (NSA) leaked confidential
information to newspapers (Fischbascher-Smith, 2015; Ring, 2015) or to spies
and moles like Robert Hanssen (Bunn & Sagan, 2016) and Ana Montes (Shaw &
Sellers, 2015) who misused their access to classified US information to spy for
respectively the Soviet Union (and later Russia) and Cuba. Other third party
beneficiaries are terrorist or criminal organizations, like in the case of Waheed
Mohammed who “considered using his inside knowledge and access to the
energy sector to facilitate damage to the gas network as part of a bomb plot linked
to Al-Qaeda” (Bell et al., 2019: 167), or competitors like in the previously
mentioned case of the Pfizer employee that took intellectual property to her new
employer (Stempel, 2021). Also the thwarted case of Auburn Calloway, whose
“plan was to disable the DC-10's cockpit voice recorder, kill the crewmembers
with hammers to simulate injuries consistent with an aircraft crash, and fly the
aircraft into the ground so that his family would be able to collect on a $2.5
million life insurance policy provided by the company” (Greco, 2017: 722) can
be considered an insider threat that wants to benefit a third party (i.e. the family).
Figure 4.3 shows the categorization of insider threat according to the subject of
the insider threat.

[Figure: tree diagram. Subject branches into Victim (Organization, Third party)
and Beneficiary (Insider, Organization, Third party).]

Figure 4.3: Categorization of insider threat according to the subject of the insider threat

4.4.3. Motivation

A third domain concerns the motivation of the insider (Mehan, 2016;
Nurse et al., 2014; Sarkar, 2010), or why the insider intentionally misuses the
insider privilege. The difference with domain one is that domain one questions the
insider’s intent (i.e. harm as a goal or harm as a means to achieve another goal),
while this domain questions the motivation behind the intent, whereby “multiple
motivations may map into a single intent” (Probst et al., 2010: 11). This study
provides a (non-exhaustive) list of thirteen potential driving forces of insider
threat incidents. Each time, an indication is given on whether the insider threats
related to the motivation are expressive or instrumental in nature.

4.4.3.1 Ideology

A first motivation is ideology (Fischbascher-Smith, 2015; Maasberg et al.,
2015; Mehan, 2016). The ideological insider threat refers to insiders that want
to make a religious, political or ideological statement, or insiders that want to
express their views on how (international) society should be managed. It
includes, but does not exclusively consist of, cases of extremism and terrorism
that can originate from different kinds of ideology.
The ideological insider threat can for instance be based on religion, like
the previously mentioned case of US Army psychiatrist Nidal Malik Hasan, who
out of ideological convictions killed 13 people and wounded several others at
Fort Hood (Zegart, 2016). During the lead-in time to his attack, his colleagues
described him as “a ticking time bomb due to his radical views on Islam”
(BaMaung et al., 2018: 137). Another example is the foiled terrorist attack from
Terry Loewen. Inspired by Al-Qaida members Osama Bin Laden and Anwar
Al-Awlaki, Loewen intended to misuse his access to an airport in Kansas in order to
set off a vehicle stored with explosives (ibid). Although both examples refer to
the Islamic religion, also other religious beliefs (Christianity, Judaism, …) should
be borne in mind when discussing insider threats based on religious ideology.
Apart from religious ideology, the insider threat can also originate from
right-wing ideology. A relatively recent example in the Belgian context is the
case, elaborated on in the introduction of this dissertation, of Jürgen Conings,
a Belgian soldier with links to right-wing extremism who misused his access to the
army barracks to steal heavy weaponry while expressing intentions to kill known
people (Heylen, 2021b). Similar examples of ideological insider threats based on
right-wing ideology can be found in other countries as well. In Australia, soldiers
were photographed while waving a swastika flag on an Australian army vehicle
(Zhou, 2018). In the United States, reference can be made to the case of US
soldier Ethan Melzer who has been charged with planning a terrorist attack on his
unit by sending sensitive details to a neo-Nazi group (BBC News, 23/06/2020).
In Germany, the Parliamentary Oversight Panel stated in a report that “in the
Bundeswehr and in several other security services on federal and state level
(police and intelligence agencies) – despite a security screening – there are a
number of public servants with an extreme far-right and violence-oriented
mindset” (cited in Flade, 2021: 3). In the United Kingdom, one can think of the
multiple investigations that were carried out among members of the UK military
services in 2019 stemming from potential far-right concerns (Quinn, 2021). Apart
from extremism and terrorism, instances of racism or xenophobia can be grouped
under the right-wing ideology insider threat category, like the insider from the
public transportation company in Belgium that indulged in racist or xenophobic
conduct (Luyten, 2019).
Next to religious and right-wing ideology, also left-wing ideology should
be taken into account. Take for instance the case of Chinese double agent Larry
Wu-Tai Chin who “joined the Communist party in 1942 and worked as an
undercover agent while translating first for the U.S. Army in China, then for the
CIA in the United States, until his arrest in 1985” (Herbig, 1994: 49). Also the
activist from Animal Rights that went undercover in the abattoir in Tielt to get
visual evidence of the atrocious ways the animals were treated (Het Nieuwsblad,
23/03/2017) can be categorized under left-wing ideological insider threat. In the
present context, a possible breeding ground for left-wing ideological insider
threats is the problem of climate change. Although the protests started with
peaceful demonstrations, more radical climate organizations like Extinction
Rebellion perceive that the reaction from the political authorities is
unsatisfactory, as a result of which they believe they have to go a step further
than simply marching in the streets. By now, the climate protests have escalated
into civil disobedience with for instance the disturbance of public order in
London (Gayle & Quinn, 2019) and more recently gluing themselves to famous
art works (Willems, 2022). If the climate activists continue to believe that their
concerns about climate change are not properly met by political authorities and
businesses, the possibility exists that activists with access to entities that are
perceived to be sharing responsibility for the causes of climate change engage
in intentional misconduct in order to make a symbolic statement. To give a
concrete example, oil and gas company Royal Dutch Shell was sued by
environmental organizations in an attempt to force the company to scale back
their polluting activities (Temmerman & Vandenhole, 2019). It is possible that,
if the legal measures do not have the desired effects, activists perceive that they
will have to take the fate of the earth into their own hands, and the insider threat
is a possible scenario that activists might take into consideration.
Additionally, also other ideological beliefs can lead to insider threat
incidents. Think for instance of nationalism as a breeding ground for insider
threat. Reference can be made to the case of A.Q. Khan, who stole confidential
information during his employment at the Physics Dynamics Research
Laboratory in the Netherlands and shared it with Pakistani researchers that were
in charge of the Pakistani nuclear weapons program (Barbé, 2012; Hobbs &
Moran, 2015). Khan misused his access to the classified information of the
nuclear facility in order to give his country of birth a competitive advantage by
acquiring nuclear weapons. Also the more recent debate about mandatory
COVID-19 vaccinations can lead to ideological motivations to commit intentional
misconduct. Reference can be made to the demand of Belgian hospitals to be able
to fire staff who refuse to vaccinate themselves against COVID-19 (Baert, 2021).

From a theoretical perspective, whether an ideological insider threat is
expressive or instrumental is arguable. On the one hand, it could be argued that
insiders that harm the organization to express their ideology, especially those
who engage in terrorism and extremism, are expressive, perceiving that they
primarily act out of aversion to the current societal construct and have a principal
intention to inflict harm. In the previously mentioned case of Ethan Melzer,
Melzer expressed during his interrogations a clear desire to harm his own unit,
suggesting an expressive intent (De Standaard, 23/06/2020). On the other hand,
it can also be perceived that insiders that act out of ideological conviction harm
the organization to achieve a ‘higher’ goal, namely a society that embraces their
ideology, and should therefore be considered instrumental. Theoretically
speaking, insiders that primarily focus on the short-term objective of damaging
the contemporary situation are expressive, while insiders that mainly concentrate
on the long-term aspiration of ideological dominance are rather instrumental.

4.4.3.2. Grievance

A second motivation is grievance (Greitzer et al., 2012; Randazzo et al.,
2005; Willison & Warkentin, 2013). It refers to insiders who believe that they are
treated unfairly by the organization, which leads to a sense of disgruntlement.
The insider can deal with this disgruntlement in different ways, for instance by
verbally expressing their concerns to the organization in an attempt to clear the
air, by resigning and leaving the organization or by putting the disgruntled feeling
aside and showing loyalty to the organization (Hirschman, 1978; Long, 2016).
However, the insider also has the opportunity to express their grievance by
turning themselves against the organization. To illustrate, one can refer to the
case of Roger Duronio, the logic bomber of UBS PaineWebber that crippled the
company’s ability to exchange stocks. Duronio sabotaged the IT-system of the
company because “he didn’t receive the large annual bonus he expected”
(Mehan, 2016: 17). Another example is the case of Ricky Joe Mitchell, who
sabotaged the computer network of his employer EnerVest when he found out
about his impending dismissal (Ring, 2015).
Insider threats based on grievance are by definition expressive insider
threats, given that the goal of the insider is to get revenge for the (perceived) bad
treatment by the organization, implying that the insider has a desire to harm the
organization. Insider threats based on grievance are thus rather expressive than
instrumental because the identity of the organization is the decisive factor, as
only suffering of that particular organization leads to redemption. Still, insiders
often argue that the organization did not hold up its end of the deal, which urged
them to react to a perceived relative deprivation. In theory, one could therefore
argue that because insiders state that through the intentional misconduct they only
seized what they were entitled to, the expressiveness of the insider threat
diminishes. Again, a theoretical argument can be made that if the vengefulness is
superior to the sense of justice, the insider threat should be considered expressive
and that if the opposite is true, the insider threat should be regarded as more
instrumental in nature.

4.4.3.3. Personal strain

A third motivation is personal strain (Agnew, 1992; Shaw and Sellers,
2015), referring to negative personal experiences that are not directly related to
the role as an insider. The difference between grievance and personal strain is
that the former originates from the organization and is directed toward it, while
the latter is not directly caused by the organization[40]. An example is the case of
Helga Wauters, a Belgian anesthetist, who has been held responsible for the death
of a pregnant woman in a French hospital in 2014 (Hodge, 2020). During the
caesarean section, the woman’s brain received too little oxygen which caused her
death. An investigation revealed that Wauters was addicted to alcohol and had
therefore started her working day by drinking vodka with water, as she did every
day since her divorce. She only worked in the hospital for less than two weeks
after being discharged from a Belgian hospital for showing up drunk to work.
Another example is the case of a Dutch call center employee at an oil company,
who was suspected of ordering liquor and food worth more than a ton without
paying for it by pretending to be the director of the company. He told the court
that he resold the meals and drinks because he saw no other way to pay his debts
(NOS Nieuws, 03/07/2020).

[40] If the insider indicates insufficient support from the organization to mitigate personal strain as
primary motivation for the intentional misconduct, it should be considered as an insider
threat based on grievance rather than personal strain.
It could be assumed that personal strain is more related to instrumental
insider threats, meaning that the primary aim is to reduce a personal disadvantage
rather than to injure the organization. In contrast to grievance where the identity
of the victim is decisive to reach redemption, the identity of the victim is not
important in case of personal strain, given that the insider threat posed to the
organization is a pragmatic decision to solve personal problems at the expense of
the organization the insider coincidentally works for.

4.4.3.4. Greed

A fourth motivation is greed, applying to insiders that have a desire to
have more of something (Fischbascher-Smith, 2015; Mehan, 2016; Sarkar,
2010). An example of an insider threat based on greed is the case of an employee
of Belgian bank KBC who ignored the investment mandate of a client and instead
spent the 200.000 euros on a new expensive car and other luxurious expenses
(Milio, 2020). Although greed is often interpreted as a striving for more money, I
define the concept in a broader way by also including other kinds of personal
gain. Reference can be made to the case of a retired British major who misused
his military rank to fraudulently collect 25 armored vehicles from several army
museums to enlarge his personal collection of armored vehicles (Barbieux,
2021). Moreover, greed can be expressed in a sexual way, like former Norwegian
politician Svein Ludvigsen who misused his political authority to sexually abuse
asylum seekers that “believed their response to Ludvigsen's demands for sex
could either result in being deported or securing permanent residency” (BBC
News, 05/07/2019, third paragraph). In sum, greed refers to an overwhelming
desire to have more of something.
Insider threats based on greed are instrumental because the principal
motive of the insider is personal gain, not damaging the company. For all we
know, the insider could have robbed a bank, but making use of the insider
privilege to steal from their employer is less complicated than a bank robbery
(Herbig, 1994). The decision to steal from the company is just an opportunistic
decision in which the harm to the organization is simply perceived as acceptable to
achieve the ‘higher’ goal.

4.4.3.5. Coercion

A fifth motivation is coercion, which refers to insiders that are pressured
by a third person to execute a certain action that hurts the organization (Bunn &
Sagan, 2016; Noonan, 2018). To give an example, one can refer to the previously
mentioned Northern Bank robbery where two bank officials were pressured by
gang members to enable the bank robbery (BaMaung et al., 2018; Hobbs &
Moran, 2015). The insiders had no other choice than to cooperate with the gang,
because their families were taken hostage and would have been murdered if the
insiders did not collaborate. The testimonies of dockworkers from the port
of Antwerp also showed that dockworkers experience pressure from drug gangs to
commit intentional misconduct and facilitate drug traffic through ports (Hiroux,
2020; Van de Vliet, 2021; Van den Berghe & Vanhelden, 2022). The same
applies to police officers that are not only corrupted through temptation (i.e.
greed) but also through coercion (NOS Nieuws, 17/09/2020).
Insider threats originating from coercion are instrumental in nature, given
that refusal to take this harmful action could have negative personal
consequences, like for instance the leak of sensitive personal material, or even
the death of a loved one. The fact that the desperate insider has to hurt the
company can therefore be seen as collateral damage, rather than intent to harm
the organization. The harm to the organization is just a means to reach the
ultimate end, which is the protection of a valuable item or person.

4.4.3.6. Negligence

A sixth motivation is negligence, which applies to “insiders who (…) take
the path of least resistance (…) to make their working lives easier” (Wall, 2013:
117). In other words, it refers to insiders who deliberately deviate from the
organization’s specific norms just to make their own lives as easy as possible. An
example is the case of an Italian man who did not show up for work at a hospital
for 15 years, but did receive his monthly salary. Also in Italy, 35 employees were
caught in 2015 after camera images showed how they clocked in at their work at
the Sanremo City Hall and afterwards went shopping or canoeing (De Standaard,
22/04/2021). A similar incident was found in public transportation in Brussels
and New York where insiders respectively circumvented the time-registration
system (De Standaard, 12/03/2021) or resided in a self-decorated mancave with
a television, refrigerator and sofa under Grand Central Station during work hours
(Ebrahimji, 2020). These insider threats are instrumental in that the insider has
no intention to harm the organization, but simply wants to ease their own work
burden.

4.4.3.7. Well-meaning

A seventh motivation concerns well-meaning insiders that have no
intention to cause harm to the organization but “knowingly take risks to
purposefully bypass bureaucratic security processes in order to be more effective
in achieving what they think are organizational goals (…)” (Wall, 2013: 117).
The difference between the well-meaning insiders and the negligent insiders is
that the former act (or at least perceive themselves to act) in the interest of their
organization, while the latter act out of self-interest. The well-meaning category includes for
instance insiders that bend the organization’s behavioral guidelines if these are
believed to slow down the achievement of the organization’s objectives (Colwill,
2009; Roemer, 2008; Thompson, 2018), or socially engineered insiders (Wall,
2013), but also the “two control room trainees [that] poured caustic soda on fuel
assemblies at a US nuclear power plant in order to draw attention to the lax
security at the site” (Hegghammer and Hoelstad Daehli, 2016: 25). As in the
previously mentioned case of Oleg Savchuck (see 4.4.2.2.), the trainees perceived
that, as a cautionary tale, they had to hurt the organization in the short run, only
in order to help the organization in the long run. Well-meaning insider threats are
instrumental in nature, given that the ultimate goal of the intentional violation of
the specific organizational norm is actually the opposite of inflicting harm on the
organization, as the insider perceives that their actions (in the long run) benefit
rather than damage the organization.

4.4.3.8. Moral concerns

An eighth motivation is moral concerns, which mainly corresponds to the
category of whistleblowers [41] (BaMaung et al., 2018; Wall, 2013). The example
of Snowden was already elaborated on earlier in this dissertation. Another
example is the group of doctors in Brazil that shared a 10.000-page document
with investigators in which they accused Prevent Senior, a prominent healthcare
provider in Brazil, of “covering up coronavirus deaths, pressuring doctors to
prescribe ineffective treatments, and testing unproven drugs on elderly patients
as part of ideologically charged efforts to help the Brazilian government resist a
Covid lockdown” (Phillips & Milhorance, 2021, first paragraph).
Insider threats originating from moral concerns are instrumental because
the intentional misconduct is not primarily driven by a desire to hurt the
organization, but by an eagerness to inform society on the organization’s
wrongdoing and by urging the organization to reconsider its own moral compass.
The principal objective of whistleblowers is to make a third party, like
‘competitive colleagues’ or society as a whole, aware of the immorality of the
organization. Applying a long-term perspective, it could be argued that
whistleblowers help the organization rather than harm it, although this does not
alter the fact that the organization suffers in the short term (Moberg, 1997).

4.4.3.9. Love and empathy

A ninth motivation is love and empathy (Greco, 2017), or insiders that
misuse their insider privilege to benefit a third party they feel emotionally
connected with. To illustrate this type of insider threat, reference can be made to
the case of Joyce Mitchell who as a prison guard contributed to the escape of
two prisoners, including one with whom she allegedly had a sexual affair (Bunn
& Sagan, 2016). Other examples are the paramedic in Pakistan that with the help
of her colleagues stole a newborn to give to her childless aunt that desperately
wanted to become a mother (Kazim, 2019), or the police officer who falsified a
police report with the sole purpose of helping the victim of the crime get a refund
from the insurance company (Ooghe, 2018). Insider threats based on love and
empathy are instrumental because the damage to the organization is perceived as
collateral damage that is unavoidable to achieve the greater cause, namely
assisting a beloved third party.

[41] For the sake of clarity, whistleblowing that originates from revenge or financial gain (Moberg,
1997) is categorized under grievance and greed respectively.

4.4.3.10. Personality disorder

A tenth motivation relates to insiders with a personality disorder [42] (Nurse
et al., 2014; Noonan, 2018). It concerns insider threats where the drive to deviate
from the organization’s specific norms primarily emerges from a certain inner
drive that originates from personality traits, without a clear-cut alternative motive
like financial gain or revenge. Given that personality traits play an important role
in the thoughts and actions of an individual (Nurse et al., 2014), personality
disorders may be the main reason why certain individuals pose insider threats.
An example is the case of Niels Högel (Oltermann, 2019) whose personality
resulted in the death of several people. Working as a nurse, Högel deliberately
injected patients with medication that resulted in cardiac arrest so that he could
act as the hero that tried to save those patients. According to a psychiatric expert,
Högel “displayed traits of noticeable personality disorders, such as a lack of
shame, guilt and empathy” (Oltermann, 2019, 17th paragraph). The same applies
to an Austrian doctor who suffered from a serious psychological disorder related
to pedophilia and sexually abused over 100 children (NOS Nieuws, 17/06/2020).

Insider threats based on personality disorders are considered to be
instrumental rather than expressive, as the decision to cause harm is not directly
related to the organization but is rather a decision to experience a feeling of
satisfaction. In other words, although the insider has to harm the organization in
order to experience gratification, it is perceived that the insider acts pragmatically
at the expense of an arbitrary organization they coincidentally have privileged
access to, rather than deliberately harming a particularly targeted organization.

[42] Theoretically speaking it is up for debate whether insiders that are not sound of mind, like a
nurse in Rotterdam that murdered several patients (NOS Nieuws, 19/12/2019), can be
categorized here since the insider has to make the deliberate decision to misuse their
privilege in order to be considered an insider threat (see chapter two).

4.4.3.11. Sensation-seeking

An eleventh motivation refers to insiders who are driven by the urge to
seek sensation (Nurse et al., 2014), without the urge stemming from a personality
disorder. To illustrate this type of threat, reference can be made to the US military
pilots who were posting selfies from their F-16 aircraft cockpits on social media,
or to the one who was reading a book with his hands off the controls (McCurry,
2019). It again concerns an instrumental insider threat because the potential harm
to the organization is not a goal in itself but rather a means to reach another goal,
namely sensation-seeking.

4.4.3.12. Ego

A twelfth motivation concerns insider threats that are caused by insiders
who commit intentional misconduct out of ego considerations
(Fischbascher-Smith, 2015; Noonan, 2018). An example is the case of the transplant surgeon
responsible for the death of a 36-year-old patient and the illness of two other
patients who became ill from an infection from donated organs. Several organs
became infected after the surgeon spilled stomach contents over other organs
while retrieving these from the donor. As the surgeon did not tell anyone about
spilling contents, covering up his mistakes to not lose face and save his ego, the
organs were transplanted into the three patients with serious consequences (BBC
News, 21/11/2019). Acts of intentional misconduct stemming from ego
considerations are also instrumental in nature, since the insider has no desire to harm
the organization but simply perceives that saving their ego is only possible
through intentional misconduct.

4.4.3.13. Opportunism

A last motivation builds upon the ‘opportunity makes the thief’ paradigm
(Mehan, 2016). Sometimes, the insider threat is only caused because an
opportunity presented itself to the insider, just at the right time. An example is
the case of Britta Nielsen, who due to insufficient safeguards saw an opportunity
to commit financial fraud. According to Nielsen, “it was a standing joke that you
could easily add your own account number and then be off to the Bahamas” (cited
in Oltermann, 2020, ninth paragraph). An even clearer example is the case of a
Chilean employee from Consorcio Industrial de Alimentos who by mistake
received hundreds of times his salary. After he reported the mistake, his employer
requested him to correct it, but he promptly handed in his resignation and fled
with the money (Het Nieuwsblad, 05/07/2022). Opportunism too relates to
instrumental insider threats since the insider simply takes advantage of a given
situation that allows them to seize an opportunity, without the desire to harm the
organization. Figure 4.4 shows the categorization of insider threat according to
the motivation of the insider.

[Diagram: “Motivation” branching into Ideology, Grievance, Personal strain, Greed, Coercion, Negligence, Well-meaning, Moral concerns, Love and empathy, Personality disorder, Sensation-seeking, Ego and Opportunism]

Figure 4.4: Categorization of insider threat according to the insider’s motivation

4.4.4. Time

Next to the objective, subject and motivation, the fourth domain of the
insider threat typology refers to the time the insider slips through the
trustworthiness net (Bunn & Sagan, 2016; Catrantzos, 2010; Homoliak et al.,
2018). In other words, when does the insider become untrustworthy? A
distinction is made between pre-care insider threats and aftercare insider threats.

4.4.4.1. Pre-care insider threats

Pre-care insider threats are posed by insiders that are untrustworthy from
the start of their employment. They should have been prevented from joining the
organization in the first place. On the one hand, it can refer to insiders that
infiltrate on behalf of an outside party and oppose the organization from the start.
Examples of such insider threats are infiltrations related to extremism or
terrorism, like the case of Shannon Maureen Conley who infiltrated the US army
to gain combat experience that she could subsequently take to Islamic State in
Syria (BaMaung et al., 2018) or the case of Takuma Owuo-Hagood who started
a career as baggage handler at Delta Airlines in order to feed the Taliban sensitive
information (Krull, 2016). Other examples are drug gangs that infiltrate ports to
facilitate drug traffic from the inside (Renson, 2022), or journalists that infiltrate
to expose malpractices in certain organizations, like a French reporter who
infiltrated the French police to expose a culture of racism and violence (Willsher,
2020).
On the other hand, pre-care can refer to insiders that independently from
an outside party deceive the organization, or circumvent the organization’s
screening procedures by falsifying their credentials. An example is the case of
Zholia Alemi who “falsely claimed to have a medical degree from Auckland
university when she registered in the UK in the 1995” (BBC News, 19/11/2018,
second paragraph) and who was able to legally exercise the medical profession
for more than 20 years without the necessary qualifications (ibid).

4.4.4.2. Aftercare insider threats

In contrast, aftercare insider threats are posed by insiders who convert
during or after their employment at the organization (Colwill, 2009). Aftercare
insider threats can be a consequence of either recruitment, outreach or
autonomous actions (Hegghammer and Hoelstad Daehli, 2016). An example of
recruitment is the defection of Eugène Michiels, who worked for the Belgian
Foreign Ministry since the sixties but who was contacted in 1978 by Romanian
and Russian secret services with a request to sell classified information, which
he eventually did until he was caught in 1983 (Lasoen, 2020).
While recruitment refers to insiders that are persuaded by an outside party
to commit misconduct, outreach refers to insiders that on their own take the
initiative to convert by reaching out to an outside party. An example is the case
of Rajib Karim, a software engineer at British Airways, who corresponded with
senior Al-Qaeda figure Anwar al-Awlaqi. Karim exchanged information with al-
Awlaqi about how he could attack the computer servers of British Airways to
cause financial and operational disruption (Hobbs & Moran, 2015). According to
Hegghammer and Hoelstad Daehli (2016: 38) “it was Rajib Karim who first
reached out to al-Awlaqi by e-mail”.
Insider threats based on autonomous actions, to conclude, refer to
insiders that act individually without a link to an outside party. An example is the
suicide of Andreas Lubitz, the Germanwings co-pilot who, because of mental
health problems, deliberately crashed a plane, killing hundreds of innocent
civilians (Krull, 2016). Figure 4.5 shows the categorization of insider threat
according to the time the insider becomes untrustworthy.

[Diagram: “Time” branching into Pre-care (Infiltration, Deception) and Aftercare (Recruitment, Outreach, Autonomous action)]

Figure 4.5: Categorization of insider threat according to the time the insider becomes
untrustworthy

4.4.5. Modus operandi

A fifth domain refers to the modus operandi of the insider, or how the
insider misused the insider privilege. Inspired by Cools’ (1994) typology of
employee crime, insider threats are divided into financial misconduct, sexual
misconduct, violent misconduct, information misconduct and a residual category
of other forms of misconduct.

4.4.5.1. Financial misconduct

A first category refers to financial misconduct, such as the case of several
leaders in the Russian space industry who were suspected of using false invoices
and phantom firms in setting up a satellite navigation system (VRT NWS,
09/11/2021), or the case of two managers of Eskom, South Africa’s ailing power
firm, who were suspected of manipulating contracts relating to the construction
of two large power stations (BBC News, 19/12/2019).

4.4.5.2. Sexual misconduct

Sexual misconduct can also be committed by insiders. Savage (2022,
second paragraph) for instance indicates that “there is little academic research
available on the proliferation of porn consumption during the workday, but some
surveys throughout the past few years suggest it is not uncommon”. Another
example of sexual misconduct committed by an insider is the case of an employee
of a German railway company who after work used her privileged access to enter
one of the railway wagons in order to shoot porn videos and earn a little
on the side (Het Nieuwsblad, 22/05/2019). A more serious case of sexual
misconduct is the case of former British police officer Ian Naude, “who raped a
young girl he met on duty” (BBC News, 15/11/2018, first paragraph). Sexual
misconduct can also be targeted at co-workers, given that a survey from IDEWE,
the largest occupational prevention and protection service in Belgium, revealed
that 6.5% of the 41.000 respondents indicated that they had fallen victim to sexual
misconduct by an internal stakeholder (Verberckmoes & Notelteirs, 2022).

4.4.5.3. Violent misconduct

Another form of intentional misconduct is violent misconduct, which can
either be interpersonal or organizational (Robinson & Bennett, 1995). With
violent misconduct one spontaneously thinks of cases of interpersonal violence,
ranging from verbal misconduct to deadly physical violence. The shooting carried
out by an (off-duty) fireman in his firehouse in Agua Dulce in the US, which
killed one colleague and wounded another (De Standaard, 02/06/2021), is an
example of the latter end of the spectrum. However, violence can also be aimed
at the property of the organization, referring to cases of sabotage (Cools, 1994).
The case of Rodney Wilkinson, who after exchanges with the African National
Congress (ANC) used his privileged access to the Koeberg nuclear facility in
South Africa to commit a terrorist attack on the nuclear plant (Hegghammer &
Hoelstad Daehli, 2016; Hobbs & Moran, 2015), can therefore also serve as an
example of violent misconduct.

4.4.5.4. Information misconduct

Intentional misconduct can also refer to information misconduct, such as
the case of Xiang Haitao, a former employee of Monsanto, who pleaded guilty to
stealing software developed by the agribusiness company. Xiang has admitted “to
commit economic espionage on behalf of China” (The Guardian, 06/01/2022,
fourth paragraph). Leakage of information to the press also fits this category, like in
the case of anti-terror analyst Henry Kyle Frese who allegedly “leaked classified
materials about a foreign country’s weapons system to two journalists” (The
Guardian, 09/10/2019, second paragraph), or leakage to terrorist organizations
like the previously mentioned infiltration of Takuma Owuo-Hagood (Krull,
2016).

4.4.5.5. Other misconduct

Finally, numerous other types of misconduct constitute a residual
category. For instance, reference can be made to arms trafficking like the case of
Eugene Harvey, who as an airport employee misused his access to smuggle guns
and ammunition in cooperation with an outside accomplice (Greco, 2017),
human trafficking like the employees of a public hospital in Kenya that misused
their position in the hospital to steal and subsequently sell children for $400 (BBC
News, 19/11/2020), or drugs trafficking like the revelations in the context of
Operation Sky that discovered the assistance Belgian stakeholders provided to
drug gangs (Bové, 2021a).
Notice that so far, the examples cited above relate to illegal conduct.
Indeed, when discussing the modus operandi of insiders, the center of attention
seems to be on criminal actions like sabotage, fraud, theft (of intellectual
property) and terrorism (BaMaung et al., 2018; Maasberg & Beebe, 2014;
Mehan, 2016). However, not every insider threat activity is equivalent to a
criminal offence in the legal meaning of the word. In his work on employee
crime, Cools (1994) expands the legal meaning of the word ‘employee crime’ to
include conduct that is criminalized by the organization itself, thereby relating it
to sociological concepts like deviance. The broadening of the concept of
employee crime therefore resembles my conceptualization of insider threat. As a
result, this study not only includes illegal misconduct where the insider commits
a crime in a legislative sense but also includes extralegal misconduct where the
deviation from the specific organizational norm does not correspond with a crime
in a legal sense. An example is the malpractice of Belgian postmen who when
delivering packages simply put a card in the client’s post box that urges the client
to pick it up at the post office, instead of ringing the doorbell to check whether
the client is home, as prescribed by the specific organizational norms (VRT
NWS, 28/10/2020).
What is considered to be misconduct however depends on the
organizational culture and the applicable specific organizational norms. In other
words, what is considered to be misconduct for one organization might be
considered proper conduct for another. To give an example, some organizations
allow love relationships among colleagues, while others prohibit [43] it (Biaggio et
al., 1997). Likewise, whether or not misconduct is considered to be illegal or
extralegal differs from organization to organization, as it depends on the
legislation of the country of the organization, as well as on the employment
contracts and codes of conduct applicable within the particular organization
(Cools, 1994). Figure 4.6 shows the categorization of insider threat according to
the modus operandi of the insider.

[43] Think for instance of relationships between prison guards and inmates, like the previously
mentioned case of Joyce Mitchell (Bunn & Sagan, 2016).

[Diagram: “Modus operandi” with the labels Financial misconduct, Sexual misconduct, Violent misconduct, Information misconduct, Other misconduct and Extralegal misconduct]

Figure 4.6: Categorization of insider threat according to the insider’s modus operandi

4.4.6. Severity

A sixth insider threat domain refers to the severity of the insider threat, or
how serious the (potential) impact of the insider threat is. Impact can appear in
many guises, like damage to physical equipment, financial loss, litigation,
reputational damage or even loss of life. In this study, severe insider threats are
distinguished from serious and limited insider threats (Sarkar, 2010).

4.4.6.1. Severe insider threats

Severe insider threats are threats that endanger the so-called critical assets
of the organization (Gelles, 2016), or the assets that are essential for the
continuation of the organization’s business (Bishop et al., 2009). In other words,
severe insider threats put the survival of the organization at risk. An example is
the case of the employee of American Superconductor who stole a crucial
software program and passed it on to the organization’s main customer (i.e.
Sinovel Wind Group), who subsequently refrained from using American
Superconductor’s services. The theft of intellectual property and the resulting
decrease in sales put the organization on the brink of insolvency (US NITTF,
2016).

4.4.6.2. Serious insider threats

Insider threats that do not pose a threat to the survival of the organization
are either serious or limited, depending on the acceptable level of loss of the
organization (Bunn & Glynn, 2016; Cole & Ring, 2006; Kumar et al., 2013).
Serious insider threats refer to threats that do not necessarily endanger the survival
of the organization, but that nevertheless inflict considerable harm on the
organization that goes beyond the organization’s level of acceptable loss. An
investigation by the Flemish radio broadcast service Radio 2 revealed that 10%
of the stamps on the Christmas cards were not validated. Although the objective
is to validate all stamps, the acceptable level of loss set by Bpost amounts to 2 to
3% of the stamps (VRT NWS, 13/01/2021). Lack of validation will not put the
survival of Bpost at risk, but a 10% rate exceeds the acceptable level of loss and
therefore poses a serious insider threat.

4.4.6.3. Limited insider threats

Limited insider threats are threats that only slightly harm the organization
and therefore fall within the scope of the organization’s acceptable level of loss.
I just gave the example of Bpost being willing to accept a 2 to 3% lack of validation of
stamps (VRT NWS, 13/01/2021), and Bunn & Glynn (2016: 123) too indicate
that both the casino and the pharmaceutical industry “accept that in some cases
the expense of preventing small thefts may not be worth the cost of prevention”.
In other words, although the threat causes some harm to the organization, the
benefits of mitigating the threat do not outweigh the costs of mitigation, making
it a risk the organization is willing to take.
Whether an insider threat is considered to be severe, serious or limited
again differs from organization to organization, depending on the interpretation
of the organization’s (critical) assets and the organization’s risk appetite. Figure
4.7 shows the categorization of insider threats according to the severity of the
(potential) impact of the intentional misconduct.

[Diagram: “Severity” branching into Severe, Serious and Limited]

Figure 4.7: Categorization of insider threat according to the severity of the insider threat

4.4.7. Number

A seventh domain distinguishes intentional misconduct according to the
number of insiders that participate in the insider threat. In other words, how many
insiders are involved in the insider threat? Insider threats may either be the work
of one single insider or multiple insiders, with or without outside accomplices
(Bunn & Sagan, 2016).

4.4.7.1. One insider

Firstly, the insider threat might be posed by only one single insider. Here,
a sub-division can be made between lone actors and individual defectors. On the
one hand, lone actor insider threats are insider threats where the insider acts
completely on their own, without outsider involvement. An example of a lone
actor is Jan Karbaat, a Dutch doctor who against the rules donated his own sperm
on multiple occasions, which resulted in the parenthood of dozens of children
(The Guardian, 12/04/2019). On the other hand, a combination of one
insider and one or multiple outsiders is possible, whereby the insider is
significantly linked [44] to the outsider(s). The insider defects [45] by shifting
allegiance to the outside party, like with the previously mentioned case of A.Q.
Khan (see 4.4.3.1.).

4.4.7.2. Multiple insiders

In contrast to insider threats posed by one single insider, insider threats
can also be posed by multiple insiders. Again, a sub-division can be made
between insiders that operate independently of outsider involvement, referred to as
insider conspiracies, and insiders that defect to an outside party as a group, referred
to as group defection. To demonstrate the insider conspiracies, one can refer to
the case of former prime minister of India Indira Gandhi who was murdered by
two of her Sikh personal guards as retaliation for her military action against the
Sikh population at the Golden Temple in Amritsar (BaMaung et al., 2018; Bunn
& Sagan, 2016). Regarding group defection, reference can be made to the case
of the employees of a security company, who helped a drug gang to smuggle
thousands of kilos of cocaine through the port of Rotterdam into the Netherlands
(NOS Nieuws, 13/01/2021). Figure 4.8 shows the categorization of insider threats
according to the number of insiders involved in the intentional misconduct.

[44] This should be interpreted as at least one direct contact (physically or virtually) between the
insider(s) and the outsider(s).
[45] Premeditated in case of insiders that infiltrate on behalf of an outside party.

[Diagram: “Number” branching into One insider (Lone actor, Individual defection) and Multiple insiders (Insider conspiracy, Group defection)]

Figure 4.8: Categorization of insider threat according to the number of insiders that are
involved

4.4.8. Complicity: how much is the insider involved in the insider threat?

An eighth and last insider threat domain is based on the complicity of the
insider (Bunn & Sagan, 2016; IAEA, 2008), or how much the insider is involved
in the insider threat. In other words, the question is asked whether the insider
played a supportive role, which is designated as a passive insider threat, or a
decisive role, denominated as an active insider threat. Metaphorically speaking,
the active insider is the one that pulls the trigger, while the passive insider is the
one that provides the gun or that refrains from notifying the authorities about the
murder he has witnessed.

4.4.8.1. Active insider threats

An active insider threat means that the insider is the principal culprit, as
they directly harm the organizational assets. The majority of the incidents
mentioned so far refer to active insider threats.

4.4.8.2. Passive insider threats

A passive insider threat means that the insider is complicit in harming the
organization. On the one hand, the insider can be complicit by providing a
hostile party with essential access to or knowledge about the organizational
assets, or vulnerabilities related to the organizational assets, that the outsider
party needs to strike. To illustrate, one can point out the US defense department
linguist that allegedly passed on confidential information, like the names of US
informants, to Lebanese Islamist militant group Hezbollah (BBC News,
14/03/2020).
On the other hand, the insider can be complicit by deliberately
refraining from preventing a negative incident from happening or from informing the
organization of an ongoing hostile event. In this regard, reference can be made
to the employee of a healthcare facility that was aware that a colleague had a love
relationship with a patient, but did not report this to the organization (NOS
Nieuws, 13/10/2020). Here, the employee that had the relationship is the active
insider, whereas the employee that deliberately refrained from reporting the
intentional misconduct is the passive insider. Although the distinction between
an active and a passive insider might be a thin line, it is at least worth mentioning
the difference because the threshold to passively participate in an insider threat
might be lower than the barrier to actively contribute. Figure 4.9 shows the
categorization of insider threats according to the complicity of the insider(s).

[Figure 4.9 diagram. Complicity: Active; Passive (providing hostile party essential access/knowledge to attack; deliberately refraining from preventing or reporting an incident)]

Figure 4.9: Categorization of insider threat according to the number of insiders that are
involved

4.4.9. Summary

In sum, a typology of eight insider threat domains (i.e. objective, subject,
motivation, time, modus operandi, severity, number and complicity) was outlined
and illustrated by referring to relevant situations in critical infrastructure sectors.
Table 4.1 provides a schematic overview of the typology of insider threats,
demonstrating the diversity and complexity of the issue and showing the different
ways in which the insider threat can be expressed.

OBJECTIVE: What does the insider want to achieve with the intentional misconduct?
To cause harm to the organization | Expressive
To reach a higher goal or personal gain through harming the organization | Instrumental
   • Miscalculating insider
   • Desperate insider
   • Unscrupulous insider
   • Positive externality insider

SUBJECT: Who suffers or benefits from the intentional misconduct?
The party that suffers: | The victim
   • Only the organization
   • The organization and a third party
The subject that benefits: | The perceived beneficiary
   • The insider
   • The organization
   • A third party

MOTIVATION: Why does the insider want to commit intentional misconduct?
Because of the belief in an ideology | Ideology
   • Religious ideology
   • Right-wing ideology
   • Left-wing ideology
   • Other
Because of a sense of disgruntlement | Grievance
Because of negative personal experiences | Personal strain
Because of the desire to have more of something | Greed
Because of the pressure of a third party | Coercion
To make things more easy | Negligence
To act in the interest of the organization | Well-meaning
To make a third party aware of the immorality of the organization | Moral concerns
To benefit a third party they feel connected with | Love and empathy
Because of a personality disorder | Personality disorder
Because of the urge to seek sensation | Sensation-seeking
Because of the fear to lose face | Ego
Because of an interesting opportunity | Opportunity

TIME: When does the insider become untrustworthy?
Before employment | Pre-care
   • Infiltration = with outsider involvement
   • Deception = without insider involvement
During or after employment | Aftercare
   • Outreach = insider → outsider
   • Recruitment = outsider → insider
   • Autonomous action = without outsider involvement

MODUS OPERANDI: How does the insider misuse the insider privilege?
Illegal financial behavior (e.g., fraud, bribery, theft, …) | Financial misconduct
Illegal sexual behavior (e.g., sexual assault, sexual harassment, …) | Sexual misconduct
Illegal violent behavior (e.g., physical abuse, murder, sabotage, …) | Violent misconduct
Illegal information behavior (e.g., espionage, theft IP, …) | Information misconduct
Other types of illegal behavior (e.g. drugs, human trafficking, …) | Other misconduct
Extralegal deviant behavior (e.g. bullying, …) | Extralegal misconduct

SEVERITY: How serious is the impact of the intentional misconduct?
The insider threat affects the survival of the organization (i.e. critical assets) | Severe
Insider threat > acceptable level of loss | Serious
Insider threat < acceptable level of loss | Limited

NUMBER: How many insiders are involved with the intentional misconduct?
The insider acts on his own | One insider
   • Lone actor = without outsider involvement
   • Individual defection = with outsider involvement
At least two insiders are involved | Multiple insiders
   • Insider conspiracy = without outsider involvement
   • Group defection = with outsider involvement

COMPLICITY: How much is the insider involved in the insider threat incident?
The insider is the principal culprit and harms the organization directly | Active insider
The insider has a supportive role by | Passive insider
   • Sharing essential access/knowledge that allows an outsider party to harm the organization
   • Deliberately refraining from preventing a hostile incident to happen, or deliberately refraining from reporting a hostile incident that is happening.

Table 4.1. An overview of eight insider threat domains.

4.5. Limitations
Apart from the limitations already mentioned in chapter two of this
dissertation (see 2.5.), the main limitation of the categorization outlined in this
chapter is that many of the answers to the W’s and How questions on which the
typology is grounded are based on subjective interpretations rather than objective
observations (Dekker, 2009). Given that one single story consists of several
aspects, insider threat cases can be categorized according to the interpretation of
the reader. In other words, each reader will have their own way of looking at the
story, reading it from their own perspective. The distinction between negligent
and well-meaning insiders is for instance a thin and ambiguous line, as illustrated
by the case of John Deutch who as a CIA director “handled highly sensitive
classified information on an insecure computer connected to internet” (Bunn &
Sagan, 2016: 168). Here, it can be argued that the insider had well-meaning
intentions and acted in the interest of the organization, or that the insider was
negligent and acted in his own self-interest. The categorization of such
ambiguous cases as negligent or well-meaning insider threat therefore depends
on the persuasiveness of the insider’s justification.
An interrogation of the insider can give an indication on why the insider
deviated from the organizational norm, but precaution is still recommended as
the insider has the propensity to lie and control the truth. Referring back to the
case of Oleg Savchuk who allegedly sabotaged the computer system of the
Ignalina Nuclear Power Plant, Bunn and Sagan (2016) indicate that he did not
only do it “in order to call attention to the need for improved security” (ibid: 168),
but apparently also “to be rewarded for his diligence” (ibid: 168). Similarly,
former American Airlines mechanic Abdul-Majeed Marouf Ahmed Alani
claimed that his decision to sabotage the plane was purely financial, but
simultaneously admitted that he was upset over a contract dispute between the
airlines and union workers (Chavez & Royal, 2019), pointing to grievance as a
possible ulterior motivation.
Although it is true that each insider threat has alternative readings, the
quest for the veracious interpretation of the insider threat resembles our judicial
system, where a breach of law is investigated and each party involved has the
opportunity to give its interpretation of the facts. Ultimately, the interpretation
that is most likely to be true determines the alleged guilt of the perpetrator. It is
therefore believed that, in similarity with the judicial system, a thorough
investigation of the insider threat incident, collecting evidence à charge and à
décharge by taking into account the perspective of the different stakeholders that
are involved and giving them the possibility to explain their version of events,
should make it possible to properly judge the situation.
4.6. Conclusion
The following conclusions can be drawn from the typology suggested in
this chapter. Firstly, the division of the insider threat characteristics into different
domains and categories “does not mean that these categories are ready formed
and should be hunted down and exposed” (Dekker, 2017: 26). Instead, the
domains and categories are just indicative of the different characteristics of the
insider threat problem and the possible scenarios in which the insider threat can
take place. It is not argued that for instance the examples that were given to
illustrate the different motivations only apply to that specific category, as
motivation is difficult to observe and subject to interpretation (Probst et al.,
2010). The goal of the study was not to claim that insider threats should be siloed
into these categories. Instead, I simply want to illustrate the variation of insider
threats, like the variety of motivations that might urge an insider to misuse the
insider privilege. In line with Eoyang’s (1994) interpretation of espionage,
which urges us to consider espionage as “a class of criminal behaviors and not as a
single distinct crime” (ibid: 88), one of the main conclusions of this chapter is
that insider threat should be interpreted as a class of threats and not as a single
distinct threat.
I took a first step to analyze this class of threats to critical infrastructure
sectors. Insiders who constitute a threat to critical infrastructure can have a
significant impact on the vulnerable assets of the organization and ultimately
cause irreparable damage to its activities and reputation. To tackle this problem
properly, organizations in critical infrastructure need to have a good
understanding of the threats that they face before they can think about mitigating
them (Dinev & Hu, 2007; Probst et al., 2010). The current study can serve as a
framework that can guide organizations into getting a better understanding of the
phenomenon. Nevertheless, more empirical studies are needed to consider the
validity of the typology presented here and to develop possible mitigation
strategies.
In this light, it should be clear that each organization belonging to critical
infrastructure should make an organization-specific threat analysis to examine
which of the categories apply to their organization, and a corresponding risk
analysis to evaluate the odds that correspond with those threats. I urge each
individual organization to interpret the insider threat within its own
organizational context whereby I believe that the (non-exhaustive) insider threat
typology might serve as guidance to help organizations in this difficult exercise.
The diversity of insider threats implies that there is not one holy grail that can
mitigate the insider threat problem, but that a tailor-made approach is needed
(BaMaung, 2018). The typology might be a good starting point in the
development of such a tailor-made approach, both to create awareness on the
topic within the organization as well as to brainstorm about the different types of
insider threat applicable to the organization. Subsequently, the organization can
by means of risk assessments build on the conclusions of the insider threat
typology to determine the probabilities and impact that are associated with these
different scenarios.
With this typology, I also paved the way for future research that might
apply the typology to less security-minded sectors. The insider threat is generally
considered to be a threat that is universal and therefore applicable to every
organization (Cole & Ring, 2006; Sarkar, 2010). Or as Gelles (2016: 4) indicates,
“insider threats exist within every organization because employees, or insiders,
comprise the core of an organization’s operational plan and are the key drivers
of its business objectives”. As illustrated in this chapter, the insider threat is a
non-discriminatory threat that applies to organizations across different countries
and sectors, including the financial sector (e.g. Randazzo et al., 2005), the nuclear
sector (e.g. Hegghammer and Hoelstad Daehli, 2016; IAEA, 2008; Hobbs &
Moran, 2015), the energy sector (e.g. Bell, et al., 2019; Rehak et al., 2020), the
aviation sector (e.g. BaMaung, 2018; Greco, 2017; Krull, 2016; Loffi & Wallace,
2014), the military sector (e.g. Armstrong, 2013; Long, 2016; Zegart, 2016), the
intelligence and security services (e.g. Eoyang, 1994; Hershkowitz, 2007;
Kramer and Heuer Jr., 2007), the pharmaceutical sector (e.g. Bunn and Glynn,
2016) and so on. I believe the typology outlined in this chapter might not only
help to understand the complexity of the insider threat to these sectors and
organizations, but might also function as a starting point for other, less security-
minded ones.

PART III: INSIDER THREAT AWARENESS

Chapter 5

Four-part typology of security awareness

5.1. Introduction
The second part of this dissertation (i.e. chapter two, three and four)
provided a clear understanding about the meaning, scope and characteristics of
the insider threat problem that was necessary to seek the answer to the two main
research questions this dissertation addresses. In the third part, the focus is shifted
to the first main research question on insider threat awareness. The main goal of
the third part is to get an understanding of the current state of awareness on the
insider threat problem in Belgium. To reach this goal, the first chapter of the
second part elaborates on the way to assess security awareness in general,
whereas the second chapter discusses the application of the model to the insider
threat problem.
In this chapter [46], it is argued that existing awareness typologies that on
the one hand distinguish problem awareness and solution awareness (Dinev &
Hu, 2007; Hänsch & Benenson, 2014; Hanus, Windsor & Wu, 2018) and that on
the other hand separate descriptive awareness and prescriptive awareness
(Siponen & Kajava, 1998; Siponen, 2000) are on their own insufficient to fully
grasp the concept of security awareness. As a result, a new typology is provided
that renames and merges both distinctions, leading to four awareness types.
Cognitive threat awareness refers to the factual knowledge (theoretical or
practical) the actor (i.e. an individual, a group of people, an enterprise, a state,
…) possesses of the characteristics of what is generally considered to be a threat.
Attitudinal threat awareness signifies the attitude the actor has toward the
significant threat that applies to them, or the actor’s vision on the significance
and applicability of the threat. Cognitive mitigation awareness relates to the
factual knowledge the actor possesses about the measures that prevent, detect and
respond to the threat. Attitudinal mitigation awareness refers to the attitude the
actor has toward the mitigation of the significant and applicable threat, or the
actor’s vision on the significance of mitigating the threat, their evaluation of the
measures that are prescribed as adequate to mitigate it and their motivation to
apply these mitigation measures themselves.

[46] It should be mentioned that part of this chapter was published as a co-authored article in
‘Information Security Journal: a Global Perspective’ (Reveraert & Sauer, 2022).
Moreover, it is illustrated that in an organizational context, the typology
is applicable to examine both organizational awareness and individual awareness.
The former refers to the aggregated awareness of the organization as a unitary
actor that is translated in organizational policies, while the latter refers to the
individual awareness about the organizational policies of the organizational
members that have to adhere to these organizational policies.
In what follows, the chapter starts with an outline of both the threat-
mitigation distinction and the cognitive-attitudinal distinction. After that, the
typology is clarified by elaborating on each awareness type in detail, using the
COVID-19 outbreak as an illustration. Subsequently, the difference between
organizational awareness and individual awareness is explained. The chapter
concludes with a discussion of the advantages and shortcomings of the four-part
typology, recommendations for future research and a conclusion section.

5.2. Security Awareness: four types
Since awareness can be interpreted in multiple ways (Haeussinger &
Kranz, 2013; Hänsch & Benenson, 2014; Hanus et al., 2018), its meaning should
first be clarified. In this chapter, the problem-solution distinction (Dinev & Hu,
2007; Hänsch & Benenson, 2014; Hanus et al., 2018), which will be denoted
hereafter as the threat-mitigation distinction, is merged with the descriptive-
prescriptive division (Siponen & Kajava, 1998; Siponen, 2000), which will be
denoted hereafter as the cognitive-attitudinal distinction. Security awareness is
looked at from the perspective of an actor as a unitary actor (Viotti & Kauppi,
2012; Waltz, 1979), unless otherwise stated. The term ‘actor’ will thus be
systematically used as the subject of study of security awareness, whereby an
actor can be an individual, a group of people, an organization, an enterprise or
even a state. The only assumption is that actors are unitary. Before discussing
each awareness type in detail, both the threat-mitigation distinction and
cognitive-attitudinal division are further elaborated on.
5.2.1. Threat awareness vs. mitigation awareness

The threat-mitigation distinction implies that awareness of the threat (i.e.
the problem) itself should be separated from awareness of the ways to mitigate
the threat (i.e. the solution) (Dinev & Hu, 2007; Hänsch & Benenson, 2014;
Hanus et al., 2018). Because this chapter is concentrated on security awareness,
I use threat awareness rather than problem awareness. Moreover, solution
awareness is replaced with mitigation awareness because it is acknowledged that
not all threats have an overarching or definite solution. In short, the problem-
solution distinction is referred to in this study as the threat-mitigation distinction.
Threat awareness refers to being aware of the characteristics of the threat (what,
why, who, when, how, …). Mitigation awareness refers to being aware of the
mitigation measures to counter the threat.

The threat of climate change can be used to illustrate the difference.
Awareness of the threat of climate change indicates that the actor is conscious
about the negative effects of the increase in man-made emissions of carbon
dioxide (CO2) and that the resulting global warming is expected to lead to among
other things an increase in extreme weather conditions (heat waves, droughts,
floods, …) and rising sea levels. In contrast, awareness of the mitigation of
climate change signifies that the actor is conscious of the ways in which CO2
emissions can be reduced, like for instance the use of renewable energy sources,
the cutback in the consumption of disposable items and the increase in proper
insulation of houses.
5.2.2. Cognitive awareness vs. attitudinal awareness

Apart from the threat-mitigation distinction, Siponen and Kajava (1998)
introduce the descriptive-prescriptive division, stipulating that “security experts
want people to internalize and follow given guidelines (prescriptive) rather than
people to be aware of them but for some reason or other fail to apply them in
reality (descriptive)”. In other words, awareness can be interpreted from a
descriptive perspective where the emphasis is on the degree of factual knowledge
about the issue, and a prescriptive perspective where the emphasis is rather on
the actor’s attitude. As a result, hereafter reference is made to cognitive
awareness to indicate the descriptive or knowledge component and attitudinal
awareness to indicate the prescriptive or attitude component of awareness.
Regarding cognitive awareness, multiple scholars have touched upon
knowledge when defining security awareness. Hänsch and Benenson (2014) for
instance separate three different interpretations of information security awareness,
namely awareness as a perception, awareness as protection and awareness as
behavior. Awareness as a perception means that one is considered to be aware
when the actor knows the existing threat. Awareness as protection signifies that
awareness is present when one knows the existing threat and subsequently is
familiar with the measures to counter the threat. Awareness as behavior goes one
step further than the previous interpretations, as awareness is assessed on whether
one knows, on top of the knowledge about the threat and the protection measures,
how to use the protection measures. The common thread that runs through the
interpretations of Hänsch and Benenson (2014) is knowledge. Hanus et al.
(2018) also focus their analysis on the knowledge aspect. They indicate that the
primary aim of information security awareness is to provide knowledge that
enables the actor to interpret a certain situation in such a way that they
comprehend it and are able to react in a proper way. Finally, Gutwin and
Greenberg (1997: 1) likewise state that “awareness is often defined in terms of
knowledge, of being cognizant of some fact (…)”. In brief, “knowledge is
important because even if an employee believes security is important, he or she
cannot convert that intention into action without the necessary knowledge and
understanding” (Gundu & Flowerday, 2012: 5). The interpretations of security
awareness outlined above all correspond to my notion of ‘cognitive awareness’
that emphasizes what the actor knows about the threat and threat mitigation.
Notwithstanding the importance of knowledge, Siponen and Kajava
(1998: 330) argue that “often users know the guidelines, but they fail to apply
them correctly (…). Successful organizational awareness requires more action
than the giving of a set of rules”. In other words, there is more to security
awareness than solely description or knowledge. Security awareness also
encompasses an attitudinal component, referring to “a situation where people see
(internalize) a norm or guideline X as a matter which they are bound and obliged
to follow. (…) [P]eople’s cognitive states can be changed by giving reasons for
particular guidelines (arguments and justifications), with the result that they may
change their attitude and motivation toward the guidelines in the intended way”
(ibid: 330).
Attitudinal awareness is therefore not related to the actor’s knowledge,
but rather to the actor’s attitude. Other researchers tend to support the idea that
security awareness is broader than knowledge. According to Spitzner (2017: 5),
talking about cyber security, “in order to effectively engage people, you have to
first explain to them WHY cyber security is important. The most effective
awareness programs engage people at an emotional level”. Shahri, Ismail and
Rahim (2013: 10) too stress the attitudinal component of awareness by stipulating
that “information security awareness can be defined as the amount of perceptions
of the users about the importance of information security, security level required
for the organization, personal and individual responsibility in security, and acts
accordingly”. Also Haeussinger and Kranz (2013: 2) consider the prescriptive
aspect of security awareness, interpreting information security awareness as an
“employee’s state of mind, which is characterized by recognizing the importance
of [information system security] and being aware and conscious about
[information system] security objectives, risks and threats, and having an interest
in acquiring the required knowledge to use [information system] responsibly, if
not already present”. Likewise, Spruit (2010) emphasizes that security awareness
is about understanding the importance of security, as well as about being
motivated to contribute to it. Finally, Gundu and Flowerday (2012), Thomson
and Von Solms (1998) and Olusegun and Ithnin (2013) indicate that altering the
actor’s perceptions, ideas and behavior should be the objective of security
awareness training. In short, “the attitude of employees towards information
security is important because unless they believe that information security is
important, they are unlikely to work securely, irrespective of how much they
know about security requirements” (Gundu & Flowerday, 2012: 5). The
interpretations of security awareness outlined above all correspond to my notion
of ‘attitudinal awareness’ that concentrates on the actor’s attitude toward the
threat and threat mitigation, which is determined by the actor’s evaluation of the
significance and applicability.
Attitudinal awareness is however different from the actor’s actual
behavior, given that actual behavior also depends on other factors, like
operational constraints (Furnell, Gennatou & Haskell-Dowland, 2002) or the
actor’s competence level (Furnell & Thomson, 2009; Korovessis, Furnell,
Papadaki & Haskell-Dowland, 2017). As Schermerhorn Jr., Hunt and Osborn
(2002: 30) indicate, “an attitude results in intended behavior; this intention may
or may not be carried out in a given circumstance” (emphasis in original). Also
Gundu, Flowerday and Renaud (2019: 1) stipulate that “regardless of their
assessed knowledge and stated intentions, some employees will not fully comply
with their organization’s security policies”. Kabay (2002: 35-6), to conclude,
points out that “security personnel must remember that failure to comply with
policy is not necessarily the result of a bad attitude”. In other words, an actor can
be attitudinally aware and can therefore have the intention to behave in a certain
way, but can be restricted because of multiple reasons, like for instance financial
strains or lack of skills.
Once more, the example of climate change might be used to illustrate that
cognitive awareness of climate change should be distinguished from attitudinal
awareness of climate change. Cognitive awareness refers to being conscious
about the characteristics of the threat of climate change as well as about the
measures that mitigate climate change. Attitudinal awareness, on the other hand,
indicates that even if actors know what is generally meant by climate change, it
does not necessarily mean that they automatically perceive climate change as a
threat. And even if they do recognize climate change as a threat, and/or are
knowledgeable about the countermeasures that might tackle it, they do not
necessarily feel the sense of urgency to mitigate climate change, or are not
necessarily motivated to contribute to this mitigation. For example, the Special
Eurobarometer 459 on climate change of the European Commission (2017)
confirms that there are indeed people who do not perceive climate change as a
serious problem, people that are skeptical about the mitigation measures
prescribed by experts and people that are not motivated to take personal action to
mitigate climate change. Moreover, an actor that is attitudinally aware of the
measures to mitigate climate change might have the intention to contribute to the
mitigation, but might be constrained to transform these intentions into actual
behavior. To give an example, an actor might not have the financial resources to
buy an energy-efficient car, or might not be able to properly insulate their house.
5.2.3. Typology: four types of security awareness

The previous section elaborated on the existing security awareness
typologies, explaining why these typologies are on their own insufficient and
why they need to be merged to have a complete picture of security awareness.
Combining the existing typologies leads to four distinct types of awareness, as
illustrated in figure 5.1. In what follows, the awareness types will be explained
in detail and will be illustrated by referring to the worldwide outbreak of
COVID-19 (hereafter often referred to as the coronavirus).

Figure 5.1: Four-part security awareness typology

Firstly, cognitive awareness of the threat relates to the factual knowledge
(theoretical or practical) the actor possesses on the characteristics of what is
generally considered to be a threat. The more factual knowledge the actor
possesses of the characteristics of the threat, the higher the cognitive awareness
of the threat. Conversely, the less factual knowledge the actor has about the
typical features of the threat, the lower the cognitive awareness of the threat.
Applied to the coronavirus, cognitive threat awareness refers for instance to being
knowledgeable about the ways the coronavirus can be transmitted, its symptoms,
and the high-risk groups that are especially vulnerable to it (De Roy, 2020a;
Draulans, 2020; Gallagher, 2020; Sample, 2020). The more knowledge the actor
has of these attributes, the more cognitively aware the actor is of the coronavirus
and vice versa.
Secondly, attitudinal awareness of the threat signifies the attitude the
actor has toward the threat. It indicates whether the actor perceives it as a
significant threat and whether they are directly concerned about it. The more
positive the actor’s attitude toward the threat, the higher the attitudinal awareness
of the threat, whereby a positive attitude means that the actor keeps a watchful
eye on the threat and considers the threat applicable to them. Vice versa, the more
negative the actor’s attitude toward the threat, the lower the attitudinal threat
awareness, whereby a negative attitude means that the actor minimizes the threat
and is not (much) personally concerned about it. Applied to the coronavirus,
attitudinal threat awareness signifies the actor’s recognition of the coronavirus as
a threat in general, but also as a threat to the own health or the health of their
loved ones. The actor is attentive to the threat, understands the seriousness of the
situation and refrains from dismissing the virus as a minor issue like a common
flu (Grady, 2020; Keulemans, 2020). Moreover, the actor understands that the
threat applies to them and their loved ones, as everybody is prone to infection
(Staes & Vergauwen, 2020; Simon, 2020; Oprysko, 2020). The more the actor
understands the gravity of the situation and comprehends that everybody is
susceptible to getting infected, the more attitudinally aware the actor is of the
threat. In contrast, the more the actor denigrates the whole situation with regard
to the coronavirus, the lower the actor’s attitudinal awareness. It is a frequently
asked question whether the threat of the coronavirus is exaggerated, with various
messages and videos circulating on social media trivializing the threat
(Keulemans, 2020). Even the then President of the US, a country
considerably affected by the pandemic, urged people not to be afraid of the virus
(Schabregs & Huyghebaert, 2020). Likewise, the numerous violations all around
the world of the corona-related countermeasures suggest that the violators are not
personally concerned about the virus harming their own health and the health of
their loved ones (Connolly et al., 2020; Noor, 2020; Terryn, 2020; Tondo, 2020).
Those violators lack attitudinal awareness of the threat of the coronavirus.
Thirdly, cognitive awareness of the mitigation refers to the actor’s factual
(theoretical or practical) knowledge about the measures to counter the threat. As
stated before, it should be interpreted broadly by not only including
consciousness of the solutions that completely eliminate the threat, but also by
including consciousness of measures that mitigate it, given that not all threats
have definite solutions. Cognitive mitigation awareness can be sub-divided into
awareness of measures that prevent, detect or respond to the threat (Cole & Ring,
2006). The more factual knowledge the actor possesses of these prevention,
detection and reaction measures, the higher the cognitive awareness of the
mitigation. In contrast, the less factual knowledge the actor possesses, the lower
the cognitive awareness of the mitigation. Applied to the coronavirus, cognitive
mitigation awareness refers to knowing that infection is prevented by for example
quarantine, social distancing and frequently washing your hands (Davidson,
2020; Maerevoet, 2020), detected by medical tests (De Roy, 2020b; Readfearn,
2020a), and responded to through for instance hospitalizing the patient, in a worst
case at intensive care, and providing artificial respiration (Effting & van den
Berg, 2020; Readfearn, 2020b; Torfs, 2020). The more conscious the actor is of
prevention, detection and reaction strategies, the more cognitively aware the
actor is about the mitigation of the coronavirus. Conversely, the less the actor is
informed about the mitigation measures, the lower the cognitive awareness of the
mitigation. For example, one common cause of concern was that the mitigation
measures communicated by the government do not reach parts of the population,
especially those who do not understand the language in which these measures are
communicated (Parveen, 2020; Santens, 2020) or those who are not familiar with
the communication channels used, including mainstream media (Brock, 2020;
Knack, 22/03/2020). If these barriers cannot be removed, the mitigation measures
do not reach all target audiences, resulting in lack of cognitive mitigation
awareness for this part of the population.
Lastly, attitudinal awareness of the mitigation signifies the attitude the
actor has toward the mitigation of the threat. It denotes the actor’s vision on the
significance of mitigating the threat, their evaluation of the measures that are
prescribed as adequate to mitigate it and their motivation to apply these
mitigation measures themselves. The more positive the actor’s attitude toward
the mitigation of the threat, the higher the attitudinal awareness of the mitigation,
whereby a positive attitude means that the actor perceives the mitigation of the
threat as necessary, acknowledges the usefulness of the prescribed
countermeasures and is willing to contribute to the implementation of these
measures. Vice versa, the more negative the actor’s attitude toward the mitigation
of the threat, the lower the attitudinal mitigation awareness, whereby a negative
attitude means that the actor regards the mitigation of the threat as non-urgent,
questions the appropriateness of the prescribed countermeasures and lacks
motivation to contribute to the mitigation of the threat. Applied to the
coronavirus, attitudinal mitigation awareness signifies the actor’s understanding
of the urgency and responsibility to take mitigation measures to ‘flatten the
curve’, limit the number of simultaneous contaminations and lessen the burden
on health care services. In contrast, the less the actor is convinced of the sense of
urgency to mitigate the coronavirus, the less they are persuaded of the suitability
of the prescribed countermeasures and the less they are inclined to contribute to
the mitigation, the lower the attitudinal mitigation awareness. There are people,
not least the then President of Brazil, who tend to shrug the coronavirus off
as a common flu that will blow over eventually (Debruyne, 2020; Phillips, 2020;
Vanderschoot, 2020a). Consequently, a common claim that was originally
endorsed by the then President of the US but later retracted is that the
countermeasures taken to tackle the virus are like using a sledgehammer to crack
a nut (Van Hessche, 2020a; Van Hessche, 2020b). In other words, the measures
are overkill and will cause more damage than the virus itself, not least to the
economy (Annemans, 2020a; Annemans, 2020b). Religious actors also have
difficulties implementing the prescribed measures, as these measures contravene
their religious beliefs and hamper their religious obligations (Brock, 2020;
Parveen, 2020). Aversion toward the prescribed countermeasures probably leads
to a reduced motivation to play a part in the implementation of the
countermeasures, putting a strain on the fight against the virus. Table 1
summarizes the aforementioned explanation of the four-part typology, including
the illustration by reference to the coronavirus.

[Cognitive × Threat] Cognitive threat awareness
• The factual knowledge (theoretical or practical) the actor possesses on the
  characteristics of what is generally considered to be a threat.
Example of coronavirus
• Knowing among other things the ways the coronavirus can be transmitted, its
  symptoms, the high-risk groups that are especially vulnerable to it, and its
  other characteristics.

[Cognitive × Mitigation] Cognitive mitigation awareness
• The factual knowledge the actor possesses about the measures that prevent,
  detect and respond to the threat.
Example of coronavirus
• Knowing infection is prevented by for example quarantine, social distancing
  and frequently washing your hands, detected by medical tests and responded to
  through for instance hospitalizing the patient, worst case at intensive care,
  and providing artificial respiration.

[Attitudinal × Threat] Attitudinal threat awareness
• The attitude the actor has toward the threat, or whether the actor perceives
  the threat as a significant threat that is applicable to the own situation.
Example coronavirus
• Being attentive to the threat by understanding the seriousness of the
  situation and refraining from dismissing the virus as a minor issue like a
  common flu.
• Understanding that the threat applies to the actor as everybody is prone to
  infection and to the indirect negative consequences of high numbers of
  simultaneous infections.

[Attitudinal × Mitigation] Attitudinal mitigation awareness
• The attitude the actor has toward the mitigation of the threat, or the
  actor’s vision on the significance of mitigating the threat, their evaluation
  of the measures that are prescribed as adequate to mitigate it and their
  motivation to apply these mitigation measures himself.
Example coronavirus
• Understanding the urgency and responsibility to take proportionate mitigation
  measures to ‘flatten the curve’, limit the number of simultaneous
  contaminations and lessen the burden on health care services and social
  security to avoid both infections and related health problems and indirect
  negative consequences.

Table 5.1: Four types of security awareness

As mentioned before, attitudinal awareness is different from the actor’s
actual behavior. In other words, being attitudinally aware of the mitigation does
not necessarily mean that actual mitigation takes place, given that attitudinal
awareness relates to intended behavior rather than actual behavior (Furnell et
al., 2002; Furnell & Thomson, 2009; Gundu et al., 2019; Kabay, 2002;
Korovessis et al., 2017; Schermerhorn Jr. et al., 2002). In order to comply with
the prescribed mitigation measures, one should for example have the skills to be
able to implement the measures. Take for instance the guideline of self-isolation,
which is believed to contribute to halting the proliferation of the virus. To
implement this measure, one should, however, be able to quarantine themselves
in their own residence. This is for instance impossible for homeless people, who
may be attitudinally aware of the mitigation but are not able to self-isolate
(Arnoudt, 2020). In other words, an actor can be attitudinally aware and have the
intention to apply the mitigation measures, but that does not necessarily mean
that they have the competence or capacity to actually apply them. Therefore,
awareness relates to intended behavior, and not actual behavior.
5.2.4 Characteristics of the typology

The typology outlined above shows that security awareness should not be
considered a dichotomy in which the actor is either aware or not aware, but
should rather be viewed as a continuum in which the actor can be more or less
aware (Hänsch & Benenson, 2014). For example, an actor can understand the
sense of urgency to tackle the threat, but can simultaneously dismiss the
applicability of the threat to them, i.e. the previously mentioned NIMO bias
(Bunn & Sagan, 2016). The same principle of continuity applies to the
coronavirus. Although experts already know a lot about the coronavirus, there is
still a lot to be learned with respect to the virus itself and the ways the virus can
be mitigated.
Apart from being continuous rather than dichotomous, the typology also
demonstrates that one can for instance be aware of a threat without being aware
of the mitigation (or vice versa), or that one can know the mitigation measure but
not feel bound or obliged to follow it (or vice versa). In other words, “each [type]
may vary independently of the others. This statement does not imply that the
[four] are unrelated to one another, but only that they are separable” (Mayer et
al., 1995: 720). Each of the different awareness types can thus be interpreted as
a distinct awareness dimension that can be present to a greater or lesser extent
(Hänsch & Benenson, 2014).
It can, however, be assumed that having a slight acquaintance of the threat
is a prerequisite for any of the awareness types. Volpentesta, Ammirato and
Palmieri (2011: 318) stipulate that “awareness occurs when an individual is
sufficiently informed about a subject for him/her to be conscious of its existence
and its broad subject matter. (…) Knowledge requires a theoretical or practical
understanding of a subject”. Although I do not endorse their interpretation of
awareness, given that I interpret security awareness in a much broader way than
having a basic glimpse of the threat, their distinction between ‘conscious of its
existence and its broad subject matter’ and ‘theoretical or practical understanding
of a subject’ is valuable.
Accordingly, it is acknowledged that the actor has to have a slight
acquaintance of the threat to be able to become cognitively and/or attitudinally
aware of the threat and/or the mitigation of the threat, or to be eligible for any of
the security awareness types. Extensive knowledge about the threat (i.e. cognitive
awareness of the threat) can only occur after one has a slight acquaintance of the
threat. Likewise, in order to develop extensive knowledge of the measures that
mitigate the threat (i.e. cognitive awareness of the mitigation), one first has to
have a glimpse of the threat that should be mitigated. Similarly, the actor has to
have a slight acquaintance of the threat before they can consider it a significant
problem that is applicable to them (i.e. attitudinal awareness of the threat) and
before they can consider the mitigation of the threat as important, endorse the
prescribed mitigation measures and be motivated to contribute to the mitigation
(i.e. attitudinal awareness of the mitigation).
In theory, each actor that is susceptible to the threat should develop an
extensive level of all the security awareness dimensions, or should strive for
awareness on all four security awareness types. In reality, however, this ambition
might be difficult to achieve (for instance due to budgetary constraints or reasons
of workability), meaning that prioritization might take place. As a result of the
separability of the security awareness dimensions, it is possible that the actor has
for instance more insight on how to mitigate the threat than insight on what the
threat actually encompasses. Think for example of an actor who knows that
regularly updating a computer with anti-virus software protects the computer
from getting infected, without being able to clearly explain what a computer virus
is (Hänsch & Benenson, 2014). Therefore, it is true that the actor has to have a
slight acquaintance of the threat, but it could be the case that cognitive awareness
about the mitigation measures outweighs cognitive awareness about the threat.
The same reasoning can be applied to the threat of the coronavirus, as it is
assumed that the majority of the population is better able to explain the mitigation
measures (washing hands, social distancing, self-isolation,…) than the actual
characteristics of the coronavirus itself.
A similar argument can be made with respect to attitudinal awareness.
Although one would presume that attitudinal awareness of the threat and
attitudinal awareness of the mitigation are only possible after a thorough insight
on the threat, this is not necessarily the case. In the creation of attitudinal
awareness, persuasion plays an important role (Russell, 2002; Siponen & Kajava,
1998; Siponen, 2000). Feldman (2011), however, indicates that there are two
different ways by which people can be persuaded, namely central route
processing and peripheral route processing:
“Central route processing occurs when the recipient thoughtfully
considers the issues and arguments involved in persuasion. In central
route processing, people are swayed in their judgments by the logic,
merit, and strength of arguments. In contrast, peripheral route processing
occurs when people are persuaded on the basis of factors unrelated to the
nature or quality of the content of a persuasive message. Instead, factors
that are irrelevant or extraneous to the issue, such as who is providing the
message, how long the arguments are, or the emotional appeal of the
arguments, influence them” (Feldman, 2011: 580).

Only in case of central route processing is extensive cognitive awareness
necessary to create the attitudinal awareness types. In case of peripheral route
processing the emphasis is not put on the content of the message, but rather on
the way the message is provided. Regarding peripheral route processing, it is for
instance important to take into account the method (i.e. classroom training,
posters, newsletters, intranet,…) that is used to convey the content (Gemeentelijk
Havenbedrijf Antwerpen, 2012; Nationaal Adviescentrum Vitale Infrastructuur,
2008; Spurling, 1995), or to consider the personality type of the actor that has to
be persuaded (Chipperfield & Furnell, 2010). Hence, it is possible that an actor’s
attitudinal awareness outweighs their cognitive awareness. The only
impossibility is that attitudinal mitigation awareness occurs without attitudinal
awareness of the threat. To put it in a different way, an actor can only be
motivated to protect themselves against the threat when they perceive the threat
as a significant threat that applies to them.
Applied to the coronavirus, central route processing, or concentrating on
the content of the message, is insufficient to make the population attitudinally
aware of the threat and the threat mitigation, given that some actors continue to
flout the prescribed mitigation measures (Connolly et al., 2020; Noor, 2020;
Terryn, 2020; Tondo, 2020). As a result, government authorities equally engage
in peripheral route processing, focusing on the way the message is
communicated. One of the aspects focused on is the source of the message. The
countermeasures are not only communicated by experts in virology or through
official government channels, but also by famous actors, musicians and social
media influencers (BBC News, 29/03/2020; Maerevoet, 2020), as well as by
people who are highly respected in their cultural or religious community (Brock,
2020; Knack, 22/03/2020), in the hope that they can persuade more people to
adhere to the measures. Still, it can be assumed that simply focusing on peripheral
route processing will usually be equally insufficient and the content of the
message has to be taken into account as well. In general, both what you say (i.e.
central route processing) and how you say it (i.e. peripheral route processing)
need to be considered in order to persuade the target group and create awareness.

5.3. Organizational awareness vs. individual awareness
In the previous section, the typology based on the distinction between
threat and mitigation and the division between cognition and attitude was
outlined. So far awareness was looked at from the perspective of a unitary actor
(Viotti & Kauppi, 2012; Waltz, 1979). Collective awareness can however be
differentiated from individual awareness. Collective awareness refers to the
aggregated knowledge of and attitude toward the issue of a group of individuals.
In an organizational context, it might refer to the awareness of a team, a
department or even the entire organization. In this chapter, I am mainly interested
in the collective awareness of the entire organization, which is denoted here as
‘organizational awareness’. The organization is interpreted as a collective actor
(Searle, 2013; Isaeva et al., 2019) that is anthropomorphized (Monahan &
Quinn, 2006), acting as if it were a single, united entity. In other words, I perceive
the organization as “a unitary actor in that it is usually assumed (…) to have one
policy at any given time on any particular issue” (Viotti & Kauppi, 2012: 39).
Organizational awareness thus denotes the entire organization’s aggregated
knowledge of and attitude toward the issue, or the organizational policy.
In contrast, individual awareness refers to the awareness of the separate
members within the entity, or the knowledge and attitude of the individual
members of the organization on the organizational policies. Organizations are not
necessarily interested in whether their members are aware about the issue in
general, but rather in whether or not their members are aware about the
instructions the organization wants them to be aware about (Haeussinger &
Kranz, 2013). While the focal point of organizational awareness is the aggregated
knowledge and attitude of the organization, the center of attention of individual
awareness is rather on the knowledge about and attitude of individual
organizational members toward the prescribed organizational policies related to
the particular threat and threat mitigation.
The distinction between organizational awareness and individual
awareness signifies that the latter can only be examined if the former is present.
In other words, if the entire organization as a unitary actor is not aware of a
particular threat, no organizational policies will be developed on this particular
threat. Individual awareness will be absent by definition, as the individual
members of the organization have nothing to be aware about. In brief,
organizational awareness, or collective awareness of the entire organization, is a
prerequisite for individual awareness.
Referring back to the coronavirus, organizational awareness refers to
questioning the aggregated knowledge about and attitude toward the coronavirus
of for instance the National Railway Company of Belgium (SNCB) as a unitary
actor, or the SNCB policy concerning the coronavirus. If one wants to make an
international comparison of how public transportation companies continue to
work during the public health crisis, interpreting the SNCB as a black box
simplifies the comparison, and would be useful. Individual awareness, on the
other hand, refers to examining the individual knowledge and attitude of the
employees of the SNCB. The SNCB is not necessarily interested in their
knowledge about or attitude toward the coronavirus in general, but rather in their
knowledge about and attitude toward the SNCB policy regarding the coronavirus.
Examining the individual awareness of the employees of the SNCB is, however,
only possible if the SNCB itself is to a certain extent aware of the coronavirus
(i.e. organizational awareness), or if the SNCB has developed policies on the
coronavirus.

5.4. Advantages
This chapter so far outlined a four-part security awareness framework,
explaining the four awareness types, and clarified the distinction between
organizational awareness and individual awareness. It is argued that the
theoretical framework is suitable both with respect to organizational awareness
and individual awareness. Concerning organizational awareness, the typology
can be used to compare the degree of awareness of different organizations, like
the aforementioned example of an international comparison of how public
transportation companies continue to work during the public health crisis. In
other words, the awareness typology can be used to examine the organization’s
aggregated knowledge about and attitude toward the threat and threat mitigation,
interpreting the organization as a black box, after which the security awareness
levels of several organizations can be compared. In the next chapter, I apply the
typology to examine and compare the organizational awareness of Belgian
organizations with respect to the insider threat problem.

Figure 5.2: Developing tailor-made awareness programs

Organizations can also use the typology themselves to assess the security
awareness of their individual members, or to assess individual awareness. Figure
5.2 illustrates that the decomposition of the awareness concept into different
types allows organizations to find the awareness gaps among their members, after
which they can provide their members with tailor-made awareness programs
(Chipperfield & Furnell, 2010; Russel, 2002). It was argued before that even
though each member related to the organization would ideally possess an
extensive level of all the security awareness dimensions, this objective is
probably overambitious, for instance due to budgetary constraints or reasons of
workability. Therefore, it is important that the organization acknowledges that
the relative priority of each security awareness dimension differs according to the
organizational member that is discussed.
In order to balance security with feasibility, the organization has to divide
the organizational members according to their security awareness needs (step 1
figure 5.2) (Hänsch & Benenson, 2014; Nationaal Adviescentrum Vitale
Infrastructuur, 2008; Russel, 2002). The organization has to define the expected
awareness for its organizational members, determining for each organizational
member first which security awareness types are essential and second what the
sufficient level of awareness is for that particular awareness type that is
prioritized. It could for example be assumed that on a tactical level (i.e.
executives) attitudinal awareness is relatively more important than cognitive
awareness to ensure that attention is paid to the threat and resources are made
available. Extensive cognitive awareness, on the other hand, is less of a priority
on the tactical level as this knowledge can be delegated to subordinates on the
operational level that are responsible for the actual mitigation of the threat. Once
the expected awareness of the organizational members is agreed upon, the
organization can measure their actual awareness (step 2 figure 5.2), or what
knowledge of and attitude toward the threat and threat mitigation the actor has in
reality. Subsequently, the organization can examine to what extent the awareness
needs are met, analyzing the awareness gaps among their members by comparing
their expected awareness with their actual awareness (step 3 figure 5.2). Finally,
the organization can address the awareness gaps by establishing tailor-made
awareness programs that align the actual awareness levels with the expected
awareness levels (step 4 figure 5.2).
The provision of awareness programs is thus not a one-size-fits-all
approach. I argued before that both the problem-solution distinction (≈ threat-mitigation
distinction) and the descriptive-prescriptive distinction (≈ cognitive-attitudinal
distinction) are on their own insufficient to fully grasp the concept of
security awareness. Applying the threat-mitigation distinction, a deficit in for
instance mitigation awareness does not reveal whether the deficit is related to the
individual’s knowledge or attitude. Similarly, applying the cognitive-attitudinal
distinction, an insufficient level of for instance attitudinal awareness does not
reveal whether the insufficiency lies in downplaying the threat as such or in
refuting the prescribed countermeasures. Only combining the two distinctions
into a four-part typology allows one to have a more detailed understanding of the
awareness deficit and subsequently allows one to develop a more specified
tailor-made awareness program.
Organizational members that are unconscious of the characteristics of the
threat should be targeted with cognitive threat awareness programs that educate
the members on what the organization expects them to know about the threat. In
contrast, members of the organization that are already sufficiently conscious
about the characteristics of the threat should not be targeted with awareness
programs outlining the knowledge they already possess. Similarly, organizational
members that lack sufficient theoretical or practical knowledge of the measures
that mitigate the threat should be engaged with cognitive mitigation awareness
programs that tutor the mitigation measures that the organization prescribes,
while those that are already sufficiently conscious of these prevention, detection
and reaction guidelines should be exempted from it.
Apart from the provision of theoretical and practical information on the
organization’s policies, awareness programs can also be concentrated on altering
the attitude of the organizational member toward these policies (Gemeentelijk
Havenbedrijf Antwerpen, 2012; Pfleeger, Sasse & Furnham, 2014; Siponen &
Kajava, 1998; Siponen, 2000). According to Tsohou, Karyda and Kokolakis
(2015: 129), “security awareness research and practice needs to understand ‘how
to bolster security behavior’, besides identifying what security behavior to
promote. To do that, we need to understand how individuals internalize security
awareness information”. Therefore, attitudinal threat awareness programs should
be concentrated on organizational members that have a negative attitude toward
the threat, or those who do not acknowledge the significance and applicability of
the threat. The main goal of these awareness programs is not so much to inform
the member on the existing policies, but rather to convince the member that the
threat is serious and that they should perceive it as a threat that is applicable to
the organization and therefore also to them. Conversely, members that already have
a positive attitude toward the threat should be exonerated from this attitudinal
threat awareness program. Attitudinal mitigation awareness programs, to
conclude, should be targeted at organizational members that have a negative
attitude toward the organizational mitigation measures. The aim of these
awareness programs is to persuade the member of the advantages of the
prescribed mitigation measures to guarantee their loyalty and to ensure they will
apply them. Again, members already having a positive attitude toward the
mitigation measures should be excused from this attitudinal mitigation awareness
program.
In conclusion, by exposing the awareness gaps within the organization,
the four-part typology creates an opportunity for the organization to provide its
members with tailor-made awareness programs. Awareness programs should be
tailor-made in a way that they aim to meet the awareness needs by filling the gap
between the actor’s expected awareness, or to what extent the actor must be aware
of each awareness type, and the actor’s actual awareness, or to what extent the
actor is aware of each awareness type. Although it is recognized that refresher
courses are useful now and then (Gemeentelijk Havenbedrijf Antwerpen, 2012),
it is argued that overkill, or targeting members with awareness programs on
content they are already sufficiently aware of (i.e. awareness needs already met),
would be counterproductive in the sense that it is a waste of resources and might
create boredom or frustration among the members due to repetitiveness, resulting
in reduced motivation (Gemeentelijk Havenbedrijf Antwerpen, 2012; Nationaal
Adviescentrum Vitale Infrastructuur, 2008; Russel, 2002).
The coronavirus can again be used as an example. Although the ideal
situation would be that each stakeholder (i.e. medical experts, governments,
health care services, citizens, …) has extensive awareness of all four types, the
reality is that not each stakeholder will be aware to the same extent. As mentioned
before, a prerequisite is that each stakeholder at least has a slight acquaintance of
the threat. If this condition is fulfilled, the relative priority of the security
awareness dimension depends on the stakeholder’s position. To give an example,
it is assumed that extensive cognitive awareness of the threat is important for
experts in virology and epidemiology, while it is of relatively less importance for
government leaders to know all the details about the virus. Instead, government
leaders need extensive attitudinal threat awareness to make sure that the
government understands the sense of urgency. Champion (2020, second
paragraph) indicates that “of the 10 nations hardest hit by the virus in terms of
deaths per 100,000 inhabitants, according to the Johns Hopkins University
School of Medicine, at least three – Brazil at 69, and the U.K. and U.S. at just
above 63 -- are led by politicians who first belittled the coronavirus but were then
infected by it”. With their lack of attitudinal awareness, Bolsonaro, Trump and
Johnson did not only put themselves at risk, but their denial enabled the
proliferation of the virus inside their countries. Similarly, extensive cognitive
mitigation awareness is significant for health care services that are at the forefront
of mitigating the coronavirus, while extensive attitudinal mitigation awareness is
required for the whole population to ensure their engagement and commitment
in the flattening of the curve. In sum, the kind of awareness program will depend
on the stakeholder that is targeted, and the discrepancy between the stakeholder’s
expected awareness and actual awareness.
5.5. Limitations
Notwithstanding the advantages of the typology, it is confronted with one
major shortcoming, namely that the framework is morally biased toward
‘applicable threats’. The bias is moral in the sense that I argue that in theory actors
should strive for the highest possible awareness on all four awareness types.
Striving for the highest possible awareness on all four awareness types is
desirable for threats that are applicable to the actor, while this is not true for non-
applicable threats. The framework is particularly suited for universal threats, like
climate change and the coronavirus, that apply to every actor, but also to assess
threats that only apply to specific organizations.
When the actor is not susceptible to the threat, the current state of the
model is not suitable. To illustrate, think of the threat of unwanted pregnancy for
people who are not yet ready to become parents. Cognitive threat awareness and
cognitive mitigation awareness respectively refer to being conscious that unsafe
sex might result in pregnancy and consciousness of the measures that prevent
(i.e. the different birth control methods like condoms or the morning after pill),
detect (i.e. pregnancy tests) or respond (i.e. measures like giving the child for
adoption or abortion) to the threat. Attitudinal awareness, on the other hand,
relates to the attitude toward pregnancy and measures to mitigate pregnancy.
According to the theoretical framework, the highest possible awareness about all
four awareness types should be aimed for. However, not all people will perceive
pregnancy as a threat. People that wish to become parents will not consider
pregnancy as a threat and are therefore not in need of attitudinal awareness as
interpreted here. The shortcoming of the theoretical framework thus lies within
the term applicability, as not all threats are applicable to every actor.
Consequently, in its current form, the framework is only suitable for threats that
are significant and directly applicable to the actor that is analyzed.
Although this shortcoming is acknowledged, the typology can be made
suitable for non-applicable threats by eliminating the applicability aspect from
the attitudinal awareness types, or by solely focusing on the significance aspect.
In other words, the more the actor perceives the ‘Not in My Habitat’ (NIMH)⁴⁷
threat as important and understands the sense of urgency to mitigate it, the higher
the actor’s attitudinal awareness. In this way, the typology can also be applied to
the actor’s attitudinal awareness of threats that are not directly applicable to the
actor. Take for instance the threat of Ebola that only occurs on the African
continent. Given that the threat of Ebola infection is close to zero in Europe
(World Health Organization, accessed on 31/03/2020), most Europeans will
justifiably not perceive the threat as a problem applicable to them, and will
therefore not be in need of attitudinal awareness as interpreted in the present
chapter. Nevertheless, the framework can still be used to question the attitudinal
awareness of European citizens on Ebola if one leaves aside the applicability
aspect. It might for instance be interesting to evaluate the extent to which
Europeans are bothered by the Ebola threat in Africa, or gauge the degree of
empathy of the European citizens with their African peers. It is assumed that there
will be differences among the European population regarding the urgency to
mitigate Ebola, as not every European citizen will meet the attitudinal awareness
of charitable organizations like Doctors Without Borders.

⁴⁷ In the spirit of the ‘Not in My Organization’ (NIMO) bias (Bunn & Sagan, 2016).
Moreover, it was argued that the more factual knowledge the actor
possesses of the characteristics of the threat (or the mitigation), the higher the
cognitive awareness of the threat (or the mitigation), and the more positive the
actor’s attitude toward the threat (or the mitigation), the higher the attitudinal
awareness of the threat (or the mitigation). Urging actors to maximize cognitive
and attitudinal awareness of the threat and threat mitigation should however not
be interpreted as an appeal to actors to solely and excessively concentrate on
these particular threats. Or put in another way: “Security yes, but down to earth,
without the mumbo jumbo, without shouting in utter Panic: “Barbarians at The
Gate”.” (Nationaal Adviescentrum Vitale Infrastructuur, 2008: 9). Being aware
of the threat is thus not equal to using a sledgehammer to crack the nut, or to
becoming overly suspicious. Instead, the more an actor is aware of the threat, the
more the actor can refrain from under- or overestimation of the threat, and the
more the actor can apply the threat to their own situation and take into account
the appropriate context. Likewise, the more the actor is aware of the mitigation
of the threat, the more the actor can assess which mitigation measures are
proportionate to counter this threat.

Applied to the coronavirus, I do acknowledge that certain individuals,
perhaps even most of the infected ones, are less prone to experience severe health
issues following infection. Nevertheless, I do believe that the coronavirus is a
universal threat because the highly contagious nature of the virus made it an
epidemic disease with indirect consequences for those individuals that do not
experience serious health concerns. Freeriding behavior will on the one hand put
loved ones belonging to the high-risk group at risk of infection and related health
problems, including death, and will on the other hand increase the number of
simultaneous contaminations, thereby escalating the burden in the short run on
health care services and in the long run on social security in a way that might be
uncontrollable. Individuals that are less directly prone to health problems
resulting from infection must nevertheless play their part in mitigating the
coronavirus and equally develop attitudinal awareness to prevent the indirect
negative consequences described above. Developing attitudinal awareness does,
however, not mean that these individuals should completely withdraw
themselves from public life and live like a hermit. Instead, the more the actor is
attitudinally aware, the more the actor can accurately assess to what extent they
are prone to not only catch the virus themselves, but also to what extent they are
susceptible to become a (super-)spreader of the virus. Similarly, the more the
actor is aware of the mitigation, the more they are able to assess which mitigation
measures are proportionate to limit the chances of becoming infected and
contaminating others, whereby the proportionality of the measures fluctuates
with the number of simultaneous infections (i.e. degree to which the curve is
flattened).

5.6. Conclusion
This chapter shed new light on the conceptualization and categorization
of security awareness. It was demonstrated that awareness of the threat should be
distinguished from awareness of the mitigation of the threat, and that a distinction
should be made between cognitive awareness, or the aspect of security awareness
that concentrates on the actor’s knowledge about the issue, and attitudinal
awareness, or the aspect of security awareness that focuses on the actor’s attitude
toward the issue. Because both the threat-mitigation and the cognitive-attitudinal
distinction are on their own insufficient to fully grasp security awareness, I merged
them to suggest a new typology of security awareness consisting of four
awareness types: (1) cognitive awareness of the threat; (2) attitudinal awareness
of the threat; (3) cognitive awareness of the mitigation and (4) attitudinal
awareness of the mitigation. The typology was explained in greater detail and
illustrated by referring to the threat of COVID-19 that has gripped the world since 2020.
Subsequently, it was demonstrated that the typology is particularly useful in an
organizational context, as it can be used to study both organizational awareness
and individual awareness. Concerning the former, the typology can be used to
compare the awareness level across organizations. Regarding the latter, the
four-part typology allows for a more detailed understanding of organizational
members’ awareness deficits (i.e. awareness gaps between the organizational
members’ awareness needs or expected awareness and their actual awareness)
and subsequently allows the development of specific tailor-made awareness programs to
fill these gaps.
The provision of this new security awareness typology paves the way for
new research on security awareness. Future research could for instance
concentrate on the ways through which each individual security awareness type
can be measured. Concerning organizational awareness, chapter five will
elaborate on an application of the current typology to assess the awareness of
Belgian organizations with respect to insider threats. By means of an online
questionnaire consisting of a number of statements to which each respondent has
to indicate their position via an 8-point Likert-scale, I analyze the organizational
awareness with respect to the insider threat problem. I encourage other
researchers to find other ways through which each security awareness type can
be measured, not only with respect to organizational awareness but also regarding
individual awareness. In this way, organizations would be able to identify
security awareness gaps within their organization, enabling them to meet the
security awareness needs of their members.
Identifying the awareness gaps within the organization is, however, only
the first step toward increasing awareness. Future research should also
concentrate on the concrete implementation of the tailor-made security awareness
programs related to each security awareness type. As illustrated in figure 5.2,
once the awareness gap is noticed, a security awareness program has to be
established to fill the gap and align actual awareness with expected awareness.
In this regard, Feldman’s (2011) distinction between central and peripheral route
processing might be an interesting angle to elaborate on. Future research could
discover a correlation between the type of organizational members and
Feldman’s persuasion techniques, so that organizations would be able to know
whether the content of the message (i.e. central route processing) or the way the
message is transmitted (i.e. peripheral route processing) will carry the most
weight to persuade the organizational member that is analyzed. This information
would enable the organization to target each organizational member with the
right persuasion technique, thereby increasing both the effectiveness and the
efficiency of the security awareness program.

To conclude, developed and implemented security awareness programs
should be adequately evaluated to analyze their effectiveness and efficiency. Future
research could integrate our typology to increase the accuracy of the existing
evaluation techniques and methods, like the evaluation methodology proposed
by Konstantinos, Konstantinos & Charalampos (2012).

Chapter 6

Insider threat awareness in a Belgian context

6.1. Introduction
The four-part typology to assess security awareness elaborated on in the
previous chapter (i.e. chapter five) will form the basis of the present chapter in
which the typology will be applied to the insider threat problem. Although some
organizations recognize the existence of the insider threat but simultaneously
dismiss the applicability of insider threats to their organization, referred to by
Bunn and Sagan (2016) as the NIMO bias, the insider threat problem is applicable
to every organization (Cole & Ring, 2006; Gelles, 2016; Sarkar, 2010). The non-
discriminatory character of the insider threat makes the framework suitable to
assess organizational awareness of the insider threat.
The main goal of this chapter⁴⁸ is to assess to what extent Belgian
organizations are aware of the insider threat problem, as well as to assess their
behavior with respect to insider threat mitigation. It was mentioned in the
introduction of this dissertation (see chapter one) that while the attention to the
insider threat problem in the US rose due to high-level insider threat incidents
(Gelles, 2016), like the previously mentioned cases of Hasan, Snowden and
Manning, the insider threat problem receives far less attention in Belgium (and
in all likelihood also in Europe), notwithstanding similar large-scale insider threat
incidents like the sabotage of nuclear reactor Doel 4 and the case of Conings.
This is why Belgian organizations are considered to be a suitable target audience
to assess insider threat awareness, and why an online questionnaire was
distributed among Belgian organizations to assess their knowledge about and
attitude and behavior towards insider threats.

⁴⁸ It should be mentioned that most of this chapter was published as a co-authored research report
with Prof. dr Tom Sauer.
In what follows, I will start with an outline of the research design,
clarifying the content of the questionnaire (what do I want to survey?), the target
audience (who do I want to survey?) and the format of the questionnaire (how do
I want to survey them?). After that, I will elaborate on the data collection methods
and the profile of the respondents that completed the online questionnaire.
Subsequently, the center of attention will shift to the results of the study, and the
chapter will be concluded with a discussion of the limitations and a conclusion section.
6.2. Research design
6.2.1. Content of the questionnaire

The content of the online questionnaire is inspired by Kruger and
Kearney’s (2006) knowledge-attitude-behavior (KAB) model. Applying the
model to the insider threat context, awareness of the insider threat is a reflection
of what the respondent knows (K) about insider threats, feels (A) about insider
threats, and intends to do (B) against insider threats. In contrast to Kruger and
Kearney, and drawing upon the information shared in chapter five, I argue that
awareness differs from the actor’s actual behavior because the respondent can be
aware of the insider threat but can be restricted from acting upon this awareness
for multiple reasons, like for instance budget restrictions (Furnell et al., 2002) or
lack of skills (Furnell & Thomson, 2009; Korovessis et al., 2017). Still,
respondents were questioned on both awareness and behavior because they both
provide useful insights.
With respect to awareness, the questionnaire draws upon the four-part
security awareness typology outlined in chapter five to assess four different types
of awareness: (1) cognitive awareness of the threat; (2) attitudinal awareness of
the threat; (3) cognitive awareness of the mitigation and (4) attitudinal awareness
of the mitigation. This implies that both the knowledge component and attitude
component of the KAB-model are further divided into on the one hand
knowledge about or attitude towards the insider threat problem and on the other
hand knowledge about or attitude towards the mitigation of the insider threat
problem. Each awareness category is briefly discussed below in the context of
the insider threat problem.
(1) Cognitive threat awareness refers to the knowledge the respondent
possesses of the characteristics of what is generally considered to be a threat. In
an insider threat context, it relates to the knowledge the respondent has about the
characteristics of the insider threat. It refers for instance to the respondent’s
knowledge about the potential actors that pose the insider threat (i.e. permanent
employee, subcontractors, former employee, …) (Colwill, 2009; Gelles, 2016;
Nurse et al., 2014), the modi operandi through which the insider threat can be
expressed (i.e. theft, sabotage, espionage, social engineering, …) (BaMaung et
al., 2018; Sarkar, 2010) and the targets of insider threats (i.e. organizational assets
like intellectual property or financial resources) (Bishop et al., 2009; Bunn &
Sagan, 2016). The more knowledge the respondent possesses of the
characteristics of the insider threat, the higher the cognitive awareness of the
insider threat.
(2) Attitudinal threat awareness signifies the attitude the respondent has
toward the threat, or the respondent’s vision on the significance and applicability
of the threat. In an insider threat context, it signifies the attitude the respondent
has toward the insider threat problem. It not only denotes whether the respondent
believes that the insider threat problem is a matter of concern that deserves
attention, but also relates to whether the respondent believes that the insider threat
problem is applicable to their organization. A positive attitude means that the
respondent considers insider threats a significant problem that is applicable to
their organization. A negative attitude indicates that the respondent trivializes the
problem of insider threats, thereby not acknowledging that the problem is
applicable to their organization. The more positive the attitude toward the insider
threat problem, the higher the attitudinal awareness of the insider threat.
(3) Cognitive mitigation awareness relates to the knowledge the
respondent possesses about the measures that prevent, detect and respond to the
threat. In an insider threat context, it involves knowledge about the
countermeasures that are needed to prevent insider threats, like for instance
background checks (BaMaung et al., 2018; Bunn & Sagan, 2016; Klotz et al.,
2013), countermeasures that are needed to detect insider threats, like for instance
a reporting mechanism (Bell et al., 2019; Colwill, 2009; UK CPNI, 2011; US
NITTF, 2016) and countermeasures that are needed to limit the potential damage
that can be caused by insider threat incidents, like for instance emergency
response plans (Mehan, 2016). The more knowledge the respondent possesses of
the measures that mitigate insider threats, the higher the cognitive awareness of
the insider threat mitigation.
(4) Attitudinal mitigation awareness refers to the attitude the respondent
has toward the mitigation of the threat. It concerns the respondent’s vision on the
significance of mitigating the threat, their evaluation of the measures that are
prescribed as adequate to mitigate it and their motivation to apply these
mitigation measures to their own situation. In an insider threat context, it denotes
whether the respondent feels a sense of urgency to mitigate the insider threat, has
a favorable evaluation of the generally accepted prescribed countermeasures and
is willing to apply those mitigation measures in their own organization. A
positive attitude means that the respondent perceives the mitigation of the insider
threat as necessary, recognizes the suitability of the generally accepted prescribed
countermeasures and is willing to implement the measures. A negative attitude
means that the respondent regards the mitigation of the threat as nonessential,
questions the appropriateness of the prescribed countermeasures and lacks
motivation to put the mitigation into action. The more positive the respondent’s
attitude toward the mitigation of the insider threat, the higher the attitudinal
awareness of the insider threat mitigation.
As stated before, I was also interested in the actual behavior of Belgian
organizations. As a result, the online questionnaire also assesses what
organizations are actually doing to counter the insider threat. On top of that, other
insider threat-related topics were touched upon, like for instance the sources the
organization consults to increase its knowledge on the insider threat problem, or
the organization’s own experiences with insider threat incidents. To conclude,
respondents were asked questions concerning organizational characteristics, like
annual turnover, number of employees or location of the headquarters, as well as
individual characteristics like sex, experience or function within the organization.
6.2.2. Target audience

It was demonstrated in chapter five that in an organizational context, the
typology is applicable to examine both the awareness of the organization and the
awareness within the organization. The former refers to the awareness of the
organization as a unitary actor (Waltz, 1979), whereby an organizational
representative that is knowledgeable of the organizational policy participates as
respondent for their organization. The latter refers to the awareness of the
separate units within the organization, whereby the members of the organization
that have to adhere to the organizational policies participate as respondents. This
study assesses organizational awareness, leaving aside awareness within the
organization. In other words, the organization is interpreted here as a collective
actor (Isaeva et al., 2019; Searle, 2013) that is anthropomorphized (Monahan &
Quinn, 2006), acting as if it were a single, united entity that is represented by one
member of the organization. More concretely, the target audience of our online
questionnaire are organizational representatives related to security⁴⁹ who are
assumed to be involved to a large extent in the insider threat policy of their
organization.

⁴⁹ “security-verantwoordelijke” in Dutch, or « le responsable de la sécurité » in French.

6.2.3. Format of the online questionnaire

I used the online survey tool Qualtrics to establish the online
questionnaire. Given that the online questionnaire was targeted at Belgian
organizations, the respondent could choose between a Dutch-speaking and a
French-speaking version. The online questionnaire started with a short
introduction outlining the purpose, target audience and time required to complete
the questionnaire, as well as with an informed consent. After accepting the
informed consent, the respondent was redirected to the actual questionnaire,
which consisted of two sorts of questions, namely multiple choice questions and
rating questions. Multiple choice questions were used to collect the information
on the organization’s perception of the insider threat landscape, their knowledge
sources, their prioritization of insider threat policy, their experiences with insider
threat and the organizational and individual characteristics of the organization’s
representative. In contrast, each awareness type, as well as the part on behavior, was
questioned by way of statements. The respondent was asked to assess each
individual statement on an 8-point Likert-scale ranging from “totally disagree”
to “totally agree”, with an undecided category (“neither agree nor disagree”) and
a “no opinion” / “I don’t know” / “not applicable” option (de Vaus, 2002). The
selection of the statements for both the cognitive threat awareness type and the
cognitive mitigation awareness type was based upon existing insider threat
literature.
Statements relating to cognitive threat awareness question the
organization’s knowledge of the characteristics of the insider threat problem.
Examples of statements are ‘Each employee poses an insider threat to the
organization to the same extent’ and ‘Former employees can still pose an insider
threat’. The more the respondent agrees with the first statement, the lower the
organization’s cognitive threat awareness. The statement refers to the ‘degree of
insiderness’ (Bishop et al., 2009; Bishop et al., 2010; Probst et al., 2010), which
was elaborated on in chapter two and states that insiders who hold a large
privilege, or a privilege that applies to the most important assets of the
organization, pose a greater threat than insiders who hold a small privilege
or a privilege that applies to less important assets. The more the
respondent agrees with the second statement, the higher the organization’s
cognitive threat awareness. As explained in chapter two, insiders are not only
individuals currently belonging to the organization’s workforce, but are also
individuals that used to be part of personnel and were trusted by the organization
in the past (Krull, 2016; Nurse et al., 2014; Randazzo et al., 2005).
Similarly, statements related to cognitive mitigation awareness measure
the organization’s knowledge of the mitigation of the insider threat. Examples of
statements are ‘If the insider is evaluated as trustworthy during recruitment, the
trustworthiness of the insider does not have to be re-evaluated during his
employment’ and ‘Evaluating trustworthiness during employment is just as
important as evaluating trustworthiness during recruitment’. The more the
respondent agrees with the first statement, the lower the organization’s cognitive
mitigation awareness. Agreement with the statement implies that aftercare, or
evaluating the trustworthiness of insiders during their employment at the
organization, is unnecessary. This overlooks that background checks are only a
snapshot and that the trustworthiness of the insider can change over time (Bunn
& Sagan, 2016; Colwill, 2009; Hegghammer & Hoelstad Daehli, 2016). As
demonstrated in chapter four, aftercare is also a crucial component in the
mitigation of insider threats, given that insiders can be trustworthy when they
join the organization and pass the background check, but become untrustworthy
whilst on the job. The more the respondent agrees with the second statement, the
higher the organization’s cognitive mitigation awareness, since this statement can
be considered the opposite situation of the first statement.
The selection of the statements for both attitudinal threat awareness and
attitudinal mitigation awareness draws upon the attitude model of Zanna and
Rempel (1988), which indicates that attitude is a reflection of what a person
believes, feels, and intends to do⁵⁰. Attitude thus refers to the favorable or
unfavorable appraisal that the organization makes about the particular issue at
stake, whereby the evaluation can be based upon a cognitive, affective and
behavioral component that can separately or combined define the overall
evaluation or attitude. The attitude can be formed through a cognitive component,
referring to the beliefs of the organization about the issue at stake. It is a
comparison of the perceived advantages and disadvantages of the particular issue
that shapes the evaluation (Fishbein & Ajzen, 1975; Khalid & Ramli, 2012; Van
Hiel, 2016). If the advantages outweigh the disadvantages, a positive attitude is
formed, while a negative attitude will be present when the disadvantages exceed
the advantages. Next to the cognitive component, attitude can also be formed on
the basis of the affective component. The affective component signifies the
emotional response to the issue, or the feelings that arise when confronted with
it. A positive attitude will be present when the issue at stake evokes positive
affect, while a negative attitude will be formed when the particular issue induces
negative feelings (Fishbein & Ajzen, 1975; Maio, Olson, Bernard & Luke, 2003;
Van Hiel, 2016; Zanna & Rempel, 1988). Apart from the cognitive and affective
component, the behavioral component indicates that attitude can be based upon
remembrance of past behavior related to the issue. Positive past experiences
correspond with a positive attitude, while negative past experiences relate to a
negative attitude. The experience can be either direct, meaning that the actor
experienced the event themselves, or indirect, meaning that they were informed
about the experience of someone else. The past behavior will subsequently lead
to an intention to behave in a certain way in the future (Maio et al., 2003;
Schermerhorn Jr. et al., 2002; Zanna & Rempel, 1988). To illustrate, Maio et al.
(2003: 289) refer to a person’s attitude toward environmental rallies, indicating
that “people might form a positive attitude toward participating in a rally for the
environment because they enjoy rallies (affective component) and believe that
the rally will help ensure more green spaces (cognitive component). More subtly,
people might decide that they like to participate in the pro-environment rally
because they can recall past occasions wherein they performed
pro-environmental behaviors (behavioral component)”.

⁵⁰ Preference is given to the model of Zanna and Rempel (1988) over the
Knowledge-Attitude-Behavior (KAB) model of information security awareness developed by Kruger and
Kearney (2006) because Zanna and Rempel (1988) focus on past behavior and behavioral
intentions, whereas the KAB model also takes into account the actor’s actual behavior. As
already stated before, it is perceived in this study that behavioral intention is more suitable
than actual behavior in the assessment of attitude and awareness.
The cognitive, affective and behavioral component of Zanna and Rempel
(1988)’s attitude model were used to construct the statements relating to the
attitudinal awareness types. Regarding attitudinal threat awareness, the cognitive
component questions the beliefs of the respondent concerning the insider threat.
An example of a statement with respect to attitudinal threat awareness is ‘Our
organization believes insider threats need more attention in discussions about
safety and security’, which questions the respondent’s perceived significance.
The more the respondent agrees with the statement, the higher the organization’s
perceived significance and the higher the attitudinal threat awareness. The
affective component examines the respondent’s feelings toward insider threat. A
positive feeling corresponds with concern, consideration and attentiveness, while
a negative feeling relates to disregard, minimization and denigration. An
illustration of a statement relating to attitudinal threat awareness is ‘Given that
our organization has no significant conflict with one of its employees, our
organization is not concerned about insider threats’. The more the respondent
agrees with the statement, the more negative the feeling toward insider threats.
In other words, the more the respondent agrees with the statement, the more the
organization denies applicability of insider threats to the own situation, and
therefore the lower the attitudinal threat awareness. The behavioral component
was not used with respect to attitudinal threat awareness.
Regarding attitudinal mitigation awareness, the cognitive component
questions the beliefs of the respondent concerning the prescribed measures to
mitigate insider threats. An example of a statement relating to the cognitive
component is ‘Interviewing employees that leave the organization adds value to
the protection against insider threats’, questioning the organization’s perceived
advantages and disadvantages of exit interviews. The more the respondent agrees
with the statement, the more the organization perceives that the advantages are
higher than the disadvantages and the higher the attitudinal mitigation awareness.
The behavioral component questions the respondent’s behavioral intention to
mitigate insider threats. An example of a statement relating to the behavioral
component is ‘our organization is prepared to investigate each notification of
suspicious behavior’. The more the respondent agrees with the statement, the
higher the organization’s intention to mitigate insider threats and the higher the
attitudinal mitigation awareness. The affective component was not used with
respect to attitudinal mitigation awareness.
Apart from assessing the awareness types, it is also interesting to compare
organizational awareness with the actual behavior of the organization. As a result,
the respondent was also asked to assess statements that measure the actual
behavior of the organization. Examples of statements are ‘Our organization
contacts the references that the future employee provides on his CV’, ‘Our
organization ensures that employees solely have access to the information
needed to perform their job’ and ‘Our organization subjects all employees to the
same trustworthiness evaluation during recruitment’. The more the respondent
agrees with the first statement, the better the organization’s actual behavior to
mitigate insider threats, given that contacting references enhances the adequacy
of background checks (BaMaung et al., 2018; Mehan, 2016). The more the
respondent agrees with the second statement, the better the organization’s actual
behavior to mitigate insider threats, as the principle of least privilege reduces the
opportunity to misuse sensitive information (Cole & Ring, 2006; Gelles, 2016;
Sarkar, 2010). The more the respondent agrees with the third statement, the worse
the organization’s actual behavior, as it disregards the previously mentioned
‘degree of insiderness’ (Bishop et al., 2009; Bishop et al., 2010; Probst et al.,
2010). An overview of the full questionnaire (in English) can be found in annex
A.
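A scoring sketch for the statement-based part of the questionnaire described above, added here as an example and not taken from the dissertation or its annex. The numeric coding (1 to 7, with the “no opinion” option treated as missing), the averaging per awareness type, the 0.8 target level and the sample respondent are assumptions; the statements and their direction (whether agreement raises or lowers the score) follow the text.

```python
"""Added example: score statement responses per awareness type (scoring scheme assumed)."""
from statistics import mean

# Assumed coding of the answer scale: 1 = "totally disagree" ... 7 = "totally agree"
# (4 = "neither agree nor disagree"); None = "no opinion / I don't know / not applicable".
SCALE_MIN, SCALE_MAX = 1, 7

# item id -> (category, statement from the text (shortened), reverse-keyed?)
# reverse-keyed is True where the text says agreement LOWERS awareness or behavior.
ITEMS = {
    "ct1": ("cognitive_threat", "Each employee poses an insider threat to the same extent", True),
    "ct2": ("cognitive_threat", "Former employees can still pose an insider threat", False),
    "cm1": ("cognitive_mitigation", "Trustworthy at recruitment, so no re-evaluation needed", True),
    "cm2": ("cognitive_mitigation", "Evaluation during employment is just as important", False),
    "at1": ("attitudinal_threat", "Insider threats need more attention in discussions", False),
    "at2": ("attitudinal_threat", "No significant conflict, so not concerned", True),
    "am1": ("attitudinal_mitigation", "Exit interviews add value to the protection", False),
    "am2": ("attitudinal_mitigation", "Prepared to investigate each notification", False),
    "b1": ("behavior", "Contacts the references provided on the CV", False),
    "b2": ("behavior", "Access limited to information needed for the job", False),
    "b3": ("behavior", "Same trustworthiness evaluation for all employees", True),
}

AWARENESS_TYPES = ("cognitive_threat", "attitudinal_threat",
                   "cognitive_mitigation", "attitudinal_mitigation")

# Assumed expected awareness level (0..1) per awareness type.
EXPECTED = {awareness_type: 0.8 for awareness_type in AWARENESS_TYPES}

# Constructed sample respondent (not survey data); am1 was answered "no opinion".
SAMPLE = {"ct1": 6, "ct2": 7, "cm1": 2, "cm2": 6, "at1": 5, "at2": 5,
          "am1": None, "am2": 6, "b1": 7, "b2": 4, "b3": 6}


def normalize(value, reverse):
    """Map a 1..7 answer to 0..1, flipping reverse-keyed statements."""
    valid = isinstance(value, int) and not isinstance(value, bool)
    if not valid or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"answer out of range: {value!r}")
    score = (value - SCALE_MIN) / (SCALE_MAX - SCALE_MIN)
    return 1.0 - score if reverse else score


def score_respondent(answers):
    """Return {category: mean normalized score, or None when every item is missing}."""
    unknown = set(answers) - set(ITEMS)
    if unknown:
        raise KeyError(f"unknown item ids: {sorted(unknown)}")
    per_category = {category: [] for category, _, _ in ITEMS.values()}
    for item_id, (category, _, reverse) in ITEMS.items():
        value = answers.get(item_id)
        if value is None:
            # "No opinion" or unanswered: excluded rather than counted as neutral.
            continue
        per_category[category].append(normalize(value, reverse))
    return {category: (mean(values) if values else None)
            for category, values in per_category.items()}


def awareness_gaps(scores, expected):
    """Expected minus actual awareness per type: 0.0 if target met, None if unknown."""
    gaps = {}
    for awareness_type, target in expected.items():
        actual = scores.get(awareness_type)
        gaps[awareness_type] = None if actual is None else max(0.0, target - actual)
    return gaps


if __name__ == "__main__":
    sample_scores = score_respondent(SAMPLE)
    for category, value in sample_scores.items():
        print(f"{category:24s} {value:.2f}")
    print("gaps:", awareness_gaps(sample_scores, EXPECTED))
```

Keeping behavior as a separate category rather than folding it into an awareness score reflects the distinction the chapter draws between awareness and actual behavior.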
6.2.4. Data collection

Regarding data collection, the initial goal was to reach a multitude of
organizations that are as wide and as varied as possible. I worked together with
the Federation of Belgian Enterprises (FEB) to distribute the questionnaire via its
newsletter of November 2020. In this way, I hoped to reach as many of its
members as possible. Moreover, I consulted the network of G4S, one of the
sponsors of the overarching research project, and shared a post with my
professional network on LinkedIn. Unfortunately, the response rate following
these channels of distribution was extremely low, with only 35 valid responses.
A possible explanation for this low response rate is that less security-oriented
organizations are not eager to talk about these issues, even in an anonymous way.
In any case, the (too) low response rate implied that I had to find other ways to
collect relevant data.
In an attempt to increase the response rate, I changed tactics from
surveying a population of organizations as wide as possible to organizations of
which it could be assumed that they are (or at least should be) aware of (and
interested in) security-related issues like the insider threat problem. As a result, I
cooperated with the NSA, which communicated the online questionnaire in July
2021 to approximately 1.500 security officers[51] of Belgian entities, resulting in a
total of 315 valid responses (response rate of 21%). In the remainder of the report,
I will only elaborate on the results of the survey distributed via the NSA.

[51] On the website of the NSA it is stated that “any company or administration with access needed
to classified information is required to appoint a security officer. The security officer is the
only official contact for communications between the National Security Authority and its
customers” (see https://www.nvoans.be/en/private-companies/security-officer). Security
officers are in the possession of a security clearance, or have almost completed the procedure to
obtain one, whereby “a security clearance is necessary for anyone who for professional
reasons needs access to classified information. Without a security clearance it is illegal to
access, process, or handle classified information” (see
https://www.nvoans.be/en/general-information/what-difference-between-security-clearance-security-certificate-or-security).

|  |  |  | N | % |
|---|---|---|---|---|
| Organizational characteristics | Sectoral federation FEB | Association of Consulting Engineering, Engineering and Consultancy Firms (ORI) | 42 | 16,03% |
|  |  | Belgian Confederation of Motor Vehicle Dealers, Repairers and Operators in Related Sectors (TRAXIO) | 6 | 2,29% |
|  |  | Belgian Financial Sector Federation (FEBELFIN) | 1 | 0,38% |
|  |  | Belgian Precast Concrete Federation (FEBE) | 1 | 0,38% |
|  |  | Security firms (APEG/BVBO) | 7 | 2,67% |
|  |  | Construction (CONFEDERATIE BOUW) | 35 | 13,36% |
|  |  | Belgian Federation for Chemistry and Life Sciences Industries (ESSENSCIA) | 8 | 3,05% |
|  |  | Waste and recycling sector (DENUO) | 2 | 0,76% |
|  |  | Miscellaneous Activities (MISCELLANEOUS ACTIVITIES GROUP) | 17 | 6,49% |
|  |  | Energy: electricity and gas companies (FEBEG) | 5 | 1,91% |
|  |  | Energy: electricity and gas network operators (SYNERGRID) | 2 | 0,76% |
|  |  | Commerce and services (COMEOS) | 8 | 3,05% |
|  |  | HR services (FEDERGON) | 5 | 1,91% |
|  |  | Steel industry (GSV) | 3 | 1,15% |
|  |  | Cleaning industry (UGBN/ABSU) | 6 | 2,29% |
|  |  | Social Secretariats (USS) | 1 | 0,38% |
|  |  | Technology industry (AGORIA) | 97 | 37,02% |
|  |  | Transport: logistic service providers (FEBETRA) | 12 | 4,58% |
|  |  | Transport: international trade (FEDERATION OF EMPLOYERS IN INTERNATIONAL TRADE, TRANSPORT AND LOGISTICS) | 2 | 0,76% |
|  |  | Insurance Companies (ASSURALIA) | 1 | 0,38% |
|  |  | Food Industry Federation (FEVIA) | 1 | 0,38% |
|  |  | Total | 262 | 100,00% |
|  | Annual turnover | Less or equal to 2 million | 89 | 29,37% |
|  |  | 2.01 million - 10 million | 64 | 21,12% |
|  |  | 10.01 million - 50 million | 65 | 21,45% |
|  |  | More than 50 million | 85 | 28,05% |
|  |  | Total | 303 | 100% |
|  | Number of employees (FTE) | Less than 10 | 79 | 25,08% |
|  |  | 10-49 | 64 | 20,32% |
|  |  | 50-249 | 75 | 23,81% |
|  |  | 250 or more | 97 | 30,79% |
|  |  | Total | 315 | 100% |
|  | Headquarters | Flanders | 166 | 52,70% |
|  |  | Wallonia | 64 | 20,32% |
|  |  | Brussels Capital Region | 85 | 26,98% |
|  |  | Total | 315 | 100% |
|  | Belong to a group | Yes | 156 | 49,68% |
|  |  | No | 158 | 50,32% |
|  |  | Total | 314 | 100% |
|  | Operate internationally | Yes | 226 | 71,75% |
|  |  | No | 89 | 28,25% |
|  |  | Total | 315 | 100% |
|  | Person responsible for security | Works fulltime on security | 41 | 13,02% |
|  |  | Combines security with other tasks within the organization | 196 | 62,22% |
|  |  | Our organization does not have a person explicitly responsible for security | 68 | 21,59% |
|  |  | I don’t know | 10 | 3,17% |
|  |  | Total | 315 | 100% |
| Individual characteristics | Sex | Male | 251 | 79,68% |
|  |  | Female | 62 | 19,68% |
|  |  | X | 2 | 0,63% |
|  |  | Total | 315 | 100% |
|  | Number of years active in organization | Less than 2 | 16 | 5,08% |
|  |  | 2-5 years | 67 | 21,27% |
|  |  | 6-10 years | 48 | 15,24% |
|  |  | More than 10 years | 184 | 58,41% |
|  |  | Total | 315 | 100% |
|  | Number of years active in sector organization belongs to | Less than 2 | 4 | 1,27% |
|  |  | 2-5 years | 33 | 10,48% |
|  |  | 6-10 years | 36 | 11,43% |
|  |  | More than 10 years | 242 | 76,83% |
|  |  | Total | 315 | 100% |
|  | Function | Employee | 78 | 24,76% |
|  |  | Executive | 83 | 26,35% |
|  |  | Management | 136 | 43,17% |
|  |  | Other | 18 | 5,71% |
|  |  | Total | 315 | 100% |
|  | Security clearance | Yes | 289 | 91,75% |
|  |  | No | 26 | 8,25% |
|  |  | Total | 315 | 100% |

Table 6.1: Profile of the respondents

Table 6.1 gives an overview of the profile of the respondents, referring to
both organizational characteristics as well as individual ones. Concerning the
organizational factors, the majority of the respondents belongs to the technology
industry. Also consulting engineering and construction count a relatively large
number of respondents. The remainder of the respondents originate from a
variety of sectors, including critical infrastructure sectors like energy and
transport. A relatively large number of respondents (n=53; 17%) did not answer
this question, for instance because they belong to the public sector. Building on
the European Commission’s (2015) definition of Small and Medium Enterprises
(SME), a combination of the annual turnover and the number of employees (FTE)
enabled me to divide the respondents that answered both questions (N=303) into
four groups with respect to organizational size, as illustrated in table 6.2: micro,
small, medium and large enterprises. Of these respondents, most represent large
enterprises, while least represented are small enterprises, with micro and medium
enterprises almost equally represented. The headquarters of more than half of the
respondents is situated in Flanders, being almost double the number of
representatives from the organizations situated in the Brussels Capital Region
and more than 2.5 times the number of representatives from Wallonian
organizations. Approximately half of the respondents represents an organization
that belongs to a company group, with the other half not having a parent or
subsidiary relationship with another company. Almost three quarters of the
respondents are representatives from organizations that operate on an
international level, while the remaining quarter sticks to the Belgian market. To
conclude, 13% of the respondents indicates that their person responsible for
security works full-time on security, whereas more than 20% of the respondents
indicates that their organization has no person explicitly responsible for security.
The majority of the respondents indicates the golden mean between the two,
representing an organization where the person responsible for security combines
security with other tasks within the organization.
| Organization size | Definition (European Commission: 2015, 11) | N | % |
|---|---|---|---|
| Micro | a) Annual turnover ≤ 2 million AND b) Number of employees < 10 | 75 | 24,75% |
| Small | c) Annual turnover ≤ 10 million AND d) Number of employees < 50 | 52 | 17.16% |
| Medium | e) Annual turnover ≤ 50 million AND f) Number of employees < 250 | 69 | 22.77% |
| Large | g) Annual turnover > 50 million OR h) Number of employees >250 | 107 | 35.31% |
| Total |  | 303 | 100,00% |
Table 6.2: Division of respondents according to organization size

Concerning the individual factors, the breakdown of the respondents by
sex reveals a considerable imbalance with almost 80% of male respondents. With
respect to experience in their organization and the sector their organization
belongs to, the majority of the respondents has more than 10 years of experience,
with only a small number of respondents having less than two years of
experience. The majority of the respondents occupies a management function in
their organization, while a quarter holds a position as employee or executive. To
conclude, more than 90% of the respondents has a security clearance, as expected
from security officers[52].
6.3. Results
The results of the study are outlined below. Throughout the study, N will
be systematically used to refer to the total number of respondents that answered
the question, while n will be systematically used to refer to the number of
respondents that went for a particular answer. For the awareness types, as well as
the part on behavior, each statement is illustrated with a bar chart that for each
possible option on the Likert-scale shows the number of respondents that
answered that particular option. Moreover, a summary table displays the
percentage of respondents that agreed, disagreed or neither disagreed nor agreed
with the statements, as well as missing data. Respondents that somewhat agreed,
agreed or totally agreed with the statement were compiled in an overarching
agreement category, while the respondents that somewhat disagreed, disagreed
or totally disagreed with the statement were compiled in an overarching
disagreement category. Respondents answering the “no opinion, I don’t know or
not applicable” option were considered missing data. For each statement the
number of respondents that went for the “no opinion, I don’t know or not
applicable” option is shown in the last column of the table, with the number of
missing values relative to the total number of respondents that answered the
statement between brackets.

[52] Remember that the questionnaire was distributed among security officers that are either in the
possession of a security clearance or have almost completed the procedure to obtain one. The
latter explains the small number of respondents not (yet) having a security clearance.

Each summary table represents valid percentages. This implies that the
percentage of for instance the agreement category represents the total number of
respondents that somewhat agreed, agreed or totally agreed relative to the number
of respondents that gave a valid answer, excluding missing values. To give a
concrete example: table 6.3 shows that of the total number of 315 respondents
(N) that answered statement one, three respondents (n) went for the option “no
opinion, I don’t know or not applicable” and were therefore considered missing
data for this particular statement. Figure 6.7 demonstrates that 36 respondents
somewhat agreed, 46 respondents agreed and 28 respondents totally agreed with
statement one, implying a total of 110 respondents in the overarching agreement
category. To calculate the percentages of the overarching agreement category
concerning statement one, the total number of respondents that somewhat agreed,
agreed or totally agreed with statement one (110) was not divided by the total
number of respondents (315), but by the total number of respondents minus the
number of missing values for this statement (315-3). Dividing 110 by 312 gets
35.26%, as displayed in table 6.3. The same principle applies to calculate the
percentages of the overarching disagreement category and the neither disagree
nor agree category for statement one, as well as to all other statements of each
awareness type and the statements concerning behavior. The results of the
multiple choice questions are illustrated via a table, a figure or both.

6.3.1. Cognitive threat awareness

Cognitive threat awareness relates to the knowledge the respondent has
about the characteristics of the insider threat. Table 6.3 gives an overview of the
statements respondents were asked to rate, simultaneously indicating which
response was interpreted as the correct response (the a or b between brackets).
For statements one, two, four and five, based on the insider threat literature I
expected a rating of “somewhat disagree”, “disagree” or “totally disagree”, while
the opposite was true for statements three, six and seven, where I expected a
rating of “somewhat agree”, “agree” or “totally agree”.
| Statement | % of agreement* (% of N minus missing values) | % of disagreement** (% of N minus missing values) | % of neither disagree nor agree (% of N minus missing values) | Missing values*** (% of N) |
|---|---|---|---|---|
| 1. Each employee of the organization poses an insider threat of a similar size. (b) | 35,26% | 59,62% | 5,13% | 3 (0,95%) |
| 2. Temporary employees who do not have a permanent employment contract (consultants, working students, agency workers, interns, …) cannot pose an insider threat. (b) | 4,18% | 93,89% | 1,93% | 4 (1,27%) |
| 3. Former employees can still pose an insider threat after their employment. (a) | 83,65% | 13,14% | 3,21% | 3 (0,95%) |
| 4. An insider threat can only be called such if the employee commits a crime (theft, fraud, …). (b) | 14,01% | 81,21% | 4,78% | 1 (0,32%) |
| 5. The insider threat problem is only applicable to large enterprises, not to SME’s. (b) | 1,29% | 98,39% | 0,32% | 4 (1,27%) |
| 6. An insider threat might endanger the survival of the organization. (a) | 87,74% | 8,71% | 3,55% | 5 (1,59%) |
| 7. A consultant who has access to sensitive information of the organization poses a potential insider threat. (a) | 84,98% | 8,95% | 6,07% | 2 (0,63%) |

*: agreement = “somewhat agree”, “agree” or “totally agree”
**: disagreement = “somewhat disagree”, “disagree” or “totally disagree”
***: missing value = “no opinion, I don’t know or not applicable”
a: correct answer = agreement
b: correct answer = disagreement

Table 6.3: Statements with respect to cognitive threat awareness (N=315)

On the one hand, table 6.3 shows that for six out of seven statements, more
than 80% of the respondents gave the answer that was expected based on the
literature, thereby indicating high cognitive awareness of the insider threat. In
other words, the large majority of organizations knows (statement two) that
temporary insiders can pose an insider threat[53] (Bunn & Sagan, 2016; Noonan,
2018; Nurse et al., 2014); (statement three) that insiders that used to be part of
the labor pool and were trusted by the organization in the past can still pose an
insider threat if they are still able to misuse their privileged access to the
organizational assets[54] (Krull, 2016; Nurse et al., 2014; Randazzo et al., 2005);
(statement four) that not every insider threat activity is equivalent to a criminal
offence[55] (Bunn & Sagan, 2016; Cools, 1994; Wall, 2013); (statement five) that
the insider threat applies to every organization (Cole & Ring, 2006; Gelles, 2016;
Sarkar, 2010) including SME[56]; (statement six) that it is possible that the impact
of the insider threat is so severe that it puts the survival of the organization at risk
if it is targeted at the critical assets of the organization (Bishop et al., 2009;
Gelles, 2016)[57] and (statement seven) that consultants who come into contact
with organizational assets pose a potential insider threat[58] (Colwill, 2009; Gelles,
2016; Nurse et al., 2014). Graphically, figures 6.1 to 6.6 demonstrate the same
conclusions, given that the results of the figures corresponding with statements
where disagreement is considered to be the correct answer (figures 6.1, 6.3 and
6.4) are skewed to the left (disagreement categories), while the results of the
figures corresponding with statements where agreement is considered to be the
correct answer (figures 6.2, 6.5 and 6.6) are skewed to the right (agreement
categories).

[53] An example is the 15-year-old student that stole a car during his internship (Het Nieuwsblad,
11/12/2019).
[54] An example is the employee of a company in Louvain who after his dismissal kept the remote
control of the gate and subsequently stole equipment with a value of almost 600.000 euros
(Het Laatste Nieuws, 04/03/2019).
[55] Think for instance of socially engineered insiders that are manipulated by external parties into
giving access to the organizational assets (Wall, 2013). An example is the phished
employee of Bol.com who received a questionable email full of spelling errors that
requested payment of 750.000 euros to a new bank account, after which the employee
transferred the money without checking the authenticity of the email (Heylen, 2021a).
[56] An example is an employee of a bakery that stole money from the vending machines (Het
Laatste Nieuws, 30/01/2018) or an employee of jewelry Orologio in Knokke who
systematically stole from her employer (Het Laatste Nieuws, 14/09/2018).
[57] An example is the case of the employee of American Superconductor who stole a crucial
software program and passed it on to the organization’s main consumer Sinovel Wind
Group, who subsequently refrained from using American Superconductor’s services. The
theft of intellectual property and the resulting decrease in sales put the organization on the
brink of insolvency (US NITTF, 2016).
[58] An example is Aaron Alexis, who during his employment at the Washington Navy Yard
murdered 12 colleagues. Alexis did not work on a permanent basis for the Navy, but was
instead outsourced to the Navy by one of its prime contractors (Gelles, 2016; Shaw &
Sellers, 2015).

Figure 6.1: Cognitive threat awareness – statement 2

Figure 6.2: Cognitive threat awareness – statement 3

Figure 6.3: Cognitive threat awareness – statement 4

Figure 6.4: Cognitive threat awareness – statement 5

Figure 6.5: Cognitive threat awareness – statement 6

Figure 6.6: Cognitive threat awareness – statement 7

On the other hand, the results of the first statement in table 6.3 indicate
that less than 60% (n=186, figure 6.7) of the respondents is familiar (enough)
with what insider threat literature denotes the degree of insiderness[59] (see chapter
two) (Bishop et al., 2009; Bishop et al., 2010; Probst et al., 2010). The more the
respondent agrees with statement one, the lower the cognitive threat awareness.
As shown in figure 6.7, 110 respondents (35.26%) disregard the ‘degree of
insiderness’ as they “somewhat agree” (n=36), “agree” (n=46) or “totally agree”
(n=28) with the statement that “each employee of the organization poses an
insider threat of a similar size”.

Figure 6.7: Cognitive threat awareness – statement 1

[59] To recapitulate, the degree of insiderness (Bishop et al., 2009; Bishop et al., 2010; Probst et
al., 2010) implies that the group of insiders should be viewed as a continuum of insiders
that can be sorted on the basis of the scope and application area of the granted privilege to
the organizational assets. Insiders whose privilege consists of a large privilege (i.e. large
amount of access to the organizational assets), or a privilege that applies to the most
important assets of the organization, pose a different (i.e. greater) threat than insiders whose
privilege corresponds with a small privilege (i.e. small amount of access to the
organizational assets) or a privilege that applies to less important assets.

6.3.2. Attitudinal threat awareness

Attitudinal threat awareness relates to the respondent’s attitude toward
the insider threat, or their stance on whether the insider threat problem is
significant and applicable to their organization. Table 6.4 indicates that if the
respondent considers insider threats as a significant problem that is applicable to
the organization, the respondent is believed to have a positive attitude toward the
insider threat. Conversely, if the respondent trivializes the insider threat problem,
thereby not considering insider threats as a significant problem and/or not
acknowledging that the problem is applicable to their organization, the
respondent is believed to have a negative attitude toward the threat.
| Positive attitude | The respondent considers insider threats as a significant problem that is applicable to the organization. |
| Negative attitude | The respondent trivializes the insider threat problem, thereby not considering insider threats as a significant problem and/or not acknowledging that the problem is applicable to the organization. |
Table 6.4: Positive vs. negative attitude toward the insider threat problem

Table 6.5 gives an overview of the statements respondents were asked to
rate. While statements one and two give an indication of the respondent’s vision
on significance of the insider threat, statements three to six give an indication of
the respondent’s vision on applicability of the insider threat to their organization.
Statements were framed both in positive and negative ways. Agreement with
positively framed statements (one, two, four and six) indicates a more positive
attitude toward the insider threat and therefore a higher attitudinal threat
awareness, while disagreement with positively framed statements indicates a more
negative attitude toward the insider threat and therefore a lower attitudinal
awareness of the insider threat problem. The opposite is true for the negatively
framed statements (three and five).

| Statement | % of agreement* (% of N minus missing values) | % of disagreement** (% of N minus missing values) | % of neither disagree nor agree (% of N minus missing values) | Missing values*** (% of N) |
|---|---|---|---|---|
| 1. The insider threat problem deserves more attention in discussions on safety and security (+) | 85,30% | 3,19% | 11,50% | 2 (0,63%) |
| 2. A distinction should be made between insider threats and external threats. (+) | 85,26% | 8,01% | 6,73% | 3 (0,95%) |
| 3. Given that our organization trusts its employees, the insider threat problem is not applicable to our organization. (-) | 6,21% | 86,93% | 6,86% | 9 (2,86%) |
| 4. Our organization is worried that one of its employees will wittingly misuse his access to the organizational assets. (+) | 55,63% | 28,48% | 15,89% | 13 (4,13%) |
| 5. Given that our organization has no significant conflict with one of its employees, our organization is not concerned about insider threats. (-) | 17,22% | 74,50% | 8,28% | 13 (4,13%) |
| 6. Employees who have access to the organizational assets are considered a potential insider threat. (+) | 52,30% | 24,01% | 23,68% | 11 (3,49%) |

*: agreement = “somewhat agree”, “agree” or “totally agree”
**: disagreement = “somewhat disagree”, “disagree” or “totally disagree”
***: missing value = “no opinion, I don’t know or not applicable”
(+): The more the respondent agrees (disagrees) with the statement, the more positive (negative)
the respondent’s attitude toward the insider threat and the higher (lower) the attitudinal insider
threat awareness.
(-): The more the respondent agrees (disagrees) with the statement, the more negative (positive)
the respondent’s attitude toward the insider threat and the lower (higher) the attitudinal insider
threat awareness.

Table 6.5: Statements with respect to attitudinal threat awareness (N = 315)

Table 6.5 shows that the majority of the respondents considers the insider
threat a significant problem, given that 85,26% of the respondents (n=266, figure
6.8) insists on a separation between insider threats and outsider threats. The same
goes for the attention paid to the insider threat problem in discussions on safety
and security, as 85,30% of the respondents (n=267, figure 6.9) urges to put the
insider threat problem higher on the security agenda.

Figure 6.8: Attitudinal threat awareness – statement 2

Figure 6.9: Attitudinal threat awareness – statement 1

With respect to the respondents’ stance on applicability of the insider
threat to their organization, the majority of respondents acknowledges that their
organization is susceptible to insider threats. Nevertheless, the results also
indicate that a considerable part of respondents shows signs of Bunn and Sagan’s
(2016) NIMO bias (see supra). With respect to the negatively framed statements,
6,21% of the respondents (n=19, figure 6.10) declares that their confidence in the
trustworthiness of their employees eliminates the possibility of insider threats to the
organization, while 17,22% of the respondents (n=52, figure 6.11) believes that
absence of significant conflicts between employer and employee makes the
insider threat problem not applicable to their organization. Concerning the
positively framed statements, 28,48% (n=86, figure 6.12) is not worried that one
of their employees will wittingly misuse their access to the organizational assets,
while 24,01% (n=73, figure 6.13) of the respondents does not consider employees
who have access to the organizational assets a potential insider threat.

Figure 6.10: Attitudinal threat awareness – statement 3

Figure 6.11: Attitudinal threat awareness – statement 5

Figure 6.12: Attitudinal threat awareness – statement 4

Figure 6.13: Attitudinal threat awareness – statement 6

The attitude of some respondents seems to depend a bit on the way the
statement is framed, as the number of respondents that disagrees with negatively
framed statements (three & five) that suggest non-applicability of the insider
threat to the own organization is much higher than the number of respondents
that agrees with positively framed statements (four & six) that suggest concern
about insider threats. While 86,93% of the respondents believes that trust in
employees is not sufficient to disregard insider threats and 74,50% of the
respondents perceives that the organization is still vulnerable to insider threats in
the absence of significant employee-employer conflict, the number of
respondents that admit that they consider employees with access to the
organizational assets as a potential insider threat or declare to be worried about
witting misuse of insider access is considerably lower, with 52,30% of the
respondents agreeing with the former statement and 55,63% of the respondents
agreeing with the latter statement (table 6.5). Also graphically the difference
between negatively framed statements and positively framed statements is
noticeable, as the former are more skewed to the left (figure 6.10 and 6.11) while
the latter are more bell-shaped (figure 6.12 and 6.13). Respondents thus seem
more eager to refute negatively framed statements that advocate the organization
is not prone to insider threats than to confirm positively framed statements that
express worry about the organization’s susceptibility to the insider threat
problem. A possible explanation is that the positively framed statements contain
stronger words like ‘worried’ or ‘consider a potential insider threat’, which might
be interpreted in the wrong way by the own workforce or labor unions.
Organizations acknowledge their vulnerability to insider threats, but might be
more careful with these more ‘aggressive’ statements.

6.3.3. Cognitive mitigation awareness

Cognitive mitigation awareness relates to the knowledge the respondent
possesses about insider threat mitigation. Table 6.6 gives an overview of the
statements respondents were asked to rate, simultaneously indicating which
response was interpreted as the correct response (a or b between brackets). Based
on insider threat literature, a rating of “somewhat disagree”, “disagree” or “totally
disagree” was expected for statements one, two, six and eight, while the opposite
was true for statements three, four, five and seven, where a rating of “somewhat
agree”, “agree” or “totally agree” was expected.
| Statement | % of agreement* (% of N minus missing values) | % of disagreement** (% of N minus missing values) | % of neither disagree nor agree (% of N minus missing values) | Missing values*** (% of N) |
|---|---|---|---|---|
| 1. Measures taken to protect the organization from external threats are sufficient to protect the organization from insider threats. (b) | 13,55% | 79,03% | 7,42% | 5 (1,59%) |
| 2. If an employee is judged trustworthy during the recruitment process, the trustworthiness of that employee should not be re-evaluated during employment. (b) | 3,86% | 91,64% | 4,50% | 4 (1,27%) |
| 3. The trustworthiness evaluation should be proportionate to the extent to which the employee has access to the organizational assets (= more access/knowledge means more strict trustworthiness evaluation). (a) | 79,94% | 14,89% | 5,18% | 6 (1,90%) |
| 4. Evaluating trustworthiness during employment is just as important as evaluating trustworthiness during recruitment. (a) | 88,67% | 7,12% | 4,21% | 6 (1,90%) |
| 5. Employees who suddenly exhibit a remarkable change to their normal behavior (like odd working hours, or sudden unexplained wealth), should be extra monitored by the organization. (a) | 83,87% | 6,45% | 9,68% | 5 (1,59%) |
| 6. An employee that in good faith reports suspicious behavior of a colleague, should be sanctioned if the investigation reveals that the reported employee has done nothing wrong. (b) | 2,60% | 89,61% | 7,79% | 7 (2,22%) |
| 7. The network account (login & password) of employees that leave the organization should immediately be made inaccessible. (a) | 97,39% | 1,63% | 0,98% | 8 (2,54%) |
| 8. Protecting the organization from insider threats is the sole responsibility of employees that are involved with security. (b) | 5,75% | 90,10% | 4,15% | 2 (0,63%) |

*: agreement = “somewhat agree”, “agree” or “totally agree”
**: disagreement = “somewhat disagree”, “disagree” or “totally disagree”
***: missing value = “no opinion, I don’t know or not applicable”
a: correct answer = agreement
b: correct answer = disagreement

Table 6.6: Statements with respect to cognitive mitigation awareness (N=315)

Table 6.6 shows that the majority of respondents displays high cognitive
mitigation awareness with respect to so-called aftercare, which according to the
literature is a crucial component in the mitigation of insider threats (Bunn &
Sagan, 2016; Colwill, 2009; Hegghammer & Hoelstad Daehli, 2016). More
specifically, 88,67% of the respondents (n=274, figure 6.14) rightly believes that
evaluating trustworthiness during employment is just as important as evaluating
trustworthiness during recruitment, thereby understanding that insider threat
mitigation is more than performing pre-employment screenings. Since
background checks are only a snapshot and the trustworthiness of the employee
can change over time, it is important to keep evaluating the trustworthiness of the
employee during employment. 91,64% of the respondents (n=285, figure 6.15)
acknowledge this, given that they refute the idea that employees that were judged
trustworthy during recruitment should be exempted from re-evaluation during
employment.

Figure 6.14: Cognitive mitigation awareness – statement 4

Figure 6.15: Cognitive mitigation awareness – statement 2

Furthermore, table 6.6 shows that 83,87% of the respondents (n=260,
figure 6.16) understands that detecting changes to the employee’s normal
behavior pattern forms the basis of insider threat mitigation. According to the
literature, a good measure to mitigate insider threats is to keep a closer eye on
these employees, given that many insiders exhibit changes in behavior prior to
their decision to commit intentional misconduct (BaMaung et al., 2018; Gelles,
2016; Shaw & Sellers, 2015). Although not every employee that shows
behavioral change, like odd working hours or sudden unexplained wealth, will
commit intentional misconduct, it is recommended to remain vigilant for
employees that deviate from their normal or baseline behavior to increase the
odds of detecting signals of inferior trustworthiness (so-called ‘red flags’) (Costa,
Collins, Perl, Albrethsen, Silowash & Spooner, 2014; Gelles, 2016; Greitzer et
al., 2012; Greitzer et al., 2016; Ho et al., 2018).

Figure 6.16: Cognitive mitigation awareness – statement 5

Moreover, it can be deduced from table 6.6 that 90,10% of the
respondents (n=282, figure 6.17) rightly refuses to put the responsibility of
insider threat mitigation solely on employees that within the organization are
involved with security. Agreement with the statement would overlook the role of
other important stakeholders in insider threat mitigation. On the one hand, Gelles
(2016: 17) indicates that “it is critical today that leaders demonstrate a
commitment to an insider threat program”. Buy-in from executives and (senior)
management who set the tone for the rest of the organization is vital for adequate
insider threat mitigation. If these stakeholders perceive insider threat mitigation
as trivial, it will be reflected throughout the rest of the organization. Therefore,
from the literature we know that commitment from executives and (senior)
management, who ‘lead by example’, is critical in order to introduce a successful
insider threat mitigation program (Mehan, 2016; Thompson & Friedlander, 2016;
United Kingdom Centre for the Protection of National Infrastructure[60], 2011).

Figure 6.17: Cognitive mitigation awareness – statement 8

On the other hand, Cole and Ring (2006: 30) stipulate that “firefighters
are responsible for putting out the fires not for detecting the fires. The population
is responsible for detecting the fires and calling them in so the experts can do
their jobs”. Likewise, responsibility to detect insider threats lies not solely with
the security department. From the literature we know that the entire workforce
bears responsibility for the mitigation of insider threats (Gelles, 2016; Thompson,
2018). Employees play a key role in observing changes in behavior, as they
function as the eyes and ears of the organization and are considered the
organization’s first line of defense against insider threats. Literature therefore
suggests that creating an effective reporting culture where employees are given
the opportunity to report behavioral changes they notice, or report conduct they
find suspicious, is an important aspect of insider threat mitigation (Bell et al.,
2019; Nitsch, Baetz and Hughes, 2005; Murphy, 2019; Reason, 1998; UK CPNI,
2011). In this regard, it is reassuring to see in table 6.6 that 89,61% of the
respondents (n=276, figure 6.18) would not punish employees that speak up in
good faith about behavioral changes that turn out to be innocent.

[60] Hereafter referred to as UK CPNI

Figure 6.18: Cognitive mitigation awareness – statement 6

Even more reassuring is that 97,39% of the respondents (n=299; figure
6.19) realizes that making sure that employees that have left the organization and
that no longer need access to the organizational assets are unable to use their
network account is important. As already discussed with respect to statement
three of the cognitive threat awareness section, former employees that still have
access to the organizational assets might still pose a threat to the organization.
Therefore, according to insider threat literature, applying proper exit procedures,
like the immediate closure of network accounts related to departing employees,
is pivotal in insider threat mitigation (Beattie & BaMaung, 2015; Elifoglu et al.,
2018; Power & Forte, 2006; UK CPNI, 2019).

Figure 6.19: Cognitive mitigation awareness – statement 7

The least reassuring are the results shown in table 6.6 that correspond
with statement one and statement three, even though in both cases the majority
still gave the correct answer. Concerning statement one, more than 10% of the
respondents (n=42, figure 6.20) believes that measures taken to protect the
organization from external threats are sufficient to protect the organization from
insider threats. However, from the literature we know that the majority of
protection measures against external threats, like access badges and password
protection, do not adequately protect against insider threats given that insiders
are trusted with badges and passwords (Cole & Ring, 2006; Colwill, 2009;
Sarkar, 2010). In other words, the idea of the protection measures against external
threats is to build a security perimeter around the organizational assets that
unauthorized outsiders cannot enter. Given that insiders are allowed by the
organization to enter this security perimeter, these measures do not suffice to
mitigate insider threats. The more the respondent agrees with the statement, the
lower the cognitive mitigation awareness of the organization.

Figure 6.20: Cognitive mitigation awareness – statement 1

Concerning statement three, almost 15% of the respondents (n=46, figure
6.21) thinks it is not necessary to relate the rigor of the trustworthiness evaluation
to the extent to which the employee has access to the organizational assets. This
again refers to the degree of insiderness, which was already elaborated on a few
times in this dissertation. Here, the statement urges to take into account the degree
of insiderness when allocating the limited budgetary resources for
trustworthiness evaluation in order to optimize efficiency. The more the
respondent disagrees with the statement, the lower the cognitive mitigation
awareness of the organization.

Figure 6.21: Cognitive mitigation awareness – statement 3

6.3.4. Attitudinal mitigation awareness

Attitudinal mitigation awareness relates to the respondent’s attitude
toward the mitigation of the threat, or their vision on the significance of
mitigating the threat, their evaluation of the measures that are prescribed in
literature as adequate to mitigate it and their motivation to apply these mitigation
measures. Table 6.7 indicates that if the respondent perceives the mitigation of
insider threats as necessary, acknowledges the usefulness of the prescribed
countermeasures and is willing to contribute to the implementation of these
measures, the respondent is believed to have a positive attitude toward insider
threat mitigation. Conversely, if the respondent regards insider threat mitigation
as non-urgent, questions the appropriateness of the prescribed countermeasures
and lacks motivation to contribute to the mitigation of insider threats, the
respondent is believed to have a negative attitude toward insider threat
mitigation.

Positive attitude: A positive attitude signifies that the respondent perceives the
mitigation of insider threats as necessary, acknowledges the usefulness of the
prescribed countermeasures and is willing to contribute to the implementation of
these measures.

Negative attitude: A negative attitude indicates that the respondent regards insider
threat mitigation as non-urgent, questions the appropriateness of the prescribed
countermeasures and lacks motivation to contribute to the mitigation of insider
threats.

Table 6.7: Positive vs. negative attitude toward insider threat mitigation

Table 6.8 gives an overview of the statements respondents were asked to
rate. While statement one and two give an indication of the respondent’s vision
on the prioritization of insider threat mitigation relative to external threat
mitigation, statements three to six give an indication of the respondent’s vision
on some of the countermeasures currently prescribed by insider threat literature.
Statement seven gives an indication of the motivation to implement mitigation
measures.

Statements were again framed in both positive and negative ways.
Agreement with positively framed statements (two, four, five and seven) indicates
a more positive attitude toward insider threat mitigation and therefore a higher
attitudinal mitigation awareness, while disagreement with positively framed
statements indicates a more negative attitude toward insider threat mitigation and
therefore a lower attitudinal awareness of insider threat mitigation. The opposite
is true for the negatively framed statements (one, three and six).

| Statement | % of agreement* (% of N minus missing values) | % of disagreement** (% of N minus missing values) | % of neither disagree nor agree (% of N minus missing values) | Missing values*** (% of N) |
|---|---|---|---|---|
| 1. Protecting the organization from insider threats is inferior to protecting the organization from external threats. (-) | 14,66% | 69,71% | 15,64% | 8 (2,54%) |
| 2. Protecting the organization from insider threats is just as important as protecting the organization from external threats. (+) | 90,73% | 6,39% | 2,88% | 2 (0,63%) |
| 3. It is an exaggeration to ask future employees that will have access to organizational assets to sign a non-disclosure agreement. (-) | 6,05% | 89,49% | 4,46% | 1 (0,32%) |
| 4. It is necessary to check the background of applicants that apply for roles that give access to organizational assets. (+) | 87,21% | 5,25% | 7,54% | 10 (3,17%) |
| 5. Interviewing employees that leave the organization adds value to the protection against insider threats. (+) | 70,07% | 11,51% | 18,42% | 11 (3,49%) |
| 6. The presence of a point of contact where employees can report suspicious behavior of colleagues is unnecessary. (-) | 12,75% | 74,51% | 12,75% | 9 (2,86%) |
| 7. Our organization is prepared to investigate each notification of suspicious behavior. (+) | 87,63% | 6,02% | 6,35% | 16 (5,08%) |

*: agreement = “somewhat agree”, “agree” or “totally agree”
**: disagreement = “somewhat disagree”; “disagree” or “totally disagree”
***: missing value = no opinion, I don’t know or not applicable
(+): The more the respondent agrees (disagrees) with the statement, the more positive (negative)
the respondent’s attitude toward the insider threat and the higher (lower) the attitudinal insider
threat awareness.
(-): The more the respondent agrees (disagrees) with the statement, the more negative (positive)
the respondent’s attitude toward the insider threat and the lower (higher) the attitudinal insider
threat awareness.

Table 6.8: Statements with respect to attitudinal mitigation awareness (N=315)

Concerning prioritization of insider threat mitigation, table 6.8 shows that
the respondents sent some mixed signals. On the one hand, 90,73% of the
respondents (n=284, figure 6.22) agreed that protecting the organization from
insider threats is just as important as protecting the organization from external
threats, while on the other hand only 69,71% of the respondents (n=214, figure
6.23) refuted that protecting the organization from insider threats is inferior to
protecting the organization from external threats. This implies that some of the
respondents seem to contradict themselves. The conclusion on the prioritization
of insider threat mitigation therefore depends on which of the two statements you
follow, given that the results of statement two (figure 6.22) point to a higher sense
of urgency to mitigate the insider threat than the results of statement one (figure
6.23).

Figure 6.22: Attitudinal mitigation awareness – statement 2

Figure 6.23: Attitudinal mitigation awareness – statement 1

Regarding some of the countermeasures currently prescribed by insider
threat literature, table 6.8 illustrates that 89,49% of the respondents (n=281,
figure 6.24) indicates that asking future employees that will have access to the
organizational assets to sign a non-disclosure agreement is not an exaggeration,
while 87,21% of the respondents (n=266, figure 6.25) agrees that applicants that
apply for roles that give access to organizational assets need to complete a
background check.

Figure 6.24: Attitudinal mitigation awareness – statement 3

Figure 6.25: Attitudinal mitigation awareness – statement 4

Relative to the previous mitigation measures discussed, support for
reporting platforms and exit interviews is lower, with only three quarters of the
respondents (n=228, figure 6.26) opposing the idea that a platform to report
suspicious behavior is unnecessary and only 70,07% of the respondents (n=213,
figure 6.27) supporting the suggestion that interviewing employees that leave the
organization adds value to insider threat mitigation. In other words, respondents
seem more convinced about the usefulness of non-disclosure agreements and
background checks to counter insider threats than of the usefulness of a contact
point for employees to report suspicious behavior and exit interviews.

Figure 6.26: Attitudinal mitigation awareness – statement 6

Figure 6.27: Attitudinal mitigation awareness – statement 5

With respect to the respondents’ motivation to apply the prescribed
insider threat mitigation measures, 87,63% of the respondents (n=262, figure
6.28) indicates a willingness to investigate each notification of suspicious
behavior. The majority of the respondents thus believes in the benefits of a system
to report misconduct, having a rather positive attitude toward the insider threat
mitigation measure.

Figure 6.28: Attitudinal mitigation awareness – statement 7

6.3.5. Behavior

Apart from assessing to what extent Belgian organizations are aware of
the insider threat problem and the ways to mitigate it, the questionnaire also
surveyed their behavior with respect to insider threat mitigation. Table 6.9 gives
an overview of the statements respondents were asked to rate. It is argued that
the more the respondent agrees with the statement, the better the organization’s
behavior to mitigate insider threats. This applies to all statements, except for
statements three and six, where the more the respondent agrees with the
statement, the worse the organization’s behavior to mitigate insider threats is.

| Statement | % of agreement* (% of N minus missing values) | % of disagreement** (% of N minus missing values) | % of neither disagree nor agree (% of N minus missing values) | Missing values*** (% of N) |
|---|---|---|---|---|
| 1. Our organization has made a threat assessment on insider threats. (a) | 57,75% | 30,62% | 11,63% | 57 (18,10%) |
| 2. Our organization simulates insider threats to test its insider threat policy. (a) | 25,10% | 61,75% | 13,15% | 64 (20,32%) |
| 3. Our organization subjects all employees to the same trustworthiness evaluation during recruitment. (b) | 55,43% | 35,21% | 9,36% | 48 (15,24%) |
| 4. Our organization contacts the references that the future employee provides on his CV. (a) | 68,22% | 18,60% | 13,18% | 57 (18,10%) |
| 5. Our organization checks during recruitment the non-work-related social media profiles (Facebook, Twitter, Instagram, …) of employees who will have access to the organizational assets. (a) | 59,59% | 24,49% | 15,92% | 70 (22,22%) |
| 6. Our organization subjects all employees to the same trustworthiness evaluation during employment. (b) | 56,13% | 33,09% | 10,78% | 46 (14,60%) |
| 7. Our organization checks the non-work-related social media profiles (Facebook, Twitter, Instagram, …) of employees who have access to the organizational assets. (a) | 43,75% | 39,17% | 17,08% | 75 (23,81%) |
| 8. Our organization ensures that employees solely have access to the information needed to perform their job. (a) | 85,14% | 10,47% | 4,39% | 19 (6,03%) |
| 9. Our organization trains its employees so that they have the necessary skills to report insider threats. (a) | 56,58% | 31,67% | 11,74% | 33 (10,51%) |
| 10. Our organization has a point of contact where employees can report suspicious behavior of colleagues. (a) | 63,57% | 27,14% | 9,29% | 34 (10,83%) |
| 11. Our organization surveys its employees on their general job satisfaction. (a) | 91,41% | 5,50% | 3,09% | 23 (7,32%) |
| 12. Our organization offers employees with personal problems (alcohol addiction, gambling addiction, debts, bereavement, …) professional help. (a) | 77,22% | 12,74% | 10,04% | 55 (17,52%) |
| 13. Our organization performs an exit interview with employees that leave the organization. (a) | 75,09% | 19,22% | 5,69% | 33 (10,51%) |
| 14. Our organization immediately shuts down all accesses from employees that leave the organization. (a) | 95,17% | 2,76% | 2,07% | 24 (7,64%) |

*: agreement = “somewhat agree”, “agree” or “totally agree”
**: disagreement = “somewhat disagree”; “disagree” or “totally disagree”
***: missing value = “no opinion, I don’t know or not applicable”
a: correct answer = agreement
b: correct answer = disagreement

Table 6.9: Statements with respect to behavior (statement 1-8 N=315; statement 9-14
N=314)

It can be deduced from table 6.9 that some insider threat mitigation
practices are more popular than others. Firstly, there are the most popular insider
threat mitigation measures that are well-established among the organizations of
the respondents. More than 90% of the respondents indicates that their
organization immediately shuts down all accesses from employees that leave the
organization (95,17%; n=276, figure 6.29) and monitors employee satisfaction
(91,41%; n=266, figure 6.30). The utility of the former was already discussed
before, while we know from the literature that the latter is believed to be an
appropriate insider threat mitigation measure given that insiders responsible for
insider threat incidents are often motivated by disgruntlement or grievances
toward their organization (Greitzer et al., 2012; Nurse et al., 2014; Willison &
Warkentin, 2013). Moreover, as suggested by the literature, 85,14% of the
respondents (n=252, figure 6.31) announced that their organization applies the
principle of least privilege (Cole & Ring, 2006; IAEA, 2008), making sure
employees solely have access to the information needed to perform their job.
Approximately three quarters of the respondents mentioned that their
organization offers employees with personal problems professional help
(77,22%; n=200, figure 6.32) and that their organization performs exit interviews
(75,09%; n=211, figure 6.33). Concerning the former, we know from the
literature (and from chapter four of this dissertation) that personal strains are also
considered to be a breeding ground for insider threat incidents (Elangovan &
Shapiro, 1998; Greitzer et al., 2012; Shaw & Sellers, 2015; Sarkar, 2010), which
can be countered by offering professional support (Nurse et al., 2014).
Concerning the latter, literature suggests that interviewing employees that leave
the organization might provide useful information on the organizational climate
(Beattie & BaMaung, 2015; Elifoglu et al., 2018; Sarkar, 2010; UK CPNI, 2019).

Figure 6.29: Behavior – statement 14

Figure 6.30: Behavior – statement 11

Figure 6.31: Behavior – statement 8

Figure 6.32: Behavior – statement 12

Figure 6.33: Behavior – statement 13

Secondly, there are the semi-popular insider threat mitigation measures
that are less embedded in the organizations of the respondents, of which some
are rather surprising and others were rather expected. Table 6.9 shows that only
57,75% (n=149, figure 6.34) of the respondents declared that their organization
has made a threat assessment on insider threats, which means that a large
proportion of organizations remains in the dark on the organization’s
vulnerability to insider threats. Regarding recruitment practices, contacting the
references that future employees mention on their CV, according to the literature
one of the basic elements of pre-employment screening (Power & Forte, 2006;
Sarkar, 2010; US NITTF, 2016), is for instance applied by only 68,22% of the
respondents (n=176, figure 6.35). Given that references might contain
valuable information about the future employee, this number was expected to be higher.
Non-work-related social media profiles, on the other hand, are checked by
59,59% of the respondents (n=146, figure 6.36) during recruitment. This is,
however, less surprising, given that “many organizations do not review
candidate’s social media accounts due to privacy concerns, potential
discrimination claims, and the fact that information may not be accurate” (George
et al., 2019: 10). Moreover, “consistent protocols have yet to emerge for
employing [social networking site] and [Open source intelligence] analytics as a
component of pre-employment background investigations” (Montaquila &
Godwin, 2016: 158). Nevertheless, we know from literature that social media can
equally help to identify potential insider risk factors (Brown, Watkins & Greitzer,
2013; Elifoglu et al., 2018).

Figure 6.34: Behavior – statement 1

Figure 6.35: Behavior – statement 4

Figure 6.36: Behavior – statement 5

Regarding reporting of red flags, it is surprising that only 63.57% of the
respondents (n=178, figure 6.37) indicates that their organization has a point of
contact where employees can report suspicious behavior of colleagues. One
would expect this percentage to be much higher, as in the literature a reporting
platform is considered to be one of the most basic measures organizations can
implement to counter insider threats (Bell et al., 2019; Colwill, 2009; UK CPNI,
2011; US NITTF, 2016). In line with this, 56,58% of the respondents (n=159,
figure 6.38) mentions that their organization trains its employees so that they
have the necessary skills to report insider threats. Because colleagues and line
managers are the first line of defense against insider threats, literature suggests
to educate them on the ways to detect possible red flags, as well as on the
adequate way to inform the organization about the potential warning signals in
order to prevent insider threats from happening (Gelles, 2016; Mehan, 2016;
Steele & Wargo, 2007).

Figure 6.37: Behavior – statement 10

Figure 6.38: Behavior – statement 9

Lastly, there are the least popular insider threat mitigation measures that
less than half of the organizations of the respondents implements, like the
monitoring of non-work-related social media profiles of employees who have
access to the organizational assets during employment, with only 43.75% of the
respondents (n=105, figure 6.39) declaring to do it. Even worse is the use of
insider threat simulations, which barely a quarter of the respondents (25,10%;
n=63, figure 6.40) uses, although the literature states that testing insider policies
through red teaming or tabletop exercises might provide useful insights (Long,
2016; US NITTF, 2016; Stern & Schouten, 2016). To conclude, the lack of
awareness of the ‘degree of insiderness’ is also observed with respect to behavior,
given that more than half of the respondents declares to subject all employees to
the same trustworthiness evaluation during recruitment (55,43%; n=148, figure
6.41) and during employment (56,13%; n=151, figure 6.42).

Figure 6.39: Behavior – statement 7

Figure 6.40: Behavior – statement 2

Figure 6.41: Behavior – statement 3

Figure 6.42: Behavior – statement 6

6.3.6. Other

Apart from surveying awareness and behavior, other insider threat-related
topics were touched upon, namely the organizations’ perceptions about the
insider threat landscape (6.3.6.1.), the sources they consult to increase their
knowledge on the insider threat problem (6.3.6.2.), questions regarding their
insider threat policy (6.3.6.3.) and finally their own experience with respect to
the insider threat problem (6.3.6.4.). Each of these topics will be elaborated on
below.

6.3.6.1. Perceptions about the insider threat landscape

Concerning the perceptions of organizations about the insider threat
landscape, respondents were asked two questions, namely (1) which types of
insider threat worry their organizations the most and (2) what the main factors
are behind insider threats. The results of the first question are outlined in table
6.10 (%) and figure 6.43 (n). The results show that theft (60,63%; n=191),
negligence (57,78%; n=182) and fraud/corruption (57,46%; n=181) are among
the top three insider threat types organizations fear the most, with employees that
spy (45,40%; n=143) or commit sabotage (40,32%; n=127) completing the top
five. One third of the organizations (33.65%; n=106) is concerned about the
possibility that employees radicalize or commit extremist or terrorist activities.
About a quarter of the organizations worries that employees might blow the
whistle by publicly leaking sensitive information about the organization
(25.08%; n=79) or that employees will engage in interpersonal violence (24.13%;
n=76). Sexual misconduct was mentioned by approximately one fifth of the
organizations (21.90%; n=69). In line with earlier results, almost 10% of the
organizations suffers from NIMO bias (Bunn & Sagan, 2016), not being concerned
about insider threats to their organization (9,21%; n=29). Insider threat types
respondents referred to in the ‘other’ category related to ignorant employees, or
employees who are unaware of the organizational procedures or who lack
cybersecurity awareness and are therefore vulnerable to ransomware (and who
are actually perceived in this dissertation as insider hazards, see chapter two).

| Insider threat type | % of respondents |
|---|---|
| Theft | 60,63% |
| Negligence | 57,78% |
| Fraud/corruption | 57,46% |
| Espionage | 45,40% |
| Sabotage | 40,32% |
| Radicalization/extremism/terrorism | 33,65% |
| Whistleblowing (public leakage of sensitive information) | 25,08% |
| Interpersonal violence | 24,13% |
| Sexual misconduct | 21,90% |
| Our organization is not concerned about insider threats | 9,21% |
| Other | 5,71% |

Table 6.10: Which of the insider threats outlined below worry your organization the most
(multiple answers possible)? (N=315)

Figure 6.43: Which of the insider threats outlined below worry your organization the
most (multiple answers possible)?

The results of the second question are outlined in table 6.11 (%) and figure
6.44 (n). In line with the insider threat literature (Bunn & Sagan, 2016; Noonan,
2018; Nurse et al., 2014; Sarkar, 2010), respondents indicate that the underlying
reasons of insider threat incidents are both ‘malicious’ and ‘non-malicious’
(interpreted as explained in chapter two). Concerning the former, 43.81% of the
respondents (n=138) considers revenge out of disgruntlement with the
organization a driving factor of insider threats. Concerning the latter, even more
respondents (44,76%; n=141) believe that social engineering forms a basis of the
insider threat problem, while 37,46% of the respondents (n=118) referred to
negligence. Furthermore, over one third of the respondents mentioned classical
motives like greed (36,83%; n=116) or personal problems (35,56%; n=112).
More surprising is the rather high score of coercion by external parties and
rather low score of ideology and religion, with respectively one third (32,38%;
n=102) and one fifth (20,63%; n=65) of the respondents making reference to
these factors. Other driving factors of insider threat that were put forward by less
than 15% of the respondents are personal relationship (13,65%; n=43),
personality disorders (13,02%; n=41), concerns with organizational practices
(12,06%; n=38) and moral concerns with organizational activities (10,79%;
n=34). Approximately 11% of the respondents declares not to be concerned about
insider threats to their organization (11,11%; n=32). Factors referred to in the
‘other’ category related among other things to carelessness, nonchalance or
deliberate infiltrations.

| Factors behind insider threats | % of respondents |
|---|---|
| Social engineering | 44,76% |
| Revenge out of disgruntlement with the organization | 43,81% |
| Negligence | 37,46% |
| Greed | 36,83% |
| Personal problems (like addictions) | 35,56% |
| Coercion by external party | 32,38% |
| Ideology or religion | 20,63% |
| Personal relationship (love, empathy, …) | 13,65% |
| Personality disorder (like narcissism or psychopathy) | 13,02% |
| Concerns with organizational security practices | 12,06% |
| Our organization is not concerned about insider threats | 11,11% |
| Moral concerns with organizational activities | 10,79% |
| Other | 4,44% |

Table 6.11: What are the main factors behind insider threats (multiple answers possible)?
(N=315)

Figure 6.44: What are the main factors behind insider threats (multiple answers
possible)?

6.3.6.2. Knowledge sources

Regarding the sources organizations consult to increase their knowledge
on the insider threat problem, table 6.12 (%) and figure 6.45 (n) show that almost
two thirds of the respondents (63,49%; n=200) indicate that their organization
draws upon its own experiences, followed by the government that is identified as
information source by half of the respondents (50,48%; n=159). Information
exchange within the sector is mentioned by 38,73% (n=122) of the respondents,
whereas a quarter of the respondents (24,13%; n=76) turns to media for
inspiration on the insider threat problem. Both academia (14,92%; n=47) and the
FEB (8.89%; n=28) are considered less important sources to learn about insider
threats. A multitude of alternative information sources are mentioned in the
“other” category, both national ones like the NSA, intelligence and military
services and the FANC, and international ones like the IAEA, the North Atlantic
Treaty Organization and the American Society for Industrial Security. Reference
is also made to parent enterprises or (IT-related) external expertise.

| Knowledge source | % of respondents |
|---|---|
| Own experiences | 63,49% |
| The government | 50,48% |
| Fellow companies within the sector | 38,73% |
| Media | 24,13% |
| Other | 16,19% |
| Academia | 14,92% |
| The Federation of Belgian Enterprises (FEB) | 8,89% |

Table 6.12: The knowledge our organization has on insider threats originates from
(multiple answers possible)? (N=315)

Figure 6.45: The knowledge our organization has on insider threats originates from
(multiple answers possible)?

6.3.6.3. Insider threat policy

With respect to insider threat policies, respondents were on the one hand
asked who is responsible for the protection against insider threats within their
organization, and on the other hand asked to choose between discouraging
employees to pose an insider threat (‘motivation’) or averting that employees
have opportunities to pose insider threats (‘opportunity’) as insider threat
strategy. Table 6.13 (%) and figure 6.46 (n) illustrate that management is
considered to be the key actor of insider threat mitigation by 61,27% of the
respondents (n=193), followed by Security and ICT who are both mentioned by
41,59% of the respondents (n=131). One third of the respondents (33,97%;
n=107) refers to Human Resources as having responsibility in insider threat
policies. The Legal department is least involved in insider threat mitigation, being
only mentioned by 14,29% of the respondents (n=45). 2,86% of the respondents
(n=9) indicated that nobody is responsible for insider threat protection in their
organization. Actors that respondents referred to in the ‘Other’ category are
among others Quality, Health, Safety and Environment (QHSE), internal audit,
operations and accounting.

| Actor | % of respondents |
|---|---|
| Management | 61,27% |
| Security | 41,59% |
| ICT | 41,59% |
| Human Resources | 33,97% |
| Legal | 14,29% |
| Other | 13,97% |
| Nobody | 2,86% |

Table 6.13: Within your organization, who is responsible for the protection against
insider threats (multiple answers possible)? (N=315)

Figure 6.46: Within your organization, who is responsible for the protection against
insider threats (multiple answers possible)?

The second question refers to the three key attributes that contribute to
insider threat incidents, namely capability, motivation and opportunity (Nurse et
al., 2014; Sarkar, 2010). Given that insiders automatically possess the capability
to commit an insider attack due to their access to the organizational assets, the
question focused on the other two aspects, asking respondents to choose which
of the attributes they would focus on: motivation or opportunity. The obvious
answer to the question would be ‘both’, given that both opportunity reduction
and motivation management are complementary insider threat mitigation
strategies that on their own might not suffice. On the one hand, reducing
opportunities to strike might be a solution in the short run, but if the insider keeps
being motivated to commit an insider attack, it can be assumed that they will
eventually find a way to strike. On the other hand, solely concentrating on
motivation leaves the door open for opportunistic crimes [61], ignoring the
‘opportunity makes the thief’ paradigm (Mehan, 2016).

Notwithstanding the complementarity of both strategies, I deliberately
left out the ‘both’ option to force respondents to face the choice between
opportunity reduction and motivation management. In line with Padayachee
(2016), who argues that “opportunity is more tangible than motive” (ibid: 47) and
that “it is more pragmatic to reflect on opportunity-reducing measures” (ibid: 47)
than on managing motivation, figure 6.47 shows that the majority
of the respondents (57,01%; n=179) prioritizes opportunity reduction techniques.
In contrast, 37,58% of the respondents (n=118) would rather pay attention to
motivation, discouraging employees to pose an insider threat. 5,41% of the
respondents (n=17) had no opinion.

[61] An example is the working student that stole over 7.000 euros from his employer because the
vault was open (Het Laatste Nieuws, 16/12/2019).

Figure 6.47: What should be the main focus of insider threat policy? (N=314)

6.3.6.4. Insider threat experience

The final part of the questionnaire asked respondents about their
organization’s experience with insider threat incidents. Figure 6.48 shows that
more than half of the respondents (56,69%; n=178) declares that their
organization spends more attention to insider threats now than before, which is
in line with Gelles’ (2016) suggestion that attention to the problem has relatively
recently increased (see supra – chapter one).

Figure 6.48: Does your organization spend more attention to the insider threat problem
now than before? (N=314)

Figure 6.49 shows that more than half of the respondents (51,27%;
n=161) indicate that so far, their organization has been spared from insider threat
incidents, whereas 20,70% of the respondents (n=65) neither deny nor confirm
that their organization has encountered an insider threat incident. The
remaining 28,03% of the respondents (n=88) admitted that their organization
already experienced an insider threat incident.

Figure 6.49: Has your organization already experienced an insider threat incident?
(N=314)

Of the last group, 82 respondents were willing to share how large the
material damage was resulting from the insider threat incident, as illustrated by
figure 6.50. Although it can be deduced from figure 6.50 that the material
damage was in the majority of the cases absent (n=44) or at least confined to
a maximum of 10% of the turnover (n=37), one of the respondents admitted that the
material damage amounted to more than 50% of turnover. This again confirms
that an insider threat might endanger the survival of the organization (see supra
– cognitive threat awareness – statement 6).

Figure 6.50: How large was the material damage resulting from the insider threat
incident? (N=82)

6.4. Limitations
Apart from the shortcomings related to the four-part typology on which
this study is based that were mentioned in chapter five, one of the shortcomings
of this particular study is the assumption that the respondent can speak on behalf
of the organization. This assumption is questionable, given that there is no
assurance that the answers given in the online survey accurately represent the
organization’s stance on the insider threat. While the study is interested in the
opinion of the organization as such, the online questionnaire is answered by only
one member of the organization. As a result, there is no guarantee that the survey
is filled in by someone who is conscious of the organization’s position on the
insider threat problem. For this reason, organizations were explicitly requested
to have the online questionnaire filled in by a representative who has sufficient
knowledge of the organizational insider threat policy. The target audience of our
questionnaire was therefore organizational representatives related to security,
namely security officers, who can be assumed to be involved to a large extent in
the insider threat policy of their organization. In this way, I presume that the
respondent is knowledgeable about the organization’s stance on insider threats and
can speak with one voice for the whole organization (Viotti & Kauppi, 2012).
Furthermore, it should be acknowledged that since attitude can be formed
through multiple components (Zanna & Rempel, 1998), the attitude formation
can be based upon one single component or a combination of the different
components. Some actors will shape their attitude solely by what their mind tells
them (cognitive), while others might entirely depend upon their feelings
(affective) or past experiences and behavioral intentions (behavioral). It is,
however, also possible that the attitude formation results from a combination of
two or three sources. As a consequence, the general evaluation, or the general
attitude, will correspond with a summation of the different components of
attitude formation. The summation of the different attitude components does not
mean that each source equally contributes to the general attitude. Indeed, the
magnitude of the impact that the source has on the formation of the attitude might
vary. For example, the actor might consider all three components, but might give
higher weight to the cognitive component than to the two other components
(Zanna & Rempel, 1988). The summation of the different components implies
that there are four possible outcomes with respect to the overall attitude. Firstly,
it could be the case that the actor has no significant attitude toward the issue.
Secondly, the overall attitude can be consistently positive when all components
are assessed in a positive way. Thirdly, the cognitive, affective and behavioral
component can all be negative, leading to an overall negative attitude toward the
issue. Lastly, the possibility exists that the cognitive, affective and behavioral
source are contradictory. It could for instance be the case that the actor recognizes
that the disadvantages of the issue outweigh the advantages (i.e. indicating a
negative attitude), but that the issue arouses a feeling of joy and excitement (i.e.
resulting in a positive attitude). Subsequently, an ambivalent situation occurs in
which mind (cognitive) and heart (affective) contradict each other. The overall
attitude can be positive if the positive attitude components prevail, negative when
the negative components dominate or undecided when the positive and negative
components cancel each other out (Maio et al., 2003). Although the strength of
each individual attitude component was not measured, the study nevertheless
takes into account this shortcoming by using all three components to construct
the statements with regard to the attitudinal awareness types.
In any case, it should be acknowledged that the present study was only
the first attempt to operationalize the four-part typology, and that the goal of the
study was exploratory, simply describing the results. Future research is needed
to refine the content of the statements and to construct knowledge and attitude
scales that do not measure the awareness per statement, as was done here, but
rather measure the aggregate awareness over the different statements of one
awareness type. This would not only increase the user-friendliness of the security
awareness assessment model, but would also increase the accuracy of the
assessment. Furthermore, future research should also go beyond description,
trying to explain differences in insider threat awareness between groups of
stakeholders.
6.5. Conclusion
This insider threat awareness and behavior survey questioned 315 Belgian
security officers acting as representatives for their organizations’ knowledge
about and attitude and behavior toward insider threats. The results of the study
offer insights into what these organizations know about insider threats (cognitive
threat awareness), whether they consider themselves to be vulnerable to insider
threats (attitudinal threat awareness), what they know about measures that
mitigate insider threats (cognitive mitigation awareness), their attitude toward
insider threat mitigation (attitudinal mitigation awareness) and what they
currently do to mitigate insider threats to their organizations (behavior).
Moreover, the survey maps the organizations’ perception of the insider threat
landscape, their knowledge sources of the insider threat problem, their
prioritization of insider threat policy and their experiences with insider threat
incidents.
The results show that the knowledge level of the survey population on the
characteristics of the insider threat problem is in general satisfactory, except for
familiarity with what insider threat literature denotes the ‘degree of insiderness’.
Moreover, it can be deduced from the results that the large majority of the
respondents (+85%) considers the insider threat a significant problem their
organizations are susceptible to. Nevertheless, the results also indicate that a
considerable part of the respondents denies vulnerability to insider threats. The
knowledge level of the survey population on the measures that mitigate
insider threats is, generally speaking, also satisfactory. Still, there is room for
improvement, as more than 10% of the respondents believes that measures taken
to protect the organization from external threats are sufficient to protect the
organization from insider threats and almost 15% of the respondents thinks it is
not necessary to relate the rigor of the trustworthiness evaluation to the extent to
which the employee has access to the organizational assets. Concerning
prioritization of insider threat mitigation in relation to external threat mitigation,
nine out of ten respondents agreed that protecting the organization from insider
threats is just as important as protecting the organization from external threats,
while only seven out of ten respondents refuted inferiority of insider threat
mitigation vis-à-vis external threat mitigation. Regarding the countermeasures
currently prescribed by insider threat literature, respondents seem more
convinced about the usefulness of non-disclosure agreements and background
checks to counter insider threats than of the usefulness of a contact point for
employees to report suspicious behavior and exit interviews.
Concerning insider threat mitigation behavior, it can be deduced from
the results that some insider threat mitigation practices are more popular than
others among the survey population. The most popular insider threat mitigation
measures (+75%) include making sure employees solely have access to the
information needed to perform their job, surveying general job satisfaction,
offering employees with personal problems professional help, performing exit
interviews and shutting down the access of employees who leave. The semi-popular
insider threat mitigation measures (between 74% and 50%) include
making a threat assessment on insider threats, contacting the references that
future employees mention on their CV, checking non-work-related social media
profiles during recruitment, having a point of contact where employees can report
suspicious behavior of colleagues and training employees so that they have the
necessary skills to report insider threats. Least popular insider threat mitigation
measures (-50%) include checking non-work-related social media profiles during
employment, using insider threat simulations and applying a risk-based approach
to trustworthiness evaluation during recruitment and employment.
Furthermore, it was found that theft, negligence and fraud/corruption are
among the top three insider threat types organizations fear the most. Respondents
indicate that the underlying reasons for insider threat incidents are both
‘malicious’, referring to revenge out of disgruntlement with the organization, and
‘non-malicious’, referring to social engineering and negligence. Approximately
10% of the respondents declare not to be concerned about insider threats to their
organization. Almost two thirds of the respondents indicate that their
organization draws upon its own experiences to learn about insider threats,
followed by the government that is identified as an information source by half of the
respondents. Information exchange within the sector, media, academia and the
FEB are considered less important sources to learn about insider threats.
Furthermore, management is considered to be the key actor of insider threat
mitigation, followed by Security and ICT. The Legal Department is least
involved in insider threat mitigation, with Human Resources playing a role in a
third of the organizations. When asked to choose between motivation
management and opportunity reduction as insider threat mitigation strategy, the
majority of the respondents prioritizes the latter. More than half of the
respondents indicate that so far, their organization has been spared from insider
threat incidents, whereas 28,03% of the respondents admitted that their
organization already experienced an insider threat incident. With the exception
of one respondent, the material damage was either absent or confined to
a maximum of 10% of the turnover. The remaining respondent, however, admitted
that the material damage amounted to more than 50% of turnover, confirming
that an insider threat might endanger the survival of the organization.
The respondents were expected to display high scores on insider threat
awareness and behavior, given that the target audience consisted of organizations
of which it could be assumed that they are (or at least should be) aware of
security-related issues like the insider threat problem. The results show that the
majority of our survey population displays a satisfactory level of insider threat
awareness and behavior. Still, the results equally show that there is room for
improvement. Two common threads seem to run through the results of the
survey. On the one hand, there is the absence of knowledge about the degree of
insiderness. Awareness raising initiatives on insider threat should therefore focus
on communicating the importance of risk-based approaches to insider threat
mitigation when allocating the limited budgetary resources for insider threat
mitigation to optimize efficiency of the insider threat mitigation policy. On the
other hand, there is the presence of the NIMO-bias among a considerable part of
the survey population. Awareness raising initiatives on insider threat should
target this audience to make clear that insider threats exist within every
organization.
To conclude, I hope my study paves the way for more research on insider
threat awareness and behavior, especially in Belgium and by extension the whole
of Europe. Concerning the former, the study should be replicated with a less
security-minded audience that is not expected to be aware of the insider threat
problem, given that insider threat is universal. Concerning the latter, it would be
interesting to perform a comparative study among European organizations to
detect similarities and differences with the results obtained from the Belgian
survey population.

PART IV: INSIDER THREAT MITIGATION

Chapter 7

A conceptual model for insider threat mitigation

7.1. Introduction
The dissertation has so far elaborated on the meaning, scope and
characteristics of the insider threat problem (part II) and on insider threat
awareness (part III). In chapter one it was argued that, apart from assessing
insider threat awareness in Belgium, the second goal of the dissertation was to
provide organizations with mitigation measures to better secure themselves
against insider threats. This will be the main focus of part four of this dissertation,
which starts with a chapter outlining a conceptual model for insider threat
mitigation that was developed on the basis of a review of the literature.

I. Recruitment
• Confirm the trustworthiness of the insider.

II. Org. Socialization
• Persuade the insider of the organizational culture to obtain norm internalization.

III. Observation
• Observe potential red flags.

IV. Investigation
• Investigate the validity of the red flag.

V. Anticipation
• Anticipate the red flag to preempt what is perceived to be a likely insider threat.

VI. Damage Limitation
• Limit the harm resulting from the insider threat incident.

VII. Reconstruction
• Reconstruct the incident to discover the reason behind the intentional misconduct and to determine culpability.

VIII. Deliberation
• Deliberate whether trust can be restored or whether the insider can remain employed.

IX. Termination
• Terminate the insider if it is believed that trust cannot be restored in the future.

Figure 7.1: Conceptual insider threat mitigation model

Figure 7.1 shows that the conceptual insider threat mitigation framework
consists of nine stages, namely recruitment (I), organizational socialization (II),
observation (III), investigation (IV), anticipation (V), damage limitation (VI),
reconstruction (VII), deliberation (VIII) and finally termination (IX). The main
goal of the conceptual model is to get an understanding of the different stages of
an insider threat incident. The idea behind the conceptual model is somewhat similar
to the typology outlined in chapter four of this dissertation, where the objective
was to get a deeper understanding of the different characteristics of the insider
threat problem. Here, the objective of the conceptual model is to get a deeper
understanding of the characteristics of insider threat mitigation, or to get a more
holistic understanding of the different aspects of insider threat mitigation
organizations should take into account. For the sake of clarity, the conceptual
model should not be regarded as a ready-to-use mitigation model that provides
organizations with concrete mitigation measures they can implement. It is therefore
not my intention to already formulate concrete policy recommendations
corresponding with each step of the framework in this chapter, as this will be the
goal of the remaining chapters of part IV of this dissertation (i.e. chapter eight
and chapter nine). The main objective of the conceptual model is to provide an
intuitively straightforward overview of the different moments an organization
can take decisions that might influence the risk that an insider threat incident
occurs.
In the remainder of this chapter, at each stage of the framework reference
is made to the insider’s trustworthiness level (i.e. the criticality of the situation),
as well as to the strategy that corresponds with that stage. Concerning the
insider’s trustworthiness level (see chapter three), the criticality of the situation
is classified using different color codes. Based on a mix of the color codes of the
Belgian Royal Meteorological Institute (RMI, accessed on 05/15/2021) with the
colors that are used in triage systems (Khan, 2018), existing traffic light risk
classifications [62] (Beattie & BaMaung, 2015; Gemeentelijk Havenbedrijf
Antwerpen, 2012; Rehak et al., 2020) are adapted and extended into a new risk
classification containing seven colors (i.e. green, yellow, orange, red, dark red,
grey and black). Table 7.1 illustrates the risk classification on the basis of the
insider’s trustworthiness level. Concerning the insider threat mitigation
strategies, table 7.2 shows that four strategies are distinguished, namely
prevention (Cole & Ring, 2005; Charney, 2018), detection (Cole & Ring, 2005;
Charney, 2018), pre-emption (Freedman, 2003; Sauer, 1998) and remedy (Bunn
& Sagan, 2016; Mehan, 2016; Willison & Warkentin, 2013).
| Insider trustworthiness level | Meaning |
| --- | --- |
| Satisfactory | The level is above the desirable threshold, the organization should consolidate the trustworthiness level. |
| Inferior | The level is (slightly) below the desirable threshold, the organization should remain vigilant. |
| Alarming | The level is worrisome, the organization should investigate whether action is required. |
| Critical | The level is precarious, the organization should take immediate action to avert damage. |
| Grievous | The level is damaging, the organization should recover from the damage incurred. |
| Incurable | The level is beyond repair, the organization should terminate the contract of the insider. |
| Unknown | The level is inconclusive, the organization should re-examine the trustworthiness level and contemplate whether the level can be restored above the satisfactory threshold. |

Table 7.1: Criticality of the situation - classification on the basis of the insider’s
trustworthiness level

[62] Green represents low risk, yellow medium risk and red high risk.

| Strategy | Meaning |
| --- | --- |
| Prevention | The organization takes initiatives to confirm that the future insider is trustworthy and then consolidates the trustworthiness level of its insiders above the satisfactory threshold. |
| Detection | The organization intervenes early to detect higher-than-average risks of intentional misconduct. |
| Pre-emption | The organization perceives the insider is about to commit intentional misconduct and anticipates this imminent insider threat incident. |
| Remedy | The organization limits the harm resulting from the insider threat incident and takes measures to prevent the recurrence of similar incidents. |

Table 7.2: Insider threat mitigation strategies

Moreover, for each stage of the framework not only the appropriate way
to manage the situation is discussed, but also the possibilities of mismanagement
(Eoyang, 1994; Goold, 2002; Hogan & Hogan, 1994; Shaw & Sellers, 2015).
Martinez-Moyano, Rich, Conrad, Andersen & Stewart (2008) indicate that a
distinction should be made between four possibilities to judge a potential threat
situation, namely true positives, true negatives, false positives and false
negatives. Ideally, the organization always separates the threatful situations (i.e.
true positives) from the non-threatful situations (i.e. true negatives). It is,
however, possible that the organization misjudges the actual condition of the
situation by incorrectly interpreting non-threats as threats (i.e. false positives) or
by dismissing real threats as non-threats (i.e. false negatives). One aspect missing
in the theory of Martinez-Moyano et al. (2008) that is added in this conceptual
model is the possibility that the organization simply refrains from making a
judgement at all, which is denoted here as ‘null’. Table 7.3 shows the different
ways organizations can judge the potential threat situation.
| Judgement of the potential threat situation | Meaning |
| --- | --- |
| True positive | Correct judgement of a threat as a threat |
| True negative | Correct judgement of a non-threat as a non-threat |
| False positive | Incorrect judgement of a non-threat as a threat |
| False negative | Incorrect judgement of a threat as a non-threat |
| Null | Oversight of the threat or omission of the threat mitigation |

Table 7.3: Judgement of the potential threat situation (adapted from Martinez-Moyano
et al., 2008: 7:5)

In the remainder of this chapter, each stage of the framework will be
elaborated on in detail, explaining the criticality of the situation, the insider threat
mitigation strategy and the different possibilities to judge a potential threat
situation in the particular stage by referring to real case examples. Regarding
these examples, I would like to stress that in hindsight it is always easy to tell
whether the organization handled the potential threat situation in the right or
wrong way, and that it is not my intention to name and shame organizations that
in hindsight made a wrong judgement. I would therefore like to emphasize that
referring to these examples is not a moral judgment about these organizations,
but just a way of illustrating the ideas and concepts used in this chapter.

7.2. The conceptual model
7.2.1. Recruitment (I)

In the recruitment stage, the goal of the organization is to evaluate the
trustworthiness of potential future employees to confirm that only trustworthy
candidates are recruited (Afolabi, 2017; Klotz et al., 2013; Waltz, 2003). The
strategy applied by the organization is prevention (Cole & Ring, 2005; Charney,
2018), or making sure the trustworthiness level of the insider is above the
satisfactory threshold. More specifically, the organization performs pre-employment
screenings (PES) to ensure that new recruits are trustworthy
(BaMaung et al., 2018; Beattie & BaMaung, 2015; Cohen et al., 2016; Power
& Forte, 2006). Candidates whose trustworthiness is perceived to be below
the satisfactory level are rejected. If the future insider needs authorization or
advice from government authorities, like a government security clearance,
vetting should also be taken into account during this stage (Afolabi, 2017; Van
Laethem, 2005).
The recruitment stage is not only applicable to new recruits, but also to
insiders that transfer within the organization, for instance due to a promotion
(Beattie & BaMaung, 2015). In other words, internally displaced insiders should
be treated as new ones, and should equally undergo the pre-employment
screenings, not least if the extent to which they come into contact with
organizational assets increases (i.e. larger insider privilege) or changes content-
wise (i.e. different insider privilege).
In an ideal situation, the organization always takes the right decisions,
hiring trustworthy candidates and rejecting untrustworthy ones. In reality,
however, management runs the risk of false positives, false negatives and null
(Martinez-Moyano et al., 2008). False positives refer to candidates that are
trustworthy but that are nevertheless rejected. Here, the organization loses a
valuable employee. False negatives relate to candidates that are not trustworthy
but that are still recruited by management. A false negative is for instance an
employee that infiltrates a critical infrastructure facility, like a nuclear site, on
behalf of a terrorist organization (Catrantzos, 2010; Hegghammer & Hoelstad
Daehli, 2016). Think for instance of the previously mentioned case of Takuma
Owuo-Hagood who started a career as baggage handler at Delta Airlines in order
to feed the Taliban sensitive information (Krull, 2016). Null refers to omission
of pre-employment screenings, which occurs when the organization does not
evaluate the trustworthiness of future employees and remains in the dark on
whether or not the candidate can be trusted with the insider privilege. An example
is the aforementioned case of the French reporter who deliberately infiltrated the
police to expose a culture of racism and violence. According to the reporter, “the
police recruiters did not delve into his background” (Willsher, 2020, 18th
paragraph). Sports clubs that do not ask their volunteers for a certificate of good
conduct (Joris, 2022; NOS Nieuws, 19/12/2019), simply assuming their
trustworthiness, can also be considered an example of null.
Insider threat mitigation is, however, more than performing pre-
employment screenings and (if necessary) vetting by government authorities. It
was demonstrated earlier in this dissertation that background checks are only a
snapshot and that the trustworthiness of the insider can change over time.
Consequently, it is important to continuously keep evaluating the trustworthiness
of the insider during employment, or to pay attention to so-called ‘aftercare’
(Bunn & Sagan, 2016; Colwill, 2009). The remainder of the insider threat
mitigation framework is about aftercare, and the first step of aftercare is
organizational socialization.

7.2.2. Organizational socialization (II)

In the organizational socialization stage, the organization develops a
preventive strategy (Cole & Ring, 2005; Charney, 2018) that intends to
consolidate the trustworthiness level of the insider above the satisfactory
threshold. Earlier in this dissertation, cognitive awareness was distinguished from
attitudinal awareness (see chapter five). In terms of organizational socialization,
the former relates to an introduction to the organizational culture via
communication, education and training, while the latter relates to compliance
with the organizational culture through norm enforcement and norm acceptance.
In this regard, Siponen and Kajava (1998: 330) correctly argue that “often users
know the guidelines, but they fail to apply them correctly (…). Successful
organizational awareness requires more action than the giving of a set of rules
(…)”. Therefore, organizational socialization here does not refer to the creation
of cognitive awareness of the organizational culture but instead refers to the
creation of attitudinal awareness of the organizational culture. It is assumed that
insiders are competent, meaning that they are already conscious of the specific
organizational norms and are competent to adhere to them.
To give a concrete example, employees often know they have to secure
their account with strong passwords (i.e. cognitive awareness), but fail to comply
with this rule (i.e. attitudinal awareness). Organizational socialization, as
interpreted here, aims at addressing this discrepancy between cognitive and
attitudinal awareness of organizational norms. In the organizational socialization
stage, the goal of the organization is that insiders develop a favorable attitude
toward the organizational culture. As illustrated in chapter three of this
dissertation, this attitude can stem from extrinsic motivation where the favorable
attitude is enforced through positive or negative stimuli or intrinsic motivation
where the favorable attitude is created regardless of any stimuli (Weibel, 2007).
In the latter case, insiders internalize the prescribed specific organizational norms
(Pfleeger et al., 2014; Siponen, 2000; Von Solms & Von Solms, 2004), which is
perceived by the insider “as a matter which they are bound and obliged to follow”
(Siponen & Kajava, 1998: 330). The objective of organizational socialization is
thus to convince the insider that conducting themselves according to the specific
organizational norms is the appropriate way to use the insider privilege. There is,
however, a possibility of omission of organizational socialization (i.e. null) when
the organization makes no attempt to socialize the insider.
7.2.3. Observation (III)

Apart from prevention, detection (Cole & Ring, 2005; Charney,
2018) should also be taken into account as an insider threat mitigation strategy,
whereby the organization is vigilant for so-called ‘red flags’ or factors that may
point to insider threats (Costa et al., 2014; Gelles, 2016; Greitzer et al., 2012;
Greitzer et al., 2016; Ho et al., 2018). In other words, the organization has to
remain vigilant to pick up signals that might indicate inferior trustworthiness, or
a decline in the trustworthiness level below the desirable threshold. Gelles (2016)
distinguishes virtual from nonvirtual red flags, whereby the former for instance
refers to anomalous encryption activity or use of USB on a classified system, and
the latter for instance relates to a history of reprimands or odd work hours. After
becoming aware of the red flag, the organization has to assess whether it concerns
misinformation that can be closed without further action (Gelles, 2016), or
whether the red flag is worth investigating in more detail (see infra 7.2.4).
Similar to the recruitment stage, management runs the risk of false
positives, false negatives and null (Martinez-Moyano et al., 2008). False
positives refer to red flags that (in hindsight) are wrongfully considered worth
investigating. An example is the case of Nambi Narayanan, a top scientist in the
Indian space program who was wrongly accused of being a spy and selling “rocket
technology to Pakistan, after falling into a honey trap set by two women from the
Maldives” (Biswas, 2020, 14th paragraph), even though “none of the information
he dealt with was classified” (ibid, 35th paragraph). False negatives, on the other
hand, refer to red flags that should have been investigated but that were
incorrectly judged by the organization as misinformation. In this regard,
reference can for instance be made to the case of Frits Veerman, the
whistleblower who alerted his employer on the espionage activities committed
by A.Q. Khan (see chapter four, 4.4.3.1.) but whose concerns were not taken
seriously (NOS Nieuws, 24/02/2021). Null, or oversight of red flags, implies that
the organization is only knowledgeable of the situation when it is already too late.
An example is the knife attack at the police station in Paris (Strynckx, 2019).
Over the years, the perpetrator of the attack showed some behavioral changes that
should have raised some questions. Apparently, the insider was in possession
of propaganda videos of Islamic State in his workplace, justified the terrorist
attacks committed by Islamic State over the years, refused to welcome female
colleagues and had contact with Salafists (De Morgen, 09/10/2019; Strynckx,
2019). Yet, these changes were not (formally) observed by the organization (De
Morgen, 09/10/2019).
7.2.4. Investigation (IV)

The situation becomes concerning if the organization interprets the red
flag as a signal that is worth investigating in more detail. The organization starts
an investigation to discover whether the red flag requires (immediate)
counteraction. Similar to intelligence services that analyze information
gathered to assess threats to national security (Lanssens, 2020; Zegart, 2016),
organizations analyze in the investigation stage the observed red flag(s) to assess
whether the situation is moving toward an insider threat incident, thereby posing
a threat to corporate security (Gelles, 2016).

The second leg of the detection strategy (Cole & Ring, 2005; Charney,
2018) should thus not be conducted from a police/judicial perspective by looking
for evidence of already committed misconduct (i.e. what happened?), but should
rather be driven by an intelligence approach whereby the raw information that
was observed in the previous stage is contextualized and transformed into
intelligence upon which the organization can take an informed decision (i.e. what
will likely happen?) (De Graaff, 2019; George et al., 2019; Lanssens, 2020; US
NITTF, 2016; Waltz, 2003). In concrete terms, this implies that the organization
checks the validity of the red flag (Steneck, 1994) to determine whether it
misinterpreted the red flag and the insider is still trustworthy (Gelles, 2016), like
the case of the Dutch member of parliament whereby the investigation revealed
that she was unfairly suspected of leaking classified information (NOS Nieuws,
23/12/2014), or whether the investigation does reveal traces of insider alienation
from the organization that the organization needs to worry about and needs to
(immediately) act upon.
According to Zegart (2016), absence of an adequate intelligence approach
in the investigation of red flags contributed to the previously mentioned Fort
Hood shooting in 2009 caused by Army Psychiatrist Nidal Malik Hasan.
Although authorities were informed about red flags, like for instance Hasan’s
email correspondence with Al Qaida member al-Awlaqi, “instead of searching
for intelligence about Hasan’s connection to al-Awlaqi and what that relationship
might suggest about radicalization generally or Hasan’s emerging danger
specifically, the [Joint Terrorism Task Forces] searched for evidence that Hasan
was actively engaged in terrorist activities. The FBI was not collecting
intelligence; it was hunting a suspected criminal. (…)” (ibid: 69). Due to the lack
of intelligence perspective during the investigation stage, Hasan became a false
negative (Martinez-Moyano et. al., 2008), as red flags were incorrectly judged as
a misinterpretation while they should have been considered red flags that needed
to be anticipated. For the sake of completeness, it should be mentioned that also
the opposite situation (i.e. false positives) might occur when red flags are
wrongly labelled as an imminent insider threat incident.
7.2.5. Anticipation (V)

If the investigation reveals that the red flag needs counteraction, the
situation becomes critical. This is when the anticipation stage enters into force,
implying that the organization perceives the insider is about to intentionally
commit misconduct in the near future (US NITTF, 2018; Lee and Kulkarni, 2011). In
contrast to the observation and investigation stage, where “the primary goal is to
identify individuals moving along the idea-to-action continuum” (Gelles, 2016:
177), the main objective in the anticipation stage is “to bring them back into the
fold, before an incident occurs” (ibid: 177).
In this stage, the insider threat mitigation strategy of the organization
switches from detection to preemption (Sauer, 1998). Drawing upon Freedman’s
(2003) notion of preemptive war, which “takes place at some point between the
moment when an enemy decides to attack—or, more precisely, is perceived to be
about to attack—and when the attack is actually launched” (ibid: 106), it is argued
that the current stage of the conceptual insider threat mitigation model
corresponds with preempting what is perceived to be a likely insider threat
incident.
More specifically, anticipation can take place either via re-orientation or
neutralization through dismissal. In other words, is it possible to re-orientate the
trustworthiness level of the insider and restore it above the desirable threshold?
Or has the trust between the insider and the organization petered out and does the
organization have to dismiss the insider before any damage is done? In case of
the latter, it should however be emphasized that “employees cannot be suspended
or fired based on a couple of indicators or mere suspicion” (Malik, 2020: 10). In
other words, dismissal can only take place if the organization can legally
underpin its decision to dismiss the insider. An example of an insider threat that
was anticipated in time through dismissal is the former soldier that was addicted
to drugs and tried to kill his parents (Provoost, 2022). If the soldier was still
employed by the Belgian army, he could have caused a similar incident in an
organizational context. Also cases where undercover agents pose as a competitor
to expose double-agents that intend to spy for that competitor, like the previously
mentioned case of Jonathan Toebbe63 (Barnes et. al., 2022), are examples of
successful anticipation.
Still, also in the anticipation stage the organization runs the risk of false
positives and false negatives (Martinez-Moyano et. al., 2008). False positives
refer to employees that should be re-orientated but that are instead neutralized
and removed from the organization. False negatives, on the other hand, concern
employees that should have been fired but that were kept within the organization.
In other words, the organization tries to re-orientate the insider, but the re-
orientation (in hindsight) turns out to be unsuccessful. Think for instance of the
Belgian soldier Conings, who showed many red flags before he decided to misuse
his access to the army barracks to steal heavy weaponry. The Belgian army was
aware of his affiliations with right-wing extremism since Conings appeared on
the list of the Belgian Coordination Unit for Threat Analysis that identifies
potentially violent extremists (El Bakkali & Arnoudt, 2021). Attempts were made
to restore Conings’ trustworthiness level above the desirable threshold by giving
Conings a disciplinary sanction and by deciding not to renew his security
clearance (Franssen, 2021), but in hindsight, neutralization through dismissal
would have been the better solution.

63 As a reminder, Jonathan Toebbe was arrested by the FBI when he tried to sell sensitive information on US nuclear submarines to Brazil (Barnes et. al., 2022).

7.2.6. Damage Limitation (VI)

In an ideal situation, the conceptual insider threat mitigation framework
would stop here and no insider threat incidents would happen. It is, however, utopian to
think that every insider threat incident will be anticipated and pre-empted
(Mehan, 2016). “It is important to have programs that screen employees for
trustworthiness and monitor their behavior once employed, but no one should
ever assume that these programs will be perfectly effective” (Bunn & Sagan,
2016: 151). If the organization is unable to observe and anticipate the red flags
in time, the situation will eventually escalate and the insider will commit
intentional misconduct. As a result, the current conceptual insider threat
mitigation model also considers the insider threat aftermath, or the remedy of an
insider threat incident. This will be outlined in the remainder of the chapter.
When the trustworthiness of the insider declines to the point where it
becomes grievous because an insider threat incident occurs, the primary concern
of the organization is limiting the damage resulting from the incident to a
minimum (Bunn & Sagan, 2016; Mehan, 2016). The organization should
maximize organizational resilience, enabling the organization to control the harm
resulting from the insider incident by responding as quickly as possible to stop
the intentional misconduct and the corresponding negative consequences.
However, not every insider threat will be noticed. There is a possibility
of oversight of intentional misconduct (i.e. null), meaning that the organization
does not notice that the insider is committing misconduct. Think for instance of
an insider who is able to commit fraud (Oltermann, 2020), or spy (Bunn & Sagan,
2016) for years without getting caught. If the insider incident remains under the
organization’s radar, the mitigation process does not reach the stage ‘damage
limitation’ until the deviation from the specific organizational norm (or
sequence of norm deviations) is noticed by the organization.
7.2.7. Reconstruction (VII)

Once the damage resulting from the insider threat incident has
ceased and the dust settles, it is time for the organization to reconstruct the
incident. In other words, the organization performs a retrospective analysis of the
incident and its (root) causes to learn from it and prevent its recurrence (Bies &
Tripp, 1995; Smallman, 1996). Apart from looking for the person responsible for
the incident and looking into the specific circumstances that allowed the insider
to intentionally commit misconduct (Ho et. al., 2018), reconstruction includes
holding the person accountable to find out the reason behind the intentional
misconduct, and adjudicating the insider’s justification (Steneck, 1994).
Reconstruction is therefore aimed at re-examining the currently unknown
trustworthiness level of the insider responsible for the insider threat incident.
The organization should give the insider the possibility to give the reason
behind the intentional misconduct and defend and justify their decision to deviate
from the specific organizational norm. The organization should debrief the
insider, but should not immediately label the insider guilty. As stated in chapter
two, a distinction can be made between three phases, namely accountability,
culpability and trust repairability, whereby accountability means that the insider
is expected to explain and defend their decision to misuse the insider privilege,
culpability refers to the assessment of the validity of the insider’s justification to
commit intentional misconduct and trust repairability to whether or not the
insider can be forgiven for the incident.
It could thus be that an insider is held accountable for the intentional
misconduct, but is not found culpable because they had a valid reason to commit
misconduct. Think for instance of the example of Els De Weerdt who as a nurse
misused her access to medication to euthanize a terminally ill family member.
She was held accountable for the misuse of her insider privilege by the Belgian
Court of assize, questioning the reasons behind her intentional misconduct, but
eventually was not found culpable of the death of her aunt because the jury
deemed her actions legitimate (Gazet van Antwerpen, 13/02/2006). Likewise,
coerced insiders that are pressured by a third person to execute a certain action
that hurts the organization (BaMaung et. al., 2018; Bunn & Sagan, 2016), should
be held accountable but are not necessarily culpable.
Yet again, the organization may misjudge the situation, resulting in false
positives and false negatives (Martinez-Moyano et. al., 2008). False positives
relate to employees that are judged culpable while they should be exonerated,
either because they are wrongly accused of intentional misconduct, or because
they had a valid reason to deviate from the organizational norm. An example of
such a situation are the accusations made against employees from the UK Post
Office, who, after unexplained irregularities in the accountancy of the
organization that were caused by flaws in the IT system, were wrongly accused
of theft and fraud (BBC News, 16/12/2019). False negatives occur when
employees are wrongly exonerated from intentional misconduct.
7.2.8. Deliberation (VIII)

After reconstructing the incident in a detailed manner, taking into
consideration both evidence in favor and evidence against the offender and
making an adjudication, the organization has to deliberate the fate of the offender
at the organization (Cools, 1994; Steneck, 1994), determining to what extent it
can forgive the offender (Finkel et. al., 2002). Similar to reconstruction,
deliberation is aimed at re-examining the currently unknown trustworthiness
level of the insider, whereby the organization has to determine whether the trust
relationship with the offender can be repaired (Dekker, 2017; Lewicki & Bunker,
1996).
As explained in chapter two of this dissertation when elaborating on trust
repairability, restoring the insider’s trustworthiness level above the desirable
threshold, denoted here as reconciliation, can be done with or without punishment
(Cools, 1994). To put it in a different way, retributive reconciliation emphasizes
payback and retaliation, whereas restorative reconciliation concentrates on
ensuring the engagement of the insider in the improvement of the organization’s
framework of specific organizational norms in order to increase the future
adherence to the specific organizational norms and avoid prospective violations
that inflict harm to the organization.
If, on the other hand, it is assessed that the trust relationship simply has
no chance for survival, terminating the contract of the insider is the only suitable
action the organization can take. An example is the previously mentioned
employee from the healthcare facility that was aware that a colleague had a love
relationship with a patient, but did not report this to the organization (NOS
Nieuws, 13/10/2020). Apparently the organization tried to restore the trust
relationship with the insider that kept silent, but eventually decided that the trust
relationship was beyond repair.
The deliberation of the insider’s position at the organization equally
engenders risks of false positives and false negatives (Martinez-Moyano et. al.,
2008). False positives refer to insiders whose contract is terminated while they
could have been reconciled or given a second chance. In contrast, false negatives
concern employees that should have been dismissed but were instead reconciled,
leaving the door open for new insider incidents caused by that particular offender.
An example is the former director of Plus Point Marketing who, via falsified
invoices in which the company’s bank account was replaced with his own bank
account, committed fraud to the value of 170.000 euros. Although his employer
believed that the trust relationship could be repaired and the offender was given
a second chance, he relapsed into old habits and again committed fraud to the value of
200.000 euros (Reyntjens, 2020).
7.2.9. Termination (IX)

When the trust relationship is beyond repair, the organization comes to
the conclusion that it has to terminate the insider’s contract, and might even
decide to enter into litigation (Cools, 1994) and/or refer to regulatory or police
authorities in case of serious intentional misconduct. In the termination stage, it
is pivotal that dismissal occurs in an appropriate way, by applying proper exit
procedures (Beattie & BaMaung, 2015; Information Security Forum, 2015;
Power & Forte, 2006; UK CPNI, 2019; US NITTF, 2016). To give an example,
the organization should immediately revoke the insider’s access to the
organizational assets and recover all organizational property that is still in the
possession of the insider.
Like in all other stages of the conceptual model, the organization can also
mismanage the situation in the termination stage, more specifically when the exit
procedures are not followed. Omission of the exit procedures (i.e. null) thus
means that the organization is still vulnerable to insider threats, given that the
dismissed insider still has the opportunity to misuse their insider privilege. To
illustrate, reference can be made to the previously mentioned case of David
Burke, the man who was responsible for the crash of the Pacific Southwest
Airlines Flight 1771. Although Burke was dismissed from the airline company,
he was still able to retain both his identification badge and uniform. As a result,
Burke misused this privileged access to bypass security screening, smuggle a gun
on board, kill his former manager and finally crash the plane (Greco, 2017; Loffi
and Wallace, 2014).

7.2.10. Summary of the conceptual model

If the organization properly follows the exit procedures, the insider threat
mitigation process (usually) returns to the recruitment stage as, at least in the
majority of the situations, a new insider has to be recruited to fill the open spot.
This means that the whole insider threat mitigation process restarts from the
beginning (i.e. the recruitment stage), and that the conceptual model outlined in
this chapter concerns a cyclical process. To summarize, table 7.4 provides a
schematic overview of the conceptual insider threat mitigation model,
synthesizing the information that was provided in this chapter.
| Stage of the framework | Strategy | Trustworthiness | Required action | Possible outcomes |
| --- | --- | --- | --- | --- |
| I. Recruitment | Prevention | Satisfactory 64 | Rejection OR Confirmation; IF Confirmation THEN Organizational socialization | False positive: Unjustified rejection of employment |
| | | | | True positive: Justified rejection of employment |
| | | | | False negative: Unjustified recruitment |
| | | | | True negative: Justified recruitment |
| | | | | Null: Omission of trustworthiness evaluation |
| II. Organizational socialization | Prevention | Satisfactory | Organizational socialization VIA Norm enforcement and norm acceptance BUT Also vigilance VIA Observation | Action: Initiative to assimilate the insider to the organizational culture |
| | | | | Null: No initiative to assimilate insider to the organizational culture |
| III. Observation | Detection | Inferior | Misinformation OR Investigation | False positive: Unjustified judgement of red flag as worth investigating |
| | | | | True positive: Justified judgement of red flag as worth investigating |
| | | | | False negative: Unjustified judgement of red flag as misinformation |
| | | | | True negative: Justified judgement of red flag as misinformation |
| | | | | Null: Oversight of red flag |
| IV. Investigation | Detection | Alarming | Misinterpretation OR Anticipation | False positive: Unjustified conclusion of red flag investigation as worrisome |
| | | | | True positive: Justified conclusion of red flag investigation as worrisome |
| | | | | False negative: Unjustified conclusion of red flag investigation as misinterpretation |
| | | | | True negative: Justified conclusion of red flag investigation as misinterpretation |
| | | | | Null: / |
| V. Anticipation | Pre-emption | Critical | Re-orientation OR Termination of contract; IF Mismanagement by organization THEN Insider Threat Incident | False positive: Unjustified neutralization via termination of contract |
| | | | | True positive: Justified neutralization via termination of contract |
| | | | | False negative: Unjustified re-orientation |
| | | | | True negative: Justified re-orientation |
| | | | | Null: / |
| VI. Damage Limitation | Remedy | Grievous | Damage limitation THEN Reconstruction VIA Contextualization of the incident, Debriefing with the offender, Introspection | Action: Initiative to limit damage resulting from insider threat incident |
| | | | | Null: Oversight of insider threat incident |
| VII. Reconstruction | Remedy | Unknown | Exoneration OR Deliberation | False positive: Unjustified deliberation |
| | | | | True positive: Justified deliberation |
| | | | | False negative: Unjustified exoneration of accountability or culpability |
| | | | | True negative: Justified exoneration of accountability or culpability |
| | | | | Null: / |
| VIII. Deliberation | Remedy | Unknown | Reconciliation OR Termination of contract | False positive: Unjustified termination of contract |
| | | | | True positive: Justified termination of contract |
| | | | | False negative: Unjustified reconciliation |
| | | | | True negative: Justified reconciliation |
| | | | | Null: / |
| IX. Termination | Remedy | Beyond repair | Termination of contract AND Possibly litigation THEN (usually) return to recruitment stage | Action: Implementation of exit procedures |
| | | | | Null: No implementation of exit procedures |

Table 7.4: Synthesis of the conceptual insider threat mitigation model

64 The satisfactory level can in its turn be divided further into several levels ranging from good to excellent.

7.3. Limitations
The main shortcoming of the conceptual model is that its focus is (too
much) on ‘bad apples’, largely disregarding the question whether or not the barrel
is corrupted (Searle et. al., 2017). By referring to deliberation and termination as
stages in the conceptual model, the framework mainly concentrates on the
prevention of the recurrence of insider incidents caused by one and the same
insider (i.e. the bad apple), not on preventing the recurrence of similar situations
caused by other insiders (i.e. corrupting barrels). Otherwise put, the current
model ignores the role of organizational factors in insider misconduct (BaMaung
et al., 2018; Greitzer et. al., 2016).
Although this shortcoming is acknowledged, it is argued that the typology
can easily be made suitable to include organizational factors by replacing the
deliberation and termination phase with an introspection phase. To prevent
repetition of similar insider incidents by different insider offenders, the
reconstruction of the insider incident should include introspection, whereby the
organization looks at its own role in the insider threat incident. While deliberation
and termination concentrate on the individual factors that contribute to insider
misconduct, introspection will allow organizations to identify organizational
factors that might facilitate insiders in committing insider incidents (Greitzer et. al.,
2016). In chapter three, it was for instance argued that a high sanction probability
corresponds with a more inhibiting situation to commit intentional misconduct,
while a low sanction probability is a more facilitating situation to wittingly
deviate from specific organizational norms. As a result, reconstruction might
reveal that the sanction probability within the organization is too low, indicating
that employees almost certainly get away with their deviant behavior without any
sanction. Consequently, introspection could lead to an increase in the sanction
probability to create a more inhibiting situation for insider misconduct.

7.4. Conclusion
It can be concluded from this chapter that a first attempt was made to
construct an intuitively straightforward framework for insider threat mitigation. I
do acknowledge that valuable insider threat mitigation models exist, like for
instance the Critical Pathway (Shaw & Sellers, 2015), the framework developed
by Nurse et. al. (2014) or the insider threat maturity model developed by the US
NITTF (2018). Although I do not deny the value of these models, I did not
perceive them as suitable for my dissertation. Since insider threat is a relatively
new topic and most organizations do not have much experience with insider
threat mitigation, at least in comparison with external threat mitigation, I was
looking for an intuitively easy-to-understand model that provided organizations
a roadmap of insider threat mitigation. It was perceived that the models
mentioned above did not meet this requirement. The purpose of this conceptual
model was not only to develop a framework that would form one of the building
blocks to answer the second main research question of my dissertation (see
chapter one), but also to provide organizations with a step-by-step guide that
helps them think about insider threat mitigation in their organization, whereby
the different stages of the step-by-step model correspond with different moments
an organization can take decisions that might influence the risk that an insider
threat incident occurs. The added value of the conceptual model therefore lies in
the guidance it gives to organizations that start thinking about insider threat
mitigation policy, with each step of the framework considered a point of
departure for further thinking about insider threat mitigation. I mentioned in the
introduction of the chapter that I acknowledge that the conceptual model as such
is not enough, and that more theoretical and empirical research is needed to
further calibrate the model. I already took the first step with two empirical studies
that are outlined in chapters eight and nine of this dissertation.

Chapter 8

A Delphi study on insider threat mitigation

8.1. Introduction
The conceptual model suggested in the previous chapter addressed at each
step of the model what organizations should do (and what happens if they do it
wrong or refrain from doing it), but fell short on elaborating on how organizations
should do this. To give an example: at the recruitment stage, it is recommended
to do PES, without specifying how PES is done. This chapter65 will therefore take
the first step toward transforming the conceptual model into an insider threat
mitigation framework with more practical usability, concretizing the rather
abstract conceptual model with more detailed policy recommendations. The main
goal of the chapter is to discover (1) potential ‘red flags’ of insider threat
incidents (i.e. factors that may point to insider threat), (2) good practices on
insider threat mitigation throughout the employee life cycle (before, during and
after employment), (3) actors responsible for insider threat mitigation and (4)
difficulties related to insider threat mitigation.
To achieve this goal, the study employs the Delphi technique, “a widely
used method of gathering group consensus from a panel of knowledgeable
persons” (Stone Fish & Busby, 2005: 238) that is often used in the context of
doctoral projects (Landeta, 2006; Skulmoski, Hartman & Krahn, 2007). The
three-round Delphi study iteratively compares the opinions of prominent insider
threat experts on the different steps of the conceptual model outlined in chapter
seven. In concrete terms, a multidisciplinary panel of 25 experts in a field related
to insider threats, like corporate security, counterintelligence, nuclear security,
insider threat training, and so on, is asked to complete three rounds of online
questionnaires. The questionnaire of round one concerns open-ended, level-setting
questions, whereby the different panelists individually brainstorm for
important issues regarding the mitigation of insider threats. The questionnaire of
round two outlines all relevant issues identified by the panel in round one and
asks each expert to individually rate each issue. The questionnaire of round three,
to conclude, provides the panelists with a list of issues that received a high rating
from the panel and asks each member of the panel to indicate whether they agree
or disagree with the panel’s decision to give that particular issue a high rating.

65 It should be mentioned that most of this chapter was published as a co-authored research report with Prof. dr Tom Sauer.

In what follows, the chapter starts with a thorough description of the
research design, elaborating on the different steps of the Delphi process.
Subsequently, the center of attention will shift to the results of the study. The
study will eventually be completed with a discussion of the limitations and a
conclusion section.
8.2. Research design
Since the conceptual model alone is too abstract for organizations to make
use of it in practice, I considered it necessary to supplement the theoretical
framework with empirical research to concretize the different steps of the
conceptual model. The main goal of this study is therefore to dig deeper into the
conceptual insider threat mitigation model to refine the abstract terms and make
it more user-friendly for organizations. To reach this goal, I used the Delphi
technique, “a widely used method of gathering group consensus from a panel of
knowledgeable persons” (Stone Fish & Busby, 2005: 238).

8.2.1. The Delphi technique

According to Hasson and Keeney (2011: 1696), “Delphi is a method for
the systematic collection and aggregation of informed judgement from a group
of experts on specific questions and issues”. The absence of standardized
methodological guidelines means that a range of different interpretations and
approaches of the Delphi technique exists (Hasson, Keeney & McKenna, 2000;
Hasson & Keeney, 2011; Keeney, Hasson & McKenna, 2006; Skulmoski et. al.,
2007). Nevertheless, generally four conditions have to be met when applying the
Delphi technique (Foth et. al., 2016; Gossler, Sigala, Wakolbinger & Buber,
2019; Kozak & Iefremova, 2014; Landeta, 2006; Skulmoski et. al., 2007; Rowe
& Wright, 2001; von der Gracht, 2012):
A first characteristic is anonymity. Since true anonymity is impossible
because the research team has to be aware of the identity of the panel members
to allow targeted reminders (Keeney et. al., 2006), reference is often made to
quasi-anonymity (Chuenjitwongsa, 2017; Hasson et. al., 2000). Delphi studies
use quasi-anonymity to reduce the negative effects related to other methods of
group communication (e.g. focus groups), like for instance groupthink or
dominant panel members (Dalkey & Helmer, 1963; Hsu & Sandford, 2007;
Turoff, 2002). Quasi-anonymity can either refer to anonymity of the panel or only
to anonymity of the responses of the panel. In case of the former, participating
experts are unaware of the identity of the fellow members of the panel as well as
of the individual answers of each expert. Concerning the latter, members of the
panel are not informed on the identity behind each particular opinion addressed
in the context of the study, but are aware of the composition of the panel.
A second characteristic is iteration, which means that the study has to
consist of at least two rounds to give the members of the panel the opportunity to
rethink their answer to the previous round(s).

A third characteristic is controlled feedback, whereby the researchers
inform the panel of experts on the results of the previous round. Since “there are
still no agreed guidelines about how to provide feedback in a Delphi study”
(Barrios, Guilera, Nuño, Gómez-Benito, 2021: 2), it is usually up to the
researchers to decide the type of feedback (von der Gracht, 2012). The controlled
feedback should however stick with essential information necessary to complete
the next round of the study, eliminating irrelevant information or ‘noise’ (Hsu &
Sandford, 2007).
A fourth and last characteristic is statistical aggregation, which implies
that a number of statistics are used to determine the degree of consensus among
the expert panel. To determine the opinion of the group, often reference is made
to statistical indicators of central tendency and dispersion (Hsu & Sandford,
2007; von der Gracht, 2012) which are presented in a numerical or graphical way
(Hasson et. al., 2000; Schmidt, 1997).
To conclude, it is worth noting that “while all Delphi studies share these
common characteristics, the flexibility of the Delphi method has led to a high
diversity of methodological variants” (Gossler et. al., 2019). Later in this report
I will thoroughly explain the ‘methodological variant’ of the Delphi technique
that was applied here, but I will start by explaining why I wanted to use the Delphi
technique in the first place.
8.2.2. Why the Delphi technique?

The Delphi technique fits the research purpose for several reasons. From
a practical point of view, the technique makes it possible to include insights from a
geographically dispersed panel of experts (Okoli & Pawlowski, 2004; Rowe &
Wright, 2001; Stone Fish & Busby, 2005) without the need to gather them in an
(online) event. Bringing together experts from around the globe in online
meetings would be challenging given the busy schedules of the experts and the
different time zones, while gathering them in multiple face-to-face events would
require a lot of funding and would be complicated during the COVID-19
pandemic. Instead, the Delphi technique gives the panel members considerable
freedom to complete each online questionnaire at their own pace, making it a
more time- and cost-efficient method for all stakeholders of the research project.
The choice for the Delphi technique was, however, not solely based on
reasons of practicality, as the decision to use the Delphi technique also has
substantive underpinnings. The tendency to avoid public announcements in order
to safeguard the organization’s reputation (Sarkar, 2010; Mehan, 2016) implies
a rather high dark or hidden number of insider threats, which in its turn causes
empirical data to be scarce. Insider threat incidents are therefore statistically rare
phenomena (Catrantzos, 2009; Pfleeger, 2008), making a purely quantitative
approach difficult. In contrast to hindsight investigations of insider threats66 that
“work their way back in history to find out what happened” (van de Linde & van
der Duin, 2011: 1558), it was decided to take a different road by looking forward
to potential indicators of insider threat, mitigation measures or obstacles of
insider threat mitigation (ibid). The quest for such an alternative approach led me
to the Delphi method because the use of expert judgement is an appropriate
alternative when statistical models are problematic due to insufficient empirical
data (Barrios et. al. 2021; Catrantzos, 2009; Rowe & Wright 2001). Moreover,
the use of the Delphi technique is considered to be appropriate in a risk analysis
context (von der Gracht, 2012) and has already been used by other researchers to
explore insider threat mitigation, with Catrantzos (2009) employing it in the
context of critical infrastructure protection, Dupuis and Khadeer (2016) using it
to compare the psychological profile of malicious and non-malicious insiders and
Padayachee (2016) using it to explore opportunity-reducing measures to mitigate
insider threats related to information security.

[66] See for instance Randazzo et. al. (2005) and Bunn & Sagan (2016)

I want to use the technique to refine the theoretical framework with broad-based
practical guidelines on insider threat mitigation. The Delphi technique
makes it possible to explore the insider threat topic (Gossler et. al., 2019; Padayachee, 2016)
by compiling insights from experts that look at the insider threat problem from a
range of perspectives (Van Dolderen, Stoffers, Kleefstra 2017). Consulting a
multidisciplinary team of experts in a range of insider threat fields makes it possible to first
identify a variety of potential early warning signals (i.e. red flags) of insider threat
(van de Linde & van der Duin, 2011) and to subsequently find agreement among
this multidisciplinary panel on which of the potential red flags are insider threat
indicators organizations should be vigilant of (Mukherjee et. al., 2015). The same
principle applies to the identification of ‘good practices’ on insider threat
mitigation, as the Delphi technique makes it possible to identify a variety of potential insider
threat mitigation measures (Catrantzos, 2009; Mukherjee et. al., 2015), followed
by a triage of these suggested mitigation measures according to desirability for
insider threat policy (Baker, Lovell & Harris, 2006; Gossler et. al., 2019;
Padayachee, 2016). In brief, the use of expert judgements makes it possible to pool insights
from a broad spectrum of insider threat researchers and practitioners (Hsu &
Sandford, 2007; Mukherjee et. al., 2015; Skulmoski et. al., 2007), making the
technique valuable to discover the state-of-the-art insider threat mitigation
information.
8.2.3. Research sample

In view of the foregoing, the prominent role of the expert panel in the
Delphi technique implies that the credibility of the research outcome largely
depends on the research sample, i.e. the composition of the panel of experts
(Baker et. al., 2006; Chuenjitwongsa, 2017; Kozak & Iefremova, 2014; Stone
Fish & Busby, 2005). Still, Okoli and Pawlowski (2004: 16) indicate that
choosing appropriate experts is “perhaps the most important yet most neglected
aspect of the Delphi method”. Indeed, “literature fails to debate the practicalities
of defining 'experts' for use within Delphi panel research” (Baker et. al., 2006:
59), which means that firm rules on the composition of the expert panel are
currently absent. Therefore, it is important to explain the reasoning behind the
selection of the panel of experts in greater detail, not only to give readers the
opportunity to judge the quality of the panel (Schmidt, 1997) but also in view of
reproducibility of the study (Diamond et. al., 2014; Santaguida et. al., 2018).

8.3.3.1. Purposive sampling

The absence of standardized guidance on the composition of the expert
panel implies that the research sample could be gathered in a number of ways.
One possibility is to follow the example of Hackett, Masson and Phillips (2006),
who used contacts from their professional network. I refrained from this option
because it is recommended in literature to use official selection criteria to select
the members of the expert panel (Keeney et. al., 2006; Mukherjee et. al., 2015).
I used purposive sampling strategies (Hasson et. al., 2000; Padayachee, 2016;
Santaguida et. al., 2018; Vogel, Zwolinsky, Griffiths, Hobbs, Henderson &
Wilkins, 2019) to compose the research sample, supplemented with opportunity
sampling (Gossler et. al., 2019). Although standardized guidelines regarding the
selection criteria for the criterion-based sampling are currently absent (Gossler
et. al., 2019; Keeney et. al., 2006; Steurer, 2011; Stevenson, 2010), Skulmoski
et. al. (2007) and Giannarou and Zervas (2014) recommend selecting panelists on
the basis of four attributes:
The first attribute is capability, determined by an individual’s knowledge
(Mukherjee et. al., 2015; Rowe & Wright, 2001; Santaguida et. al., 2018; Stone
Fish & Busby, 2005) and experience (Catrantzos, 2009; Gossler et. al., 2019; Hsu
& Sandford, 2007; Kozak & Iefremova, 2014; Mukherjee et. al., 2015). Here, the
panel of experts consisted of individuals with at least five years of experience in
a field related to insider threat or with at least five years of experience in research
related to insider threats. It is, however, worth noting that two of the participating
experts did not fulfill the selection criteria: they had been recommended by
experts that were initially contacted (and that met the selection criteria) but
that were not able to participate themselves. Given that
recommendation by other participants can also be used to select panel members
(Baker et. al., 2006), I decided to combine criterion-based sampling with
opportunity sampling (Gossler et. al., 2019) and included the recommended
experts in the panel.
The second attribute is willingness, implying that the incentive to
participate in the study primarily originates from professional interest in the topic
(van de Linde & van der Duin, 2011). The individual is intrinsically motivated to
contribute to the study, without getting much in return besides the results of the
study (Landeta, 2006; Kozak & Iefremova, 2014).
The third attribute is time-commitment, as it is “important that those who
have agreed to participate, maintain involvement until the process is completed”
(Hasson et. al., 2000: 1011), limiting the number of drop-outs.
The final attribute is communication skills, which means that the
participants should be skilled in writing (Keeney et. al., 2006) as well as in
English (Vogel et. al. 2019) to be able to explain their opinions to their fellow
panelists.

8.3.3.2. Sample size

Concerning the number of experts to include in the panel, a variety of
recommendations are given in the literature. Skulmoski et. al. (2007) show the
wide variety in panel sizes that was used in previously published Delphi research,
with a lower limit of three participants and an upper limit of 171 participants.
While Gossler et. al. (2019) argue that most Delphi studies are composed of
eleven to 50 panelists, Kozak and Iefremova (2014) limit the range to 15 to 35
experts. Vogel et. al. (2019) rather set the lower limit of the sample size at twelve
respondents, whereas Baker et. al. (2006: 66) indicate that “most reliable samples
for Delphi studies should be small - fewer than 20 participants”. This upper limit
of 20 respondents is echoed by Rowe and Wright (2001) and Hsu and Sandford
(2007), who respectively recommend a lower limit of five and 15 participants.
Giannarou and Zervas (2014) and Van Dolderen et. al. (2017), on the other hand,
argue that the sample size in Delphi studies usually consists of seven to 30
participants, an upper limit that is endorsed by Rayens and Hahn (2000), though
they suggest a lower limit of ten participants. Chuenjitwongsa (2017), to
conclude, increases the lower limit to 30, arguing that “the minimum number of
samples needs to be at least 30 to provide rigour for statistical analysis” (ibid: 1).
Trying to find a golden mean in the diverse set of recommendations, I aimed for
a panel of at least 20 experts because “20 panelists may be adequate for the
development of diagnostic indicators” (Steurer, 2011: 960), one of the main goals
of this study, and because “it is believed that a sample size of 20 tending to retain
the members” (Giannarou & Zervas, 2014: 67).

8.3.3.3. Procedure for selecting the panelists

To identify potential candidates for the panel of experts, inspiration was
drawn from the procedure for selecting experts outlined by Okoli and Pawlowski
(2004), although not following the procedure down to the last detail. Their
procedure consists of five steps. The first step is to make an overview of relevant
disciplines that relate to the main subject of the Delphi study. In the second step,
each discipline mentioned in step one is populated with names of potential
candidates. The third step consists of contacting the list of potential experts to
obtain extra nominations. In the fourth step, all experts are ranked according to
their suitability, which is determined by their qualifications. Step five, to
conclude, consists of inviting the experts to participate in the study.
As prescribed by Okoli and Pawlowski (2004), I started with an
examination of the disciplines related to the insider threat problem (i.e. step one),
leading me to fields like corporate security, national security, nuclear security,
counterterrorism, whistleblowing, private investigation, counterintelligence and
so on. Subsequently, the quest for names started (i.e. step two) to construct a
shortlist of experts, whereby both national (i.e. Belgian) and international experts
were taken into account to enable the composition of a heterogenous,
multidisciplinary panel (Baker et. al., 2006; Catrantzos, 2009; Gossler et. al.,
2019; Mukherjee et. al., 2015; Padayachee, 2016; Rowe & Wright, 2001). The
target audience consisted of both academics and field practitioners (Foth et. al.,
2016; Vogel et. al., 2019). Therefore, inspiration mainly originated from (1)
relevant academic and practitioner literature on insider threats, (2) international
insider threat events like the 2019 ‘Insider Threat Mitigation Symposium’ [67] and
the 2020 ‘Insider Risk Summit’ [68], and (3) a LinkedIn search on the search terms
‘insider threat’ and ‘insider risk’.
Instead of contacting the approximately 100 experts on our initial shortlist
(i.e. step three), I decided to pilot (see infra 8.2.4.1) the shortlist with a group of
practitioners [69] and academics [70] that would not be part of the expert panel to get
feedback on the shortlisted experts (Steurer, 2011). Participants in the pilot study
were asked to go through the shortlist of candidates to indicate which experts
they endorsed or opposed, as well as to suggest any experts not appearing on the
shortlist. On the basis of the pilot feedback, 75 experts were selected (i.e. step
four) and subsequently invited to be part of our panel (i.e. step five), hoping to
get at least 20 positive responses. The invitation included a brief outline (one
page) of the procedure and the estimated timing of the research study. Although
the difference between the number of invitations (75) and the expected number
of experts that would commit themselves to participating in the entire study (20)
might seem extensive, I anticipated the potential for a low response rate (Hsu &
Sandford, 2007; Keeney et. al., 2006), taking into consideration a high rejection
rate as the experts invited are all professionals with busy schedules not
necessarily able to make the commitment to a multiple-round Delphi study
(Keeney et. al., 2006; Okoli & Pawlowski, 2004; Skulmoski et. al., 2007; van de
Linde & van der Duin, 2011).

[67] For more information, see http://insiderthreatmitigation.org/program
[68] For more information, see https://www.code42.com/news-releases/code42-to-host-inaugural-insider-risk-summit-in-september-2020/
[69] The sponsors of our research project.
[70] Colleagues of the research team as well as the members of the doctoral committee. Concerning
the former, dr. Marlies Sas and prof. dr. Kenneth Lasoen were consulted for feedback on
the content of questionnaire one, while prof. dr. Jarl Kampen was consulted for
methodological questions. Concerning the latter, em. prof. dr. Rona Beattie and prof. dr.
Genserik Reniers serve in the doctoral commission and also provided their feedback on the
shortlist.

8.3.3.4. The composition of the expert panel

In the end, 29 experts of the 75 experts that were invited indicated their
willingness to participate in the study, implying a 39% response rate to our initial
call (Schmidt, 1997; Santaguida et. al., 2018). This was well above the initial
goal of 20 participations, implying a buffer for potential drop-outs (Okoli &
Pawlowski, 2004). All 29 experts received the first round of our Delphi study
(see infra 8.2.4.2). As illustrated in table 8.1, 25 experts eventually completed the
online questionnaire of the first round.

| Name | Affiliation |
|---|---|
| Dr. BaMaung David | Honorary Professor at Glasgow Caledonian University |
| Dr. Bongiovanni Ivano | Lecturer at the University of Queensland Business School |
| Dr. Buckley Oli | Associate Professor in Cyber Security - School of Computing Sciences, University of East Anglia |
| Catrantzos Nick | StratCoLab.org |
| Charney L. David, M.D. | Psychiatrist and Medical Director, Roundhouse Square Counseling Center and President, NOIR for USA |
| De Bie Bart | Director of i-Force and Vice-president of the Institute of Fraud Auditors (IFA) |
| De Greef Stefanie | Competence center manager at Robrechts & Thienpont at the time of the study but not anymore at time of publication. |
| Engels J. | Owner of Engels & Partners Detectives |
| Prof. Furnell Steven | Professor at the University of Nottingham, UK |
| Dr. Haelterman Harald | Professor at the Ghent University Faculty of Law and Criminology, Department of Criminology, Criminal Law and Social Law |
| Dr. Homan Zenobia S. | Project Coordinator & Research Fellow at the Centre for Science & Security Studies (CSSS), King’s College London. |
| Moris Marc | Proximus Group Dept Lead Corporate Prevention & Protection. |
| Dr. Noonan Christine | Pacific Northwest National Laboratory |
| Rettig Stefan | European Commission, Security Directorate; Seconded National Expert - Germany |
| Theis Michael C. | CISSP, CCII, SAC (Retired); Chief Engineer, Strategic Engagements; National Insider Threat Center at the CERT Division, Software Engineering Institute (an FFRDC) |
| Tinsley Herbert | Staff researcher at the National Consortium for the Study of Terrorism and Responses to Terrorism (START) at the time of the study; Currently PhD student at the University of Arizona’s School of Government and Public Policy |
| Van Hauwe Stephan | Managing Consultant OpSeC BV |
| Van Limbergen Kris | Crime Control |
| Dr. Vande Walle Gudrun | Forensic auditor - Centre for Integrity - federal Ombudsman and Visiting professor Integrity Management at Ghent University, Faculty of Economics and Business Administration |
| Vanhoey Herwig | Security Manager bpost |
| Verhasselt Frederik | Partner Forensic & Integrity Services at EY Bedrijfsrevisoren BV |
| Anonymous | Anonymous UK Government expert |
| Anonymous | / |
| Anonymous* | / |
| Anonymous** | / |

\* Participated in the first round only
\*\* Participated in the first and second round only

Table 8.1: Members of the panel of experts

As required in a Delphi study, quasi-anonymity was applied (Hasson et.
al., 2000; Chuenjitwongsa, 2017; Keeney et. al., 2006), which implies that
throughout the study participating experts were unaware of the identity of the
other members of the panel. At the end of the study, experts were asked to provide
an informed consent in which they were asked whether they wanted to forego
anonymity (Mukherjee et. al., 2015). Acceptance of this opportunity means that
their participation as expert in the Delphi research is made public in the final
report of the study, whereas refusal of this opportunity means that their
participation in the study remains anonymous [71]. Table 8.1 shows that the majority
of the experts agreed to reveal their participation as member of the panel, which
provides the reader with additional information to interpret the quality of the
research results (Foth et. al., 2016; Schmidt, 1997).
Moreover, table 8.1 shows that the attrition rate, a major challenge in
Delphi studies (Giannarou & Zervas, 2014; Kozak & Iefremova, 2014;
Stevenson, 2010), was minimal with only one expert dropping out after round
one and another one after round two of the study. Follow-up on the respondents
that dropped out (Keeney et. al., 2006) taught me that the reasons for not
continuing their participation were not substantive but practical, with one
referring to sick leave and one referring to busy work schedules. Since only
experts that completed the previous round were allowed to complete the
subsequent round (Vogel et. al., 2019), round two was completed by 24 experts
and round three was completed by 23 experts. This attrition rate implies that for
each Delphi round, the response rate is well above the recommended 70 to 75% [72]
(Chuenjitwongsa, 2017; Hasson et. al., 2000; Santaguida et. al., 2018).

[71] Regardless of the response, no one except me is provided with the individual responses.

Table 8.2 gives an overview of the demographics of the panel
(Padayachee, 2016; Raskin, 1994; Schmidt, 1997; Stevenson, 2010; Vogel et. al.,
2019). It shows that the panel was equally divided between national (Belgian)
and international experts, with the latter predominantly coming from the US and
the UK. The breakdown of the respondents by sex reveals an imbalance with 76%
of male experts. As stated before, the panel consisted of both academics and
practitioners, as well as of a significant number of experts that is double-hatted.
Looking at the different backgrounds of the members of the panel, table 8.2
shows that a multidisciplinary panel was composed of experts from a range of
insider threat fields. A number of experts indicated affiliation with more than one
insider threat domain. Finally, more than 70% of the panel indicated that they
had more than 10 years of experience in their respective insider threat domain(s).
As previously explained, two of the experts that participated in the study had less
than five years of experience (see supra 8.3.3.1).

[72] Round one: 86% (25/29); Round two: 96% (24/25); Round three: 92% (23/25).

| Characteristic | Category | N |
|---|---|---|
| Country of residence | Australia | 1 |
| | Belgium | 12 |
| | Germany | 1 |
| | the Netherlands | 1 |
| | United Kingdom (UK) | 5 |
| | United States of America (USA) | 5 |
| | Total | 25 |
| Sex | Male | 19 |
| | Female | 6 |
| | x | 0 |
| | Total | 25 |
| Origin of Expertise | Academic | 4 |
| | Practitioner | 11 |
| | Both | 10 |
| | Total | 25 |
| Insider threat domain | Academia | 4 |
| | Corporate security | 4 |
| | National Security | 3 |
| | Private investigation | 3 |
| | Security consultancy | 2 |
| | Whistleblowing | 2 |
| | Insider threat training | 2 |
| | Legal | 1 |
| | Counterintelligence | 1 |
| | Counterextremism/terrorism | 1 |
| | Nuclear security training | 1 |
| | Total | 25 |
| Level of experience | Less than 1 year | 1 |
| | 2-3 years | 0 |
| | 3-4 years | 1 |
| | 5-6 years | 3 |
| | 7-8 years | 2 |
| | 9-10 years | 0 |
| | More than 10 years | 18 |
| | Total | 25 |

Table 8.2: Profile of the panel of experts

8.2.4. The Delphi process

The flexibility of the research design of the Delphi technique implies that
there are “no formal, universally agreed guidelines on the use of the Delphi
technique nor does any standardization of methodology exist” (Keeney et. al.
2006: 208). Consequently, it is crucial to discuss in detail the interpretation of the
technique that was used in this study to leave an audit trail (Gossler et. al., 2019;
Skulmoski et. al., 2007).
The interpretation of the Delphi technique used in this chapter is based
upon a thorough examination of existing literature on the technique. One study
particularly inspired the philosophy behind my application of the technique,
namely the study of Padayachee (2016) that can be summarized as follows:
“Round 1 (Brainstorming), Round 2 (Consolidation) and Round 3 (Refinement)”
(ibid: 50). It is, however, important to note that it does not concern an exact copy
of Padayachee (2016)’s research design. The flexibility of the technique allowed
me to incorporate insights from other Delphi studies and adapt the research
design according to my own study objectives (Keeney et. al., 2006).
Table 8.3 gives an overview of the Delphi process used in this chapter,
discussing the different steps of the process in relation to the time frame to
complete the step, the goal of the step and the method used to reach that particular
goal. It shows that the Delphi study consists of three rounds, whereby round one
is preceded by a pilot. This format is in conformity with the number of rounds
suggested in the literature on the Delphi technique (Giannarou & Zervas, 2014;
Gossler et. al., 2019; Hsu & Sandford, 2007; Skulmoski et. al., 2007; Turoff,
2002), as well as with the number of rounds used in previous Delphi studies (e.g.
Catrantzos, 2009; Padayachee, 2016; Stone Fish & Busby 2005; Vogel et. al.
2019).

The number of rounds was defined prior to the start of the study (Kozak
& Iefremova, 2014). For each round, the online survey tool Qualtrics was used
to establish an online questionnaire, making it an e-Delphi study (Gossler et. al.,
2019). After receiving the link to the questionnaire via e-mail, the panelists were
expected to submit their responses within 12 days [73]. To guarantee quasi-anonymity,
a coding system was used (Hasson et. al. 2000) to assign each expert
an expert number (Catrantzos, 2009; Santaguida et. al., 2018) that had to be filled
in to enable access to the questionnaire. Each questionnaire then started with a
short introduction outlining the purpose and estimated time required to complete
it. After that the panelist was redirected to the actual questionnaire of the
particular round of the study. The remainder of this section will discuss each step
of the Delphi process in greater detail, starting with the pilot study.
| Delphi round | Time frame | Goal | Method |
|---|---|---|---|
| Pilot study | February 2021 | Feedback on both the selection of the expert panel as well as on the development of the first questionnaire. | Consult academics and practitioners that are not part of the expert panel |
| Round one | March 2021 | Each expert individually brainstorms for issues (i.e. red flags, good practices, actors and difficulties) | Open-ended questions |
| Round two | June 2021 | Divide the lists of issues collected in round 1 in: 1. high-rated issues; 2. medium-rated issues; 3. low-rated issues. | Rating questions: 1. 5-point Likert-scale (agree-disagree); 2. Number of stars (0-5) |
| Round three | August 2021 | Check to what extent each expert agrees with the panel’s list of high-rated issues | Provide experts with a list of the high-rated issues and ask: 1. to select the issue if they disagree with the panel; 2. to explain their reasoning behind that disagreement |

Table 8.3: The Delphi process

[73] Due to the summer holidays, the deadline for round 3 was extended to 18 days.

8.3.4.1. The pilot study

According to Skulmoski et. al. (2007: 4), “the Delphi pilot is especially
important for inexperienced researchers who may be overly ambitious regarding
the scope of their research or underestimate the time it will take a Delphi research
participant to fully respond to the Delphi survey”. Consequently, during the pilot
study practitioners and academics [74] that would not be part of the expert panel
were consulted to get feedback on the pre-selection of the panel and to pre-test
the online questionnaire of round one. Participants in the pilot study were asked
to go through the shortlist of the research sample to indicate which experts they
endorsed or opposed and to suggest any experts not appearing on the shortlist.
Moreover, they were requested to comment on the questions of the first
questionnaire, both with respect to the content of the questions and to the way they
were formulated, since the wording of the question matters as well (Christie &
Barela, 2005; Hasson & Keeney, 2011). The pilot study allowed me to fine-tune
both the expert panel and the first questionnaire.

[74] See footnotes 69 and 70

8.3.4.2. Round one

Round one corresponds with the brainstorming phase of the study
(Padayachee, 2016). It can be deduced from the literature that the design of the
questionnaire can be either quantitative or qualitative (Chuenjitwongsa, 2017;
Steurer, 2011). A quantitative design is based upon an examination of relevant
literature on the subject of the Delphi study, whereby the panel is asked to rate
existing ideas and opinions generated from this literature (Keeney et. al., 2006;
Santaguida et. al., 2018; van de Linde & van der Duin, 2011; Vogel et. al., 2019).
A qualitative design, on the other hand, allows the panel freedom to generate its
own ideas and opinions (Catrantzos, 2009; Hasson et. al., 2000; Hsu & Sandford,
2007; Okoli & Pawlowski, 2004; Padayachee, 2016). I opted for the qualitative
approach. The first round contained level-setting questions whereby the different
panelists individually brainstormed about the mitigation of insider threats. In
concrete terms, the questionnaire consisted of 16 open-ended questions (see table
8.4) that addressed four kinds of research questions:

1. What are important ‘red flags’ (i.e. factors that may point to insider threat) of insider threat (questions 1 and 6 in table 8.4)?
2. What good practices can organizations implement to mitigate insider threats (questions 2, 4, 5, 7, 9, 11, 13, 14, 15 and 16 in table 8.4)?
3. Who should be responsible for insider threat mitigation (questions 10 and 12 in table 8.4)?
4. What (legal or non-legal) difficulties do organizations encounter in the mitigation of insider threats (questions 3 and 8 in table 8.4)?

| Insider threat mitigation phase | Step theoretical framework | Questions |
|---|---|---|
| a) Prevention | I. Recruitment | 1. What are important 'red flags' (= factors that may point to insider threat) that organizations should check during the recruitment of new insiders? |
| a) Prevention | I. Recruitment | 2. What good practices can organizations implement to detect the above-mentioned red flags during recruitment? |
| a) Prevention | I. Recruitment | 3. What (legal or non-legal) difficulties do organizations encounter in the detection of the above-mentioned red flags during recruitment? |
| a) Prevention | II. Organizational Socialization | 4. What good practices can organizations implement to communicate their expectations regarding appropriate conduct to (new) insiders? |
| a) Prevention | II. Organizational Socialization | 5. What good practices can organizations implement to ensure that insiders not only know what conduct is expected but actually live up to these expectations? |
| b) Detection | III. Observation | 6. What are important 'red flags' (= factors that may point to insider threat) that organizations should be vigilant of during employment? |
| b) Detection | III. Observation | 7. What good practices can organizations implement to detect the above-mentioned red flags during employment? |
| b) Detection | III. Observation | 8. What (legal or non-legal) difficulties do organizations encounter in the detection of the above-mentioned red flags during employment? |
| b) Detection | IV. Investigation | 9. What good practices can organizations implement to investigate the validity of red flags (= factors that may point to insider threat) to avoid making false accusations? |
| b) Detection | IV. Investigation | 10. Which organizational department (HR, Security, ...) should lead this investigation, and why? |
| c) Pre-emption | V. Anticipation | 11. What good practices can organizations implement to counteract an imminent insider threat (= act to prevent it from happening)? |
| c) Pre-emption | V. Anticipation | 12. Which organizational department (HR, Security, ...) should lead this counteraction, and why? |
| d) Remedy | VI. Damage limitation & VII. Reconstruction | 13. If an insider threat incident happens, what good practices can organizations implement to limit the damage resulting from the incident? |
| d) Remedy | VIII. Deliberation | 14. What good practices can organizations implement to respond to insiders that are responsible for an insider threat incident? |
| d) Remedy | IX. Termination | 15. What good practices can organizations implement to dismiss insiders? |
| d) Remedy | X. Mismanagement | 16. What good practices can organizations implement to respond to insiders that are wrongly accused of being responsible for an incident (= false positives)? |

Table 8.4: Questions round one

Table 8.4 shows that the questions of the first questionnaire relate to the
different steps of the conceptual insider threat mitigation model (I-X) outlined in
chapter seven. For each step of the framework [75], at least one type of question (i.e.
red flags, good practices, responsible actor and/or difficulties) was put to the
panel. I decided not to inform the panel about the conceptual model as this would
lead us too far. Instead, table 8.4 shows that the different steps of the theoretical
model were grouped in the four insider threat mitigation strategies of the
conceptual model (a-d) discussed in the previous chapter, namely prevention,
detection, pre-emption and remedy.

8.3.4.3. Round two

Round two corresponds with the consolidation phase of the study
(Padayachee, 2016). The panel gets the opportunity to evaluate the answers of
other experts to reconsider their own responses in light of the information the
other panelists provided. The questionnaire of round two is therefore made up of
the analysis of the responses to the questions asked in round one, whereby the
information was used to construct a structured, quantitative questionnaire
(Chuenjitwongsa, 2017). In round two, the questionnaire design was slightly
modified in comparison to the questionnaire of round one. First of all, the
questions concerning organizational socialization (see supra table 8.4 questions
four and five) were combined into one single question [76]. Moreover, the questions
regarding the actors responsible for insider threat mitigation (see supra table 8.4
questions eight and ten) were equally grouped into one single question surveying
the panel on the necessity of a formal insider threat mitigation team. Finally, the
wording of some of the questions was slightly changed for reasons of clarity [77].

[75] Damage Limitation (step VI) and Reconstruction (step VII) were grouped in one question,
while also the possibility of mismanagement (see chapter seven) was addressed by asking
a question about false positives.
[76] The question was: “Please rate the following practices to make employees aware of and willing
to live up to the organization's expectations regarding appropriate conduct”.

The responses to the questions asked in round one were consolidated per question
in an overall list of issues (Padayachee, 2016; Stone Fish & Busby,
2005). Similar to Gossler et. al. (2019: 443), who indicate that they used NVivo
“to organize, store and retrieve the data [while] the actual analysis was carried
out manually by the research team”, I used Qualtrics for data repository purposes
but manually analyzed the data using paper and pencil, Word and Excel. While
some authors, like for instance Hasson et. al. (2000), Okoli and Pawlowski (2004)
and Gossler et. al. (2019), suggest grouping the issues of round one into broader
categories, Stone Fish and Busby (2005: 250) argue that “if responses are
grouped together into categories that are too broad, significance can be sacrificed
for consensus”. Also Keeney et. al. (2006) take part in the debate, indicating that
returning the large list of items in a raw, non-categorized form could frighten the
panelists and encourage them to drop out while simultaneously arguing that
grouping responses can produce a halo effect “where the responses are about the
general category, rather than about the individual issues raised by participants”
(ibid: 207). I decided not to group the issues in categories. The information
provided in round one was presented as authentically as possible, retaining the
language of the panelists as much as possible (Keeney et. al., 2006; Stone Fish &
Busby, 2005) while still trying to keep the issues to the point and unambiguous
(Stevenson, 2010).
After cataloguing a list of issues for each question presented to the panel
in round two, the different lists of issues were fed back to the panel to give each
individual panelist the opportunity to validate and reject ideas generated in round

77
For instance ‘dismiss’ was replaced with ‘terminate the contract of’, or it was specified between
brackets whether the incident had already happened or not.

one. In more concrete terms, the panel was asked to judge the value of each issue
on the list for that particular question, whereby the rating could take place in two
different ways. As illustrated in figure 8.1, questions related to possible red flags
or to difficulties concerning insider threat mitigation were rated on a five-point
Likert scale with one indicating strong disagreement with the issue and five
indicating strong agreement with the issue (Giannarou & Zervas, 2014;
Mukherjee et. al., 2015). Questions related to good practices, on the other hand,
had to be rated by rewarding the proposed practice with a number of stars ranging
from one to five, with one indicating strong opposition to the proposed practice
and five indicating strong endorsement of the proposed practice, as illustrated in
figure 8.2. To verify whether all ideas generated in round one were included in
the list of issues (Hasson & Keeney, 2011; Schmidt, 1997), panelists were
explicitly asked at the end of each question to add any crucial information they
provided in round one that was missing in round two.

Figure 8.1: Questionnaire design round two - example Likert-scale questions

Figure 8.2: Questionnaire design round two - example star-rating questions

While the main goal of the first round of the study was to discover as
many issues as possible (Schmidt, 1997), the goal of the second round was to
measure the degree of consensus between the panelists, looking at consensus on
an item level (Christie & Barela, 2005; Polit, Beck & Owen, 2007). von der
Gracht (2012: 1528) indicates that “consensus is one of the most contentious
components of the Delphi method, and its measurement greatly varies”, which
implies that “standards for consensus in Delphi research have never been
rigorously established” (ibid: 1528) and that “this part of the methodology is also
often poorly explained by researchers” (ibid: 1528). To avoid this mistake, it is
necessary to first explain in detail my understanding of consensus. Given that
the literature recommends using simple statistical summaries (Hasson et. al., 2000;
Keeney et. al., 2006; Polit et. al., 2007), more advanced statistical measures [78] for
consensus were not considered suitable for this study. Instead, Hackett et. al.’s
(2006) consensus definition was used, interpreting consensus on the basis of three
of the most basic statistical measures, namely percentage of agreement, median
(MDN) and interquartile range (IQR), thereby meeting Giannarou and Zervas’
(2014: 77) recommendation to use “more than one statistical measures in order
to assess the consensus”.
The most common definition for consensus in Delphi studies is
percentage of agreement (Diamond et. al., 2014; Mukherjee et al., 2015), a
measure associated with “ease of computation, understandability and ease of
communication” (Polit et. al., 2007: 462). Given that consensus implies a 100%

78
Think for instance of Chi square (Jakobsson & Westergren, 2005), Cronbach’s alpha (Meijering
et. al., 2013; Steurer, 2011), (multi-rater) Kappa coefficient (Barrios et. al., 2021; Meijering
et. al., 2013; Polit et. al., 2007; Wynd, Schmidt & Schaefer, 2003), Cohen’s K-coefficient
(Jakobsson & Westergren, 2005), Kendall W (Meijering et. al., 2013; Okoli & Pawlowski,
2004; Skulmoski et. al., 2007; Schmidt, 1997), Kendall T (Schmidt, 1997), McNemar test
(Okoli & Pawlowski, 2004) or Spearman’s rank order correlation (Jakobsson &
Westergren, 2005; Lange et. al., 2020).

agreement among the members of the panel, whereby all experts rate the same
issue in exactly the same way, consensus in the theoretical sense of the word is
rarely reached in practice (Keeney et. al., 2006; Meijering, Kampen & Tobi,
2013). As a result, Delphi studies, including this one, tend to apply a more
practical interpretation of the concept by relating it to the less strict concept of
‘agreement’ (Meijering et. al. 2013). Indeed, Polit et. al. (2007: 460) indicate that
“when there are more than five experts, there can be a modest amount of
disagreement”. Moreover, von der Gracht (2012: 1529-1530) stipulates that “the
determination of consensus by a certain level of agreement is particularly
meaningful if nominal scales or Likert scales are used for the degree of
agreement”, as is the case in this study.
In line with other Delphi studies (e.g. Hackett et. al., 2006; Lange et. al.
2020), the five-point Likert scale was transformed into a three-point scale for
analysis purposes. Panelists that ‘agreed’ or ‘totally agreed’ with the issue were
compiled in an overarching ‘agreement’ category, while panelists that
‘disagreed’ or ‘totally disagreed’ with the issue were compiled in an overarching
‘disagreement’ category (Vogel et. al., 2019). The same principle applied to the
star-rating, where the panelists that rated the practice ‘four stars’ or ‘five stars’
were compiled in an overarching ‘good practice’ category, while panelists that
rated the practice ‘one star’ or ‘two stars’ were compiled in the overarching ‘bad
practice’ category. Panelists that ‘neither disagreed nor agreed’ with the issue or
that rated the practice ‘three stars’ were considered in the ‘neutral’ category.
It was argued before that “when there are more than five experts, there
can be a modest amount of disagreement” (Polit et. al., 2007: 460). Still, the
question remains how large the ‘modest amount of disagreement’ may at most be
to speak of consensus. Put in another way, “what percentage agreement would a
researcher accept as synonymous with consensus” (Keeney et. al., 2006: 210)?

Like many other guidelines on the Delphi procedure, guidelines on the threshold
percentage of agreement that proxies consensus differ from study to study.
According to Hasson et. al. (2000), Chuenjitwongsa (2017) and Keeney et. al.
(2006), the threshold value can range from 51% to 80%, whereby the latter
indicate that the decision should depend on the importance of the research
subject [79]. Okoli and Pawlowski (2004) and Christie and Barela (2005) use the
lowest percentage of agreement, applying ‘more than 50%’ as cut-off point.
Likewise, Giannarou and Zervas (2014) and Padayachee (2016) lean toward the
lower limit of the range with a threshold value of 51% and 55% respectively.
Rayens and Hahn (2000) sit in between with a threshold value of ‘more than
60%’, while Raskin (1994) and Vogel et. al. (2019) move toward the upper limit
of the range with 70% and ‘more than 70%’ respectively. Polit et. al.’s (2007)
recommended percentage of agreement is even higher, indicating that “any I-CVI [80]
greater than .78 would fall into the range considered excellent, regardless
of the number of experts” (ibid: 466).
In this study, a percentage of agreement of 75% is used to
determine consensus (see infra table 8.5). While Keeney et. al. (2006) intuitively
suggested 75% to be the minimal cut-off point, Barrios et. al. (2021) gave a
scientific rationale to use it as a threshold value. Aiming to “examine the
influence of controlled feedback on opinion change between two Delphi rounds
and how it may favor or hinder the reaching of consensus among participants”
(ibid: 2), they found that the “recommended threshold based on [their] results

79
Keeney et. al. (2006: 210) for instance indicate that “if it were a life and death issue such as
whether or not to switch off a respirator in an intensive care unit, a 100% consensus level
may be desirable. Alternatively, if the topic was related to the selection of a new nurses’
uniform, a consensus of 51% may be acceptable”.
80
Polit et. al. (2007) refer to percentage of agreement as the content validity index (CVI), and to
the percentage of agreement for each individual issue as the item-level content validity
index (I-CVI).

would be 75% agreement” (ibid: 8). Polit et. al. (2007) too argue that a percentage
of agreement of 75% is suitable for an expert panel of at least 16 people (as is the
case here), as it reduces the risk of chance agreement. Additionally, according to
Diamond et. al. (2014), Mukherjee et al. (2015), Foth et. al. (2016) and Lange et.
al. (2020), the most common threshold percentage used in Delphi studies is 75%.
For the sake of clarity, it should be mentioned that a distinction should be
made between agreement with the issue and agreement with each other when
discussing percentage of agreement (Keeney et. al., 2006). In other words,
agreement with each other “can be either agreement or disagreement with a
statement” (von der Gracht, 2012: 1530). The emphasis in this study is on
agreement with each other in the form of agreement with the issues, paying
relatively less attention to agreement with each other in the form of disagreement
with the issues. As a result, the percentage of agreement for each issue presented
in round two “is computed as the number of experts giving a rating of either [four]
or [five] [81], divided by the number of experts—that is, the proportion in agreement
about relevance” (Polit et. al., 2007: 460).
Apart from the percentage of agreement, also measures of central
tendency can be used to determine consensus (Hasson et. al., 2000; Hsu &
Sandford, 2007; Rayens & Hahn, 2000; von der Gracht, 2012). Reference is often
made to summary statistics like the mean and the median (Barrios et. al., 2021;
Keeney et. al., 2006; Kozak & Iefremova, 2014; Rowe & Wright, 2001; Steurer,
2011), and sometimes also the mode (Giannarou & Zervas, 2014; Stevenson,
2010). Some studies (suggest to) solely use the mean (e.g. Gossler et. al., 2019;
Okoli & Pawlowski, 2004; Rayens & Hahn, 2000), whereas other studies
(suggest to) solely use the median (e.g. Landeta, 2006; Raskin, 1994; Stone Fish

81
Polit et. al. (2007) use a 4-point scale, meaning they accumulate the number of experts rating
the issue 3 or 4. Since this study uses a 5-point Likert scale, I accumulate the number of
experts rating the issue 4 or 5.

& Busby, 2005; van de Linde & van der Duin, 2011). In this study, preference is
given to the median (MDN) over the mean because Hsu and Sandford (2007)
indicate that the use of the median is recommended by the literature when using
Likert-type questions. Moreover, von der Gracht (2012) explains the choice for
median rather than mean as follows:
“The fact that the mean is solely valid with interval/ratio data needs to be
accounted for. In many Delphi studies, the mean is calculated without
considering that the scales used are actually ordinal scales. (…). The
general understanding is that Likert data is similar to that of an interval
scale and that the degree of resultant measurement error is not significant.
However, Argyrous stresses that the calculation of the mean for ordinal
data is, strictly speaking, not a correct procedure” (ibid: 1530).
Consequently, it is argued that the median is a better fit than the mean to
measure central tendency in this study. The median represents the value that
separates the upper half of the data from the lower half of the data and can be
found by listing the data in order from smallest to greatest and selecting the
middle number (Stone Fish & Busby, 2005).
Next to the percentage of agreement and the median, also a measure of
dispersion can be used to determine consensus (Hasson et. al., 2000; Hsu &
Sandford, 2007; Rayens & Hahn, 2000; von der Gracht, 2012). With respect to
dispersion, reference is often made to summary statistics like the interquartile
range and the standard deviation (Giannarou & Zervas, 2014; Hasson et. al.,
2000; Hsu & Sandford, 2007; Steurer, 2011; Stevenson, 2010). While some
studies (suggest to) solely use the interquartile range (e.g. Landeta, 2006 [82];
Kozak & Iefremova, 2014; Stone Fish & Busby, 2005), other studies (suggest to)
solely use the standard deviation (e.g. Christie & Barela, 2005; Chuenjitwongsa,

82
Landeta (2006) refers to the relative interquartile range (i.e. the interquartile range divided by
the mean).

2017). Here, preference is given to the interquartile range (IQR) because, similar
to the mean, the standard deviation should not be applied to ordinal data
(Meijering et. al., 2013). According to Schmidt (1997: 771), “standard deviation
does not apply to ordinal level data. There are no fixed intervals between ranks
and no absolute reference point to calibrate ranks between panelists. Providing
such data to the experts, or using it in research reports, is misleading”. In contrast,
the interquartile range “is a frequently used measure in Delphi studies, and it is
generally accepted as an objective and rigorous way of determining consensus”
(von der Gracht, 2012: 1530). Consequently, it is argued that the interquartile
range is a better fit than the standard deviation as dispersion measure. The
computation of the interquartile range goes as follows:
“Interquartile ranges are calculated by taking half the difference between
the “upper quartile,” or the point in the distribution below which 75% of
the cases lie (the 75th percentile), and the “lower quartile,” the point below
which 25% of the cases lie (the 25th percentile). This type of statistic
provides information about the range of scores that lie in the middle 50%
of the cases, and in doing so provides information about the consensus of
response on a particular item” (Stone Fish & Busby, 2005: 247).
In view of the foregoing, each individual issue could be assigned to a
certain category on the basis of the three consensus measures. In contrast to
Hackett et. al. (2006), who differentiate four categories [83], I opted to divide every
list of issues in three categories, namely high-rated, medium-rated and low-rated
issues. Regarding percentage of agreement, 75% agreement was used as cut-off
point for the high-rated issues (Barrios et. al., 2021; Diamond et. al., 2014; Foth
et. al., 2016; Lange et. al., 2020; Mukherjee et al., 2015), while 51% agreement
was used as threshold value for the medium-rated issues (Christie & Barela,

83
These four categories are ‘essential’, ‘desirable’, ‘additional’ and ‘not indicated’ (Hackett et.
al., 2006: 148).

2005; Giannarou & Zervas, 2014; Okoli & Pawlowski, 2004). With respect to
central tendency, a median of at least four was needed to assign the issue to the
high-rated or medium-rated category, with a median below four resulting in a
low-rated categorization (Hackett et. al., 2006). Regarding dispersion, to
conclude, an interquartile range of at most one was used as cut-off point for the
high-rated category, given that “an IQR of 1 or less is usually found to be a
suitable consensus indicator for 4- or 5-unit scales” (von der Gracht, 2012: 1531).
An interquartile range of two was the threshold value for the medium-rated
category, whereas issues with an interquartile range above two were assigned to
the low-rated category (Hackett et. al., 2006).
Table 8.5 summarizes the reasoning behind assigning each issue to a
specific category. Firstly, proposed red flags/difficulties/practices that were rated
‘four’ or higher by at least 75% of the panel, that had a median score of ‘four’ or
higher and that had an interquartile range of at most one were assigned to the
high-rated category. Secondly, proposed red flags/difficulties/practices that were
rated ‘four’ or higher by between 74% and 51% of the panel, that had a median
score of ‘four’ or higher and that had an interquartile range of at most two were
assigned to the medium-rated category. Finally, proposed red
flags/difficulties/practices that were rated ‘four’ or higher by at most 50% of the
panel, that had a median score of less than ‘four’ or that had an interquartile range
of more than two were assigned to the low-rated category.

| Criterion | High-rated | Medium-rated | Low-rated |
|---|---|---|---|
| Percentage of agreement | At least 75% of the panel: • agrees (4) or strongly agrees (5) with the issue; • rates the issue 4 or 5 stars | Between 74% and 51% of the panel: • agrees (4) or strongly agrees (5) with the issue; • rates the issue 4 or 5 stars | 50% or less of the panel: • agrees (4) or strongly agrees (5) with the issue; • rates the issue 4 or 5 stars |
| | AND | AND | OR |
| Central tendency (MDN) | The median is at least 4 | The median is at least 4 | The median is less than 4 |
| | AND | AND | OR |
| Dispersion (IQR) | IQR is at most 1 | IQR is at most 2 | IQR is higher than 2 |

Table 8.5: Criteria to categorize the issues
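
The categorization rules of table 8.5, worked through on constructed ratings as an added example; it is not part of the original study or of its SPSS and Excel analysis, and the function names are hypothetical. It assumes a constructed panel of 24 ratings per item, quartiles computed with the (n+1)p weighted-average rule, the interquartile range taken as Q3 minus Q1, and that an issue which misses the high-rated bar without meeting any low-rated criterion is medium-rated.

```python
"""Added example: categorise Delphi round-two items per table 8.5."""
from statistics import median, quantiles

HIGH, MEDIUM, LOW = "high-rated", "medium-rated", "low-rated"


def collapse(rating):
    """Map a 1-5 Likert or star rating onto the three-point analysis scale."""
    if rating >= 4:
        return "agreement"
    if rating <= 2:
        return "disagreement"
    return "neutral"


def consensus_measures(ratings):
    """Return (percentage of agreement, median, interquartile range)."""
    if len(ratings) < 2 or any(r not in (1, 2, 3, 4, 5) for r in ratings):
        raise ValueError("need at least two integer ratings in the range 1..5")
    agreeing = sum(1 for r in ratings if collapse(r) == "agreement")
    pct = 100.0 * agreeing / len(ratings)
    # Assumption: quartiles follow the (n+1)p weighted-average rule, which is
    # what method="exclusive" computes; the text does not name its rule.
    q1, _, q3 = quantiles(ratings, n=4, method="exclusive")
    # Assumption: the IQR is the full difference Q3 - Q1.
    return pct, median(ratings), q3 - q1


def categorise(ratings):
    """Apply the three consensus criteria of table 8.5 to one item."""
    pct, mdn, iqr = consensus_measures(ratings)
    # High-rated: all three criteria must hold (AND).
    if pct >= 75 and mdn >= 4 and iqr <= 1:
        return HIGH
    # Low-rated: a single criterion is enough (OR).
    if pct <= 50 or mdn < 4 or iqr > 2:
        return LOW
    # Assumption: whatever is neither high-rated nor low-rated is treated as
    # medium-rated, including an item with 75% agreement but an IQR above 1.
    return MEDIUM


def expand(counts):
    """Turn {rating: number of panelists} into a flat list of ratings."""
    return [rating for rating, n in sorted(counts.items()) for _ in range(n)]


# Constructed ratings for a constructed panel of 24; not data from the study.
PANEL = {
    "item A": expand({4: 6, 5: 18}),         # broad, tight agreement
    "item B": expand({3: 9, 4: 10, 5: 5}),   # majority agrees, many neutral
    "item C": expand({2: 8, 3: 6, 4: 10}),   # minority agrees
    "item D": expand({1: 6, 5: 18}),         # 75% agree, but polarised
    "item E": expand({3: 6, 5: 18}),         # 75% agree, IQR between 1 and 2
}


def report(panel):
    """Return {item: (percentage, median, IQR, category)} for every item."""
    rows = {}
    for name, ratings in panel.items():
        pct, mdn, iqr = consensus_measures(ratings)
        rows[name] = (round(pct, 2), mdn, iqr, categorise(ratings))
    return rows


if __name__ == "__main__":
    for name, (pct, mdn, iqr, cat) in report(PANEL).items():
        print(f"{name}: {pct:6.2f}% rated 4 or 5, MDN {mdn}, IQR {iqr} -> {cat}")
```

Item D shows why the percentage of agreement alone is not enough: three quarters of the constructed panel rate it 4 or 5, yet the spread between the quartiles puts it in the low-rated category.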

8.3.4.4. Round three

Round three, to conclude, corresponds with the refinement phase of the
study (Padayachee, 2016). One last time, panelists get the opportunity to
reconsider their own opinion in view of the collective expert opinion. The
questionnaire of round three is based upon the analysis of the results of round
two. In contrast to the analysis of round one, the analysis of the data of round two
was not done manually but via SPSS and Excel. As recommended by Diamond
et. al. (2014), who indicate that “clear criteria for dropping or combining items
should also be specified based on the level of agreement or disagreement with
individual items”, the previously explained categorization was used to reduce the
extensive lists of issues handled in round two to a more manageable size for round
three.

On the basis of the categorization, round three could go two ways. On the
one hand, I could dig deeper into the issues on which consensus was reached in
round two (i.e. high-rated issues), like Okoli and Pawlowski (2004) and
Padayachee (2016). On the other hand, I could explore the issues on which no
consensus was reached in round two (i.e. medium-rated and low-rated issues),
like Rayens and Hahn (2000), Christie and Barela (2005) and van de Linde and
van der Duin (2011). Given that the main emphasis in this study is on consensus
in the form of agreement with the issues (see supra), the examples of Okoli and
Pawlowski (2004) and Padayachee (2016) were followed, thereby solely
concentrating on the issues in the high-rated category and leaving aside the
medium-rated and low-rated categories.
While the main goal of the second round was to measure the degree of
consensus between the panelists in the form of agreement with the issues, the
goal of the third round is to check to what extent each individual expert agreed
with the panel’s list of high-rated issues. Figure 8.3 shows that per question, the
panel is provided with a list of the issues assigned to the high-rated category,
whereby each member of the panel is asked to select the issue if they disagree
with the panel’s decision to assign the issue to the high-rated category and asked
to explain their reasoning behind that disagreement. The questionnaire of round
three also consists of questions regarding the characteristics of the panel (see
supra table 8.2), as well as questions gauging the panelists’ evaluation of the
Delphi technique (Raskin, 1994; Van Doldereren et. al., 2017), both in general
and with respect to the present study.

Figure 8.3: Questionnaire design round three

8.2.5. Methodological rigor

It is often said that “in its design and use Delphi is more of an art than a
science” (Linstone & Turoff, 2002: 3) because “it is impossible to eliminate all
problems associated with Delphi” (ibid, 2002: 7). It is true that, due to the
flexibility of the research design of the Delphi technique and the absence of
standardized guidelines, “identifying and gauging methodological rigour for the
Delphi technique remains elusive” (Hasson & Keeney, 2011: 1695), a criticism
that by the way applies to other consensus methods as well (Foth et. al., 2016).
As a result, a distinction can be made between Delphi purists and Delphi
cynics (Hasson & Keeney, 2011; Keeney et. al., 2006), or believers and non-believers
of the research method. Non-believers will argue that “expert opinion
is considered as the lowest level in the hierarchy of available evidence” (Foth et.
al., 2016: 119) and that “it is the least-confident individuals who change their

estimates the most over rounds, rather than the least expert” (Rowe & Wright,
2001: 140). Believers, on the other hand, will argue that expert judgements are
a “valuable and underrated source of knowledge” (Steurer, 2011: 959) and that
“panel members change their minds and move towards consensus because they
see that someone else has identified a more relevant issue that they had not
thought of” (Keeney et. al., 2006: 210).
Even though I am closer to the believers of the Delphi technique than to
the non-believers, throughout this chapter I repeatedly criticized the lack of
methodological standardization of the technique that has led to a proliferation of
applications of the method, and emphasized the need for universal guidance. Still,
I do not want to go as far as throwing away the baby with the bathwater. The fact
that the technique requires methodological standardization does not alter the fact
that “the scientific community has accepted this [Delphi] technique as another
research technique” (Landeta, 2006: 471). “The Delphi technique is widely
accepted as a research technique today and its value has been scientifically and
practically proven” (von der Gracht, 2012: 1526).
Still, this does not imply that every Delphi study meets the quality
requirements. Researchers tend to underestimate the workload related to the
Delphi technique (Keeney et. al., 2006), which leads to poor applications of the
method (Rowe & Wright, 2001). This criticism is echoed by Turoff (2002: 89)
who indicates that “the Delphi concept seems so simple that many people have
thought it an easy thing to do. Consequently there have probably been more
poorly done Delphis than ones that have been well done.” To maximize the
quality of the Delphi study outlined in this chapter, I tried to meet the four
requirements of trustworthiness of qualitative research (i.e. credibility,
dependability, confirmability and transferability) as much as possible (Gossler
et. al., 2019). According to Hasson and Keeney (2011),

“there are four main strategies to establish trustworthiness credibility,
dependability, confirmability and transferability. Engles and Kennedy
suggested credibility of a Delphi can be enhanced by ongoing iteration
and feedback given to panellists, which can be viewed as member checks
and by undertaking additional research methods. Cornick proposed that
dependability can be achieved, by including a range and representative
sample of experts in a Delphi study. Confirmability can be assessed by
maintaining a detailed description of the Delphi collection and analysis
process, whilst transferability can be established through the use of
verification of the applicability of Delphi findings” (ibid: 1700).
It is argued that this Delphi study to a large extent meets these
trustworthiness criteria. Regarding credibility, the Delphi study consisted of three
iterations whereby the panel was provided with feedback, thereby applying the
suggested member check. Moreover, it will be illustrated in chapter nine that
additional research methods were undertaken in the form of tabletop exercises.
Concerning dependability, a multidisciplinary panel of experts was composed
that covers the insider threat problem from a range of perspectives. Moreover,
the fact that the majority of the experts agreed to reveal their participation in the
panel (see supra table 8.1) provides the reader with additional information to
interpret the dependability of the research results (Foth et. al., 2016; Schmidt,
1997). With respect to confirmability, “a clear decision trail of all key theoretical,
methodological and analytical decisions made in the research from beginning to
end” (Skulmoski et. al., 2007: 11) was provided in the research design section of
this chapter. Moreover, I not only took into account the methodological checklist
outlined by Hasson et al. (2000), but also met the key methodological criteria
outlined by Diamond et. al. (2014), thoroughly explaining the study objective,
selection of participants, consensus definition and the Delphi process of the
study. Regarding transferability, to conclude, it is acknowledged that the results
in the present study “provide a snapshot of expert opinion at a specific moment

in time” (Gossler et. al., 2019: 447), which implies limitations with respect to the
generalizability of the results (Giannarou & Zervas, 2014; Skulmoski et. al.,
2007). To validate the outcomes of the Delphi study, it is recommended to do a
follow-up study (Keeney et. al., 2006), complementing the Delphi technique with
other research methods like literature study (Mukherjee et. al., 2015; Raskin,
1994), focus groups (Gossler et. al., 2019; Hasson & Keeney, 2011; van de Linde
& van der Duin, 2011) or vignette studies exploring insider threat scenarios
(Grime & Wright, 2016; Stevenson, 2010; von der Gracht, 2012). Another
possibility to verify the validity of the research output is to replicate the Delphi
study, either by providing the exact same panel with the same questionnaire at a
different moment in time (for instance a year later) or by composing a new panel
with similar characteristics and comparing the results from those two groups
(Hasson & Keeney, 2011). Also measurement of post-group consensus (von der
Gracht, 2012), whereby the panel is presented with the results of the Delphi study
and asked to what extent they agree with the results, can be used as a verification
mechanism. In this study, validation is not only based upon a comparison of the
results with the insights found in the insider threat literature, but also on
additional follow-up research that will be elaborated on in the next chapter.

8.3. Results
The results of the study are outlined below. In contrast to Hasson et. al.’s
(2000) recommendation to report the results of each round of the study
separately, preference is given to the conceptual model as a guide to report the
results of the study, as illustrated in table 8.6.
| Conceptual model: stage | Content question: issue type | High-rated issues # | High-rated issues % | Medium-rated issues # | Medium-rated issues % | Low-rated issues # | Low-rated issues % | Total # issues |
|---|---|---|---|---|---|---|---|---|
| I. Recruitment | Red flags | 22 | 39,29 | 12 | 21,43 | 22 | 39,29 | 56 |
| I. Recruitment | Good practices | 15 | 36,59 | 12 | 29,27 | 14 | 34,15 | 41 |
| II. Organizational Socialization | Difficulties | 10 | 29,41 | 14 | 41,18 | 10 | 29,41 | 34 |
| II. Organizational Socialization | Good practices | 17 | 34,69 | 19 | 38,78 | 13 | 26,53 | 49 |
| III. Observation | Red flags | 27 | 36,99 | 25 | 34,25 | 21 | 28,77 | 73 |
| III. Observation | Good practices | 20 | 33,90 | 21 | 35,59 | 18 | 30,51 | 59 |
| IV. Investigation | Difficulties | 10 | 32,26 | 13 | 41,94 | 8 | 25,81 | 31 |
| IV. Investigation | Good practices | 11 | 32,35 | 15 | 44,12 | 8 | 23,53 | 34 |
| V. Anticipation | Good practices | 4 | 10,81 | 10 | 27,03 | 23 | 62,16 | 37 |
| VI. Damage Limitation & VII. Reconstruction | Good practices | 21 | 42,86 | 18 | 36,73 | 10 | 20,41 | 49 |
| VIII. Deliberation | Good practices | 8 | 42,11 | 7 | 36,84 | 4 | 21,05 | 19 |
| IX. Termination | Good practices | 16 | 50,00 | 8 | 25,00 | 8 | 25,00 | 32 |
| X. False positives | Good practices | 9 | 56,25 | 6 | 37,50 | 1 | 6,25 | 16 |
| Formal insider threat mitigation team* | | | | | | | | |
| Total | | 190 | 35,85 | 180 | 33,96 | 160 | 30,19 | 530 |

*The panel was asked a dichotomous question (yes/no).

Table 8.6: Categorization of issues per question

Table 8.6 shows that the manual coding of the information provided by
the panel in round one resulted in a total of 530 issues that were presented to the
panel in round two. It simultaneously displays the quantitative analysis of round
two, illustrating that the 530 issues were more or less equally divided between
the high-rated, medium-rated and low-rated categories, with 36% of the issues
rated high, 34% rated medium and 30% rated low.
Noteworthy is that in comparison with the other stages of the framework,
the total number of practices with respect to deliberation (VIII) and false positives
(X) was relatively scarce, with only 19 and 16 suggested practices respectively.
Notwithstanding the limited number of proposed practices, the panel assigned a
high number of these suggested practices to the high-rated category. In general,
the proportion of high-rated issues at the stages of the framework that relate to
the aftermath of an insider threat incident was higher (between 40% and 50%)
than those relating to the stages preceding an insider threat incident (between
30% and 40%). The issues related to good practices to anticipate an imminent
insider threat incident were a negative outlier in this respect with only four out of
37 suggested practices (11%) that received a high rating.
To avoid the “danger of placing too much reliance upon the final results”
(Keeney et. al., 2006: 210), I do not want to solely focus on round three of the
study and insist on presenting the results of round two in their entirety. In this way,
the reader is informed on the panel’s rating of all 530 issues, and not only on the
high-rated ones. Still, an in-depth discussion of every single issue would lead us
too far. Therefore, in the remainder of the chapter each step of the conceptual
model is discussed by on the one hand providing the reader with summary tables
of the categorization of all issues for that particular step, and on the other hand
zooming in on the results of round two that I find noteworthy as well as the high-rated
practices that were subject to discussion in round three of the study [84].
Throughout the results section, quotes of panelists will appear in italics.
8.3.1. Recruitment - Red flags

The first question related to the recruitment stage, asking the panelists to
what extent they agree or disagree to treat the listed issues as a red flag during
the recruitment of new insiders. Tables 8.7, 8.8 and 8.9 respectively show the red
flags that receive a high-, medium- and low rating from the panel.
| High-rated red flags | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| False information on professional history (work/education) | 100,00% | 5 | 0,75 |
| Membership of certain illegal or illegitimate organizations/associations | 100,00% | 5 | 1 |
| False reason for ending previous job(s) | 95,83% | 5 | 1 |
| Current or previous extremist ideology | 95,83% | 5 | 1 |
| Negative advice following security clearance screening by government authorities | 95,83% | 5 | 1 |
| Reluctance to approve background screening | 95,83% | 4 | 1 |
| False criminal record | 91,67% | 5 | 0 |
| Conflict of interest | 91,67% | 4 | 0 |
| Low score on integrity | 91,67% | 4 | 1 |
| Gambling addiction | 87,50% | 5 | 1 |
| Indiscretion | 87,50% | 4 | 0,75 |
| Current or previous interpersonal violence (harm to self or others) | 87,50% | 4 | 0,75 |
| Being dishonest/incomplete about involvement in bankruptcy | 87,50% | 4 | 1 |
| Drug addiction | 87,50% | 4 | 1 |
| Alcohol addiction | 87,50% | 4 | 1 |
| Manipulative nature | 83,33% | 4 | 0 |
| Having been fired from similar jobs before | 79,17% | 4 | 0,75 |
| Negative references (conflict with previous manager/employer, violations of policies in previous workplaces, …) | 79,17% | 4 | 1 |
| Maladaptive behaviors in current or previous affiliations outside workplace (school, church,..) | 79,17% | 4 | 0 |
| Reluctance to provide references | 79,17% | 4 | 1 |
| Candidate supported societal upheaval in the past | 79,17% | 4 | 1 |
| Inadequate/deviating responses to questions during interview | 75,00% | 4 | 0,75 |

Table 8.7: High-rated red flags during recruitment

84
While some of the nuances put forward in round three are discussed in the main text, others are
discussed in a footnote.

Table 8.7 shows that issues appearing in the high-rated category for
instance relate to different kinds of falsifications, like false information on
professional history, false reasons for ending previous job(s) or false criminal
records. Related to falsifications is low integrity, which is also perceived by the
panel as a potential red flag. Likewise, the panel considers addictions to drugs,
alcohol and gambling to be factors that may point to insider threat. The same
applies to current or previous affinity with extremist ideology, membership of
illegal or illegitimate organizations and negative advice concerning the
candidate’s application, the latter either stemming from the candidate’s
references or following a security clearance screening by government authorities.
The provision of inadequate or deviating responses to questions asked during the
job interview falls just above the threshold of the high-rated category and is
therefore also considered to be a potential red flag of insider threat during
recruitment.
In round three of the study, several high-rated issues were put into
perspective. Six panelists indicated that considering dismissal at a similar job a
potential red flag of intentional misconduct largely depends on the reason behind
that dismissal, as dismissal can also be due to other reasons like performance
issues, incompetence or economic reasons. Additionally, six panelists argued that
support for societal upheaval in the past is only considered problematic when it
happened in the recent past and/or when the theme of the activism was related to
the insider’s function. A similar argument is used by three panelists who believe
the context of the interpersonal violence determines whether it has to be regarded
as a red flag, and by one member of the panel who urged evaluating maladaptive
behaviors in current or previous affiliations outside the workplace on a
case-by-case basis, taking into account the context.
The suspicion toward applicants that show an unresponsive attitude
during the recruitment process, either by showing reluctance to approve
background screening or reluctance to provide references, was also nuanced.
Concerning the former, one panelist urged to make “a distinction between
reluctance, especially if the background screening in question is unusually
invasive and inadequately justified, as opposed to outright refusal to participate
in any background screening whatsoever”. Concerning the latter, one panelist
pointed out that the applicant might want to keep their application for a new job
secret from their current employer. Related to the relativization of
unresponsiveness is one panelist’s stance on the relevance of dishonesty or
incompleteness about involvement in bankruptcy, arguing that withholding this
information can originate from shame rather than from bad faith[85].

[85] Two panel members did not see bankruptcy as such as a potential red flag, with one
expert arguing that “Bankruptcy does not have a direct logical connection to individual
insider behaviors, as such” and the other one arguing that bankruptcy can be a sign of
entrepreneurship.

Moreover, three panelists argued that ‘conflict of interest’ and
‘indiscretion’ were too ambiguously worded and needed further clarification,
whereas one expert considered manipulative nature to be “highly subjective,
hence open to inconsistent and highly variable interpretation”. One panelist
echoed this remark as a general concern of detection of red flags, indicating that
apart from the red flags related to falsification, the high-rated potential red flags
“appear to allow for highly subjective interpretation, which could lead to
unreliable determinations. People are fallible creatures, and not all fallible
creatures turn into insider threats by virtue of having made reversible mistakes”.
In relation to this subjective interpretation, one panelist wrote the following
comment in the context of round two of the study that I find noteworthy to share: “the
content of the open position is important (a conviction for driving under influence
may be relevant for a chauffeur but less for an office clerk). All the information
has to be contextualized (some behavior can be accepted for a youngster,
schoolboy/girl, but not for an adult)”. To conclude, two panelists emphasized the
difference in strength of the red flags, whereas one panelist argued that “the
biggest ‘red flag’ is a combination of multiple of these ‘red flags’”.
Medium-rated red flags | % 4 or 5 | Median | Interquartile Range
Unexplained periods of unemployment | 70,83% | 4 | 1
Unclear reason for ending previous job(s) | 70,83% | 4 | 1
Incomplete information on professional history (work/education) | 66,67% | 4 | 1
Inappropriate social media footprint | 66,67% | 4 | 1
Current or previous anger management issues | 66,67% | 4 | 1
No background information available for the candidate | 66,67% | 4 | 1,75
Non-blanco criminal record | 62,50% | 4 | 1
Illogical responses to questions during interview | 62,50% | 4 | 1
Lack of financial stability | 62,50% | 4 | 1
Irrelevant/sensitive questions asked by candidate during interview | 58,33% | 4 | 1
High score on narcissism | 58,33% | 4 | 1
High score on immaturity | 54,17% | 4 | 1
Table 8.8: Medium-rated red flags during recruitment

Low-rated red flags | % 4 or 5 | Median | Interquartile Range
Illogical motivation why candidate wants to work for the organization | 50,00% | 3,5 | 1
High score on arrogance | 50,00% | 3,5 | 1
Social network risks (like family, friends or foreign contacts) | 45,83% | 3 | 1
Inability to receive constructive criticism | 45,83% | 3 | 1
Cold applications (without open/announced vacancy) for critical positions | 37,50% | 3 | 2
Low score on conscientiousness | 33,33% | 3 | 1,75
Abnormal educational path (lot of courses, courses abroad, courses not completed/stopped abruptly, ...) | 29,17% | 3 | 1
High frequency of moves between employers (job-hopping) | 29,17% | 3 | 2
Mental health issues (like depression) | 29,17% | 3 | 2
No clear motivation why candidate wants to work for the organization | 25,00% | 3 | 0,75
Instable relationship status (frequent different partners, divorce, ...) | 25,00% | 3 | 1,5
Previous employment for a competitor | 25,00% | 3 | 1,75
Low score on resilience | 16,67% | 3 | 0,75
Discrepancy between educational and professional career path | 16,67% | 3 | 1
Father-deficiency (abusive or absent father) | 16,67% | 3 | 1
Low score on friendliness | 16,67% | 3 | 1
Low score on humility | 16,67% | 3 | 1
Excessive social media footprint | 12,50% | 3 | 1
Multiple citizenship | 12,50% | 3 | 1
History of intensive travel | 8,33% | 3 | 1
Physical health issues | 8,33% | 2 | 1
No social media footprint | 0,00% | 2 | 1
Table 8.9: Low-rated red flags during recruitment

Whereas falsifications are rated high by the panel, incompleteness of
information, like incomplete information on professional history, unclear reasons
for ending previous job(s) or unexplained periods of unemployment, is rated
medium by the panel, being considered a potential red flag by more than two
thirds of the panel. Providing illogical responses to questions asked during the
job interview, as well as asking irrelevant or sensitive questions during the job
interview, also receive a medium rating from the panel, with respectively 63% and
58% of the panel perceiving it as a potential red flag. Other issues that can be
found in the group that receives a medium rating are for instance the possession
of a non-blanco criminal record[86] or current or previous anger management
issues. Issues appearing in the low-rated category, on the other hand, are for
example previous employment for a competitor, job-hopping and applying for
critical positions without an announced vacancy, with less than 40% of the
panelists considering them factors that may point to insider threat. Also abnormal
education paths or discrepancies between educational and career path are much
less perceived as potential red flags. Furthermore, it is noteworthy that
personality characteristics other than low score on integrity and manipulative
nature are either rated medium by the panel, like narcissism and immaturity, or
rated low, like arrogance and lack of humility, conscientiousness or friendliness.
The applicant’s social media footprint is also discussed by the panel, whereby an
inappropriate footprint is rated relatively higher (medium-rated) than an
excessive or absent footprint (low-rated), with none of the experts considering
absence of a social media footprint a potential indicator of insider threat.

[86] Blanco criminal record means lack of a criminal record, so non-blanco means that the
person has been convicted of a criminal offence in the past.

A bit to my surprise, the panel gave relatively little attention to the
applicant’s motivation to work for the organization, with an illogical motivation
and absence of a clear motivation respectively being perceived as a red flag by
only half and a quarter of the panel. Likewise, apart from addictions, low priority
is given to the applicant’s personal problems, given that issues like lack of
financial stability (medium-rated) and instable relationship status (low-rated) did
not make the high-rated category. The same goes for mental health and physical
health issues, which are perceived to be a potential red flag during recruitment by
less than 30% and less than 10% of the panelists respectively, and other aspects
related to the applicant’s private life like social network risks and multiple
citizenship, which also received a low rating from the panel. Nevertheless, it was
argued before in this dissertation that the insider threat literature considers
personal problems a possible breeding ground of insider threats (i.e. more
facilitating situation, see chapter three), and that also in our survey on insider
threat awareness and behavior personal problems were among the top five
underlying causes of insider threats (mentioned by 36% of the respondents, see
chapter six).
8.3.2. Recruitment - Good practices

The second question also related to the recruitment stage, this time asking
the panelists to rate practices to detect red flags during recruitment. Tables 8.10,
8.11 and 8.12 respectively show the practices that receive a high-, medium- and
low rating from the panel.
High-rated practices | % 4 or 5 | Median | Interquartile Range
Take screening seriously instead of pro-forma | 100,00% | 5 | 0,75
Do an identity check | 95,83% | 5 | 0,75
Adopt a risk-based approach (adjust screening depending on the position) | 95,83% | 5 | 1
Be transparent to the candidate on the recruitment and screening process, including consequences for missing/false information | 95,83% | 5 | 1
Check criminal record | 91,67% | 5 | 0,75
Make a thorough screening procedure common practice | 91,67% | 5 | 1
Have a coherent list of non-acceptable convictions | 91,67% | 5 | 1
Verify CV | 87,50% | 5 | 1
Check open sources like the internet | 87,50% | 4 | 1
Check listed professional references (like previous employers/co-workers) | 87,50% | 4,5 | 1
Training and awareness of recruiters (investigative interviewing, insider threat indicators, ...) | 83,33% | 5 | 0,75
Follow-up on any issues raised by references | 83,33% | 5 | 1
Let trained interviewers conduct an in-depth interview with the candidate | 83,33% | 5 | 1
Let multiple actors within the organization decide upon a hire | 79,17% | 4 | 1
Verify every single credential (diplomas, licenses, professional certifications, ...) | 79,17% | 4 | 1
Table 8.10: High-rated practices to detect red flags during recruitment

The good practice that the panel unanimously agrees upon is taking
screening seriously instead of carrying it out pro-forma[87]. Furthermore, the
high-rated category contains practices that correspond with recommendations found
in the insider threat literature (e.g. BaMaung et al., 2018; Power & Forte, 2006),
like verification of curriculum vitae (CV), credentials, identity and criminal
record. One panelist, however, emphasized in round three that all checks should
occur within the constraints of the applicable laws, whereas another one urged
checking not only the criminal record, but also the civil record of the applicant.

[87] Pro-forma means that something is “carried out in a perfunctory manner or as a
formality” (definition Merriam Webster).

Moreover, more than 90% of the panelists recommend adopting a risk-
based approach during recruitment, adjusting screening depending on the
position of the applicant. Several panelists put extra emphasis on this practice,
with one panelist already arguing in round two of the study that “a risk based
approach will dictate what’s most important for a certain role”. In round three
of the study, one panelist emphasized the importance of a risk-based approach
with respect to several of the recommended practices, whereas two panelists
highlighted it as a general comment. These panelists point to what the insider
threat literature denotes as the ‘degree of insiderness’ (Bishop et al., 2009; Bishop
et al., 2010; Probst et al., 2010), a concept referred to several times in this
dissertation. Here, it implies that applicants whose privilege will be large
(i.e. large amount of access to the organizational assets), or will apply to the
most important assets of the organization, pose a greater threat than applicants
whose privilege will be small (i.e. small amount of access to the organizational
assets) or will apply to less important assets, and should therefore be subject to
a tougher screening procedure (George et al., 2019). Remember that the results of
the insider threat survey outlined in chapter six showed a lack of awareness of the
‘degree of insiderness’ among the respondents, given that more than half of the
respondents declared that they subject all employees to the same pre-employment
and in-employment screening.
Furthermore, transparency about the recruitment and screening process,
as well as letting multiple actors within the organization decide upon a hire, are
put forward by the panel as valuable practices to detect red flags during
recruitment. The same goes for checking open sources like the internet in general
and more specifically social media, though a check of social media falls just
below the threshold of the high-rated category and was therefore rated medium.
We know from the literature (Brown et al., 2013; Elifoglu et al., 2018) that
social media can equally help to identify potential insider threat indicators, even
though the insider threat awareness and behavior survey showed that during
recruitment only 60% of the organizations check the non-work related social
media profile of applicants that will have access to the organizational assets.
Chapter six also showed that 68% of the respondents indicated that their
organization contacts the references that future employees provide on their CV.
It can be deduced from the results of this Delphi study that checks with listed
professional references (high-rated) (i.e. provided by the applicant) are more
popular among the panelists than checks with non-listed references (i.e. not
provided by the applicant) elicited from listed references (medium-rated), or
checks with social network references like family and friends (low-rated). One
panel member however questioned the reliability of professional references,
indicating that “it is often based on a deal: you leave and [I] promise to write a
positive reference on you”. In relation to reference checks, the panel equally
advises following up on any issues raised by references.
To conclude, although a non-blanco criminal record was not necessarily
perceived as a factor that may point to insider threat, the panel nevertheless
recommends organizations to have a coherent list of non-acceptable convictions,
even though one panelist questioned both the necessity and feasibility of this
recommendation. Another high-rated practice that was criticized by one panelist
in round three was training and awareness of recruiters, as the expert perceived
this as “tipping the balance between risk management and being overly invasive.
This seems like it comes from the perspective of assuming everyone is a threat”.
In line with this, one expert wondered who should be trained to conduct in-depth
interviews with the candidates and what kind of training they should receive.
Medium-rated practices | % 4 or 5 | Median | Interquartile Range
Implement a government security clearance program if possible | 70,83% | 5 | 2
Check social media | 70,83% | 4 | 2
Use probationary periods | 70,83% | 4 | 2
Make clear that passing from probationary status is by no means automatic | 66,67% | 4 | 2
Check psychological or mental fitness for duty | 62,50% | 4 | 1
Check financial records | 62,50% | 4 | 1,75
Give the candidate a questionnaire with a lot of open questions | 58,33% | 4 | 1
Let candidates reflect on integrity dilemma cases | 58,33% | 4 | 1,75
Conduct an interview with the manager of the team the candidate will be assigned to | 58,33% | 4 | 2
Request only original documents of educational and professional paths (do not allow copies) | 54,17% | 4 | 1
Check non-listed references elicited from listed references | 54,17% | 4 | 2
Conduct an integrity interview | 54,17% | 4 | 2
Table 8.11: Medium-rated practices to detect red flags during recruitment

Low-rated practices | % 4 or 5 | Median | Interquartile Range
Request written documentation of educational and professional paths (allow copies) | 62,50% | 4 | 2,75
Check vulnerability for manipulation by a hostile party (social engineering) | 54,17% | 4 | 2,75
Use standard application forms for the recruitment process | 50,00% | 3,5 | 1,75
Conduct a drug screening | 50,00% | 3,5 | 3
Verify self-reported claims (like salary history) | 45,83% | 3 | 2
Outsource background screening | 45,83% | 3 | 2
Conduct an alcohol screening | 45,83% | 3 | 2,75
Check listed social network references (like friends and family) | 45,83% | 3 | 3
Ask personal letters of recommendation (no standard letters) | 37,50% | 3 | 3
Ask non work-related questions (job of partner, number of recent house moves, hobbies, ...) | 37,50% | 3 | 3
Use personality tests (like Hexaco) | 33,33% | 3 | 1
Conduct a group interview with the team the candidate will be assigned to | 29,17% | 2 | 3
Check with the desk clerk if the candidate was friendly | 25,00% | 3 | 1,75
Conduct a group interview with the managers of the teams that often interact with the team the candidate will be assigned to | 20,83% | 2,5 | 2
Table 8.12: Low-rated practices to detect red flags during recruitment

With respect to the remaining suggestions to detect red flags during
recruitment, it is noteworthy that, apart from checking social media, the
implementation of a government security clearance program and the use of
probation periods also narrowly miss a high rating. Furthermore, conducting an
interview with the manager of the team the candidate will be assigned to
(medium-rated) receives a relatively higher rating than performing group
interviews with (managers of) the team(s) the applicant will be assigned to
(low-rated), the latter being supported by less than one third of the panel. Other
low-rated practices are outsourcing background screening and asking for personal
letters of recommendation.
In line with the results of the first question on red flags during recruitment,
the panel gives relatively little importance to the applicant’s private life, given
that less than half of the panel recommends asking non work-related questions
during the recruitment process (low-rated). The same applies to the relatively
moderate ratings of checking financial records and mental fitness for duty, which
respectively correspond with the moderate priority the panel gave to lack of
financial stability as a potential red flag and the low priority the panel gave to
mental health issues as a potential indicator of insider threat.
In contrast to the results on red flags during recruitment, where addictions
to drugs and alcohol were considered high-rated potential red flags, alcohol and
drug screenings are not considered to be high-rated practices to detect red flags.
A possible explanation that was suggested by one of the panelists in round two
of the study is that alcohol and drugs screenings are not commonly accepted
recruitment tools in all countries, either for cultural or legal reasons. Likewise, a
low score on integrity was perceived to be a potential red flag, whereas the ways
to evaluate the candidate’s integrity, like reflection on integrity dilemmas
(medium-rated), conducting an integrity interview (medium-rated) or personality
tests (low-rated), were not included in the high-rated category.
To conclude, the relatively low rating of the suggestion to check the
applicant’s vulnerability to social engineering goes against the findings of
chapter six, given that social engineering was the number one type of insider
threat that organizations worried about in the online questionnaire (mentioned by
45% of the respondents). A possible explanation for this is that the panel might
perceive that it is relatively difficult to test vulnerability for social engineering
during the recruitment process.
8.3.3. Recruitment - Difficulties

The final question with respect to the recruitment stage asks the panel
about the difficulties of detecting red flags during recruitment. Tables 8.13, 8.14
and 8.15 respectively show the difficulties that receive a high-, medium- and low
rating from the panel.
High-rated difficulties | % 4 or 5 | Median | Interquartile Range
Lack of access to information (for instance foreign documentation) | 95,83% | 4 | 0
Veracity of information from listed and non-listed references is unclear | 91,67% | 4 | 0
Doubt about the accuracy of information of background screening | 79,17% | 4 | 0
Recruiters may have positive or negative biases/pre-conceived judgements | 79,17% | 4 | 0
It may not be possible to physically check with referees | 79,17% | 4 | 0
Resource limitations | 79,17% | 4 | 0,75
No willingness of previous employers to share needed information | 79,17% | 4 | 0,75
Background screening is not possible for all candidates | 75,00% | 4 | 0,75
Candidate may seek to conceal or misrepresent information | 75,00% | 4 | 0,75
Awareness and actions on insider threat are significantly dragging behind the actual threat | 75,00% | 4 | 0,75
Table 8.13: High-rated difficulties to detect red flags during recruitment

According to the panel, the main difficulty in detecting red flags during
recruitment lies in gathering the reliable information necessary to perform a
background check. Although one panel member argued in round three of the
study that every applicant can be subjected to a minimum of checks and another
one indicated that “access should be possible/provided if the candidate is
applying for a sensitive position”, the majority of the panel believes that lack of
access to information and lack of clarity about the accuracy of the information
obtained hinder the detection of red flags during recruitment. Lack of access to
information can for instance stem from the unwillingness of previous employers
to share the needed information due to fear of lawsuits. Doubt about the accuracy
of the information obtained can relate to information provided by the applicant,
who may conceal or misrepresent information, as well as to information provided
by (non-)listed references. In addition to this information deficit, resource
limitations were put forward as constraining the detection of red flags during
recruitment.
Furthermore, two panelists disputed in round three of the study that the
detection of red flags during recruitment is restricted when awareness and actions
on insider threat are significantly dragging behind the actual threat, rather
perceiving it as an incentive to establish an insider threat awareness program
within the organization. Moreover, one expert disputed the presence of recruiter
biases, as organizations should ensure that recruiters receive the necessary
training to remain objective during the recruitment process and should give clear
instructions on possible conflicts of interest. To conclude, a difficulty that did not
appear in the high-rated list of difficulties but that was suggested by one panelist
in round three was lack of clarity about legal restrictions.

Medium-rated difficulties | % 4 or 5 | Median | Interquartile Range
Recruitment staff is not appropriately qualified/trained to conduct thorough background screening | 75,00% | 4 | 1,5
Actual court cases are not mentioned on the extract of criminal record (only convictions) | 75,00% | 4 | 1,5
Technical advancements make forged documents difficult to detect | 70,83% | 4 | 1
Social media check of publicly available social media does not truly reflect the candidate's internet activity | 70,83% | 4 | 1
Not all sectors can use a government security clearance system | 66,67% | 4 | 1,75
If recruitment has been outsourced, it is difficult to confirm how extensive the screening has been | 66,67% | 4 | 1,75
Candidate may refuse permission for background screening | 66,67% | 4 | 2
Laws and regulations are too much focused on privacy | 62,50% | 4 | 1
Candidate may feel pressure to sufficiently demonstrate passion for the organization (hiding motivation or risks they bring) | 58,33% | 4 | 1
It is not clear on what base the authorized government gives a positive or negative security screening advice | 58,33% | 4 | 1
Authorities are behind in updating the extract of the criminal record | 58,33% | 4 | 1
Authorized government intelligence and security services are not equipped to conduct a proper government security screening | 54,17% | 4 | 1,75
Prohibition to access and use government databases | 54,17% | 4 | 2
Manager of team the candidate will be assigned to plays no substantive role in screening the candidate | 54,17% | 4 | 2
Table 8.14: Medium-rated difficulties to detect red flags during recruitment

Low-rated difficulties | % 4 or 5 | Median | Interquartile Range
Primary goal is to find efficient workers | 50,00% | 3,5 | 1
The hiring process becomes too time-intensive | 50,00% | 3,5 | 1
Lower level positions do not have to disclose certain issues (like gambling addiction) | 50,00% | 3,5 | 1,75
It is not allowed to keep a copy of the extract of the criminal record | 50,00% | 3,5 | 2
Bank confidentiality | 45,83% | 3 | 1
Government security clearance system takes too much time | 45,83% | 3 | 1
Difficult to evaluate whether recruitment policies are effectively defending against insider threats | 45,83% | 3 | 1
Inability to verify forbidden domains (religion, politics, ...) without explicit permission | 45,83% | 3 | 2
Candidate will feel some discomfort about the questions | 41,67% | 3 | 2
No intrusion methods can be used | 29,17% | 3 | 2
Table 8.15: Low-rated difficulties to detect red flags during recruitment

Regarding the medium-rated difficulties, it is noteworthy that lack of
qualifications or training among recruitment staff falls just short of the high-rated
category, with three quarters of the panel believing that the competence level of
recruitment staff is, generally speaking, insufficient to perform adequate
background screenings. The detection of forged documents, which has become
difficult due to technological advancement, and the screening of public social
media profiles, which do not truly reflect the candidate’s internet activity, also
narrowly miss the high-rated category, with 71% of the panel regarding them as a
constraining factor.
Furthermore, while the lack of access to information was rated high by
the panel, explanations for this lack of access, like the prohibition to access and
use government databases and the over-emphasis of laws and regulations on
privacy, score relatively lower (medium-rated). The same applies to the inability
to verify forbidden domains (religion, politics, …) without explicit permission or
to bank confidentiality, issues that are rated even lower by the panel (low-rated).
One panelist, however, emphasized in round two of the study that “privacy rules
are never too stringent. The employee needs protection as well”.
Also notable is that a number of medium-rated difficulties relate to the
government security clearance system, like the inability for certain sectors to use
the system, the fact that authorized government intelligence and security services
are not equipped to conduct a proper security screening, or the fact that it is not
clear on what basis the authorized government gives a positive or negative advice.
On the other hand, less than half of the panel believes that the government
security clearance system takes too much time (low-rated).
Other difficulties assigned to the medium-rated category relate to the
criminal record, with the panel referring to the fact that only convictions are
mentioned on it instead of actual court cases[88] (close to a high rating), as well as
the fact that authorities are behind in updating the extract of the criminal record.
Only half of the panel argued that the inability to keep a copy of the extract of
the criminal record complicates the detection of red flags during recruitment
(low-rated).
Other issues that put relatively less strain on the detection of red flags
during recruitment are among other things the fact that the primary goal of
organizations is to find efficient workers, the fact that the hiring process becomes
too time-intensive or the fact that the applicant might feel some discomfort about
the questions.

[88] In this regard, reference can be made to the teacher that was found guilty of sexual
misconduct yet received the favor of suspension of penalty (Pattyn, 2020), or to the
Belgian football trainer who made an out-of-court settlement in the context of the big
Belgian football scandal on financial fraud in Belgian football (Geril, 2022), as a result
of which these incidents were not added to the criminal record.

8.3.4. Organizational Socialization – Good practices

The next list of issues the panel was asked to rate concerned practices to
make insiders aware of and willing to live up to the organization's expectations
regarding appropriate conduct. Tables 8.16, 8.17 and 8.18 respectively show the
practices that receive a high-, medium- and low rating from the panel. Before
elaborating on the results, it is noteworthy that one panelist argued in round two
of the study that the list of practices suggested in the context of organizational
socialization “clearly shows that there is a gray zone between pure HR tools and
programs and detection of insider threat”, and that “finding a good balance
between both is essential”.
High-rated practices | % 4 or 5 | Median | Interquartile Range
Have a clear code of conduct that undiscussable[89] states expectations regarding appropriate conduct | 95,83% | 5 | 0,75
Take appropriate measures if there are violations of the code of conduct | 95,83% | 5 | 1
Lead by example by senior leadership | 91,67% | 5 | 0
Lead by example by middle management | 91,67% | 5 | 0
Organize mandatory onboarding training that provides detailed information on expectations regarding appropriate conduct | 91,67% | 5 | 1
Clarify not only appropriate conduct, but also what conduct is considered as inappropriate (including reasons for termination) | 91,67% | 5 | 1
Create an open culture where employees can ask questions about integrity issues | 91,67% | 5 | 1
Employ a strong security culture within the organization so that expectations are reinforced through colleagues | 91,67% | 5 | 1
Orientate new employees to their unit and their role in the larger organization (ensure inclusion) | 91,67% | 4 | 1
Be transparent on control measures | 87,50% | 4 | 1
Make expectations concrete and achievable | 83,33% | 5 | 1
Installation of a point of contact for questions | 83,33% | 5 | 1
Build trust between supervisors and employees | 83,33% | 5 | 1
Foster a spirit of belonging (being part of the team) | 83,33% | 4,5 | 1
Have a welcome policy outlining the organization's history, mission, values, ... | 79,17% | 5 | 1
Show that you care about the employee | 79,17% | 5 | 1
Use the code of conduct and policies and procedures in case of detected issues | 79,17% | 5 | 1
Table 8.16: High-rated practices to socialize insiders to the organizational culture

[89] For reasons of clarity, one expert suggested replacing ‘undiscussable’ with ‘clearly’.

Regarding the high-rated practices of organizational socialization, in
round three of the study one panelist drew attention to the overlap between the
suggested practices, which according to the panelist leads to “the impression that
the newly hired employee is going to be bombarded by rules, codes, policies, and
manuals”. As a result, the panelist recommends that organizations apply the
Aristotelian method, characterized by precept, by habit and by demonstration. Or
to put it in the words of the panelist:
“(…) avoid being heavy-handed with lectures and policy documents
(precept) as the exclusive means of acculturation. Instead, provide
foundational references for the employee (precept) and then proceed to
immerse that employee in a work unit where the desired behaviors are on
daily display (habit) and where managers and supervisors lead by
example (demonstration)”.
The panel seems to agree with the suggestion to use the Aristotelian
method, as the list of high-rated practices includes practices related to precept,
habit and demonstration. With regard to precept, the list of high-rated practices
includes the possession of a code of conduct in which concrete and achievable
expectations regarding both appropriate and inappropriate conduct are explained.
Moreover, the panel suggests combining a welcome policy that outlines the
organization's history, mission and values with mandatory onboarding training to
provide the new insider with more detailed information on the code of conduct at
the start of the insider’s employment. Concerning habit, a number of cultural
recommendations were given by the panel, like the creation of a strong security
culture so that expectations are reinforced through colleagues, or the presence of
an open culture where insiders can ask questions about integrity issues. In line
with this is the recommendation to install a point of contact for questions on
appropriate conduct, although one expert argued that “formal channels are useful
but informal channels may be more useful and should be protected by the
company”. Regarding demonstration, the panel mentions the necessity to lead by
example, both by senior leadership and middle management, while two thirds of
the panel recommend the use of a mentor/buddy system (medium-rated).
Other high-rated practices, apart from the Aristotelian method, revolve
around a supportive attitude toward the insider, whereby the organization
orientates new insiders to their unit and their role in the larger organization,
fosters a spirit of belonging, builds trust between supervisors and employees and
shows care when needed. Furthermore, as with transparency about the
recruitment process, the panel also encourages transparency about control
measures during employment. To conclude, the panel advises
organizations to use the code of conduct in case of detected issues, and to take
appropriate measures if there are violations of the code of conduct.
| Medium-rated practices | % 4 or 5 | Median | Interquartile Range |
| --- | --- | --- | --- |
| Use positive reinforcement (reward appropriate conduct) | 75,00% | 5 | 1,75 |
| Translate policy requirements in internal regulations or employee handbooks | 75,00% | 4 | 1,75 |
| Recurrent company-wide awareness campaigns on expectations regarding appropriate conduct | 75,00% | 4 | 1,75 |
| Make integrity part of the regular evaluation procedure by management | 75,00% | 4 | 1,75 |
| Explain the code of conduct in more detail in policies and procedures | 70,83% | 4,5 | 2 |
| Develop a small but clear document with 'golden rules' | 70,83% | 4 | 2 |
| Casual/informal reminders on expectations during ongoing communications from line managers (like staff briefings) | 70,83% | 4 | 2 |
| Underline open feedback culture and transparency | 70,83% | 4 | 2 |
| Regular employee performance evaluation conducted by management | 66,67% | 5 | 2 |
| Recurrent security awareness programs | 66,67% | 4,5 | 2 |
| Use a mentor/buddy system | 66,67% | 4 | 1,75 |
| Let employees accept policies and procedures in written | 62,50% | 4,5 | 2 |
| Use a meaningful professional development process | 62,50% | 4 | 1,75 |
| Visibility of integrity as a core value on corporate website/social media/recruitment campaigns | 62,50% | 4 | 2 |
| Install a culture of social control and confidentiality | 58,33% | 4 | 1,75 |
| Have an appeal process to resolve management-employee disputes before they fester | 54,17% | 4 | 1 |
| Have compliance registers | 54,17% | 4 | 1 |
| Communication of sanctions taken against misconduct by an employee | 54,17% | 4 | 1 |
| Regular formal meeting with line manager to ensure employees are aware of expectations regarding appropriate conduct | 54,17% | 4 | 2 |

Table 8.17: Medium-rated practices to socialize insiders to the organizational culture

| Low-rated practices | % 4 or 5 | Median | Interquartile Range |
| --- | --- | --- | --- |
| Create a culture of constructive dissent | 62,50% | 4 | 2,5 |
| Enquire employees on a regular basis to get a feeling of general mood | 50,00% | 3,5 | 1 |
| Team building events/days | 50,00% | 3,5 | 2 |
| Embrace continuous improvement principles to rapidly respond to changing needs of the workforce | 45,83% | 3 | 1 |
| Use peer or '360' evaluation | 45,83% | 3 | 1,75 |
| Use intranet to communicate expectations regarding appropriate conduct | 45,83% | 3 | 2,5 |
| Ask explicit consent for control | 41,67% | 3 | 1 |
| Use negative reinforcement (punish inappropriate conduct) | 41,67% | 3 | 2,5 |
| Phase in granting of access to more privileges and responsibilities based on performance | 37,50% | 3 | 1,75 |
| Develop newsletters, email campaigns, posters, screen savers, with key rules regarding appropriate conduct | 37,50% | 3 | 2,75 |
| Use game-design elements and game principles (Gamification) | 29,17% | 3 | 2 |
| Use self-evaluation | 25,00% | 3 | 1,5 |
| Foster friendly competition between work units | 25,00% | 3 | 1,75 |

Table 8.18: Low-rated practices to socialize insiders to the organizational culture

Regarding medium-rated practices of organizational socialization, it is
noteworthy that positive reinforcement falls just below the threshold of the
high-rated category, thereby scoring significantly better than negative
reinforcement, which is rated relatively low by the panel. Additionally,
notwithstanding the previously discussed concern of one of the panelists about
placing too much emphasis on acculturation via policy documents (i.e. precept),
a number of initiatives to refine the code of conduct in additional documents,
like policies and procedures, internal regulations, employee handbooks or
‘golden rules’, are close to a high rating. Letting employees accept policies and
procedures in writing is relatively less of a priority, being recommended by
less than two thirds of the panel.
Similarly, whereas transparency on control measures is encouraged, the panel
considers it less necessary to ask explicit consent to implement these control
measures (low-rated).
Furthermore, except for recurrent company-wide awareness campaigns
on the code of conduct, a practice that falls just short of the high-rated category,
instruments to communicate the expectations outlined in the code of conduct, like
the use of intranet, newsletters, email campaigns, posters and screen savers,
receive a relatively low rating from the panel. The same applies to the usefulness
of team building events, gamification or fostering friendly competition between
work units, which the panel perceives as less appropriate practices for
organizational socialization. Regarding bilateral communication on the code of
conduct between employees and line managers, it is notable that informal
reminders on expectations during ongoing communications from line managers
are relatively more important than regular formal meetings in the context of
organizational socialization.
When it comes to evaluating the insider’s affiliation with the
organizational culture, the panel has relatively more confidence in evaluations
conducted by management than in peer- or self-evaluations. Related to this is the
panel’s advice to make integrity part of the regular evaluation procedure by
management, which is also close to a high rating from the panel. Ensuring
visibility of integrity as a core value in public communication, to conclude,
received a relatively moderate rating from the panel, with less than two thirds of
the panel recommending it.
8.3.5. Observation - Red flags

Apart from the question related to red flags during recruitment, the panel
members were also asked to indicate to what extent they agree or disagree to treat
issues as a red flag during employment. Tables 8.19, 8.20 and 8.21 respectively
show the red flags that receive a high-, medium- and low rating from the panel.
| High-rated red flags | % 4 or 5 | Median | Interquartile Range |
| --- | --- | --- | --- |
| Attempts to remove sensitive data (physical and cyber methods) | 100,00% | 5 | 0 |
| Participating in illegal activities | 100,00% | 5 | 0 |
| Making threats against employer or other employees | 100,00% | 5 | 1 |
| Warnings received from other employees, clients or third parties on the behavior of the employee | 100,00% | 4,5 | 1 |
| Making or defending statements of extremist/radical point of view | 100,00% | 4,5 | 1 |
| Unauthorized access attempts to systems or physical locations not necessary for the job | 95,83% | 5 | 1 |
| Unnecessary copying of material (physical or digital) | 95,83% | 5 | 1 |
| Abnormal cyber activities on- and off-site (for example large up/downloads) | 95,83% | 5 | 1 |
| Vulnerability to blackmail | 95,83% | 5 | 1 |
| Participating in manifestations of extreme organizations | 95,83% | 5 | 1 |
| Signals of radicalization (like change in physical appearance) | 95,83% | 4 | 1 |
| Unexplained wealth | 95,83% | 4 | 1 |
| Negative security screening advice from government authorities | 91,67% | 5 | 1 |
| Employee is not open to audits | 91,67% | 4 | 1 |
| Unexplained irregularities in the accountancy of the organization | 91,67% | 4 | 1 |
| Organizational culture of fear and silence | 91,67% | 4 | 1 |
| Being flexible with ethics or morals [90] | 87,50% | 4 | 0 |
| Employee pushes rules to see whether he/she can get away with it (boundary probing) | 87,50% | 4 | 0,75 |
| Gambling | 87,50% | 4 | 0,75 |
| Increase in organizational losses | 83,33% | 4 | 0 |
| Drug abuse | 83,33% | 4 | 1 |
| Alcohol abuse | 83,33% | 4 | 1 |
| Remotely accessing systems at uncharacteristic hours | 79,17% | 4 | 1 |
| Not complying to safety and (cyber)security policies and procedures | 79,17% | 4 | 1 |
| Disgruntlement as a result of career disappointment | 75,00% | 4 | 0,75 |
| Inappropriate communications (in person or online) | 75,00% | 4 | 0,75 |
| Changes in lifestyle (new car, expensive clothes, ...) | 75,00% | 4 | 0,75 |

Table 8.19: High-rated red flags during employment

[90] One panelist argues that this “depends on agreed ethics and morals in the organisational culture”

In line with the insider threat literature, the high-rated red flags during
employment concern both individual and organizational factors (Greitzer et al.,
2012; Greitzer et al., 2016), with the majority relating to the former. The most
obvious warning signals that were unanimously accepted by the panel in round
two of the study are situations when insiders make threats against their employer
or co-workers, when organizations receive warnings from other stakeholders
(e.g. employees, clients or third parties) about the conduct of the insider or when
the insider participates in illegal activities. Other examples of potential early
warnings during employment that received a high rating from more than 90% of
the panel in round two are attempts to remove sensitive data, unnecessary
copying of material and unauthorized access attempts to systems or physical
locations not necessary for the job. One panelist emphasized in round three of the
study that the “interpretation of what is uncharacteristic or unnecessary should
be set against the individual's role and norms, rather than the norms for the staff
base as a whole”.
The latter comment also applies to another branch of high-rated red flags
during employment that relates to insiders that deviate from their normal or
baseline conduct. It is equally in line with the insider threat literature to consider
deviation from baseline conduct a factor that may point to insider threat
(BaMaung et al., 2018; Gelles, 2016; Shaw & Sellers, 2015). Unexplained
wealth and changes in lifestyle [91] therefore receive a high rating from the panel,
as well as abnormal cyber activities on- and off-site [92], boundary probing [93] and
lack of compliance with safety and security policies and procedures. Likewise,
the panel’s recommendation to remain vigilant of grievance, and more
specifically disgruntlement as a result of a career disappointment [94], is in line with
both the insider threat literature that considers it one of the main motivators of
insider threat (Greitzer et al., 2012; Randazzo et al., 2005; Willison &
Warkentin, 2013) and with the earlier findings of this dissertation. Both the
typology of insider threat characteristics (chapter four) and the survey on insider
threat awareness and behavior [95] (chapter six) discussed revenge out of
disgruntlement with the organization as a possible breeding ground of insider
threat.

[91] One panelist nuanced this by stating that it depends on the change, indicating that the example of the new car was not convincing.
[92] One panelist wondered how the organization will observe this off-site considering privacy regulations.
[93] Insiders that push the rules to see whether they can get away with it.

As with the list of red flags during recruitment (see supra 8.3.1),
alcohol and drug abuse, as well as gambling [96], are rated high. The same applies
to affiliation with extremist organizations, expressed by insiders who make or
defend statements of extremist/radical point of view, show signals of
radicalization [97] or participate in manifestations of extreme organizations. The
latter was, however, refined in round three, as two panelists argued that it should
only be considered problematic when the manifestations are in any way related
to the insider’s function within the organization.
Also in round three, one panelist shared the following noteworthy general
comment that relates to the interpretation of red flags:
“While all of these seem useful on the surface, some could be
counterproductive depending on who makes the interpretation at issue.
For example, who determines what is an "extreme point of view" as
opposed to one that just happens to reflect a political disagreement? Also,
who determines when a communication is inappropriate rather than just
unpopular? For such red flags to provide useful value, there must be in
place a means of assuring that the people making threat determinations
are not abusing their discretion or asserting their personal or political
preferences at the expense of the employee being assessed.”

[94] One panelist believed that this kind of disgruntlement is difficult to detect.
[95] Disgruntlement was considered to be the second greatest motivator of insider threats in the survey (44% of the respondents).
[96] One panelist argued that only gambling abuse is problematic, as small scale gambling can be tolerated.
[97] One panelist argued that care needs to be taken not to discriminate when interpreting changes in physical appearance.

The concern regarding inappropriate communications was echoed by
another panelist in round three. Other issues that were put into perspective during
round three of the study are vulnerability to blackmail and negative security
screening advice from government authorities. Concerning the former, one
panelist thought it to be difficult to discover whether an insider is vulnerable to
blackmail, whereas another one viewed it rather as a trigger “to ‘harden’ the
employee”. Concerning the latter, one panelist argued that the reliability of the
screening procedure has to be taken into account when evaluating the negative
advice. To conclude, remotely accessing systems at uncharacteristic hours was
put into perspective by one panelist who stated that the difficult circumstances of
the COVID-19 pandemic have made unusual working hours normal rather than
deviant conduct.
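
As an added illustration (not part of the dissertation or the panel's material), the sketch below applies two remarks from the discussion above: that what is "uncharacteristic" should be judged against the individual's own norms rather than those of the staff base, and that norms can shift, as they did during the COVID-19 pandemic. Each remote login is compared with that user's rolling 30-day hour-of-day profile and, for contrast, with the staff-wide profile; the user names, log entries, 5% threshold, 30-day window and 10-event minimum are all assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MIN_SHARE = 0.05   # assumed: an hour is characteristic if >= 5% of baseline logins lie within 1h
MIN_EVENTS = 10    # assumed: minimum history before a personal baseline is trusted


def hour_profile(timestamps):
    """Share of logins that fall within one hour of each hour of day (circular)."""
    counts = Counter(ts.hour for ts in timestamps)
    total = sum(counts.values())
    if not total:
        return {h: 0.0 for h in range(24)}
    return {
        h: (counts[(h - 1) % 24] + counts[h] + counts[(h + 1) % 24]) / total
        for h in range(24)
    }


def build_profiles(history, as_of, window_days=30):
    """Per-user and staff-wide profiles from the rolling window that ends at as_of."""
    start = as_of - timedelta(days=window_days)
    recent = [(user, ts) for user, ts in history if start <= ts < as_of]
    per_user = defaultdict(list)
    for user, ts in recent:
        per_user[user].append(ts)
    individual = {
        user: hour_profile(stamps)
        for user, stamps in per_user.items()
        if len(stamps) >= MIN_EVENTS
    }
    return individual, hour_profile([ts for _, ts in recent])


def review(events, history, window_days=30):
    """Judge each login against the individual's baseline and the staff-wide one."""
    results = []
    for user, ts in events:
        individual, staff_wide = build_profiles(history, ts, window_days)
        if user not in individual:
            personal = "no-baseline"  # too little history: leave to human judgement
        else:
            personal = "flag" if individual[user][ts.hour] < MIN_SHARE else "ok"
        staff = "flag" if staff_wide[ts.hour] < MIN_SHARE else "ok"
        results.append((user, ts.isoformat(), personal, staff))
    return results


def daily_logins(user, first_day, days, times):
    """Constructed history: one login at each (hour, minute) on consecutive days."""
    return [
        (user, first_day + timedelta(days=d, hours=h, minutes=m))
        for d in range(days)
        for h, m in times
    ]


# Constructed sample data (not from the dissertation): a night-shift operator, an
# analyst who moves from office hours to evening work on 1 February, and a new hire.
HISTORY = (
    daily_logins("op_night", datetime(2023, 1, 2), 60, [(2, 15), (3, 40)])
    + daily_logins("analyst_day", datetime(2023, 1, 2), 30, [(9, 5), (14, 30)])
    + daily_logins("analyst_day", datetime(2023, 2, 1), 30, [(21, 10), (22, 30)])
    + daily_logins("new_hire", datetime(2023, 1, 30), 2, [(9, 0)])
)

NEW_EVENTS = [
    ("op_night", datetime(2023, 1, 31, 2, 50)),     # night login, normal for this role
    ("analyst_day", datetime(2023, 1, 31, 2, 50)),  # same hour, unusual for this person
    ("analyst_day", datetime(2023, 2, 1, 22, 45)),  # first evening of a new pattern
    ("analyst_day", datetime(2023, 3, 2, 22, 45)),  # a month later: the new normal
    ("new_hire", datetime(2023, 2, 1, 2, 50)),      # no personal baseline yet
]

if __name__ == "__main__":
    for row in review(NEW_EVENTS, HISTORY):
        print(row)
```

In this constructed data the staff-wide profile treats the analyst's 02:50 login as normal because night logins are common for the staff as a whole, while the personal profile flags it; a flag here is a prompt for a conversation, not a finding.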
Even though the majority of the issues that receive a high rating from the
panel relate to the insider, some of the issues are related to the organization, more
particularly the presence of an organizational culture of fear and silence, of
unexplained irregularities in the accountancy of the organization and of increases
in organizational losses. The latter two were nuanced in round three, with one
panelist indicating that irregularities in the accountancy can have a variety of
reasons and are not necessarily the result of intentional misconduct, and two
panelists applying the exact same reasoning with respect to increases in
organizational losses.

| Medium-rated red flags | % 4 or 5 | Median | Interquartile Range |
| --- | --- | --- | --- |
| Sudden and unexplained change in performance | 75,00% | 4 | 1,75 |
| Abnormal high absenteeism | 70,83% | 4 | 1 |
| Directly expressing negative feelings toward employer/co-workers online | 70,83% | 4 | 1 |
| Time pressure leading to unwanted shortcuts | 70,83% | 4 | 1 |
| Red tape leading to unwanted shortcuts | 70,83% | 4 | 1 |
| Unauthorized absence | 70,83% | 4 | 1,75 |
| Impending termination of contract | 70,83% | 4 | 1,75 |
| Working a lot of overtime (come early/stay late) | 66,67% | 4 | 1 |
| Maladaptive behaviors outside workplace | 66,67% | 4 | 1 |
| Repeatedly declining to allow others to serve as back-up for handling responsibilities (control freak) | 66,67% | 4 | 1 |
| Financial difficulties | 66,67% | 4 | 2 |
| Indirectly expressing negative feelings toward employer/co-workers instead of openly addressing them (passive aggression) | 62,50% | 4 | 1 |
| Indications of unmet personal expectations (personal stressors) | 62,50% | 4 | 1 |
| Sudden changes in working hours | 62,50% | 4 | 1 |
| Directly expressing negative feelings toward employer/co-workers in person | 58,33% | 4 | 1 |
| Absence of interest by employer/co-workers in the employee's frustrations about the job | 58,33% | 4 | 1 |
| Changes in mental health | 58,33% | 4 | 1 |
| Compulsive behavior | 58,33% | 4 | 1 |
| Being easily frustrated or disappointed (anger management issues) | 58,33% | 4 | 1 |
| Working less than expected (come late/leave early) | 54,17% | 4 | 1 |
| Employee receives strange phone calls | 54,17% | 4 | 1 |
| Changes in online or social media behavior | 54,17% | 4 | 1 |
| Narcissism | 54,17% | 4 | 1 |
| Lack of responsibility | 54,17% | 4 | 1 |
| Team members leaving the organization | 54,17% | 4 | 1 |

Table 8.20: Medium-rated red flags during employment

| Low-rated red flags | % 4 or 5 | Median | Interquartile Range |
| --- | --- | --- | --- |
| Sudden intensive travel | 50,00% | 3,5 | 1 |
| Repeatedly declining to take annual leave | 50,00% | 3,5 | 1 |
| Employee wants to define his/her job him-/herself | 50,00% | 3,5 | 1 |
| Not being able to deal with criticism | 50,00% | 3,5 | 1 |
| Changes in the way an employee expresses him-/herself | 45,83% | 3 | 1 |
| Lone wolves who have contact with colleagues | 37,50% | 3 | 1 |
| Too heavy workload | 37,50% | 3 | 1 |
| High level of competitiveness | 37,50% | 3 | 1 |
| Changes in physical health | 37,50% | 3 | 2 |
| Uneasiness with fellow employees | 33,33% | 3 | 1 |
| Lack of adaptability in adverse circumstances | 33,33% | 3 | 1 |
| Interest in matters outside of the scope of his/her job | 33,33% | 3 | 2 |
| Changes in personal status (divorce, new partner, ...) | 33,33% | 3 | 2 |
| Employee volunteers for new sensitive projects | 29,17% | 3 | 1 |
| Burn-out | 29,17% | 3 | 2 |
| Not responding well under stress or during crises | 29,17% | 3 | 2 |
| Love relationship with a colleague | 25,00% | 3 | 1,75 |
| Poor personal hygiene | 20,83% | 3 | 1 |
| Not being very empathetic | 20,83% | 3 | 1 |
| Employee takes long lunch breaks without colleagues | 12,50% | 3 | 1 |
| Introversion | 8,33% | 2 | 1 |

Table 8.21: Low-rated red flags during employment

It is again noteworthy that a number of issues fall just short of the
threshold of the high-rated category. Similar to the high-rated issues, some of
them relate to the insider, like sudden and unexplained changes in performance,
abnormally high absenteeism and unauthorized absence, while others relate to the
organization, like time pressure and red tape that lead to unwanted shortcuts.
Impending termination of contract is also close to the high-rated category, which
is in line with the findings of the CERT that “found that an individual is most
likely to steal intellectual property within 30 days of termination” (Luckey,
Stebbins, Orrie, Rebhan, Bhatt & Beaghley, 2019: 33).
Concerning underlying reasons of insider threats, the panel rates
disgruntlement with the organization (high-rated) relatively higher than personal
strains other than addictions, like financial difficulties or unmet personal
expectations, as well as personality disorders like narcissism, something that is
in line with the results of the insider threat awareness and behavior survey. In
relation to disgruntlement, it is notable that the panel considers directly
expressing negative feelings toward employer/co-workers online relatively more
worrying than directly expressing negative feelings toward employer/co-workers
in person, with indirectly expressing negative feelings toward employer/co-
workers instead of openly addressing them (i.e. passive aggression) scoring in
between the two.
Furthermore, even though it was argued that deviation from normal or
baseline conduct can be considered a potential early warning of insider threat, the
results show that not all deviant conduct is worrisome. Behavioral changes that
were rated medium are sudden changes in working hours, with working a lot of
overtime scoring relatively higher than working less than expected but relatively
lower than absenteeism. Also changes in online or social media behavior and
changes in mental health are considered worrisome by only part of the panel
(respectively 54% and 58%). Concerning the latter, mental health issues are rated
relatively higher as a red flag during employment (medium-rated) than as a red flag
during recruitment (low-rated). Behavioral changes receiving a relatively low
rating from the panel are for instance sudden intensive travel, changes in personal
status (divorce, new partner, …) or changes in physical health.
Additionally, the panel was less inclined to regard a number of personality
characteristics as a potential red flag of intentional misconduct. In concrete terms,
this concerns not being able to deal with criticism, not being very empathetic and
introversion, which were all rated low by the panel. Similarly, conduct related to
control freaks did not receive a high rating from the panel, with repeatedly
declining to allow others to serve as back-up for handling responsibilities
receiving a relatively moderate rating and repeatedly declining to take annual
leave being rated relatively low. To conclude, it is noteworthy that a number of
organizational factors were not considered to be indicative of future insider threat
incidents, like for instance too heavy workloads and high levels of
competitiveness.
8.3.6. Observation - Good practices

After identifying red flags that organizations should be vigilant of during
employment, the panel was asked to rate practices to observe those red flags.
Tables 8.22, 8.23 and 8.24 respectively show the practices that receive a high-,
medium- and low rating from the panel.
| High-rated practices | % 4 or 5 | Median | Interquartile Range |
| --- | --- | --- | --- |
| Use a system to monitor the use of badges/access rights (electronic access control) | 95,83% | 5 | 1 |
| Restrict access for critical systems/applications/sites | 91,67% | 5 | 0 |
| Avoid that an employee can consult data/facilities he/she doesn't need for his/her job (role-based access) | 91,67% | 5 | 0,75 |
| Audit access registration systems | 91,67% | 5 | 1 |
| Four-eyes principle/two-person rule | 91,67% | 4,5 | 1 |
| Put in place alarms on access systems | 87,50% | 5 | 1 |
| Secure endpoints or entry points of end-user devices such as desktops, laptops, and mobile devices (endpoint security tools) | 87,50% | 5 | 1 |
| Invest in a culture of open feedback and trust | 87,50% | 5 | 1 |
| Create a culture of reporting where employees know they are actually helping co-workers by disclosing concerns | 87,50% | 5 | 1 |
| Repeat screening when employee moves to a more vulnerable position | 83,33% | 5 | 1 |
| Ensure insider threat awareness on Board, CEO and management levels | 83,33% | 5 | 1 |
| Have various means to report red flags | 83,33% | 5 | 1 |
| Do not punish employees that make a wrong call when reporting red flags in good faith | 83,33% | 4,5 | 1 |
| Tailor-made training for managers and staff to detect and report red flags in their context | 83,33% | 4 | 1 |
| Ensure an active role of line manager/supervisor following-up if someone appears unhappy or different from usual | 83,33% | 4 | 1 |
| Risk analysis based on access and impact | 79,17% | 5 | 1 |
| Physical protection and technical measures (decent camera systems, ...) | 79,17% | 5 | 1 |
| Installation of a point of contact to report red flags | 79,17% | 4,5 | 1 |
| Require management sign-off for potentially disruptive actions | 79,17% | 4 | 1 |
| Structure coordination and communication along the organization (avoid information silos) | 79,17% | 4 | 1 |

Table 8.22: High-rated practices to observe red flags during employment

The panel puts emphasis on internal reporting to observe red flags during
employment, a recommendation that is also present in the insider threat literature
(Bell et al., 2019; Colwill, 2009; Mehan, 2016; UK CPNI, 2011; US NITTF,
2016). In concrete terms, the panel recommends that organizations organize
tailor-made training for managers and staff to detect and report red flags in their
context, have various means to report red flags [98] including a point of contact,
create a culture of reporting where employees know they are actually helping
co-workers by disclosing concerns, and not punish employees that make a
wrong call when reporting red flags in good faith [99]. Contrary to the panel’s
advice, the results of the insider threat awareness and behavior survey show that
less than two thirds of the respondents indicated that their organization has a point
of contact where employees can report suspicious behavior of colleagues, or that
their organization trains its employees so that they have the necessary skills to
report insider threats (respectively 64% and 57% of the respondents).

[98] According to one panelist not too many because this might lead to confusion.
[99] According to one panelist only if it happens occasionally.

Among the high-rated practices to observe red flags during employment
are also other practices that the insider threat literature recommends, like the risk-
based approach already discussed in relation to the detection of red flags during
recruitment (see supra 8.3.2) and the principle of least privilege (Cole & Ring,
2006; IAEA, 2008; Mehan, 2016). Concerning the former, the panel urges
organizations to restrict access to critical organizational assets. Concerning the
latter, the panel urges organizations to prevent employees from consulting
data/facilities that are not needed for the job. In contrast to internal reporting practices, the insider
threat awareness and behavior survey shows that the principle of least privilege
seems to be more embedded, given that 85% of the respondents indicated that
their organization ensures that employees solely have access to the information
needed to perform their job. More or less related to the principle of least privilege
is the panel’s recommendation to require management sign-off for potentially
disruptive actions.
To observe unauthorized access attempts, the panel recommends that
organizations not only implement electronic access control systems but also
place alarms on these systems and audit them. One expert, however,
discouraged alarms on access systems, arguing that an employment relationship
has to be based on trust between employee and employer. The implementation
of endpoint security tools is also highly recommended by the panel,
with the use of data loss prevention tools being recommended by two thirds of
the panel (medium-rated). Furthermore, with disgruntlement perceived as a
potential red flag, the panel advises line managers and supervisors to take an
active role in following up on employees that are unhappy or different from usual.
The final recommendation included in the high-rated category is structuring
coordination and communication along the organization (i.e. avoid information
silos) to make sure it has all the pieces to solve the insider threat puzzle in time.
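
An added example (not from the dissertation or the panel) of what auditing an electronic access control log against role-based access can look like: it raises an alarm on repeated denied attempts outside a user's role, lists grants that exceed the role, and lists role entitlements that were never used. The role model, user names, log format and the alarm threshold of three attempts are assumptions constructed for illustration.

```python
import csv
from collections import Counter

ALARM_AFTER = 3  # assumed: denied out-of-role attempts per user/resource that raise an alarm

# Hypothetical role model: the resources each role needs for the job.
ROLE_NEEDS = {
    "hr_officer": {"hr_db", "office_floor"},
    "lab_tech": {"lab_door", "lims", "office_floor"},
}
USER_ROLE = {"alice": "hr_officer", "bob": "lab_tech"}

# Constructed access-control log (timestamp,user,resource,outcome), not real data.
LOG = """\
2023-02-01T08:01:00,alice,office_floor,GRANTED
2023-02-01T08:05:00,alice,hr_db,GRANTED
2023-02-01T08:10:00,bob,office_floor,GRANTED
2023-02-01T08:12:00,bob,lab_door,GRANTED
2023-02-01T12:30:00,bob,hr_db,DENIED
2023-02-01T12:31:00,bob,hr_db,DENIED
2023-02-01T12:33:00,bob,hr_db,DENIED
2023-02-02T09:00:00,alice,lab_door,DENIED
2023-02-02T09:40:00,alice,lims,GRANTED
2023-02-02T10:00:00,contractor7,hr_db,DENIED
corrupted line
"""


def parse_log(text):
    """Return well-formed records and the number of lines that could not be parsed."""
    rows, rejected = [], 0
    for rec in csv.reader(text.strip().splitlines()):
        if len(rec) != 4 or rec[3] not in ("GRANTED", "DENIED"):
            rejected += 1  # an audit should report gaps in its own evidence
            continue
        rows.append(tuple(rec))
    return rows, rejected


def audit(text):
    """Compare every access attempt with what the user's role needs."""
    rows, rejected = parse_log(text)
    denied, drift, used, unknown = Counter(), set(), set(), set()
    for _ts, user, resource, outcome in rows:
        role = USER_ROLE.get(user)
        if role is None:
            unknown.add(user)  # account without a role assignment
            continue
        in_role = resource in ROLE_NEEDS[role]
        if outcome == "GRANTED":
            used.add((user, resource))
            if not in_role:
                drift.add((user, resource))  # access exceeds least privilege
        elif not in_role:
            denied[(user, resource)] += 1
    unused = sorted(
        (user, res)
        for user, role in USER_ROLE.items()
        for res in ROLE_NEEDS[role]
        if (user, res) not in used
    )
    return {
        "alarms": sorted(k for k, n in denied.items() if n >= ALARM_AFTER),
        "denied_out_of_role": dict(denied),
        "granted_out_of_role": sorted(drift),
        "unused_entitlements": unused,
        "unknown_users": sorted(unknown),
        "rejected_lines": rejected,
    }


if __name__ == "__main__":
    for key, value in audit(LOG).items():
        print(key, value)
```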
Apart from the role of line managers and supervisors, the role of Human
Resources was pointed out by one panelist in round three of the study, a practice
not appearing in the high-rated list. In concrete terms, the panelist indicated that
insider threat indicators should be taken into account during performance
evaluations. Additionally, several high-rated practices were subject to discussion
in round three. One panel member for instance suggested that ensuring insider
threat awareness on Board, CEO and management levels often turns into a token
activity rather than a meaningful contribution to insider threat mitigation. The
same applies to the four-eyes principle, which one panelist believed to give a
false sense of security “as the second reviewer often relies on the first and
approves without reviewing”.
With respect to the suggestion to repeat screening when the employee
moves to a more vulnerable position, opinions were divided, with the majority
supporting the practice, two experts advocating an even stricter practice of
repetitive screening irrespective of an internal promotion or transfer, and one
expert opposing repetition of screening because an employment relationship has
to be based on trust between employee and employer. To conclude, one panelist
believed physical protection measures are more effective against external
perpetrators, while another expert would only use it in case of huge money
transactions.

| Medium-rated practices | % 4 or 5 | Median | Interquartile Range |
| --- | --- | --- | --- |
| Implement an anonymous whistleblower system (compliant with relevant legislation and not only ticking the box) | 75,00% | 5 | 1,75 |
| Create a supportive culture | 75,00% | 5 | 1,75 |
| External audit | 75,00% | 4 | 1,5 |
| Put in place a hotline to report red flags | 75,00% | 4 | 1,75 |
| Separation of key roles/duties | 70,83% | 5 | 2 |
| Put responsibility for monitoring behavior with all members of staff, not just the security team (vigilant managers & staff) | 70,83% | 5 | 2 |
| Development of a formal threat assessment | 70,83% | 4,5 | 2 |
| Insist on a regular use of vacation and holiday time off from work | 70,83% | 4 | 2 |
| Internal audit | 66,67% | 4 | 1,75 |
| Periodic and variable workplace climate surveys | 66,67% | 4 | 1,75 |
| Scrutinize workforce segments that have wider access/greater impact | 66,67% | 4 | 2 |
| Data loss prevention (DPL) tools | 66,67% | 4 | 2 |
| Oversight of line management | 66,67% | 4 | 2 |
| Let employees work in teams | 66,67% | 4 | 2 |
| Conduct red team tests | 62,50% | 4 | 1 |
| Job rotation | 62,50% | 4 | 1 |
| Promote self-reporting | 62,50% | 4 | 2 |
| Trustworthiness evaluation/investigation by police, military, or intelligence services | 58,33% | 4 | 1 |
| Stage manipulation by a hostile third party (social engineering) | 54,17% | 4 | 1 |
| Conduct random tests | 54,17% | 4 | 1 |
| Drug screening | 54,17% | 4 | 2 |

Table 8.23: Medium-rated practices to detect red flags during employment

| Low-rated practices | % 4 or 5 | Median | Interquartile Range |
| --- | --- | --- | --- |
| Conduct desktop simulations | 50,00% | 3,5 | 1 |
| Annual professional development interviews | 50,00% | 3,5 | 2 |
| Utilize a formal appraisal process supported by regular catch-up sessions | 50,00% | 3,5 | 2 |
| Declaration by the organization of assets and interests | 45,83% | 3 | 1 |
| Use artificial intelligence/machine learning to find red flags | 45,83% | 3 | 1,75 |
| Scrutiny of internet use and social media activity | 45,83% | 3 | 1 |
| Computationally identify unexpected items or events in data sets which differ from the norm (anomaly detection) | 45,83% | 3 | 2 |
| Periodic and variable psychological assessment (fitness for duty screening) | 45,83% | 3 | 2 |
| Let security report directly to the CEO | 45,83% | 3 | 2 |
| Formally inform employees that use of time during work hours can be checked by private investigators | 41,67% | 3 | 2 |
| Alcohol screening | 41,67% | 3 | 2 |
| Encourage isolated or withdrawn employees to participate in informal gatherings | 37,50% | 3 | 1 |
| Track company vehicles during work hours (in a legal manner) | 37,50% | 3 | 2 |
| User and entity behavior analytics (UEBA) tools | 33,33% | 3 | 2 |
| Reward employees that report red flags | 29,17% | 2,5 | 2 |
| Behavior observation program | 25,00% | 3 | 0,75 |
| Keyword matching (emails, chats, web usage) | 20,83% | 3 | 1,75 |
| Computationally analyze employee's opinions, sentiments and emotions expressed in text (sentiment analysis) | 8,33% | 2 | 2 |

Table 8.24: Low-rated practices to detect red flags during employment

The fact that the suggestions to implement an anonymous whistleblower
system and a hotline to report red flags fall just below the threshold of the high-
rated category again reflects the value the panel attributes to internal reporting in
the observation of red flags during employment. The same applies to putting
responsibility for monitoring not just with the security team but with all members
of staff, even though I expected the latter to receive an even high(er) rating
because we know from the literature that the entire workforce bears responsibility
in insider threat mitigation (Gelles, 2016; Thompson, 2018). While reporting of
red flags is considered to be important, the panel simultaneously recommends
organizations not to go as far as to reward employees that report red flags (low-
rated). Furthermore, it is worth noting that separation of key roles also narrowly
misses the high-rated category, another practice expected to be assigned to the
high-rated category based on the insider threat literature (Cole & Ring, 2005;
Mehan, 2016; Sarkar, 2010). External audits too were close to the high-rated
category, receiving a relatively higher score than internal audits which is
supported by two thirds of the panel.
Moreover, the relatively low importance given by the panel to drug- and
alcohol screening during employment is similar to the moderate evaluation of
these practices to detect red flags during recruitment (see supra 8.3.2). Also the
relatively little importance given to fitness for duty screenings corresponds with
the relatively low rating of it as a practice to detect red flags during recruitment.
Likewise, the relatively moderate rating of the suggestion to stage social
engineering attacks is in line with the relatively low rating the panel gave to
testing vulnerability for social engineering during the recruitment process.
Nevertheless, the findings of the insider threat awareness and behavior survey
illustrate that social engineering was the number one type of insider threat that
organizations worried about (45% of the respondents). While the difficulty of
testing vulnerability for manipulation by a hostile third party during recruitment
is acknowledged, I expected this suggestion to be more popular among the panel
as a practice during employment (for instance staging phishing attacks).
Less in line with earlier results of the Delphi study is the relatively high
score of insisting on a regular use of vacation and holiday time off from work,
since repeatedly declining to take annual leave was not really perceived as a red
flag during employment. Additionally, the use of work climate surveys, which
might give an indication of possible insider disgruntlement, is only endorsed by
two thirds of the panel and is therefore moderately recommended to detect red
flags during employment. Also scrutiny of social media activity is considered to
be less suitable to observe red flags during employment, especially in comparison
with detection of red flags during recruitment. This is in line with the results of
the survey on insider threat awareness and behavior, where 60% of the
respondents indicated that their organization checks the non-work-related social
media profiles of future employees who will have access to organizational assets
during recruitment, while that number decreases to 44% for non-work-related
social media checks during employment.
The results of the survey also show that only 25% of the respondents
indicate that their organization tests its insider threat policy via simulations.
Regarding simulations, it can be deduced from the results of this Delphi study
that the panel has relatively more confidence in red team tests and staging of
social engineering attacks than in desktop simulations to observe red flags during
employment, although all of them score relatively moderate with less than two
thirds of the panel recommending them.
To conclude, one of the most striking results, if not the biggest one, is that
the panel is reluctant to use artificial intelligence and machine learning
tools, in particular anomaly detection, user and entity behavior analytics (UEBA),
keyword matching and sentiment analysis, to observe red flags during
employment, given that less than half of the panel recommends them. This is in
contrast to the literature on insider threat, where the use of artificial intelligence
to automatically detect red flags of insider threats receives considerable attention
(e.g. Brown et al., 2013; Koutsouvelis, Shiaeles, Ghita & Bendiab, 2020; Le &
Zincir-Heywood, 2019).

8.3.7. Observation - Difficulties

In similarity with the difficulties to detect red flags during recruitment,
the panel was questioned on difficulties to observe red flags during employment.
Tables 8.25, 8.26 and 8.27 respectively show the difficulties that receive a
high-, medium- and low rating from the panel.

| High-rated difficulties | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Lack of managerial support | 91,67% | 4 | 1 |
| What may appear suspicious to one observer is a sign of initiative to another observer (subjective interpretation of red flags) | 87,50% | 4 | 0 |
| Push back from unions/labor groups [100] | 83,33% | 4 | 0 |
| Cultural change needed for accepting in-employment screening | 83,33% | 4 | 0 |
| Manager and staff are not appropriately qualified/trained to detect red flags | 83,33% | 4 | 0 |
| Resource limitations | 83,33% | 4 | 0 |
| A tool is only as good as its follow-up | 79,17% | 4 | 0 |
| Cultural change needed for accepting whistleblowing as a professional responsibility (unwillingness to report) | 79,17% | 4 | 1 |
| Unequal treatment of employees in controls | 75,00% | 4 | 0,75 |
| Employer is most of time not or very late informed on changes in private life/situation of employees (hard to detect) | 75,00% | 4 | 0,75 |

Table 8.25: High-rated difficulties to detect red flags during employment

[100] Two experts believed this issue was formulated too ambiguously.

One of the main difficulties in the observation of red flags during
employment, that to some extent was discussed in relation to detection of red
flags during recruitment, is the fact that observation of a red flag depends on the
subjective interpretation of the observer. This implies that what may appear
suspicious to one observer might be a sign of initiative (i.e. a positive sign) to
another observer.
Moreover, a number of high-rated difficulties identified by the panel
actually relate to previously mentioned good practices, whereby the panel either
identifies reasons that complicate the implementation of these recommended
practices or identifies a discrepancy between the recommended situation and the
actual situation. Regarding the former, the panel for instance recommends to
adopt a risk-based approach, but also recognizes that this implies unequal
treatment of employees. The unequal treatment of employees might also explain
the pushback from unions/labor groups, which is equally identified by the panel
as a major difficulty in the observation of red flags during employment.
Regarding the latter, the panel emphasized the importance of creating a
culture of reporting to observe red flags during employment, whereas it
simultaneously claims that internal reporting is currently not culturally accepted
as a professional responsibility, leading to an unwillingness to report. Likewise,
the panel recommends a number of in-employment screening practices (e.g.
electronic access control, alarms on access systems, …), but simultaneously
believes a cultural change is needed for accepting these practices. Additionally,
the panel identified awareness of the insider threat problem on senior and middle
management levels as a good practice, but at the same time puts lack of
managerial support forward as a factor significantly constraining insider threat
detection. A similar discrepancy between the recommended situation and the
actual situation is present with respect to tailor-made training for managers and
staff, with the panel identifying tailor-made training to observe and report red
flags in their context as a good practice but simultaneously concluding that at the
moment, manager and staff are not appropriately qualified/trained. The latter is
in line with earlier findings regarding lack of qualifications of recruitment staff
to conduct background screenings. Another similarity with the difficulties related
to the detection of red flags during recruitment is resource limitations that
similarly constrain the detection of red flags during employment.

| Medium-rated difficulties | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Time-consuming | 70,83% | 4 | 1 |
| Organizations downplay the role of work climate in security | 70,83% | 4 | 1 |
| Dysfunctional work environment might lead to multiplication or oversight of insider threat | 70,83% | 4 | 1 |
| Information is not always legally available | 66,67% | 4 | 1 |
| Organizations do not always see concrete return on investment | 66,67% | 4 | 1 |
| Relying too much on one employee to perform a task (monopoly position) | 66,67% | 4 | 1 |
| Risk of creating a negative workplace culture if staff in general feel that they are being unduly controlled/surveilled | 66,67% | 4 | 2 |
| Possibility of abuse of the reporting system by anyone bearing a grudge against the employee | 62,50% | 4 | 1 |
| Leadership-level personnel tends to protect itself from monitoring and controls | 62,50% | 4 | 1 |
| Lack of law, policy or regulation that enables post-employment screening | 58,33% | 4 | 1 |
| No access to government databases | 58,33% | 4 | 1,75 |
| Incorporation of (legal) precautions is often implemented when organizations are already confronted with red flags (too reactive) | 54,17% | 4 | 1 |
| Laws and regulations are too much focused on privacy | 54,17% | 4 | 2 |

Table 8.26: Medium-rated difficulties to detect red flags during employment

| Low-rated difficulties | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Assumption of trustworthiness | 50,00% | 3,5 | 1 |
| Follow-up procedure for internal job rotation/newcomers/consultants/contractors is complex | 45,83% | 3 | 1 |
| Private investigator may be necessary | 41,67% | 3 | 1 |
| Forcing isolated employees to socialize is an unacceptable intrusion. | 37,50% | 3 | 1 |
| If suspect is reported by a colleague it is difficult to protect that colleague from criticism or threats by suspect or other employees | 37,50% | 3 | 1,75 |
| Difficult to investigate suspicions without leaving the organization open to (legal) challenges | 29,17% | 3 | 2 |
| Not ethical to monitor an employee | 29,17% | 2,5 | 2 |
| Anonymous hotline has not a lot of success | 20,83% | 3 | 0,75 |

Table 8.27: Low-rated difficulties to detect red flags during employment

Table 8.26 shows that the medium-rated category contains rather straightforward
difficulties like the fact that detection of red flags is time-consuming,
that organizations do not always see concrete return on investment or that there
is a possibility of abuse of the reporting system by anyone bearing a grudge
against an employee.
Furthermore, some of the suggestions resemble the difficulties mentioned
when discussing the detection of red flags during recruitment, like the over-emphasis
of laws and regulations on privacy and the prohibition to access
government databases. Additionally, the relatively high score of the statement
that organizations downplay the role of workplace climate in security, which
narrowly missed the high-rated category, relates to disgruntlement as a red flag
of insider threats.
More striking results are the relatively high score of the statement that
leadership-level personnel tends to protect itself from monitoring and controls,
as well as the relatively low score of fear of reprisal. In relation to the former,
two thirds of the panel highlights the risk of creating a negative workplace culture
if staff feels that they are being unduly controlled (medium-rated). Concerning
the latter, for instance Cools (1994), Nitsch et al. (2005) and Bell et al. (2019)
found that fear of reprisal is one of the main barriers to report red flags, a finding
echoed by one of the panelists who indicated that “a recent case has shown our
company that other employees knew the incident was happening but kept silent
to avoid conflict with the offenders”.

8.3.8. Investigation - Good practices

Subsequent to the observation of red flags during employment, the panel
was asked to rate practices to investigate the validity of potential red flags that
were observed during employment. Tables 8.28, 8.29 and 8.30 respectively show
the practices that receive a high-, medium- and low rating from the panel.

| High-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Respect the (legal) rights of the suspect | 100,00% | 5 | 0,75 |
| Have an internal investigation protocol regarding concerns reported through the whistleblowing system | 95,83% | 4 | 1 |
| Have trained and experienced staff to conduct the investigation | 91,67% | 5 | 0 |
| Detect and use only what is legally authorized | 91,67% | 5 | 1 |
| Avoid a witch hunt | 91,67% | 5 | 1 |
| Have a formal investigation policy, procedures and process (who conducts investigation and how) | 83,33% | 5 | 1 |
| Not act in a haste unless the situation appears urgent | 79,17% | 5 | 1 |
| Make sure unauthorized staff members do not conduct their own investigation and make accusations | 79,17% | 5 | 1 |
| Provide sufficient resources to conduct investigations | 79,17% | 4,5 | 1 |
| Ensure you know what the normal situation is meant to be like to allow audit trails (like material inventories if suspicion of stolen material) | 79,17% | 4 | 1 |
| Review emails and ICT history of the suspect | 79,17% | 4 | 1 |

Table 8.28: High-rated practices to investigate the validity of red flags observed during employment

Most of the high-rated practices suggested by the panel seem rather
straightforward, like for instance respecting the (legal) rights of the suspect,
knowing what the normal situation is meant to be like, the provision of sufficient
resources to conduct investigations and the avoidance of a witch hunt.
Furthermore, the panel advises organizations to have a formal
investigation policy that outlines who conducts the investigation and how the
investigation proceeds. The panel continues to give priority to internal reporting,
this time by recommending organizations to have an internal investigation
protocol regarding concerns reported through the internal whistleblowing
system. More or less in relation to the latter two recommendations is the
recommendation of one panelist to find a balance between having trained and
experienced staff to conduct the investigation and making sure unauthorized staff
members do not conduct their own investigation. Or to say it in the panelist’s
words:
“They [expert investigators] must prioritize, which makes it extremely
unlikely that they will become involved at the earliest stage of a potential
problem when it is still capable of being mitigated. While untrained
employees should not be encouraged to make accusations, nor should
they be encouraged to abdicate all responsibility for defeating insider
threats by leaving it to the experts. The co-worker in a team who asks a
team mate what is wrong and shows enough concern to address problems
at the lowest level does more good to mitigate a budding insider threat
than that same member does by channeling the same concerns to an
elaborate whistleblower reporting system or by becoming an informant
to a sanctioned investigator. Not that there is not room enough for
overlapping and mutually supporting systems to work in concert to
address insider threats.”

Apart from the above-mentioned commentary, three other high-rated
practices were subject to discussion in round three of the study. Firstly, one
expert agreed that detecting and using only what is legally authorized should be
the general rule, but simultaneously argued that complying with this rule will not
always be possible in reality, leaving the door open for “grey and darker means”.
Secondly, not acting in a haste unless the situation appears urgent was put into
perspective by one expert, arguing that “there is a difference between not acting
in a haste and immediately taking the possible situation seriously and following
up on it”. Finally, the panel’s suggestion to review emails and ICT history of the
suspect was refined by four panelists, with one member of the panel arguing that
the intrusiveness of the practice implies the need for proportionality with the risk
of intentional misconduct, two other panelists adding that it should always be
applied within the constraints of the applicable laws, and yet another one urging
to use it as “a second line of investigation, if other indicators have already given
a basis to proceed”. To conclude, one expert stressed in round three that
“investigations should always be à charge and à décharge”, a practice endorsed
by less than two thirds of the panel and that therefore received a medium rating
from the panel in round two of the study.

| Medium-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Mask the identity of the suspect until anomalies and allegations are confirmed | 75,00% | 4,5 | 1,75 |
| Be transparent on the investigative process | 75,00% | 4 | 1,75 |
| Senior ownership of the investigation process | 70,83% | 4 | 2 |
| Culture of presumption of innocence | 70,83% | 4 | 2 |
| Compare observed behavior with duties and tasks of the suspect | 66,67% | 4 | 1 |
| Regularly interact with applicable police, prosecutor, security and intelligence services (proactive rapport) | 66,67% | 4 | 2 |
| Have a formal conversation with the suspect | 66,67% | 4 | 2 |
| Interview other stakeholders (like co-workers/managers) | 66,67% | 4 | 2 |
| Triangulate information sources | 66,67% | 4 | 2 |
| Have policies and procedures in place to determine if the behavior is concerning enough to warrant a response | 66,67% | 4 | 2 |
| Assess whether there is a link with external criminality (suspect providing help to criminals outside the organization) | 62,50% | 4 | 2 |
| Use a team approach | 58,33% | 4 | 2 |
| Investigate à charge and à décharge | 58,33% | 4 | 2 |
| Automate data aggregation rather than asking for data from different data owners for each new investigation | 54,17% | 4 | 1 |
| Involve as few people as possible until anomalies and allegations are confirmed | 54,17% | 4 | 2 |

Table 8.29: Medium-rated practices to investigate the validity of red flags observed during employment

| Low-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Explicitly define threshold of concerning behaviors that must be met before an investigation is launched | 50,00% | 3,5 | 1 |
| Temporary reassignment of the suspect to a less sensitive area during the investigation (time-out) | 50,00% | 3,5 | 1 |
| Review financial circumstances of the suspect | 45,83% | 3 | 1 |
| Inform prosecutor & police | 41,67% | 3 | 2 |
| Approval of formal investigation policies and procedures by social partners | 37,50% | 3 | 1 |
| Have an informal conversation with the suspect | 33,33% | 3 | 3 |
| Involve external expertise from the beginning (like a private investigator) | 25,00% | 2,5 | 2,75 |
| Make sure different entities must give their consent to start an investigation | 16,67% | 3 | 1 |

Table 8.30: Low-rated practices to investigate the validity of red flags observed during employment

Medium-rated practices that were close to a high rating are transparency
about the investigative process, masking the identity of the suspect until
anomalies and allegations are confirmed and senior ownership of the
investigation process. Moreover, in line with the medium rating of the suggestion
to investigate à charge and à décharge is the medium rating of culture of
presumption of innocence. Although this practice falls just below the threshold
of the high-rated category, it was expected to be assigned to the high-rated
category rather than the medium-rated one, taking into account the generally
accepted principle that someone is ‘innocent until proven otherwise’.
While the panel highly recommends organizations to have a formal
investigation policy that outlines how the investigation process proceeds, it is to
a lesser extent recommended to formally outline what conduct would trigger the
investigation process. This may be concluded from the relatively moderate rating
of the suggestion to have policies and procedures to determine if the conduct is
concerning enough to warrant a response, as well as the relatively low rating of
the suggestion to explicitly define the threshold of concerning conduct that must
be met before an investigation is launched, respectively supported by two thirds
and half of the panel. Other practices receiving a relatively moderate score are
triangulation of information sources and assessing whether the suspect is
providing help to criminals outside the organization.
A striking observation is that formal and informal conversations with the
suspect did not make the high-rated category, respectively receiving support from
two thirds and one third of the panel. Also interviewing other stakeholders than
the suspect receives only a medium rating to investigate the validity of red flags,
being encouraged by two thirds of the panel. Approval of formal investigation
policies and procedures by social partners too scores relatively low, with only
38% of the panelists recommending it. Referring back to the identification of
pushback from unions/labor groups as a significant difficulty to observe red flags,
this relatively low rating is striking, as one could assume that letting social
partners approve formal investigation policies and procedures could help to
reduce the pushback from unions/labor groups.
To conclude, the panel considers it less necessary that different entities
have to give their consent to start an investigation, to involve external expertise
from the beginning or to temporarily reassign the suspect to a less sensitive area
during the investigation.

8.3.9. Anticipation - Good practices

The conceptual insider threat mitigation framework outlined earlier in
chapter seven illustrated that the insider threat process can evolve to the point
where an insider threat incident is imminent. Therefore, the panel was asked to
rate practices to anticipate red flags that were observed and investigated during
employment, or to pre-empt what is perceived to be an imminent insider threat
incident. Tables 8.31, 8.32 and 8.33 respectively show the practices that receive
a high-, medium- and low rating from the panel.

| High-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Ensure a respectful work culture (no bullying or harassment) | 87,50% | 5 | 1 |
| See if further confirmatory evidence can be gathered before counteraction | 87,50% | 4 | 1 |
| Have a response plan to concerns reported through the whistleblowing system | 83,33% | 4 | 1 |
| Use a graded approach (consider threat level and potential consequences) | 79,17% | 4 | 1 |

Table 8.31: High-rated practices to anticipate red flags observed and investigated during employment

As discussed earlier in this results section (see table 8.6), the anticipation
stage contains considerably fewer high-rated practices in comparison with the
other stages of the conceptual model, with only four out of the in total 37 practices
listed in round two assigned to the high-rated category. A possible explanation
for the relatively few recommended practices is the lack of contextualization of
the insider threat situation, like the type of insider threat (sabotage, espionage,
theft, …) or the type of organization (public or private) (see 8.4). Still, the low
number of recommended practices implies that the panel finds it easier to show
which practices are less recommended to pre-empt imminent insider threats than
which practices are highly recommended.
Of the four high-rated practices, it is noteworthy that in similarity with
the observation and investigation stage, the panel again refers to internal
reporting, recommending organizations to have a response plan to concerns
reported through the internal whistleblowing system. However, in round three of
the study one panelist argued that the high-rated practices outlined in table 8.31
“suggest over-reliance on a whistle-blowing system, which may not necessarily
be optimized for preemption”. The same expert also pointed out that looking for
confirmatory evidence before proceeding with counteraction will probably have
as a result that the organization will lag behind the insider threat attack, failing to
preempt it. This critique was more or less echoed by another expert, who argued
that the practices “may contradict each other in some cases (e.g. if the graded
approach indicates no time to collect further evidence)”.
To conclude, one panelist urged to include positive incentives in the high-rated
category, particularly referring to employee assistance programs that might
halt the insider’s path to intentional misconduct and might get the insider back
on the right track before an incident occurs. These positive incentives received a
medium rating from the panel in round two of the study.

| Medium-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Develop policies and procedures for counteraction (who, when, how, ...) | 75,00% | 5 | 1,75 |
| Withdraw access of the suspect (virtual and physical) | 70,83% | 4 | 2 |
| Implement the four-eyes principle/two-person rule | 70,83% | 4 | 2 |
| Engage emergency procedures | 66,67% | 4 | 2 |
| Involve social/psychological support to seek resolution before incident develops (employee assistance program) | 62,50% | 4 | 2 |
| Include technology for remote disconnect and alarm response | 58,33% | 4 | 1 |
| Confiscate the suspect's organizational equipment (mobile, computer, ...) | 58,33% | 4 | 2 |
| Exchange information within the organization | 58,33% | 4 | 2 |
| Institute positive incentives to seek resolution before incident develops | 58,33% | 4 | 2 |
| Apply track and trace systems | 54,17% | 4 | 1 |

Table 8.32: Medium-rated practices to anticipate red flags observed and investigated during employment

| Low-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Regularly update policies and procedures for counteraction | 75,00% | 5 | 2,5 |
| Raise general awareness on expectations of appropriate conduct | 54,17% | 4 | 2 |
| Develop policies that encourage employees to intervene expeditiously when they suspect a threat | 50,00% | 4 | 2 |
| Monitor movements in real time using CCTV (remote surveillance) | 45,83% | 3 | 1 |
| Review current deterrence practices | 45,83% | 3 | 1 |
| Intervention by the line manager/supervisor | 45,83% | 3 | 1 |
| Use additional physical protection measures | 45,83% | 3 | 1 |
| Shut/lock down specific section/area of the organization | 45,83% | 3 | 2 |
| Extra deterrence through reminder of applied monitoring practices | 45,83% | 3 | 2 |
| Develop policies that encourage employees to operate as a team | 45,83% | 3 | 2 |
| Recognize that mistakes will happen | 45,83% | 3 | 2 |
| Monitor social dynamics (inter-group relations) | 41,67% | 3 | 1 |
| Address the suspect directly (interview with hierarchy) | 41,67% | 3 | 2 |
| Confront the suspect at the first opportunity before allowing a situation to fester | 37,50% | 3 | 1 |
| Offer the suspect time off the job | 37,50% | 3 | 1 |
| Request support and intervention by police/prosecutor, security or intelligence services | 33,33% | 3 | 2,75 |
| Raise awareness in the direct environment of the suspect | 29,17% | 3 | 1,75 |
| Physically intercept (without the use of violence) the suspect | 29,17% | 3 | 2 |
| Suspend the suspect | 29,17% | 3 | 2 |
| Terminate the contract of the suspect | 20,83% | 2 | 2 |
| Send the suspect a document ordering him/her not to commit misconduct (cease-and-desist order) | 16,67% | 3 | 1 |
| Set up a controlled decoy to monitor and expose a potentially larger group or network | 16,67% | 3 | 1 |
| Transfer the suspect internally | 16,67% | 3 | 1,75 |

Table 8.33: Low-rated practices to anticipate red flags observed and investigated during employment

Issues that narrowly missed the high-rated category are the development
of policies and procedures for counteraction, withdrawal of the suspect’s access
and implementation of the four-eyes principle. Regularly updating policies and
procedures for counteraction was recommended by three quarters of the panel,
but was vetoed by the remaining quarter of the panel that rated the practice one
or two stars, which explains the assignment to the low-rated category.
As mentioned before, the positive incentives one panelist referred to in
round three of the study received a medium rating in round two, with both
institution of positive incentives to seek resolution before an incident develops
and involvement of social/psychological support being supported by less than
two thirds of the panel. In contrast to these positive incentives, other practices
that received a medium rating from the panel rather relate to negative incentives,
like confiscating the suspect’s organizational equipment, applying track and trace
systems and other technology for remote disconnect and alarm response, and
engaging emergency procedures.
In similarity with the recommendations to investigate the validity of red
flags, relatively little importance is given to interaction with the suspect, as
intervention by the line manager/supervisor, addressing the suspect directly via
an interview with hierarchy and confronting the suspect all received support from
less than half of the panel. On the other hand, contrary to the recommendation to
structure coordination and communication along the organization in the
observation of red flags during employment, exchanging information within the
organization in the anticipation stage is only recommended by 58% of the
panelists.
Furthermore, the panel gives preference to raising general awareness on
expectations of appropriate conduct over awareness-raising in the direct
environment of the suspect, though both receive a relatively low score with
respectively 54% and 29% of the panel recommending it. The same applies to
practices related to deterrence, given that less than half of the panel is convinced
that reviewing current deterrence practices and implementing extra deterrence
through a reminder of the applied monitoring practices could contribute to the
preemption of imminent insider threat incidents.
To conclude, apart from withdrawing the suspect’s access, other measures
taken to keep the suspect (temporarily) away from their insider position, like
suspension, offering the suspect time off the job, transferring the suspect
internally or terminating the contract of the suspect, receive a relatively low
rating with less than half of the panelists recommending it.

8.3.10. Damage Limitation & Reconstruction - Good practices

Since organizations are not always able to preempt insider threat
incidents, the conceptual insider threat mitigation model also takes into account
the aftermath of the insider threat incident. The primary concern of the
organization is limiting the harm resulting from the insider threat incident to a
minimum, while the subsequent goal is to reconstruct the incident to learn from
it. The panel was therefore asked to rate practices to remedy an insider threat
incident. Tables 8.35, 8.36 and 8.37 respectively show the practices that receive
a high-, medium- and low rating from the panel.

| High-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Have a business continuity plan | 91,67% | 5 | 1 |
| Collect and secure direct and indirect evidence | 91,67% | 5 | 1 |
| Have trained staff in crisis communication | 91,67% | 4 | 1 |
| Minimize damage to organization's reputation and public trust | 91,67% | 4 | 1 |
| Identify systems, work areas or information affected by the insider incident | 87,50% | 5 | 1 |
| Remove the offender's access (virtual and physical) | 87,50% | 5 | 1 |
| Have an event notification tree (know who to call and notify after an incident) | 87,50% | 5 | 1 |
| Implement lessons learned | 87,50% | 5 | 1 |
| Have an internal crisis communications plan | 87,50% | 4 | 1 |
| Have an external crisis communications plan | 87,50% | 4 | 1 |
| Change compromised processes (like passwords/accesses) | 83,33% | 5 | 0 |
| Conduct a post-incident analysis | 83,33% | 5 | 1 |
| Define root causes of the incident [101] | 83,33% | 5 | 1 |
| Implement quick and decisive action (tackle the incident immediately) | 83,33% | 4 | 1 |
| Conduct a risk analysis upfront | 79,17% | 5 | 1 |
| Brief the public information officer on what can/should be declared | 79,17% | 5 | 1 |
| Designate a crisis management team upfront | 79,17% | 4,5 | 1 |
| Regularly update the incident playbook | 79,17% | 4 | 1 |
| Implement a multidisciplinary taskforce to improve policies and procedures [102] | 79,17% | 4 | 1 |
| Designate someone as public information officer to deal with media | 75,00% | 5 | 1 |
| Train employees to react appropriately to a malicious offender | 75,00% | 4 | 0,75 |

Table 8.34: High-rated practices to limit the damage from an insider threat incident

[101] One expert argued that defining the root causes of the incident is part of the post-incident analysis.

Table 8.35 shows that the high-rated category includes both preparatory
and reactive practices. Concerning the former, reference can be made to
preparatory plans like a business continuity plan, an event notification tree and
the designation of a crisis team upfront. Concerning the latter, reference can be
made to collecting and securing evidence, conducting a post-incident analysis,
identifying and changing compromised processes and implementing lessons
learned.
Furthermore, the panel devotes considerable attention to practices related
to incident communication, urging organizations to develop internal- and
external crisis communication plans and to have trained staff in crisis
communication, with for instance a public information officer who after the
incident is briefed on what can or should be declared. The importance given to
communication relates to the panel’s recommendation to minimize the damage
to the organization’s reputation. The recommendation to control public
announcements in order to safeguard the organization’s reputation also seems to
explain why the dark or hidden number of insider threats remains high (see supra
8.2.2).

[102] One expert argued that implementing a multidisciplinary taskforce to improve policies and procedures is part of the post-incident analysis.

A number of high-rated practices were discussed during round three of
the study. One panelist for instance stressed that implementing quick and decisive
action is not always the appropriate solution, as sometimes other stakeholders,
like for instance police forces, have to be involved. Another panelist specified
that training employees to react appropriately to a malicious offender should be
limited to reporting red flags to a designated team responsible for counteraction.
Additionally, one panelist emphasized that removing the offender’s access can
only happen if the offender is proven guilty of the incident. Finally, two experts
provided a general criticism regarding the high-rated practices, pointing out that
the suggested practices relate to general crisis management, rather than
management of insider threat incidents specifically.
On top of the high-rated practices that were put into perspective in round
three of the study, three practices currently absent in the high-rated category were
suggested. One expert pointed out the necessity of a plan to deal with
victimization, whereas another expert suggested adding both confrontation of the
person and termination of the employee’s contract.

| Medium-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Review identity access management practices (IAM) | 75,00% | 5 | 1,75 |
| Review privileged access management practices (PAM) | 75,00% | 5 | 1,75 |
| Use a standardized approach to command and coordinate the emergency response (Incident Command System) | 75,00% | 4 | 1,75 |
| Invest in resilience upfront | 70,83% | 5 | 2 |
| Assess the crisis situation | 70,83% | 4,5 | 2 |
| Use case study archives for training | 70,83% | 4,5 | 2 |
| Advise all affected customers and partner organizations | 70,83% | 4 | 2 |
| Suspend the offender | 70,83% | 4 | 2 |
| Develop a case study archive (and add incident to it) | 70,83% | 4 | 2 |
| Routinely conduct incident simulations (drills, table top, ...) | 66,67% | 4 | 1,75 |
| Check the financial records of the organization (forensic audit) | 66,67% | 4 | 1,75 |
| Develop a playbook for each type of insider incident that can occur upfront | 62,50% | 4 | 2 |
| Assign a senior incident manager as single point of contact for incident management | 62,50% | 4 | 2 |
| Organize aftercare for direct and indirect stakeholders (for instance co-workers) | 62,50% | 4 | 2 |
| Inform police/prosecutor, security or intelligence services | 58,33% | 4 | 2 |
| Refrain from private justice | 58,33% | 4 | 2 |
| Take out insurance upfront | 54,17% | 4 | 2 |
| Share lessons learned with entire organization as a form of reinforced learning | 54,17% | 4 | 2 |
Table 8.35: Medium-rated practices to limit the damage from an insider threat incident

| Low-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Present the incident as a lesson to everyone | 50,00% | 3,5 | 1 |
| Deal with incidents in an anonymous way | 45,83% | 3 | 1 |
| Apply a reimbursement plan for the financial damage | 45,83% | 3 | 1 |
| Be transparent throughout the whole organization as to what happened | 45,83% | 3 | 1,75 |
| Confront the offender with the evidence | 41,67% | 3 | 1 |
| Communicate with media and the public in a preemptive fashion (stealing thunder) | 41,67% | 3 | 1 |
| File a complaint | 37,50% | 3 | 1,75 |
| Consult external expertise (like a private investigator) | 33,33% | 3 | 2 |
| Full and frank disclosure of the incident so that other organizations can learn from it | 25,00% | 3 | 0,75 |
| Send the offender a document ordering him/her to stop the misconduct (cease-and-desist order) | 16,67% | 3 | 1 |
Table 8.36: Low-rated practices to limit the damage from an insider threat incident

Similar to the high-rated category, practices in the medium-rated category
relate to preparatory and reactive practices. Examples of preparatory practices
that narrowly missed the high-rated category are the use of a standardized
approach to command and coordinate emergency response, as well as investment
in resilience upfront. Other examples of medium-rated preparatory practices are
developing a playbook for each type of insider threat incident that can occur,
routinely conducting incident simulations and taking out insurance upfront, all
practices recommended by at most two thirds of the panel.
Examples of reactive practices that are close to the high-rated category
are short-run countermeasures like reviewing identity and privileged access
management, suspending the offender and advising all affected customers and
partner organizations, as well as long-run countermeasures like adding the
incident to a case study archive that should be used for training purposes. Other
examples of medium-rated reactive practices supported by at most two thirds of
the panel are forensic audits and organizing aftercare for direct and indirect
stakeholders.
With respect to communication on the insider threat incident, it is
noteworthy that whereas transparency was considered important by the panel in
the stages that precede an insider threat incident (i.e. about the recruitment and
screening process, about the in-employment control measures and about the
investigation process), transparency is less recommended in the aftermath of an
insider threat incident, both internally and externally. Regarding internal
communication, only 54% of the panelists encourage organizations to share
lessons learned with the entire organization. Regarding external communication,
informing government authorities receives a medium rating, whereas
communicating with media and the public in a preemptive fashion (i.e. stealing
thunder) and full and frank disclosure of the incident so that other organizations
can learn from it both receive a low score from the panel, being recommended
by less than half of the panelists.
To conclude, the relatively low score of involvement of external expertise
is in line with earlier results related to the investigation stage. Another similarity
with the practices suggested with respect to the investigation and anticipation
stage is that, with the exception of the one panelist advocating it in round three
of the study, the panel considers interaction with the offender less necessary, as
confronting the offender with the evidence is only recommended by 42% of the
panelists.
8.3.11. Deliberation - Good practices

In the aftermath of an insider threat incident, the organization also has to
decide how it will deal with the offender. Consequently, the panel was asked to
rate practices to deal with an insider who is responsible for an insider threat
incident. Tables 8.38, 8.39 and 8.40 respectively show the practices that receive
a high, medium and low rating from the panel.

| High-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Have a fair & consistent disciplinary system | 91,67% | 5 | 1 |
| Respect the rights of the offender (among others through the unions) | 87,50% | 5 | 1 |
| Discuss different options with relevant stakeholders (Security, HR, IT, Legal, ...) and develop plan A/B/C | 87,50% | 5 | 1 |
| Incorporate separation of duties | 87,50% | 5 | 1 |
| Review access permissions | 87,50% | 4,5 | 1 |
| Keep well-maintained personnel/contractor files | 83,33% | 5 | 1 |
| Focus on acts, not on people | 83,33% | 4 | 1 |
| Make sure other employees know appropriate measures are taken | 79,17% | 4,5 | 1 |
Table 8.37: High-rated practices to deal with an offender of an insider threat incident

As discussed earlier in this results section (see table 8.6), the total number
of practices related to the deliberation stage was scarce in comparison with the
other stages of the conceptual model (except for the practices related to
mismanagement, see infra 8.13), with only 19 suggested practices deduced from
round one. Still, of those 19 proposed practices, almost half received a high rating
from the panel. More specifically, the panel for instance recommends having a
fair & consistent disciplinary system whereby the rights of the offender are
respected. Other practices worth noting include focusing on acts and not on
people, discussing different options with relevant stakeholders to develop plan
A/B/C and reviewing access permissions.
In round three of the study, one panelist emphasized the importance of
making sure other employees know that appropriate measures are taken,
indicating that “a recent case has shown our company that other employees knew
the incident was happening but kept silent to avoid conflict with the offenders.
After termination of the offenders, the other employees were "relieved" the "bad
apples" were weeded out. Therefore it is important, in my opinion, that other
employees know appropriate measures are taken”. Moreover, similar to
the previous question on damage limitation and reconstruction, one expert
suggested adding confrontation of the person concerned and termination of the
contract to the high-rated category, the latter receiving a medium rating in round
two of the study.
Also in round three, one expert touched upon one of the main
shortcomings of the conceptual model that was already addressed in chapter
seven, namely that the focus of the model is (too much) on ‘bad apples’, largely
disregarding the question whether or not the barrel is corrupted. Although this
shortcoming is again acknowledged, it is argued that the guidance to prevent
repetition of similar insider threat incidents by different insiders was more or less
discussed in the context of the previous question on practices related to the
damage limitation and reconstruction stages. In any case, introspection whereby
an organization looks at its own role in the insider threat incident is important as
well.

| Medium-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Handle the offender with care | 70,83% | 4 | 2 |
| Consider motives and means by which insider incident is committed in harmony with considering the impact | 66,67% | 4 | 1,75 |
| Try to stay on speaking terms with the offender | 66,67% | 4 | 2 |
| Severity of the impact should inform the punishment | 62,50% | 4 | 2 |
| Train extra on security rules/appropriate conduct on a regular basis | 62,50% | 4 | 2 |
| Suspend the offender | 54,17% | 4 | 1 |
| Terminate the contract of the offender | 54,17% | 4 | 1,75 |
Table 8.38: Medium-rated practices to deal with an offender of an insider threat incident

| Low-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Question the offender applying a hear and confront approach | 45,83% | 3 | 1 |
| File a complaint | 41,67% | 3 | 3 |
| Issue a reprimand | 37,50% | 3 | 1,75 |
| Transfer the offender internally | 16,67% | 2 | 2 |
Table 8.39: Low-rated practices to deal with an offender of an insider threat incident

The remaining practices that did not make the high-rated category
concern both constructive and destructive practices. Examples of the former are
handling the offender with care, trying to stay on speaking terms with the
offender, and training extra on security rules/appropriate conduct on a regular
basis. Examples of the latter are suspending the offender (medium-rated), filing
a complaint (low-rated) and issuing a reprimand (low-rated). Moreover, it is
striking that less than half of the panel recommends questioning the offender by
applying a hear and confront approach, given that the low rating does not appear
to be compatible with the generally accepted principle that an offender has the
right to defend themselves. Still, it is to some extent in line with the earlier
recommendations to limit interaction with suspects and offenders of insider threat
incidents and the limited support for an à charge and à décharge strategy during
the investigation stage (see supra 8.3.8).
Also the fact that 63% of the panel believes that the severity of the impact
should have an influence on the level of punishment is notable. Although
intuitively it is indeed reasonable to relate punishment to the harm resulting from
the incident, it was shown in chapter three that the focus should not be on the
impact of the insider’s witting decision to commit intentional misconduct, but
rather on the decision itself (Elangovan & Shapiro, 1998; Goold, 2002; Hawley,
2014; Ho & Katukoori, 2013; Morris & Moberg, 1994), which was illustrated by
making reference to the espionage case of Jonathan Toebbe in which the practical
damage was averted in time but the sense of betrayal remained. Considering
motives and means by which the insider incident is committed in harmony with
considering the impact, a practice supported by two thirds of the panel, might
therefore be more in line with the insider threat literature.
8.3.12. Termination - Good practices

When the organization comes to the conclusion that the trust relationship
cannot be restored because the insider is perceived to be no longer trustworthy,
it has to terminate the insider’s contract. Remember that impending termination
of contract fell just short of the category of high-rated red flags of insider threat
during employment (see supra 8.3.5) and that “an individual is most likely to steal
intellectual property within 30 days of termination” (Luckey et al., 2019: 33). As
a result, it is important that the insider’s dismissal proceeds in accordance with
proper exit procedures. The panelists were therefore provided with a list of
potential exit procedures, asking them to what extent these practices are
recommended when terminating the contract of insiders. Tables 8.44, 8.45 and
8.46 respectively show the practices that receive a high, medium and low rating
from the panel.

| High-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Comply with applicable laws | 100,00% | 5 | 0 |
| Document the incident preceding the termination as fully as possible to motivate termination (strong factual basis) | 95,83% | 5 | 0 |
| Reclaim equipment from the terminated employee (keys, badges, uniform, computer, books, ...) | 95,83% | 5 | 0 |
| Develop termination procedures | 95,83% | 5 | 1 |
| Have clear policies on appropriate and inappropriate conduct to ensure employees are aware of implications | 91,67% | 5 | 0 |
| Document terminations | 91,67% | 5 | 0 |
| Revoke access of the terminated employee (virtual and physical) | 91,67% | 5 | 0 |
| Apply termination procedures consistently | 91,67% | 5 | 0,75 |
| Escort the terminated employee to the exit if he/she is not permitted to return to his/her desk | 87,50% | 5 | 0,75 |
| Keep well-maintained employee/contractor files | 87,50% | 5 | 1 |
| Train termination procedures | 83,33% | 5 | 1 |
| Regularly update termination procedures | 83,33% | 5 | 1 |
| Give the terminated employee the possibility to defend him-/herself | 83,33% | 5 | 1 |
| Consult legal support (internal or external) | 83,33% | 4 | 1 |
| Document the history of what the organization has done to inform the terminated employee | 79,17% | 5 | 1 |
| Conduct an exit interview | 79,17% | 4,5 | 1 |
Table 8.40: High-rated practices to terminate the contract of insiders

Some of the high-rated exit procedures outlined by the panel again seem
straightforward, like the unanimously agreed upon recommendation to comply
with the applicable laws and the development, consistent application and regular
update of termination procedures. Furthermore, documentation is important for
the panel, referring both to general guidelines like keeping well-maintained
employee/contractor files and documenting terminations in general, as well as to
guidelines related to an insider threat incident like documenting the incident that
precedes the termination of the insider’s contract.
Other high-rated exit procedures resemble practices suggested in the
insider threat literature, like for instance reclaiming equipment from the
terminated insider, revoking the insider’s virtual and physical access or
conducting an exit interview (Beattie & BaMaung, 2015; Power & Forte, 2006;
UK CPNI, 2019). One panelist specifically emphasized the suitability of the latter
practice in round three, regarding it as a chance to “terminate the employee
without them thinking or acting hostile toward the organization after
termination”. As a reminder, the results of the insider threat awareness and
behavior survey outlined in chapter six of this dissertation show that 95% of the
respondents indicate that their organization immediately shuts down all accesses
from employees that leave the organization, while 75% of the respondents state
that their organization performs exit interviews.
In line with a comment shared with respect to the damage limitation and
reconstruction stage, one expert argued in round three of the study that the
high-rated practices are not specifically related to insider threat incidents but are rather
procedures suitable for exits in general. Furthermore, one panelist questioned the
relevance of giving the terminated employee the possibility to defend themselves,
arguing that “if you are at the point of terminating an individual there is no need
for the individual to defend him/herself”. Moreover, two panelists elaborated on
the recommendation to escort the terminated employee to the exit if the employee
is not permitted to return to their desk. While both experts agreed that the
suitability of the practice depends on the circumstances, one panelist put more
emphasis on the negative aspect of the practice, perceiving it as public shaming,
whereas the other expert rather highlighted that “it may be prudent to arrange
for a special escort for the terminated employee. (…). In a number of cases I have
personally handled, such escorts were also armed, but not conspicuously so.
Involuntary terminations can become last-straw events that turn violent”.
Cultural differences may underlie this difference of opinion. Finally, one expert
argued for adding the practice of conducting a social network analysis of the terminated employee
within the organization to the high-rated category, a practice supported by only
54% of the panel in round two of the study.

| Medium-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Report protocols for eventual future attempts by the terminated employee | 75,00% | 4 | 1,75 |
| Do not treat the terminated employee as a special type of criminal | 70,83% | 4 | 2 |
| Discuss termination options | 66,67% | 4 | 2 |
| Have a caring attitude to prevent repercussions | 66,67% | 4 | 2 |
| Protect the terminated employee's future as well as the interest of the organization (mutually agreed termination) | 62,50% | 4 | 1,75 |
| Inform police/prosecutor in case of litigation | 62,50% | 4 | 2 |
| Have the terminated employee re-sign a non-disclosure agreement (NDA) | 54,17% | 4 | 2 |
| Identify and analyze the terminated employee's social network within the organization | 54,17% | 4 | 2 |
Table 8.41: Medium-rated practices to terminate the contract of insiders

| Low-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Use termination as an opportunity to reinforce expectations regarding appropriate conduct with other employees | 62,50% | 4 | 2,75 |
| Post-monitor social media | 50,00% | 3,5 | 1 |
| Provide the terminated employee with appropriate guidance and counseling | 50,00% | 3,5 | 1,75 |
| Post-monitor open sources like internet | 45,83% | 3 | 1 |
| Share lessons learned with broader community (industry partners, law enforcement, ...) | 45,83% | 3 | 1 |
| Inform the terminated employee’s social network within the organization of the departure | 45,83% | 3 | 2,75 |
| Have a transparent but confidential debriefing with the terminated employee's social network within the organization | 45,83% | 3 | 2,75 |
| Offer the terminated employee career management support | 16,67% | 3 | 2 |
Table 8.42: Low-rated practices to terminate the contract of insiders

Practices that are close to the high-rated category are the development of
reporting protocols in case the terminated employee attempts to regain access to
the organizational assets and the recommendation to not treat the terminated
employee as a special type of criminal. Other practices supported by at most two
thirds of the panel include ‘hard’ approaches like re-signing of non-disclosure
agreements or litigation by informing police forces, and rather ‘soft’ approaches
like having a caring attitude to prevent repercussions and protecting the
terminated employee's future. Practices supporting the terminated insider in
finding a new job, like providing the terminated insider with appropriate
guidance and counseling and offering the terminated insider career management
support, are rated relatively low by the panel.
In line with earlier recommendations from the panel, internal and external
transparency is again not recommended in the aftermath of an insider threat
incident, given that a debriefing with the terminated insider’s social network
within the organization and sharing lessons learned with the broader community
are supported by less than half of the panel. In line with this, 63% of the panel
recommends that organizations use termination as an opportunity to reinforce
expectations regarding appropriate conduct with other employees, while a quarter
of the panel discourages this practice (i.e. rating of only one or two stars), which
explains the assignment to the low-rated category. To conclude, just like with
respect to the recommendations to observe red flags during employment,
monitoring social media and other open sources post-employment receives a
relatively low rating with less than half of the panel recommending it.
8.3.13. Mismanagement - Good practices

It was mentioned before in chapter seven that organizations run the risk
of mismanaging an insider threat incident (Martinez-Moyano et al., 2008), for
instance by incorrectly judging non-threats as threats. As a result, I was also
interested in the panel’s opinion on practices to deal with insiders that are
wrongly accused of being responsible for an insider threat incident (i.e. false
positives). Tables 8.41, 8.42 and 8.43 respectively show the practices that receive
a high, medium and low rating from the panel.

| High-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Ensure that the incident is not recorded on the employee's record | 91,67% | 5 | 0,75 |
| Explain why the organization suspected the employee | 91,67% | 5 | 1 |
| Have a positive security culture so that wrong accusations are not interpreted as a negative judgement toward the employee | 87,50% | 5 | 0 |
| Offer the employee welfare/psychological support | 87,50% | 5 | 1 |
| Rehabilitate the employee (full restoration) | 87,50% | 5 | 1 |
| Review the indicators and/or the reporting route that led to the false assessment | 87,50% | 5 | 1 |
| Be aware of possible repercussions | 87,50% | 4,5 | 1 |
| Offer the employee a personal apology | 83,33% | 4,5 | 1 |
| Find out whether the accusations were made maliciously (debriefing with the reporter) | 79,17% | 5 | 1 |
Table 8.43: High-rated practices to deal with false positives

With only 16 practices, the number of suggested practices to deal with false
positives was the lowest of all questions asked to the panel.
Notwithstanding the limited number of proposed practices, more than half of the
suggested practices were assigned to the high-rated category. While some
practices are aimed at restoring the relation with the wrongly accused insider,
others are targeted at preventing the reoccurrence of similar false positives.
Restorative practices are for instance the full rehabilitation of the insider,
whereby the wrongly accused insider is offered a personal apology [103] and/or
welfare/psychological support, and is ensured that the incident is not recorded on
the insider’s record. Preventive practices, on the other hand, are for instance
reviewing the indicators, and if applicable the reporting route, that led to the false
assessment, and the implementation of a positive security culture so that wrong
accusations are not interpreted as a negative judgement toward the insider.
During round three of the study, one panelist mentioned that for safety
reasons, organizations cannot always explain to the wrongly accused insider why
the organization suspected the insider. Moreover, one panelist urged
organizations to seek legal advice, a practice supported by two thirds of the panel
in round two. The same panelist put an additional spotlight on the need to be
aware of possible repercussions, and recommended that organizations retrain staff
in case of false positives. Another panelist rather highlighted the necessity to
inform colleagues that the accusations were false, a practice that narrowly missed
the high-rated category in round two.

[103] One panelist argued that “if your investigation is done correctly you don't need to apology”

| Medium-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Debriefing with the team | 75,00% | 4 | 1,75 |
| Seek legal advice | 66,67% | 4 | 1 |
| Offer the employee time and space to have some distance from the workplace | 66,67% | 4 | 2 |
| Register the incident in the organization incident database | 66,67% | 4 | 2 |
| Debriefing with social partners | 62,50% | 4 | 1 |
| Offer the employee public apologies | 54,17% | 4 | 1 |
Table 8.44: Medium-rated practices to deal with false positives

| Low-rated practices | % 4 or 5 | Median | Interquartile Range |
|---|---|---|---|
| Offer the employee (financial) compensation | 37,50% | 3 | 2 |
Table 8.45: Low-rated practices to deal with false positives

While a debriefing with the team is close to a high rating, a debriefing
with social partners is rated relatively moderately by the panel with 63% supporting
it. Moreover, the panel considers offering the insider a public apology less
appropriate than offering the insider a personal apology, but more appropriate
than offering the insider a (financial) compensation.
8.3.14. Formal insider threat mitigation team

As a more general question transcending the different steps of the
conceptual model, I wanted to know whether the panel recommended that
organizations implement a formal insider threat mitigation team. In contrast to
the other questions, this was a yes-or-no question in round two of
the study whereby the panelist was also offered the opportunity to abstain (‘no
comment’). In round three of the study, the panelists were offered the possibility
to explain the reasoning behind their answer.

| Insider threat mitigation team | Yes | No | No comment |
|---|---|---|---|
| Do you recommend organizations to implement a formal insider threat mitigation team? | 79,20% | 16,70% | 4,20% |
Table 8.46: Recommendation on the formation of a formal insider threat mitigation team

Table 8.34 shows that in round two of the study, a large majority of the
panel recommended the creation of a formal insider threat mitigation team. This
recommendation was, however, put into perspective. First of all, in round three
of the study it was argued by six panelists that the formation of a formal insider
threat mitigation team depends on the size and type of the organization, indicating
that only for large organizations the benefits of such a team outweigh the costs.
Furthermore, one panelist commented in round two of the study that “any
management or analytical team assembled to evaluate or deal with an insider
threat should draw its members and resources from existing staff and functions,
rather than develop a standing army of specialists who will be destined to be seen
as impediments to productive work in the eyes of the core business of the
organization”. This was echoed by one panelist in round three of the study, who
stated that the formal insider threat mitigation team should not necessarily be a
distinct team, but can equally reside in an already existing team.
Which team this should be was subject to debate. While one member of
the panel stressed that line management should be the owner of insider threat
mitigation oversight, another one urged embedding it in the security/investigation
team. This is in line with the results of the survey on insider threat awareness and
behavior that illustrated that management is considered to be the key actor of
insider threat mitigation by 61% of the respondents, followed by Security (and
ICT) that are both mentioned by 42% of the respondents.

To conclude, one panelist indicated in round three of the study that “if the
threat mitigation team becomes the sole arbiter and expert body solely
responsible for dealing with insider threats, the threats will invariably over
match the defenses”. As a result, the panelist recommended incorporating
involvement from co-workers and line-management. Another member of the
panel echoed cooperation of the formal insider threat mitigation team with other
relevant stakeholders, specifically referring to social partners.
8.3.15. Evaluation of the Delphi study

Apart from the primary aim to discover potential red flags of insider threat
incidents and good practices, relevant actors and difficulties related to insider
threat mitigation, the secondary objective of the study was to “explore the
applicability of the [Delphi] research method” (Gossler et al., 2019: 440). In
other words, both the panel’s stance on the suitability of the Delphi technique for
insider threat research in general as well as the panel’s expectations regarding the
results of the present study (Van Dolderen et al., 2017) were questioned.
Concerning the former, table 8.47 shows that the large majority of the panelists
perceives the Delphi technique as an appropriate method to research the insider
threat problem. Concerning the latter, table 48 shows that the majority of the
panel was confident that the current study would provide significant results.

| Question | Rating | N | % |
|---|---|---|---|
| Please indicate to what extent you consider the Delphi method in general an appropriate means to research the insider threat problem | Very poor | 0 | 0,0% |
| | Poor | 1 | 4,3% |
| | Average | 0 | 0,0% |
| | Good | 19 | 82,6% |
| | Excellent | 3 | 13,0% |
| | Total | 23 | 100% |
Table 8.47: Evaluation of the Delphi technique as a means to research the insider threat problem

| Question | Rating | N | % |
|---|---|---|---|
| Please indicate whether you think our Delphi study will provide significant results. | Very poor | 0 | 0,0% |
| | Poor | 1 | 4,3% |
| | Average | 2 | 8,7% |
| | Good | 16 | 69,6% |
| | Excellent | 4 | 17,4% |
| | Total | 23 | 100% |
Table 8.48: Prediction of the significance of the results of the current Delphi study

8.4 Limitations
In spite of the efforts to take the elements of trustworthiness of qualitative
research into consideration (see supra 8.2.5.), it should be acknowledged that the
study is limited by some weaknesses, both with respect to the research design and
to the results.
8.4.1. Research design

First of all, I did not completely fulfill the recommendation to use a
research team of at least two researchers who equally contributed to the data
analysis (Landeta, 2006; Turoff, 2002). The reason for this is that this study was
performed in the context of a doctoral project, which implies that the study
consisted of one principal researcher (i.e. the PhD-candidate) who was
responsible for the qualitative analysis of round one and round three and the
quantitative analysis of round two, and one secondary researcher (i.e. the
supervisor) who provided feedback and assisted with the interpretation of the
results. The lack of inter-coder reliability increases the risk of investigator bias
(Grime & Wright, 2016). In this regard, Turoff (2002: 96) indicates that “there
are many ways to abuse the use of the Policy Delphi: the manner in which
comments are edited, the neglect of items, the organization of the results”.
Although it is acknowledged that a research team can in principle try to bend the
results in a certain direction of their preference (Dalkey & Helmer, 1963), Turoff
(2002) simultaneously argues that such research fraud is unlikely in practice
because “such a process is a rather dangerous game and not likely to go unnoticed
by some segment of the respondents” (ibid: 96). In this regard, I can only say that
I performed every step of the Delphi study in good faith, without any attempts
to steer the panel in a certain direction, and that I did not receive any negative
reactions from the panel.
Furthermore, one of the main characteristics of the Delphi technique can
be subject to discussion, namely anonymity. Landeta (2006: 469) for instance
identifies “impunity conferred by the anonymity with respect to irresponsible
actions on the part of the experts” as a weakness of the Delphi technique. This
worry is echoed by Foth et. al. (2016: 115), who state that “due to the anonymity
of the process, it has been argued that experts are not accountable for the views
they express and the judgements they make”. Still, it can be argued that the panel
is to some extent accountable to the research team due to the fact that the study
was not completely anonymous (i.e. quasi-anonymity).
Related to anonymity is the limited interaction between the panelists,
which is also a point of potential criticism. While the limited interaction is seen
as a strength of the Delphi technique because it reduces the risk of groupthink or
dominant individuals (Dalkey & Helmer, 1963; Hsu & Sandford, 2007; Turoff,
2002), the other side of the coin is that the risk of ambiguity is higher because
there is less opportunity to discuss differences of opinion or to clarify vague
statements (Landeta, 2006; Steurer, 2011; Lange et. al., 2020). Both the positive
and negative aspects were echoed by the expert panel in their evaluation of the
Delphi technique. One expert for instance indicated that the technique allowed
“for diverse points of view and experience to be considered in a non-
challenging/threatening way (everyone’s voice is heard and no egos are
bruised)”, while another expert pointed out that “there may still be some issues
in terms of how different respondents are interpreting the statements and so
agreement at the level of the survey may still mask divergences that would emerge
if the issues were to be discussed more fully”.
The selection of the panel can be criticized as well. Delphi studies
inherently suffer selection bias (Steurer, 2011) as “those who respond to the
initial invitation are those who are more likely to be interested in the subject
matter” (Keeney et. al., 2006: 208). Put in a different way, the composition of the
panel, like the number of experts and their level of expertise, influences the
results of the study, even though this problem is not unique to the Delphi
technique (Hasson et. al., 2000). Also the heterogeneity of the panel has both
positive and negative implications. One expert for instance believes the Delphi
technique “is an interesting method to gather information from a panel of experts
when a variety of experts from different fields is consulted”, whereas another
expert expressed their concern about a “potential lack of consistency in
terminology used in the study as respondents are from around the globe”. With
respect to the present study, one can also argue that it suffers from Eurocentrism,
as the African and Asian continents were not represented in the panel of experts
(Gossler et. al., 2019). To include these experts could have resulted in another
outcome (Lange et. al., 2020).
Moreover, while I looked at the level of experience to evaluate the
capability of potential experts, Baker et. al. (2006) question whether this
characteristic adequately measures capability. They argue that “it is tenuous to
suggest that a certain number of years' experience means that an individual can
be considered an expert” (ibid: 64). Although I do not necessarily disagree with
their statement, I believe a certain amount of experience is one of the few leads
suggested in the literature on the Delphi technique to select an expert panel. It is
true that round one could have been preceded by a round that formally validated
the expertise of each individual panel member (Gossler et. al., 2019), but to lessen
the already quite high burden104 on the expert panel, I preferred to do a pilot study
in which the qualification of the shortlisted candidates was evaluated by others
(see 8.2.4.1.). On top of that, possible miscasts of the expert panel could have
been detected during the analysis of round one, with panelists providing
inappropriate answers being eliminated for future rounds (which was not the case
in this study). In any case, Baker et. al. (2006)’s recommendation that “until clear
consensus appears within the literature, researchers need to be able to justify their
decisions in order for readers to ascertain the expertness of the panel” (ibid: 68)
was fulfilled by clearly outlining the procedure to select the research sample (see
8.2.3.).
Furthermore, it can be argued that the online questionnaire of round one
contained (too) vague questions that provided little information on contextual
factors, making it difficult to answer these questions (Christie & Barela, 2005;
Dalkey & Helmer, 1963). The expert that believed this study would provide poor
results perceived “the quality of findings to be largely biased by the way in which
the different questions were formulated. In most cases, my answer to the different
questions would have been "It depends", and would have needed more
information about the context of the question”. This remark was echoed by other
experts, with for instance one expert arguing that they “did find it difficult to
answer questions without context” and another one indicating that it is “important
to address/define stakeholders first (private organization/public bodies)”. It is
true that I for instance never specified the kind of misconduct (theft, espionage,
sabotage, …), the severity of the intentional misconduct (minor or major
violation of the specific organizational norm) or the type of organization that
experiences the intentional misconduct (SME, multinational, public organization,

104 In each round, the completion of the questionnaire took on average approximately one hour.

…). When discussing the limitations concerning the results (see infra 8.4.2.), I
will explain why this decision was made.
The questionnaire of round two also suffered from a certain degree of
ambiguity, mostly because the statements were framed in the language of the
respondents (Keeney et. al., 2006; Stone Fish & Busby, 2005). Even though all
panelists were sufficiently skilled in English and writing, biased translations and
linguistic misperceptions between natives and non-natives could not be
completely eliminated (Gossler et. al., 2019). This was also mentioned by several
experts. One expert for instance indicated that “there were a number of
statements which were difficult to understand because they were not presented in
the clearest terms. In some cases this is because of phraseology and in other
cases because of mistranslations or portions of a statement that had not been
translated”. Another one stated that as a non-native speaker of English, “it is also
difficult to understand the nuances of the English language”. In combination with
the heterogeneity of the panel, these language problems might have resulted in a
lack of consistent terminology. To give an example, one panelist suggested in
round two that “it would be helpful if you defined 'screening.' This process is not
standardized across industries and certainly not at the international level and is
therefore open to interpretation by the survey respondent”. The concern with
respect to a lack of consistent terminology was echoed by two experts in their
evaluation of the study. Moreover, the decision not to group the information
gathered in round one resulted in an overlap between some of the issues, making
it sometimes difficult for panelists to distinguish them.
Another criticism with respect to round two can be targeted at the decision
to use a five-point Likert scale to rate the questions. First of all, the different items
on the scale were not carefully defined, which contradicts Turoff’s (2002)
recommendation to do this. Given that the goal was to aggregate those categories
in overall ‘agreement’ and ‘disagreement’ categories, I perceived that a
clarification of the difference between on the one hand ‘agree’ and ‘totally agree’
and on the other hand ‘disagree’ and ‘totally disagree’ would have had limited
added value. Furthermore, Rayens and Hahn’s (2000) and Turoff’s (2002)
recommendation to force panelists to form an opinion by using a four-point
Likert scale that does not permit neutral answers was not followed. Since there is
“no clear evidence of the superiority of one scale based on reliability” (Lange et.
al., 2020: 9), my preference was the five-point Likert scale because a five-point
Likert scale turns out to be the preferred scale among respondents (Lange et. al.,
2020). In any case, it is acknowledged that presenting the issues on another scale
(three-point105, four-point106, seven-point107, nine-point108 or ten-point109) could
have resulted in different results (Lange et. al., 2020). Lange et. al. (2020) even
question the use of ordinal scales tout court, arguing that “it remains unresolved
whether it is better to define a scale-cutoff and then generate a dichotomous result
or whether that result should be queried in a context-based dichotomous manner,
e.g. whether one should formulate all questions in a yes/ no manner” (ibid: 7).
Future research will have to clarify which option provides the best results.
The use of rating scales in round two also implies that panelists were not
asked to explain their reasoning behind their rating. This means that “in an effort
to complete a long survey, responses might be selected without full
consideration” (Christie & Barela, 2005: 111). Although knowing the arguments
behind the ratings in round two would definitely have added value to the study, I
estimated that the burden on the panel was already extensive (Landeta, 2006),

105 See for instance Lange et. al. (2020) and Barrios et. al. (2021)
106 See for instance Rayens & Hahn (2000), Vogel et. al. (2019) and Gossler et. al. (2019)
107 See for instance Turoff (2002)
108 See for instance Lange et. al. (2020) and Barrios et. al. (2021)
109 See for instance Hackett et. al. (2006) and Giannarou & Zervas (2014)

having to process all steps of the conceptual model110. Although I could have
freed up time for argumentation by presenting the panel with only a fraction of
the theoretical framework, my preference was questioning the entire model
without argumentative feedback from the panelists in round two, asking for
argumentation in round three instead. This decision implies that unlike
(recommendations from) other Delphi studies (e.g. Barrios et. al., 2021;
Chuenjitwongsa, 2017; Gossler et. al., 2019; Rowe & Wright, 2001), I did not
provide panelists with a summary of the arguments of other panelists (Lange et.
al., 2020) or with individual feedback on the answers the expert provided in
previous rounds (Barrios et. al., 2021; Stone Fish & Busby, 2005; Vogel et. al.,
2019). The feedback provided to the panel was limited to stating that the
questionnaire of round two contained all relevant issues mentioned by the panel
in round one, and that the questionnaire of round three contained the list of high-
rated issues that met the selection criteria regarding percentage of agreement,
central tendency and dispersion (see supra table 8.5).
Another potential criticism is the way consensus was measured. A weak
point in this regard is that while the stability of the group response was taken into
account (at least with respect to the high-rated issues), I did not take into account
individual consistency (Vogel et. al., 2019), being the extent to which the responses
of each expert were consistent between the different rounds of the study (Barrios
et. al, 2021). According to von der Gracht (2012: 1527), this means that “group
stability can happen although significant individual changes might have taken
place, which compensate for each other”. Moreover, the consensus definition in
the present study implies that “certain items may fall just below the threshold for
what is fundamentally an arbitrary cut off” (Diamond et. al., 2014: 405), as was

110 As stated before, it took approximately one hour to rate all 530 issues, meaning that asking for
arguments behind these ratings would have been overkill and would have resulted in a large
drop-out.

demonstrated multiple times in the results section. In other words, it could be that
issues were dropped in round three that fell just short of the high-rated category
but that would have been valuable to discuss in round three. To compensate for
this shortcoming, I did not solely focus on round three of the study and presented
the results of round two in their entirety so that the reader is informed on all (530)
issues suggested by the panel in round one.
To conclude, it is acknowledged that round three of the study should in
principle consist of the same content as round two111 and that omission of issues
goes against the spirit of the Delphi technique (Hasson et. al., 2000). Moreover,
it is acknowledged that exploring consensus in the form of disagreement with the
issues (e.g. Christie & Barela, 2005; Hackett et. al., 2006; Rayens & Hahn, 2000;
van de Linde & van der Duin, 2011) would have added value to the study.
Nevertheless, it is argued that a reduction of the number of issues in combination
with a focus on consensus in the form of agreement with the issue was necessary
due to time pressure (Dalkey & Helmer, 1963; van de Linde & van der Duin,
2011), as well as to reduce the risk of drop-outs due to participant fatigue
(Chuenjitwongsa, 2017; Gossler et. al., 2019; Keeney et. al., 2006; Kozak &
Iefremova, 2014; Mukherjee et. al., 2015). In other words, I did not want to repeat
the mistake made by Stevenson (2010) who in retrospect believed to have
included too many topics in the study, with direct consequences concerning
response rate. The trade-off between feasibility and potential gains (Mukherjee
et. al., 2015; Schmidt, 1997; Skulmoski et. al., 2007) therefore meant that I had to
“sacrifice questions and rounds in order to guarantee panel participation and
continuity” (Landeta, 2006: 479).

111 Like in the studies of for instance Stone Fish & Busby (2005), Hackett et. al. (2006) and Vogel
et. al. (2019).

8.4.2. Results

Apart from the limitations concerning the research design, also the results
of the study can be subject to debate. It was discussed before that the lack of
contextualization of the questions made it difficult for experts to provide specific
answers to those questions. One panelist summarized this concern as follows in
relation to the answers provided in round two: “While I attempted to give an
honest evaluation of each statement or suggested policy option, there were a
large number which I may have evaluated differently given a specific scenario or
context. Policies and responses to insider risks and incidences must differ
considerably in respect to the types of risks, the consequences involved, and the
organizations concerned.” It should be mentioned that, although not with the
exact same words, the above-mentioned commentary seems to represent the view
of the majority of the panel, given that the lack of contextualization was brought
up by basically every panelist at some point during the study. This means that a
number of answers contained the disclaimer ‘it depends’ and that specification
of the contextual characteristics could have led to different ratings. One panelist
even explicitly questioned the reliability of their own answers to the questionnaire
of round two for this reason112.
In line with the debate about the (lack of) contextualization, one of the
panelists systematically argued in round three of the study that whether or not an
issue should be considered a red flag depends on the type of the insider. In other
words, red flags related to infiltrators are for instance different from red flags
related to disgruntled insiders. In concrete terms, this panelist for instance
indicated with respect to the detection of red flags during recruitment that “the

112 For reasons of transparency, it should be mentioned that this panelist did not participate in
round three of the study, although the reason the panelist gave for dropping out was lack of
time rather than substantive reasons.

goal of f.e. an infiltrator would be to get into the organization and to be trusted”
and that “reluctance to approve with background screening would not be in line
with this goal.” With respect to observation of red flags during employment, the
identification of reluctance to audits was also considered to be dependent on the
type of the insider, as “some insiders would not have anything against audits”.
Let me start by saying that I certainly acknowledge that contextualizing
the questions might have generated different results, with practices receiving a
low score from the panel possibly receiving a higher score when discussed in
relation to a specific scenario. However, in similarity with Gossler et al. (2019:
447), who indicate that “reflecting all contextual factors of humanitarian logistics
in the results would be nearly impossible”, I perceived that taking into account
all contextual factors of insider threats (see chapter four) would not only have
been nearly impossible but even impractical, since providing the expert panel
with too much context would not have suited the purpose of the study.
Remember that the goal of the Delphi research is to dig deeper into the
conceptual insider threat mitigation model to make it more user-friendly for
organizations, formulating more concrete policy recommendations for each step
of the model. Given that the typology of insider threat characteristics outlined in
chapter four illustrated that insider threat should be interpreted as a class of
threats and not as a single distinct threat, it was not my goal to develop a single
offender profile or a one-size-fits-all insider threat mitigation model. Previous
research (e.g. Randazzo et. al., 2005) namely showed that “there is no one
accepted profile of an insider” (Noonan, 2018: 2.4), and that there is not one holy
grail or silver bullet that can mitigate the insider threat problem (BaMaung,
2018). To put it in a different way, it is not my intention to establish an insider
threat mitigation model that organizations can simply copy-paste to their
organization. Instead, it was my intention to provide organizations with a
framework to get started with insider threat mitigation in their organization.
Instead of cataloguing a list of potential red flags that apply to all types of
insiders or insider threat cases, or cataloguing a list of measures that mitigate all
kinds of insider threats, the goal of this study was limited to the composition of
a list of factors that may point to insider threats and a list of measures that may
help organizations in mitigating insider threats.
As a result, I agree with the panelist that stated in round three of the study
that not all insiders that are responsible for insider threats have a history of illegal
activities or that not all insiders that engage in intentional misconduct display
signals of radicalization, but I do believe that participating in illegal activities or
displaying signals of radicalization are factors that may point to an insider threat
and that therefore require vigilance from the organization. The same principle
applies to the insider threat mitigation measures proposed in this study, as the
objective of the study was not the development of a ‘one-size-fits-all’ insider
threat mitigation model, but providing organizations with a point of departure for
further thinking about insider threat mitigation in their specific organizational
context. The added value of the conceptual model therefore lies in the input it
gives organizations that are thinking about insider threat mitigation policy, more
specifically in the form of an inventory of possible insider threat mitigation
measures that they can choose from to develop their tailor-made insider threat
mitigation policy.
I did not want to include too many specifications because this would make
the conceptual model too much focused on one particular aspect of insider threat,
missing the broader picture I was looking for. Rather than creating a theoretical
framework solely dedicated to a particular kind of insider threat (theft, fraud,
sabotage, …) or a particular kind of organization (SME, multinational, …),
preference was given to the creation of a more general insider threat mitigation
model that each individual organization can interpret within its own
organizational context. Therefore, the main merit of this study, which was
adequately summarized by one panelist in the evaluation of the study, is that it
“brings a huge number of possible reactions to the insider threat together, who
have all their interest, and who can be chosen depending the context”.
At the same time, I do believe that this study paves the way for parallel
(Delphi) studies (Gossler et. al., 2019) that can add the contextualization that the
panel requested and that can interpret the insider threat concept more narrowly,
for instance solely asking questions to mitigate one particular insider threat type
(e.g. insider theft), solely finding insider threat mitigation measures that suit one
particular kind of organization (e.g. insider threat mitigation policy for SME), or
exploring one step of the conceptual model in greater depth.
In any case, it is important to remember that the results in the present
study are indicative rather than conclusive (Hackett et. al., 2006). One panelist
made an interesting comment in the evaluation of the study in this regard:
“This is a sound study which should offer much food for thought. While it
has surfaced a number of useful indicators, it must nevertheless contend
with the dilemma of avoiding false positives. All of the indicators
identified to date offer some value. However, some offer more than others.
The ones which are open to subjective interpretation of what constitutes
inappropriate behavior or affiliation in circumstances where the
individuals making that determination have the discretion to label as
inappropriate either beliefs or affiliations that run counter to their own
personal preferences represent a potential Achilles' heel. This flaw,
however, can be corrected by assuring some measure of oversight and
alternative analysis, so that personal animosity is not allowed to infuse
bias into the determination of a potential threat”.
To put it in a different way, the results of the present study should be
interpreted with some caution and should not be viewed as definitive guidance
(Vogel et. al., 2019). The fact that the expert panel composed a top-rated list of
issues to be vigilant of does not mean that the presence of these issues
indisputably implies that an insider threat is imminent (Keeney et. al., 2006;
Landeta, 2006; Mukherjee et. al., 2015). The same principle applies to the top-
rated list of good practices. Moreover, it is important to remember that the results
“provide a snapshot of expert opinion at a specific moment in time” (Gossler et.
al., 2019: 447) and “that the existence of a consensus does not mean that the
correct answer, opinion or judgement has been found (…) [but] merely helps to
identify areas that one group of participants or `experts' considers important in
relation to that topic” (Hasson et. al., 2000: 1013).
Furthermore, it remains to some extent unclear whether “the findings
represent the aspirations of experienced practitioners about how practice should
be [or] a description of the ways in which current practice is limited or
constrained” (Hackett et. al., 2006: 155), or to what extent all experts took into
consideration the feasibility of the suggested or endorsed practices. In this regard,
one panelist indicated in relation to round two that “we can check all boxes in an
ideal situation but it depends on what’s allowed in the country and what
resources you can allocate”, while another one argued in the evaluation of the
study that “sometimes the proposed solutions are not always realistic for certain
organizations”.
It is therefore possible that certain issues received a medium or low score
because a number of panelists questioned the legal feasibility or cultural
desirability in their specific region, which does not alter the fact that the issue
might be relevant for insider threat mitigation in another region where it is
culturally and legally accepted. Think for instance of drug- or alcohol screenings,
which are subject to local laws and are therefore not legally (but also culturally)
acceptable in all countries. The same principle applies to the difficulties related
to insider threat mitigation, as a suggested difficulty can be present in one country
but absent in another. A possible solution for future research is to keep track of
subgroups within a larger panel (Turoff, 2002), or to use parallel panels based on
cultural background (Gossler et. al., 2019). In any case, it is important to keep in
mind the earlier mentioned recommendation from Keeney et. al. (2006) to not
solely look at the final results of this study (i.e. the high-rated practices), but to
pay attention to the knowledge gathered throughout the different rounds of the
study.
To conclude, one expert questioned the novelty of the results, indicating
to not be “sure the study is bringing any new insights to the surface [but] only
confirming existing methods”. While I do not necessarily agree with the latter
statement, I argue that even if the results are limited to a summary of existing
methods, it provides useful insights on the state-of-the-art of insider threat
prevention, detection and mitigation from the perspective of a multidisciplinary
expert panel. As mentioned before, the study does not only provide organizations
with a catalogue of red flags they should be vigilant of and possible insider threat
mitigation measures that they can choose from to develop their tailor-made insider
threat mitigation policy, but also paves the way for further research on insider
threat mitigation, as “the method and results should be used as a means for
structuring group discussion and as a means of raising issues for debate” (Hasson
et. al., 2000: 1013).
8.5. Conclusion
This chapter elaborated on a three-round Delphi study on insider threat
mitigation. The aim of the study was to take the first step toward transforming
the conceptual insider threat mitigation model (chapter seven) into a tool with
more practical usability. In concrete terms, the main goal was to discover
potential ‘red flags’ of insider threat incidents and good practices, actors and
difficulties related to insider threat mitigation. The study employed the Delphi
technique to iteratively compare the opinions of insider threat experts. A
multidisciplinary (e.g. corporate security, counterintelligence, insider threat
training, …) panel of 25 international experts completed three rounds of online
questionnaires. Round one concerned open-ended, level-setting questions with
panelists asked to share their expertise. In round two, experts were presented with
a list of all relevant information shared by the panel in round one in the form of
a structured questionnaire whereby they were asked to rate each individual issue
listed. The questionnaire of round three, to conclude, provided the experts with
the list of high-rated issues, after which they were asked whether they agreed or
disagreed with the panel’s decision and to explain their reasoning in case of
disagreement.
Regarding the evaluation of potential insider threat indicators, the
panel considers addictions to drugs, alcohol and gambling, as well as affinity with
extremist ideology, potential red flags of insider threats, both during recruitment
and employment. Other factors that require vigilance from the organization
during recruitment are falsifications of background information that indicates
low integrity, an unresponsive attitude during the recruitment process and
negative advice from either government authorities or references, while previous
employment for a competitor, job-hopping, discrepancies between educational
and career path and mental- and physical health issues were less worrisome
factors. Furthermore, personality characteristics other than low score on integrity
and manipulative nature (e.g. arrogance and lack of humility, consciousness or
friendliness) are less perceived as factors that may point to insider threat.
Surprisingly, the panel paid little attention to the applicant’s motivation to work
for the organization and (apart from addictions) to the applicant’s personal
problems. The latter finding is contrary to both the insights from the insider threat
literature (Noonan, 2018; Shaw & Sellers, 2015) and the survey on insider threat
awareness and behavior where personal problems are seen as a possible breeding
ground of insider threats.
Factors that may point to insider threat during employment concern both
individual and organizational factors (Greitzer et. al., 2012; Greitzer et. al.,
2016), with the majority relating to the former. The most obvious warning signals
that were unanimously accepted by the panel in round two of the study are
threatening employers or co-workers and receiving warnings from stakeholders
about the behavior of insiders. In line with the insider threat literature (BaMaung
et. al., 2018; Gelles, 2016; Shaw & Sellers, 2015), the panel considers deviation
from normal or baseline conduct an early warning of insider threat, although the
results show that not all deviant conduct is worrisome. Anomalies like attempts
to remove sensitive data, unauthorized access attempts to systems or physical
locations not necessary for the job, unexplained wealth and changes in lifestyle
all received a high rating from the panel. In contrast, sudden changes in working
hours, changes in online or social media behavior and changes in mental health
are considered worrisome by only part of the panel, while changes in personal
status (e.g. divorce, new partner, …) or changes in physical health are considered
alarming by less than half of the panel. Moreover, personality characteristics (e.g.
not being able to deal with criticism, not being very empathetic and introversion)
were less regarded by the panel as a potential red flag during employment.
Concerning underlying reasons of insider threats, the panel rates disgruntlement
with the organization relatively higher than personal strains (apart from
addictions) like financial difficulties or unmet personal expectations, as well as
personality disorders like narcissism, which is in line with the results of the
insider threat awareness and behavior survey. Regarding organizational factors,
the presence of an organizational culture of fear and silence, unexplained
irregularities in the accountancy of the organization and increases in
organizational losses are considered to be factors that may point to insider threat,
while a number of organizational factors, like too heavy workloads and high
levels of competitiveness, were considered by the panel as not necessarily
indicative of future insider threat incidents.
Important with respect to red flags are subjective interpretation and
contextualization. Concerning the former, it should be acknowledged that
observation of a red flag depends on the subjective interpretation of the observer,
which implies that what may appear suspicious to one observer might be a
positive sign to another observer. Concerning the latter, whether a potential red
flag is considered to be an indicator of insider threat depends on contextual
factors. The panel for instance identified dismissal at a similar job and support
for societal upheaval in the past as factors that may point to insider threat, but
simultaneously argued that the context will determine whether it is actually
considered a red flag of insider threat. In concrete terms, this means that the
reason behind the dismissal (i.e. previous intentional misconduct or other reason
not related to insider threat like performance issues, incompetence or economic
reasons), the time frame (i.e. distant past or recent past) and/or theme of the
activism (i.e. related or unrelated to the insider’s position) are important to
determine whether it concerns an early warning signal of insider threat.
Regarding the evaluation of insider threat mitigation measures, the
study resulted in a catalogue of possible insider threat mitigation measures that
organizations can choose from to develop their tailor-made insider threat
mitigation policy, organized according to the different steps of the conceptual
model outlined in chapter seven. Regarding insider threat prevention,
recommended practices in the recruitment stage (I) relate to screening
background information of applicants (e.g. verifying CV, credentials, identity
and criminal record) whereby organizations need to take screening seriously
instead of carrying it out in a perfunctory manner, but also need to apply a risk-
based approach. In the organizational socialization stage (II), the panel
recommends organizations to apply the Aristotelian method, characterized by
precept (e.g. a code of conduct), habit (e.g. a strong security culture) and
demonstration (e.g. lead by example), as well as to have a supportive attitude
(e.g. show care when needed) toward employees while simultaneously being
strict but fair when it comes to violations of the code of conduct.
Concerning insider threat detection, the panel considers in the
observation stage (III) internal reporting to be more effective than artificial
intelligence tools to observe red flags of insider threat, although it does not
completely disregard technology given that (alarms on) electronic access systems
and endpoint security tools are recommended, for instance to guard the principle
of least privilege. In the investigation stage (IV), the panel advises organizations
to have a formal investigation policy that outlines who conducts the investigation
and how the investigation proceeds, but does not necessarily recommend to
formally outline in policies and procedures what conduct would trigger the
investigation process.
Regarding insider threat preemption, it is noteworthy that in the
anticipation stage (V) only four out of the in total 37 proposed practices are
recommended by the panel, meaning that the panel rather showed which practices
are less useful to pre-empt imminent insider threats (e.g. positive incentives to
seek resolution before an incident develops, deterrence practices, and awareness-
raising initiatives) than which practices are useful.
Concerning insider threat remedy, both preparatory practices (e.g. a
business continuity plan and an event notification tree) and reactive practices
(e.g. collecting evidence, identifying and changing compromised processes and
conducting a post-incident analysis) are suggested by the panel in the damage
limitation (VI) and reconstruction stage (VII), as well as practices related to
internal and external incident communication (e.g. crisis communication plans
and staff). In the deliberation stage (VIII), the panel mainly recommends to have
a fair and consistent disciplinary system that respects the rights of the offender,
to focus on acts and not on people, to discuss different options with relevant
stakeholders to develop plan A/B/C, to review access permissions and to make
sure other employees know appropriate measures are taken. In the termination
stage (IX), some high-rated exit procedures outlined by the panel are
straightforward (e.g. compliance with applicable laws and the development,
consistent application and regular update of termination procedures), whereas
others resemble practices suggested in the insider threat literature (e.g. reclaiming
equipment from the terminated employee, revoking virtual and physical access
and conducting exit interviews).
Regarding mismanagement (X), practices that the panel recommends to
deal with false positives concern both practices aimed at restoring the relation
with the wrongly accused insider (e.g. full rehabilitation and
welfare/psychological support) and practices targeted at preventing the
reoccurrence of similar false positives (e.g. reviewing the indicators and/or the
reporting route that led to the false assessment and awareness of possible
repercussions).
Regarding the implementation of a formal insider threat mitigation team,
the panel puts its own recommendation in perspective, with panelists indicating
that the desirability of a formal insider threat mitigation team depends on the size
and type of the organization, that the formal insider threat mitigation team should
not necessarily be a distinct team but can equally reside in an already existing
team, and that the formal insider threat mitigation team should cooperate with
other relevant stakeholders like co-workers, line management and social partners.
It is notable that two common threads seem to run through the
recommendations from the panel. The first one is the suggestion to adopt a risk-
based approach. During recruitment, this means that background screenings are
adjusted depending on the ‘degree of insiderness’ related to the role of the new
insider (Bishop et al., 2009; Bishop et al., 2010; Probst et al., 2010). Applicants
that will have a large amount of access to the organizational assets or access that
will apply to the most important assets of the organization should be subjected to
a tougher screening procedure (George et. al., 2019). During employment, this
means that organizations scrutinize access to critical assets and apply and monitor
the principle of least privilege. Access is role-based so that insiders can only
consult organizational assets that they need for their job, risk analyses check the
possible impact of misuse of this access and (alarms on) electronic access
systems detect unauthorized access attempts. The second common thread is
internal reporting. The panel not only puts considerable emphasis on internal
reporting to observe red flags during employment, as recommended in the insider
threat literature (Bell et. al., 2019; Colwill, 2009; Mehan, 2016; UK CPNI, 2011;
US NITTF, 2016), but also advises organizations to have both an internal
investigation protocol and a response plan to concerns reported through the
internal whistleblowing system.
Another aspect that transcends the steps of the conceptual model is
transparency, which is considered important by the panel in the stages preceding
an insider threat incident, but is less recommended in the aftermath of an insider
threat incident, both internally and externally. This does not mean that internal
and external communication is trivial, given that the panel devotes considerable
attention to practices related to incident communication. The recommendation to
control public announcements in order to safeguard the organization’s reputation
seems to explain the relatively high number of dark or hidden insider threats.
Additionally, scrutiny of social media activity is considered to be suitable with
respect to pre-employment screening, but less suitable for in- and post-
employment screening, which is in line with the results of the survey on insider
threat awareness and behavior. Apart from external audits, outsourcing insider
threat mitigation activities is less recommended by the panel, both with respect
to background screening during recruitment and to the involvement of external
expertise during the investigation stage or the damage limitation and
reconstruction stage.
One of the most surprising results, if not the most surprising, is that the panel
is reluctant about the use of artificial intelligence and machine learning tools to
automatically observe red flags during employment. This is in contrast to insider
threat literature, where the use of artificial intelligence receives considerable
attention (e.g. Brown et. al., 2013; Koutsouvelis et. al., 2020; Le & Zincir-
Heywood, 2019). A possible explanation for this low rating might be that the
panel perceives that the quality of the existing artificial intelligence tools at the
moment is not sufficient, with the risk of false positives being still too high.
Moreover, it can be assumed that a panel specifically composed of experts on
cybersecurity, with more specific expertise on these tools, might have rated
artificial intelligence tools higher. In any case, the discrepancy between the
priority given to artificial intelligence in the insider threat literature and the minor
role the panel assigns to these tools should be explored in further research.
Other striking results include the relatively limited interest the panel has
in motivation of the employee to work for the organization, in the potential
personal problems related to the private life of the insider (except for addictions),
in the fear of retaliation against internal reporters of red flags and in the insider’s
vulnerability to social engineering, as well as the relatively high priority the panel
gives to the impact of an incident in the determination of an offender’s
punishment. While the limited attention paid to vulnerability to social
engineering seems to contradict the results of the survey on insider threat
awareness and behavior, the other oddities are in conflict with the
recommendations found in the insider threat literature.
Also noteworthy is the panel’s recommendation to limit interaction with
suspects and offenders of insider threat incidents, and that although addiction to
drugs and alcohol and low integrity were considered worrisome, practices to
discover these red flags were not endorsed by the panel. A possible explanation
is that these mitigation measures are not commonly accepted in all countries,
either culturally or legally. It is therefore important to remember the possibility
that certain issues received a medium or low score from the panel because a
number of panelists questioned the legal feasibility or cultural desirability in their
specific region, which does not alter the fact that the issue might be relevant for
insider threat mitigation in regions where it is culturally/legally accepted. As a
result, it is important to not solely look at the final results of this study (i.e. the
high-rated practices), but to pay attention to the knowledge gathered
throughout the different rounds of the study (Keeney et. al., 2006).
Additionally, it is striking to see that in a number of cases, the panel either
identifies reasons that complicate the implementation of its own recommended
practices or identifies a discrepancy between the recommended situation and the
actual situation. Concerning the former, the panel for instance recommends to
adopt a risk-based approach, but simultaneously recognizes that this implies
unequal treatment of employees that might in its turn lead to pushback from
unions/labor groups. Concerning the latter, the panel emphasizes the importance
of creating a culture of reporting to observe red flags during employment, but
simultaneously claims that internal reporting is currently not culturally accepted,
leading to an unwillingness to report. A similar discrepancy between the
recommended situation and the actual situation is present with respect to tailor-
made training for managers and staff to observe and report red flags, cultural
acceptance of in-employment screening practices (e.g. electronic access control,
alarms on access systems, …) and awareness of the insider threat problem on
senior and middle management levels, which are all recommended by the panel
but are also believed to be currently absent. Future research should therefore look
at ways to bring the actual situation more in line with the recommendations from
the panel.
In conclusion, although it is “unlikely that a clear-cut (to all concerned)
resolution of a policy issue will result from such an analysis”, I believe that the
results of the present Delphi study are valuable both for theoretical and practical
purposes (Okoli & Pawlowski, 2004; Hasson & Keeney, 2011), as well as to
bridge the gap between the two (Stone Fish & Busby, 2005). The results of the
study provide participants with useful insights on what experts consider to be
potential red flags, as well as with an inventory of insider threat mitigation
measures to better secure organizations against insider threats. In any case, the
insights derived from this Delphi study should be interpreted as complementary
to other insider threat insights, as they further broaden the knowledge on the
insider threat problem and stimulate debate on ways to mitigate it (Mukherjee et.
al., 2015). Implementation of results of Delphi studies in real life remains a
challenge (Kozak & Iefremova, 2014), which makes it important that “findings
of consensus methods (…) are further explored, discussed, deliberated and put
into theoretical context before being implemented into practice” (Foth et. al.,
2016: 119). This was exactly the aim of this study, as the Delphi study was a first
step in the refinement of the theoretical insider threat mitigation model presented
in chapter seven, allowing me to give the abstract terms used within the
conceptual model (e.g. ‘pre-employment screening’) a more concrete meaning.
Still, it can be argued that the practical usability of the theoretical framework can
still be further improved by verifying the results from this Delphi study. Chapter
nine will elaborate on the follow-up study I did in this regard, but I nevertheless
urge other researchers to verify the results of this study by additional research,
either using the Delphi technique or other research methods.

Chapter 9

Table-top exercise(s) on insider threat mitigation

9.1. Introduction
The Delphi study outlined in chapter eight resulted in (1) insights on what
experts consider worrisome (high-rated) and less worrisome (medium- or low-
rated) potential red flags of insider threat incidents, as well as in (2) an inventory
of recommended (high-rated) and less recommended (medium- or low-rated)
insider threat mitigation practices. It was, however, mentioned in that chapter that
it would be beneficial to supplement the Delphi study with additional follow-up
research. In this chapter, I will therefore elaborate on the follow-up study that
was done by means of a tabletop exercise (TTX).
The main goal of the follow-up research is to re-examine the Delphi
panel’s evaluation of insider threat mitigation practices and potential red flags of
insider threat incidents, this time by Human Resources (HR) and security
professionals in organizations belonging to a critical infrastructure sector 113. Or
to put it in the words of Peters, Vissers & Heijne (1998), the conceptual insider
threat mitigation model, and the Delphi study related to it, function as “the
reference system” (ibid: 21) of the TTX study that is
“translated into a usable game. That is, we have to get a good
understanding of the characteristics of the reference system and transform
these characteristics into the elements that constitute a game. Next, the
game is played by participants; this will result in new information and/or
new knowledge and experiences. Depending on the kind of application
and the objectives of the game, the output of playing the game can be of
interest for the researcher or for the participants themselves. For this,
observations and experiences made in the simulation have to be translated
back to the reference system” (ibid: 21).

113 See chapter four for the interpretation of the concept ‘critical infrastructure’.

In simpler terms, a TTX is designed whereby the outcome of the Delphi
study is used as input for the TTX study to see whether the players of the TTX
come to the same or to different conclusions as the Delphi panel. In what follows,
the chapter will start with a brief outline of the research design, clarifying TTX
as a method and why TTX was used, the script of the TTX (what was played
during the TTX?), the participants of the TTX (who played the TTX?), the format
of the TTX (how was the TTX played?) and the data collection methods. After
that, the center of attention shifts to first the expected outcome of the TTX and
subsequently to the actual results of the study. As with the previous chapters, the
study will end with a discussion on the limitations and a conclusion section.
9.2. Research design
9.2.1. TTX as a method

In chapter eight it was mentioned that the Delphi technique was used
because insider threat is difficult to research by ways of statistical analyses of
large amounts of data, simply because this data is absent. The same reasoning
applies to the choice for TTX as a research method, since TTX is considered to
be suitable for rare and complex phenomena (Hofmeier & Lechner, 2021; Lin-
Greenberg, Pauly & Schneider, 2022; Pace, 1991; Pauly, 2018; Perla &
McGrady, 2011; Wibeck & Neset, 2020). Also in other aspects TTX to a large
extent resembles the Delphi technique, namely in the sense that the absence of
standardized methodological guidelines results in a lack of consensus on what
constitutes a TTX (Hobbs, Lentini & Moran, 2016), in a range of different
interpretations and approaches of TTX (Dausey, Buehler & Lurie, 2007) and in
reference to TTX as an art rather than a science (Pace, 1991; Pournelle, 2017).
Rubel (2006) clarifies that it “does not mean that the majority of games are fatally
flawed; it does mean that there is no accepted set of criteria to determine whether
they are or not” (ibid: 109), a conclusion echoed by Harteveld, Guimaraes, Mayer
and Bidarra (2010). The bottom line is that, in line with the Delphi technique, the tool
has to be adapted to the purpose of the study (Perla & McGrady, 2011) and its
interpretation and operationalization has to be clearly indicated.
Here, TTX is defined as “a discussion-based interactive exercise during
which participants engage with a hypothetical scenario in a controlled learning
environment” (Hobbs et. al., 2016: 2). TTX therefore relates to the concept of
‘serious gaming’, since the game is not solely used for entertaining purposes
(Alvarez & Djaouti, 2011; Harteveld et. al., 2010). A concrete example of serious
gaming can be found in a military context, where serious gaming is referred to as
‘wargaming’ or simulations of military operations to understand the strengths and
weaknesses of military structures (Evensen, Martinussen, Halsør & Bentsen,
2019). Meanwhile, also in non-military contexts “serious games have built
reputation for getting employees of companies involved in security activities in
an enjoyable and sustainable way” (Beckers & Pape, 2016: 17), whereby
TTX/serious games are used to think about “real-life problems, their
characteristics and their solutions” (Hobbs et. al., 2016: 2). This can range from
vulnerability assessment in the nuclear sector (Bunn, 2022) to simulations of
public health emergencies (Khan, 2018; Wendelboe et. al., 2020).
Likewise, TTX/serious gaming has been used to study the insider threat
problem, with Beckers & Pape (2016) for instance developing a card game on
social engineering and Hofmeier & Lechner (2021) establishing a TTX that
explored the insider threat problem in relation to the food supply chain. Later in
this chapter, the design of the TTX used in this study will be elaborated on (see
infra 9.2.4), but for now, it is enough to know the purpose was to gather human
players to sit around a table to play an exercise on insider threat mitigation on top
of the table, hence ‘tabletop exercise’.
9.2.2. Script of the TTX

Before discussing how the TTX was played, I believe it is necessary to
first clarify the script of the TTX, or what was played during the TTX. Because
the goal of the TTX is to re-examine the Delphi panel’s evaluation of insider
threat mitigation practices and of possible red flags of insider threat incidents, the
goals during the TTX are (1) to evaluate possible insider threat mitigation
practices and (2) to evaluate the level of concern of potential red flags of insider
threat incidents. The main idea is that the TTX audience acts as an ‘advisory
team’ for their organization that wishes to implement a formal insider threat
mitigation policy, whereby the team is asked to give its advice on a number of
concrete decisions their organization has to take throughout the employee
lifecycle (Bunn, 2020; Wendelboe et. al., 2020).
Although it is acknowledged that the TTX should cover all steps of the
conceptual model outlined in chapter seven to allow full comparison with the
Delphi study, organizing such a TTX was not possible for practical reasons. The
available time and budget meant that pragmatic choices had to be made and that
only parts of the conceptual model could be included in the TTX design (see
infra). Nevertheless, a script for such an ‘all-inclusive TTX’ was developed as a
guideline to other researchers having the time and resources to organize it in the
future. In the remainder of the chapter, I will first outline the all-inclusive TTX
design, which is inspired by the knowledge gathered during my attendance at the
Summer School on ‘Serious Games for Analysing and Supporting Complex
Decision making’ in July 2022 at the Radboud University in the Netherlands, as
well as by consultations with scholars with practical knowledge on the
organization of TTX, in particular Dr. Jean-Pascal Zanders114. After that, the
pragmatic decisions that had to be made will be elaborated on.

9.2.2.1. All-inclusive TTX

In chapter seven it was argued that the conceptual model can be divided
in four insider threat mitigation strategies, namely prevention, detection, pre-
emption and remedy (see supra table 7.4). As illustrated in figure 9.1, these four
strategies form the building blocks of the all-inclusive TTX design, whereby each
strategy is evaluated in a separate session. Below, each session will be elaborated
on in further detail.

114 Senior Research Associate with the Fondation pour la recherche stratégique (FRS) that
organized multiple TTXs on the Implementation of Article VII of the Biological and Toxin
Weapons Convention (BTWC). Also Dr. Banks, lecturer at King's College London on the
topic of ‘wargaming’, and Hasan Suzen, PhD student at Universiteit Antwerpen with
experience in TTX, were contacted for advice.

Session A: Introduction
• Introduction to the TTX.

Session B: Prevention
• Step 1: Evaluation of measures to be used during the recruitment of new insiders.
• Step 2: Evaluation of red flags of insider threat during recruitment.
• Step 3: Evaluation of measures for organizational socialization of (new) insiders.

Session C: Detection
• Step 1: Evaluation of measures to detect red flags during employment.
• Step 2: Evaluation of red flags of insider threat during employment.
• Step 3: Evaluation of measures to investigate the validity of observed red flags.

Session D: Pre-emption
• Step 1: Evaluation of measures to pre-empt what is perceived to be an imminent insider threat incident.

Session E: Remedy
• Step 1: Evaluation of measures for damage limitation and reconstruction of an insider threat incident.
• Step 2: Evaluation of measures to deal with an insider that is responsible for an insider threat incident.
• Step 3: Evaluation of measures to terminate the contract of insiders.

Session F: Debriefing
• Debriefing of the TTX.

Figure 9.1: All-inclusive TTX design

The all-inclusive TTX starts with an introductory Session A whereby
participants are briefed about the TTX (Hobbs et. al., 2016). The introduction
includes information on the interpretation of the insider threat problem, the
conceptual insider threat mitigation model on which the TTX is based, the
participants’ role as the ‘advisory team’ and what is expected from the
participants during the TTX. The idea is to keep the introductory session as basic
as possible (Dausey et. al., 2007), without much detail, simply what they need to
know to play the TTX. As a result, the participants will know that the goal of the
TTX is to find policy recommendations to refine the theoretical insider threat
mitigation model, but there will be no mention of the Delphi study or the
intention to compare their decisions with the recommendations from the Delphi
expert panel. The latter will be addressed only during the debriefing of the TTX
(see infra Session F). In this way, any possible influence on the participants prior
to the study is avoided, so that participants do not concentrate on what they ought
to do according to the expert panel rather than on what they would do simply
being themselves (Pauly, 2018). The same principle of minimal involvement of
the facilitator (Dausey et. al., 2007; Hobbs et. al., 2016) is applied during the
other sessions of the TTX (for instance only answering questions).
Session B focuses on the prevention of insider threat incidents and touches
upon (I) Recruitment and (II) Organizational Socialization in terms of the
conceptual insider threat mitigation model. In step one, participants are asked to
give their advice concerning the practices to be taken during the recruitment of
new insiders. In step two, advice is requested from the participants on the level
of vigilance needed for potential red flags of insider threat during recruitment. In
step three the participants give their advice regarding the socialization of (new)
insiders to the organizational culture. The main idea of this session is thus that
participants think about possible warning signals of insider threat during
recruitment, about ways to detect these warning signals during recruitment and
about ways to assimilate insiders to, and persuade insiders to comply with, the
organizational norms.
Session C concentrates on the detection of insider threat incidents. In
terms of the conceptual insider threat mitigation model, it covers the (III)
Observation and (IV) Investigation stage. In step one, the participants have to
give their advice on possible practices to detect red flags of insider threats during
employment. In step two, the participants are asked to evaluate the level of
concern their organization should give to potential red flags of insider threat
during employment. In step three, the participants are informed that one of the
detection practices implemented in step one picks up one of the potential warning
signals identified in step two, and subsequently asked how to proceed with the
investigation on the validity of the observed red flag. The main idea of this
session is thus that participants think about possible warning signals of insider
threats during employment, about ways to detect these warning signals during
employment, and about ways to investigate suspicious situations.
Session D focuses on the pre-emption of insider threat incidents and
relates to the (V) Anticipation stage in terms of the conceptual insider threat
mitigation model. At the start of this session, the participants are informed that
the investigation confirmed the validity of the observed red flag and that an
insider threat incident is imminent. As a result, the participants are asked to give
their advice on ways to anticipate this imminent insider threat incident. The main
idea of this session is thus that participants think about ways to neutralize the
situation before an incident occurs.
Session E concentrates on the remedy of insider threat incidents. In terms
of the conceptual insider threat mitigation model, it touches upon (VI) Damage
Limitation, (VII) Reconstruction, (VIII) Deliberation and (IX) Termination. At
the start of this session, the participants are informed that their organization
suffered an insider threat incident and that they are asked for advice to react to
this incident. In step one, the participants have to indicate their recommended
practices to limit the harm resulting from the insider threat incident as well as to
reconstruct the incident to learn from it. In step two, they give advice on how the
organization should deal with the insider responsible for the insider threat
incident. In step three, the participants have to advise their organization on the
practices that need to be implemented to terminate the contract of insiders. The
main idea of this session is thus that participants think about ways to respond to
and recover from an insider threat incident, as well as to deal with offenders,
including proper exit procedures in case termination of contract is required.
Session F, to conclude the all-inclusive TTX, relates to the debriefing
(Beckers & Pape, 2016; Frank, 2012; Wendelboe et. al., 2020). Here, participants
present their decisions taken during each session played. On top of that, they are
informed on the ‘actual’ goal of the TTX and presented with a short briefing on
the results from the Delphi study. Finally, a discussion takes place between the
participants in which their decisions are compared with the expected outcome
based on results from the Delphi study (see infra 9.3).
It follows from the above that the script is simple and abstract and lacks
contextualization (Dausey et. al., 2007), a critique that was also mentioned in the
context of the Delphi study. In Session C, it is for instance mentioned that a red
flag is observed, without specifying the content of this red flag. Likewise, in
Session E it is mentioned that the organization suffers an insider threat incident,
without further information on the context of this incident. Still, also in line with
the Delphi study, this lack of contextualization was a deliberate decision because
“scholars should lean toward realism and specificity for research questions about
particular cases (e.g. how might the United States respond to an Iranian-
sponsored cyberattack) and make more abstract scenario choices for broader
questions that are applicable across a wide swath of cases (e.g. are cyberattacks
viewed differently than conventional attacks)” (Lin-Greenberg et. al., 2022: 96).
It was already thoroughly explained in chapter eight that I did not want to include
too many specifications because this would make the conceptual model too much
focused on one particular aspect of insider threat, missing the broader picture I
am looking for. Rather than creating a theoretical framework solely dedicated to
for instance a particular kind of insider threat (theft, fraud, sabotage, ...),
preference is given to the creation of a more general insider threat mitigation
model that each individual organization can interpret within its own
organizational context. The choice for an abstract or generalized script therefore
fits the purpose of this research (Curry, 2020; Rubel, 2006). Worth noting is that,
in contrast to the expert panel during the Delphi study, no comments were made
by the TTX participants about lack of contextualization or on the script being too
abstract.

9.2.2.2. Pragmatic TTXs

Since the doctoral project is supported by sponsors related to critical
infrastructure, I wanted to engage them in the TTX and contacted them to ask
whether they were interested in taking part in a TTX on the insider threat problem.
Even though ideally multiple sponsors would play all sections outlined above
successively in one single TTX to allow full comparison with the Delphi study,
it quickly became clear that this was far too ambitious because this would require
at least two days investment from the sponsors. Consequently, the all-inclusive
TTX design was put aside and the two sponsors that showed interest were offered
a tailor-made design that met their specific needs. In the remainder of the chapter,
I will therefore elaborate on these tailor-made TTXs in greater detail.
The inspiration for the tailor-made TTXs is drawn from the all-inclusive
TTX design, whereby each sponsor was able to adjust the exercise to its own
preferences. For example, sponsor one wanted two separate exercises on
prevention and detection of insider threats, while sponsor two preferred to
include both strategies in one single exercise. Furthermore, sponsor one asked to
include both the evaluation of mitigation practices and the evaluation of potential
red flags in their exercises, whereas sponsor two chose to solely focus on
evaluation of mitigation practices. Moreover, sponsor one did not request a
formal debriefing session, while sponsor two was in favor of a debriefing session
at the end of the exercise.
Whereas the specific script of the TTXs differed from sponsor to sponsor,
table 9.1 illustrates that the structure and time schedule of the exercises were,
except for the debriefing session, identical. The first exercise of sponsor one fully
resembled session B of the all-inclusive TTX design. The second exercise of
sponsor one fully resembled session C of the all-inclusive TTX design. The
exercise of sponsor two consisted of a mix of session B and session C, followed
by a debriefing session.

| Pragmatic TTX design | Exercise one sponsor one | Exercise two sponsor one | Exercise sponsor two |
|---|---|---|---|
| Introduction | Session A | Session A | Session A |
| Part 1 | Session B step one – Evaluation of measures to be used during the recruitment of new insiders. | Session C step one – Evaluation of measures to detect red flags during employment. | Session B step one – Evaluation of measures to be used during the recruitment of new insiders. |
| Part 2 | Session B step two – Evaluation of red flags of insider threat during recruitment. | Session C step two – Evaluation of red flags of insider threat during employment. | Session C step one – Evaluation of measures to detect red flags during employment. |
| Part 3 | Session B step three – Evaluation of measures for organizational socialization of (new) insiders. | Session C step three – Evaluation of measures to investigate the validity of observed red flags. | Session C step three – Evaluation of measures to investigate the validity of observed red flags. |
| Debriefing | / | / | Session F |

Table 9.1: Pragmatic TTX designs

9.2.3. The participants

The target audience of the TTX is practitioners from fields related to
insider threat mitigation. Remember that during the insider threat awareness and
behavior questionnaire discussed in chapter six, respondents were asked
who/which department is responsible for the protection against insider threats
within their organization (see supra 6.3.6.3). Respondents made reference to a
multitude of fields, like Management, HR, Security, IT, Legal, Security officers,
Risk management, QHSE, Information security officer, Internal audit, Data
protection officer, Operations, Accountancy, …. As a result, the sponsors of the
project were free to delegate any person with enough experience in any of those
fields. Eventually, both sponsors decided to delegate practitioners with
experience in HR and/or Security for their respective TTX.

| Sponsor one: Exercise one – five HR professionals | Sponsor one: Exercise two – five Security professionals | Sponsor two – Mix of 14 HR and Security professionals |
|---|---|---|
| Three participants (Dutch) | Three participants (Dutch) | Three participants (Dutch) |
| Two participants (Dutch) | Two participants (Dutch) | Five participants[115] (Dutch) |
| / | / | Six participants[116] (French) |

Table 9.2: Number of participants pragmatic TTXs

The exact number of participants that participated in the TTXs is shown
in table 9.2. It shows that the total number of participants remained limited
(Dausey et al., 2007) and far below the maximum of 25 participants suggested
by Hobbs et al. (2016). In each TTX the participants were divided in smaller
groups because this not only made it more probable that every participant would
actively participate but also kept discussion within each group on the
categorization of the practices/red flags manageable.

[115] Participants were asked whether they wanted to split in two groups (2-3) but they preferred to
do it in one single group. In hindsight, it might have been better to split the groups 4-4
instead of 3-5.
[116] The French group was not divided into two groups (3-3) because, based upon the registration,
the French group was believed to consist of four people. As a result, I prepared only one
set of play material in French (see infra 2.4.).

9.2.4. Format of the TTX

While the goal of the TTX is to re-examine the conclusions that can be
drawn from the Delphi study, the question, however, remains how participants
make their evaluation of possible insider threat mitigation practices and potential
red flags of insider threat during the TTX. It follows from the script that, in more
technical terms, the TTX concerns a one-sided observational exercise with
formulaic adjudication (Lin-Greenberg et al., 2022). The exercise is one-sided
in the sense that only one perspective of an insider threat incident is taken into
account, namely the organization that needs to defend itself against insider
threats. In contrast, TTX can also be one-sided interpreting the incident from the
perspective of the insider that perpetrates an insider attack (Bunn, 2022; Beckers
& Pape, 2016; Perla & McGrady, 2011) or multi-sided, whereby both
perspectives are taken into account (Lin-Greenberg et al., 2022; Pace, 1991). The
exercise is observational because there is no manipulation of the script during the
TTX, with all participants receiving the same information. If manipulation was
present and the participants would be divided in a ‘treatment’ and ‘control’ group,
it would have been an experimental design instead (Lin-Greenberg et al., 2022).
Formulaic adjudication implies that decision-making by the participants is
structured according to standardized rules (see infra) (Lin-Greenberg et al.,
2022). In less technical terms, the objective was to construct an informal security
game that is “simple to learn, (…) accessible, require[s] no special equipment,
and [that is] attractive to a variety of [professionals]” (Gondree, Peterson &
Demming, 2013: 65).
More concretely, the participants received for each part of their exercise
a pre-defined sample of mitigation practices/potential red flags that was based on
existing research (Beckers & Pape, 2016), namely the Delphi study. Even though
each sample contained both recommended/worrisome (high-rated) and less
recommended/less worrisome (medium and low-rated) practices/red flags from
the Delphi study, it was impossible to include all practices/red flags suggested by
the panel in the Delphi study. Some practices/red flags were therefore merged
into one overarching item[117], while others were considered to be either unclear[118],
too specific[119], too obvious[120] or impossible in a Belgian context[121], and were
therefore not included in the pre-defined samples given to the participants. To
compensate for this flaw in the research design, participants were given the
opportunity to provide extra suggestions of practices that could be implemented
or extra red flags that require vigilance from the organization. Only practices/red
flags that received the same rating during the Delphi study could be merged (i.e.
high with high, medium with medium and low with low) because it would
otherwise be impossible to compare the Delphi results with the TTX results.
Table 9.3. shows a quantitative summary of the differences between the number
of items suggested in the Delphi study and the number of items included in the
pre-defined samples of the mitigation practices/potential red flags in each part of
the TTX. It also includes a division of the selected items for the TTX according
to the rating (i.e. high, medium or low) that was given by the Delphi panel. A
more detailed comparison of the item-selection for the TTX can be found in
appendix B.

[117] To give an example with respect to red flags during recruitment, alcohol abuse, drug abuse
and gambling abuse were grouped in the red flag ‘addiction problem’.
[118] To give an example with respect to red flags during recruitment, ‘conflict of interest’ and
‘indiscretion’ were not included, also because some of the experts indicated the lack of
clarity during round three of the Delphi study.
[119] To give an example with respect to red flags during recruitment, father deficiency was not
included.
[120] To give an example with respect to red flags during recruitment, falsification of criminal record
was not included.
[121] To give an example with respect to measures during recruitment, alcohol or drug screening
was not included.

| Part of the exercise | Total number of items suggested in the Delphi study | Total number of items used in TTX | High | Medium | Low |
|---|---|---|---|---|---|
| Recruitment – Good practices | 41 | 32 | 11 | 11 | 10 |
| Recruitment – Red flags | 56 | 43 | 11 | 12 | 20 |
| Organization socialization – Good practices | 49 | 40 | 15 | 15 | 10 |
| Observation – Good practices | 59 | 45 | 18 | 17 | 10 |
| Observation – Red flags | 73 | 54 | 20 | 17 | 17 |
| Investigation – Good practices | 34 | 34 | 11 | 15 | 8 |

Table 9.3: Item-selection for the TTX

Subsequently, the participants were asked to categorize each item
included in the pre-defined lists of practices/red flags. On the one hand, possible
insider threat mitigation practices could be categorized in four categories, namely
‘essential’, ‘desirable’, ‘additional’ and ‘not recommended’ (Hackett et al.,
2006), whereby

1. Essential practices refer to practices that should definitely be
implemented by the organization and are indicated with a green color;
2. Desirable practices refer to practices that should be implemented in
second instance and are indicated with a yellow color;
3. Additional practices refer to practices that may be implemented but are
not really necessary and are indicated with an orange color;
4. Not recommended practices refer to practices that should not be
implemented by the organization and are indicated with a red color.

On the other hand, potential red flags could be categorized in three categories,
namely ‘deeply concerning’, ‘slightly alarming’ or ‘innocent’, whereby

1. Deeply concerning red flags refer to warning signals that should be taken
very seriously by the organization and are indicated with an orange color;
2. Slightly alarming red flags refer to warning signals that must be followed
up but are not yet critical and are indicated with a yellow color;
3. Innocent red flags refer to warning signals that can be closed without
further action and are indicated with a green color.

In line with Dausey et al.’s (2007) recommendation to make decision-making
forced, targeted and time delineated, a number of categorization rules
were introduced. The number of practices/red flags that could be categorized in
on the one hand the ‘essential’ and ‘desirable’ category and on the other hand the
‘deeply concerning’ and ‘slightly alarming’ category was limited to force the
participants to make prioritizations and to avoid that every practice/red flag ends
up in these categories. Regarding time delineation, the categorization had to
be completed in maximum 45 minutes. Table 9.4. summarizes the categorization
rules of the TTX.
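
Categorization TTX – Mitigation practices: Essential (1), Desirable (2), Additional (3), Not recommended (4).
Categorization TTX – Potential red flags: Deeply concerning (1), Slightly alarming (2), Innocent (3).

| Part of the exercise | Essential (1) | Desirable (2) | Additional (3) | Not recommended (4) | Deeply concerning (1) | Slightly alarming (2) | Innocent (3) |
|---|---|---|---|---|---|---|---|
| Recruitment – Good practices | 8 | 8 | 16 | ? | / | / | / |
| Recruitment – Red flags | / | / | / | / | 10 | 10 | 23 |
| Organization socialization – Good practices | 10 | 10 | 20 | ? | / | / | / |
| Observation – Good practices | 12 | 12 | 21 | ? | / | / | / |
| Observation – Red flags | / | / | / | / | 15 | 15 | 23 |
| Investigation – Good practices | 10 | 10 | 14 | ? | / | / | / |

Table 9.4: Categorization rules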

Participants received the sample of practices/red flags in two formats and
in their preferred language (Dutch or French). Firstly, each group received a
paper that listed all the possible practices/red flags in a table that numbered the
practices/red flags in alphabetical order. Two more columns were included in the
table, one indicating the category the practice/red flag was assigned to and one in
which each group could leave a comment on the specific practice/red flag.
Secondly, each group received a deck of playing cards that contained every
practice/red flag so that groups could physically put the card in the category of
their preference. This type of visualization (Black & Andersen, 2012; Curry,
2020; Rubel, 2006) was inspired by the Operation Digital Ant game developed
by Hofmeier & Lechner (2021) and was suggested during the pilot study (see
infra 2.5). Table 9.5. illustrates the paper format, whereas figure 9.2 shows the
play cards format.

| Nr. | Stage of the conceptual framework | Category | Comments |
|---|---|---|---|
| 1 | Potential measure/red flag (Medium-rated) | | |
| 2 | Potential measure/red flag (Low-rated) | | |
| 3 | Potential measure/red flag (Medium-rated) | | |
| 4 | Potential measure/red flag (High-rated) | | |
| 5 | … | | |

Table 9.5: Paper format

Figure 9.2: Game cards format

9.2.5. Data collection

Regarding data collection, a distinction can be made between outcome
data and deliberative data (Lin-Greenberg et al., 2022). Outcome data was
collected via the paper form (see table 9.5) that was collected at the end of each
part of the TTX. In this way, a formal categorization of mitigation practices and
potential red flags was received. Concerning deliberative data, it was emphasized
during the introduction of each TTX that the reasoning behind the categorization
was also important, referring to the comments section on the paper format.
In total, three TTXs were played preceded by one pilot study to test the
suitability of the TTX design (Hofmeier & Lechner, 2021; Peters et al., 1998;
Wibeck & Neset, 2020). Due to time constraints, it was impossible to pilot all
three TTXs, so the pilot was limited to exercise two of sponsor one (see supra
table 9.2). More specifically, three students from the Master of Safety Sciences
at Universiteit Antwerpen participated in the pilot study that took approximately
three hours. During the pilot study, the students received the pre-defined sample
of practices/red flags only in the paper format. Apart from the addition of the
playing cards format, other conclusions that were drawn from the pilot study are
for instance the addition of the comments section in the paper format and the
recommendation to not make groups too big to keep discussions manageable.
The same reasoning was applied to the number of items included in every list,
referring to the merge and elimination of some of the Delphi items (see supra
table 9.3 and Appendix B). Worth noticing is that it was also recommended by
the pilot audience not to include too much contextualization because the abstract
script would leave more room for discussion.
9.3. Expected outcome based on the Delphi study
Based on the conclusions of the Delphi study, it was expected that the
participants would categorize the list of possible practices/red flags in accordance
with the recommendations from the panel of experts during the Delphi study,
with high-rated practices/red flags respectively being categorized in the
essential/deeply concerning category, the medium-rated ones in the
desirable/slightly alarming category and the low-rated ones in the additional or
non-recommended category/innocent category.
A comparison between table 9.3 and table 9.4, however, shows that in
every part of the exercise the number of high-rated and medium-rated items
included in the pre-defined lists of items exceeds the number of items that could
be placed in the essential/deeply concerning category and the desirable/slightly
alarming category. For instance, regarding good practices during the recruitment
stage, the pre-defined list of practices contains eleven high-rated practices, eleven
medium-rated practices and ten low-rated practices, whereas the participants
could only assign eight practices to the ‘essential’ and ‘desirable’ category, with
the rest of the practices being categorized either ‘additional’ or ‘not
recommended’.
Consequently, not all high-rated practices from the Delphi study could be
categorized as essential and not all medium-rated practices from the Delphi study
could be categorized as desirable as was originally hypothesized. Table 9.6
therefore illustrates that the expectations were slightly adjusted in the sense that
the ‘desirable’ category might also contain some high-rated practices, and the
‘additional’ category might include some medium-rated practices. The same
principle applies to the potential red flags categorization, with some high-rated
red flags being assigned to the ‘slightly alarming’ category and some medium-
rated red flags being considered ‘innocent’.

| Item | Delphi categorization | Expected categorization TTX | |
|---|---|---|---|
| Mitigation practices | High-rated practices | Essential (1) | X |
| | | Desirable (2) | X |
| | | Additional (3) | |
| | | Not recommended (4) | |
| | Medium-rated practices | Essential (1) | |
| | | Desirable (2) | X |
| | | Additional (3) | X |
| | | Not recommended (4) | |
| | Low-rated practices | Essential (1) | |
| | | Desirable (2) | |
| | | Additional (3) | X |
| | | Not recommended (4) | X |
| Potential red flags | High-rated red flags | Deeply concerning (1) | X |
| | | Slightly alarming (2) | X |
| | | Innocent (3) | |
| | Medium-rated red flags | Deeply concerning (1) | |
| | | Slightly alarming (2) | X |
| | | Innocent (3) | X |
| | Low-rated red flags | Deeply concerning (1) | |
| | | Slightly alarming (2) | |
| | | Innocent (3) | X |

Table 9.6: Expected outcome TTX

9.4. Results
The results of the study are outlined below. In similarity with chapter
eight, the different stages of the conceptual insider threat mitigation model are
used as a guide to report the results. Also in line with chapter eight, I insist on
presenting the results of the TTX study in as much detail as possible, even though an
in-depth discussion of every single item would lead us too far. Therefore, in the
remainder of the chapter each part of the exercise is discussed by on the one hand
providing the reader with summary tables of the outcome data (i.e. the
categorization) of the items for that particular step, and on the other hand
zooming in on deliberative data (i.e. the comments made by the participants of
the TTX), either in the text or in footnotes, that I find noteworthy. More
concretely, a table with the results corresponding to the high-rated, medium-rated
and low-rated practices/red flags is presented for each stage of the framework
that was discussed during the TTX. As illustrated in for instance table 9.7, for
each item the rating of each group is presented in the table by means of a number
from 1 to 4 and the corresponding color code (see supra 9.2.4).
Before elaborating on the results from the recruitment stage, it should be
emphasized that the level of analysis is the item and not the group. I will therefore
look to what extent the item was rated as expected by the different groups, rather
than looking to what extent each individual group rated the different items as
expected. Or to put it in a different way, for each item I will see how many of the
groups gave a rating that is different from the rating that is expected for that
particular item based on the Delphi study, instead of looking for each group how
many of the high-rated, medium-rated and low-rated items were included in the
expected category. To give an example, my main interest is to see how many
groups categorized the high-rated practice ‘do an identity check’ (see table 9.7)
as ‘essential’ or ‘desirable’ in line with the hypothesis, whereas I am less
interested to see whether the essential category of group A contained only high-
rated practices, as would be expected.
Furthermore, it should be mentioned that not all groups complied with the
categorization rules outlined earlier in this chapter. In some cases the maximum
number of practices that could be assigned to a certain category was exceeded.
For example, only one group followed the rules when categorizing recruitment
practices, with the other four groups assigning more than eight practices to the
‘essential’ category. Similar deviations from the categorization rules took place
in the other parts of the TTX, though not by all groups. The opposite situation
occurred as well, with groups assigning fewer items to the category than allowed.
One of the main reasons that groups breached the categorization rules is that it
was often mentioned by the participants that certain items could be clustered
together as one overarching item, wishing to give all these items in the cluster the
same (essential or desirable) rating. Although certain items indeed resemble each
other, could have been grouped under the same umbrella and subsequently
presented as one overarching item to the TTX audience, the research design did
not always allow these items to be merged because they had different Delphi ratings
(see supra 9.2.4). Throughout the results section I will point out the clusters of
items that were suggested by the TTX participants.

9.4.1. Recruitment – Good practices

Regarding the recruitment stage, participants were asked to categorize
practices that can be used to detect red flags during the recruitment of new
insiders. This part of the exercise was played by two groups that consisted of HR
professionals of sponsor one (i.e. groups A and B) and three groups of HR and
security professionals related to sponsor two (i.e. groups C, D and E). Tables 9.7,
9.8 and 9.9 show the results of this part of the exercise, whereby 1 refers to the
‘essential’ category, 2 to the ‘desirable’ category, 3 to the ‘additional’ category
and 4 to the ‘not recommended’ category.

| High-rated practices Delphi study | A | B | C | D | E |
|---|---|---|---|---|---|
| Do an identity check | 1 | 1 | 1 | 1 | 1 |
| Let multiple actors within the organization decide upon a hire | 2 | 1 | 1 | 1 | 1 |
| Verify professional history of the candidate (diplomas, licenses, professional certifications, ...) | 1 | 2 | 1 | 2 | 1 |
| Check criminal record | 1 | 3 | 1 | 1 | 1 |
| Training and awareness of recruiters (investigative interviewing, insider threat indicators, ...) | 3 | 1 | 2 | 1 | 1 |
| Let trained interviewers conduct an in-depth interview with the candidate | 1 | 1 | 1 | 2 | 4 |
| Follow-up on any issues raised by references | 3 | 1 | 3 | 1 | 2 |
| Be transparent to the candidate on the recruitment and screening process, including consequences for missing/false information | 4 | 3 | 1 | 1 | 1 |
| Check listed professional references (like previous employers/co-workers) | 3 | 1 | 1 | 3 | 3 |
| Check open sources like the internet | 2 | 4 | 3 | 1 | 3 |
| Have a coherent list of non-acceptable convictions | 1 | 3 | 3 | 2 | 4 |

1: ‘essential’; 2: ‘desirable’; 3: ‘additional’; 4: ‘not recommended’

Table 9.7: Results recruitment good practices – High-rated practices Delphi study

Table 9.7 shows the results for the high-rated practices from the Delphi
study. It was expected that the participants would categorize these practices as
either essential (1) or desirable (2). From the eleven high-rated practices only
three practices completely fulfil this expectation, namely checking the identity of
the candidate, letting multiple actors within the organization decide upon a hire
and verifying professional history of the candidate. Concerning the latter, one
group indicated in the comments section that even though a systematic check of
the entire professional history is desirable, it is not possible in practice.
A check of the criminal record, training and awareness of recruiters and
letting trained interviewers conduct an in-depth interview with the candidate
receives the expected rating by four of the five groups, with one group not
recommending the latter practice. In the comments section, one group indicated
that the latter two practices are intertwined, as recruiters should be trained to be
able to conduct the in-depth interview. Another group indicated that not all
candidates should be subjected to an in-depth interview, suggesting to make the
practice dependent on the position the candidate wants to fill. Both follow-up on
issues raised by references and transparency on the recruitment process were
categorized as expected by only three groups, with one group explicitly opposing
the latter practice.
More than half of the groups deviated from the expected outcome with
respect to checking listed professional references and open sources and having a
coherent list of non-acceptable convictions, with the latter two not recommended
by one group each. With respect to a check of the candidate’s listed professional
references, the comments section revealed that one group considers it standard
practice whereas another group only considers it necessary in case the curriculum
vitae raises questions. Furthermore, the suggestion to check open sources during
recruitment is highly subject to debate as it receives all four possible ratings.
While it is perceived by one group as too vague, lacking clear selection criteria,
another group considers it not necessarily a practice to counter insider threat but
rather a practice to check the candidate’s capability.

| Medium-rated practices Delphi study | A | B | C | D | E |
|---|---|---|---|---|---|
| Implement a government security clearance program if possible | 1 | 2 | ? | 3 | 1 |
| Conduct an interview with the manager of the team the candidate will be assigned to | 2 | 1 | 3 | 1 | 1 |
| Request only original documents of educational and professional paths (do not allow copies) | 3 | 1 | 1 | 3 | 1 |
| Conduct an integrity interview whereby the candidate reflects on integrity dilemma cases | 2 | 2 | 2 | 2 | 3 |
| Check social media | 2 | 4 | 1 | 2 | 3 |
| Ask personal letters of recommendation (no standard letters) | 1 | 3 | 3 | 4 | 2 |
| Check psychological or mental fitness for duty | 4 | 3 | 1 | 4 | 2 |
| Give the candidate a questionnaire with a lot of open questions | 2 | 4 | 3 | 3 | 4 |
| Check financial records | 4 | 2 | ? | 4 | 4 |
| Use probationary periods and make clear that passing from probationary status is by no means automatic | 2 | 4 | 4 | 2 | 4 |
| Check vulnerability for manipulation by a hostile party (social engineering) | 4 | 4 | 2 | 4 | 3 |

1: ‘essential’; 2: ‘desirable’; 3: ‘additional’; 4: ‘not recommended’

Table 9.8: Results recruitment good practices – Medium-rated practices Delphi study

Regarding the medium-rated practices from the Delphi study, it was
expected that the participants would categorize these practices either desirable
(2) or additional (3). Table 9.8 shows that conducting an integrity interview is the
only practice fully categorized as expected. In this regard, one group proposed in
the comments to add three integrity-related questions to the job interview, though
one group would make the inclusion of integrity issues in the interview dependent
on the position the candidate applies for. One last group indicated that in their
organization, at the moment integrity is touched upon during employment rather
than during recruitment.
From all the other medium-rated practices, some score better than
expected, while others score worse than expected. Concerning the better-
performing ones, conducting an interview with the manager of the team the
candidate will be assigned to and requesting original documents of educational
and professional paths is categorized as essential by more than half of the groups,
while a categorization as desirable or additional was expected. One group,
however, indicated that an interview with the manager might be useful but not
necessarily in the context of insider threat mitigation. The suggestion to request
original documents was considered obsolete by one group that thinks copies are
sufficient, while another group was of the opinion that original documents are
better than copies.
Concerning the worse-performing medium-rated practices, giving the
candidate a questionnaire with a lot of open questions and checking the
candidate’s vulnerability for social engineering is not recommended by
respectively two and three groups. Even though one group indicated that open
questionnaires are usually given so that recruiters can dig deeper if necessary,
another group perceived that it is difficult to use open questionnaires as selection
criteria. Regarding an evaluation of the candidate’s vulnerability for social
engineering attacks, one group questioned how proneness to social engineering
can be determined, wondering whether there already exists a psychosocial test that
accurately measures it. Even if such tests exist, one group does not believe it has
any added value, at least not during the recruitment stage, while another group
would make the use of the practice dependent on the vacant position.
The participants showed mixed signals with respect to asking personal
letters of recommendation, checking social media and checking psychological or
mental fitness for duty, given that all these practices received all four possible
ratings. In case of the former two, each time one group categorizes the practice
higher than expected (essential) and one group rates it lower than expected (not
recommended). In the comments section, one group raised questions on how data
that was gathered via social media should be retained, with another one making
clear that insiders with malicious intent will not make mistakes on social media
that would reveal them. In case of a check for psychological or mental fitness for
duty the number of groups not recommending this practice increases to two.
Again, one group recommended to make the practice dependent on the position
the candidate wants to fill, whereas another group pointed out that only experts
or therapists are capable of doing such an evaluation.
For probationary periods the number of groups that explicitly discourage
the practice is even higher with three groups not recommending it. This is mainly
due to the fact that this practice is not allowed anymore in Belgium, which was
pointed out by nearly all groups. Still, two of them emphasized that they would
see it as a desirable practice if it would still exist. The remaining two practices
only received a rating from four groups, as one group remained undecided on the
suggestion to check the candidate’s financial records and indicated that in their
sector the implementation of a government security clearance program is already
obliged, therefore not giving it a rating. Concerning the former, one group
referred to the difficulty to implement this practice and simultaneously
questioned its legality. Concerning the latter, two groups urge to make the
practice dependent on the role that needs to be filled.

| Low-rated practices Delphi study | A | B | C | D | E |
|---|---|---|---|---|---|
| Use personality tests (like Hexaco) | 2 | 1 | 1 | 2 | 2 |
| Outsource background screening | 3 | 2 | 2 | 2 | 1 |
| Use standard application forms for the recruitment process | 1 | 2 | 3 | 3 | 1 |
| Verify self-reported claims (like salary history) | 1 | 2 | 3 | 4 | 4 |
| Ask non work-related questions (job of partner, number of recent house moves, hobbies, …) | 4 | 3 | 3 | 3 | 2 |
| Conduct a group interview with the team the candidate will be assigned to | 3 | 3 | 3 | 4 | 2 |
| Request written documentation of educational and professional paths (allow copies) | 4 | 2 | 3 | 3 | 3 |
| Conduct a group interview with the managers of the teams that often interact with the team the candidate will be assigned to | 3 | 3 | 3 | 4 | 4 |
| Check with the desk clerk if the candidate was friendly | 4 | 4 | 4 | 3 | 3 |
| Check listed social network references (like friends and family) | 4 | 4 | 4 | 4 | 4 |

1: ‘essential’; 2: ‘desirable’; 3: ‘additional’; 4: ‘not recommended’

Table 9.9: Results recruitment good practices – Low-rated practices Delphi study

Concerning the low-rated practices, the hypothesis was that these
practices would be categorized as additional (3) at most, or even not
recommended (4). Table 9.9 shows that three practices fully resemble the rating
from the Delphi panel, namely conducting a group interview with the managers
of the teams that often interact with the team the candidate will be assigned to,
checking with the desk clerk if the candidate was friendly and checking listed
social network references, respectively not recommended by two, three and all
five groups. In the comments section, one group clarified that group interviews
with multiple managers would take too long, while another group considers it
potentially relevant for other purposes but not necessarily for insider threat
mitigation. Two groups indicated that questioning the desk clerk is irrelevant
since it does not tell much about the candidate and because negative outliers will
automatically come to the surface. Contacting social network references was
considered one step too far for one group, with another one perceiving it too time-
consuming.
All other low-rated practices from the Delphi study score better than
expected. The most striking results are that all five groups rate the use of
personality tests either essential (two groups) or desirable (three groups), though
one group again emphasized that it should be implemented only for certain
positions. Four groups consider outsourcing background screening an essential
(one group) or desirable (three groups) practice during the recruitment stage,
whereby one group highlights the need to only outsource it to entities that possess
the necessary licenses[122] and another one would do it only for certain positions.
Also the use of standard application forms and the verification of
self-reported claims[123] receive a better score than expected by respectively three and
two groups, with the former even being considered essential by two groups and
the latter by one group. It should, however, also be mentioned that the latter was
not recommended by two other groups, indicating lack of consensus on the
suitability of this practice since all four possible ratings were given to this
suggested practice. Asking non work-related questions, conducting a group
interview with the team the candidate will be assigned to and requesting copies
of educational and professional paths are rated desirable by one group, with each
time another group not recommending it. The suggestion to ask non work-related
questions is considered too intrusive by one group, while in two other groups it
prompted questions about possible privacy violations or risks of discrimination.
Similar to a (group) interview with one (or multiple) manager(s), one
group argues that a group interview with the future team members of the
candidate might be valuable but not necessarily to detect red flags during
recruitment. Another group would only use it in case of small teams.

[122] Think for instance of private investigator certificates.
[123] One group pointed out that verifying self-reported claims is standard procedure in any work-related negotiation and is therefore not specifically related to insider threat mitigation.

Newly suggested practices A B C D E
Check the candidate’s work permit X
Specify during the job interview that the candidate will be subjected to a security investigation X
Get equipment and training to identify IDs X
Table 9.10: Results recruitment good practices – Newly suggested practices

Apart from the pre-defined list of practices, three practices not yet
appearing in the list were suggested by the TTX audience, namely checking the
candidate’s work permit, specifying during the job interview that the candidate
will be subjected to a security investigation and getting equipment and training
to identify IDs, the latter relating to the identity check that all groups unanimously
considered an essential practice during the recruitment stage. Furthermore, it was
already mentioned that it was sometimes argued by the TTX participants that two
or more practices are intertwined and should be considered together rather than
separately. In this regard, the example of the training and awareness of recruiters
and the in-depth interview was already given. Likewise, one group argued to
cluster outsourcing of background screening with a check of financial records
and a verification of self-reported claims, whereas another group would do the
same with checks of identity, criminal record and original documents of
educational and professional background. To conclude, one group clarified that
it did not only take into account the usefulness of the suggested practice to
mitigate insider threats, but also whether the practice might negatively impact the
impression candidates might have of the organization, as too intrusive mitigation
practices might be interpreted by candidates as a sign of mistrust.
9.4.2. Recruitment – Red flags

In part 9.2.2.2 of this chapter, it was mentioned that only sponsor one
wanted to include the evaluation of potential red flags in its exercises. As a result,
only two groups A and B that consisted of HR professionals from sponsor one
were asked to categorize the pre-defined list of potential red flags during
recruitment, as illustrated in tables 9.11, 9.12 and 9.13. In these tables, 1 represents
a categorization as ‘deeply concerning’, 2 as ‘slightly alarming’ and 3 as
‘innocent’.
High-rated red flags Delphi study A B
Having been fired from similar jobs before 1 1
Low score on integrity 1 1
Current or previous extremist ideology 1 1
Candidate has an addiction problem (alcohol, gambling, drugs, etc.) 1 1
Negative advice following security clearance screening by government authorities 1 1
Manipulative nature 1 2
Reticent attitude of candidate (unwillingness to undergo background check, provide references, etc.) 2 1
Inadequate/deviating responses to questions during interview 2 2
Negative references (conflict with previous manager/employer, violations of policies in previous workplaces, …) 2 2
Being dishonest/incomplete about involvement in bankruptcy 2 2
Inappropriate behavior in current or past ties outside of work (social unrest, interpersonal violence, …) 3 1
1: ‘deeply concerning’; 2: ‘slightly alarming’; 3: ‘innocent’

Table 9.11: Results recruitment red flags – High-rated red flags Delphi study

It was expected that the participants would categorize the high-rated red
flags from the Delphi study as either deeply concerning (1) or slightly alarming
(2). Comparing them with the categorization from the TTX participants, it can be
concluded that only inappropriate behavior in current or past ties outside work
received a lower rating than expected. All other red flags that were considered
worrisome by the Delphi panel were thus categorized according to the
hypotheses. Both groups see having been fired from similar jobs before, low
integrity, current or previous extremist ideology, addiction problems and
negative advice following government security clearance screening as deeply
concerning warning signals of insider threat incidents. One group, however,
pointed out in the comments section that it is difficult to detect extremist ideology
and addictions. The level of concern in case of inadequate or deviating responses
to questions during interview, being dishonest or incomplete about involvement
in bankruptcy and negative references is a little lower, being considered by both
groups as slightly alarming red flags. One group indicated in the comments
section that inadequate or deviating responses can also be given unintentionally,
whereas another group mentioned that as long as the candidate has only one
negative reference, the situation should not be exaggerated. The degree of
concern related to candidates that are manipulative in nature or that have a
reticent attitude is less conclusive, with each time one group perceiving it as
deeply concerning and the other one as slightly alarming.

Medium-rated red flags Delphi study A B
Current or previous anger management issues 1 1
Inappropriate social media footprint 1 2
No background information available for the candidate 3 1
High score on immaturity 3 1
High score on narcissism 1 3
Non-blanco criminal record 1 3
Unclear reason for ending previous job(s) 2 3
Unexplained periods of unemployment 3 2
Incomplete information on professional history (work/education) 2 3
Lack of financial stability 3 3
Irrelevant/sensitive questions asked by candidate during interview 3 3
Illogical responses to questions during interview 3 3
1: ‘deeply concerning’; 2: ‘slightly alarming’; 3: ‘innocent’

Table 9.12: Results recruitment red flags – Medium-rated red flags Delphi study

The hypothesis for the medium-rated red flags was a rating of slightly
alarming (2) or innocent (3). Looking at the medium-rated red flags from the
Delphi study, it can be deduced from table 9.12 that half of the red flags received
a higher rating than expected. Especially current or previous anger management
issues was considered to be deeply concerning by both groups during the TTX,
even though one group argued that it is difficult to identify this red flag.
The level of concern corresponding with an inappropriate social media
footprint is also relatively high in comparison with the other medium-rated red
flags. High scores on immaturity and narcissism, absence of background
information for the candidate and a non-blanco criminal record are each
considered deeply concerning by one group but innocent by the other one. With
respect to the latter two, one group pointed out that the number of candidates that
applied for the job will influence the extent to which absence of background
information for the candidate will be considered alarming and that only traffic
fines are acceptable.
All other medium-rated red flags from the Delphi study are in accordance
with the hypothesis. Unclear reasons for ending previous jobs, unexplained
periods of unemployment and incomplete information on professional history are
all considered slightly alarming by one group and innocent by the other one,
whereas the participants are least bothered by lack of financial stability, irrelevant
or sensitive questions asked by the candidate during the interview and illogical
responses to questions during the interview. In similarity with candidates that
give inadequate or deviating responses to questions during the job interview, one
group emphasized that these are not always posed or given in an intentional way.
Low-rated red flags Delphi study A B
High score on arrogance 1 2
Low score on humility 1 3
Abnormal educational path (lot of courses, courses abroad, courses not completed/stopped abruptly, …) 2 2
High frequency of moves between employers (job-hopping) 2 2
Low score on conscientiousness 2 3
Mental health issues (like depression) 3 2
Inability to receive constructive criticism 2 3
Discrepancy between educational and professional career path 3 3
Physical health issues 3 3
Low score on resilience 3 3
Low score on friendliness 3 3
No social media footprint 3 3
History of intensive travel 3 3
Multiple citizenship 3 3
Instable relationship status (frequent different partners, divorce, …) 3 3
Illogical or unclear motivation for why candidate wants to work for the organization 3 3
Excessive social media footprint 3 3
Social network risks (like family, friends or foreign contacts) 3 3
Cold applications (without open/announced vacancy) for critical positions 3 3
Previous employment for a competitor 3 3
1: ‘deeply concerning’; 2: ‘slightly alarming’; 3: ‘innocent’

Table 9.13: Results recruitment red flags – Low-rated red flags Delphi study

Next to the high-rated red flags and medium-rated red flags, also the
group of low-rated red flags is analyzed. Based on the Delphi study, it is assumed
that the TTX audience will consider these red flags innocent (3). Table 9.13
shows that approximately two thirds of the items were rated in accordance with
the expectations. It concerns among other things discrepancy between
educational and professional career path, absent or excessive social media
footprints, lack of friendliness and physical health issues, though one group
indicated that the level of concern of the latter two depends on the position the
candidate wants to fill. Moreover, one group pointed out the difficulty related to
the detection of social network risks, which was also rated innocent by both
groups. Previous employment for a competitor was not only considered innocent
by both groups but was even perceived as a big asset by one of them.
The low-rated red flags that the participants considered relatively more
worrisome than the Delphi panel are arrogance and lack of humility, as both are
considered deeply concerning by one of the groups. Also the rating of abnormal
educational path and job-hopping is higher than expected, given that both groups
refer to it as slightly alarming. The same applies to low score on conscientiousness,
mental health issues and inability to receive constructive criticism, which are all
categorized as slightly alarming by one group.
Newly suggested red flags A B
After the initial contact, the candidate is very difficult to reach or does not respond as quickly, is not very flexible towards appointments, ... ('ghosting') X
Family members sometimes think even at recruitment interview that they will definitely be hired. Think they can afford a little more than others X
Political influence: people who are recommended by a politician or come from politics X

Table 9.14: Results recruitment red flags – Newly suggested red flags

To conclude, the Delphi panel seems to have missed some red flags of
insider threat that can be spotted during recruitment because three new red flags
were added. Specifically, these include ghosting (i.e. candidates that are difficult
to reach after the initial contact), candidates that have a family member that is
already employed at the organization and therefore think they will receive
preferential treatment, and political influence (i.e. candidates that are
recommended by a politician).
9.4.3. Organizational socialization – Good practices

The part of the TTX that related to the organizational socialization stage
was played by only two groups A and B that consisted of HR professionals from
sponsor one. Both groups were asked to evaluate the practices to socialize (new)
insiders to the organizational culture and the organizational norms corresponding
to it. Tables 9.15, 9.16, and 9.17 show the results of the exercise, whereby 1 refers
to the ‘essential’ category, 2 to the ‘desirable’ category, 3 to the ‘additional’
category and 4 to the ‘not recommended’ category.

High-rated practices Delphi study A B
Have a clear code of conduct that undiscussable states expectations regarding appropriate conduct 1 1
Create an open culture where employees can ask questions about integrity issues 2 1
Build trust between supervisors and employees 1 2
Use the code of conduct and policies and procedures in case of detected issues 2 1
Inclusion of the (new) employee (being part of the team) 1 2
'Lead by example' by senior and direct managers 1 2
Show that you care about the employee 2 2
Make expectations concrete and achievable 2 2
Have a welcome policy outlining the organization's history, mission, values, ... 3 1
Installation of a point of contact for questions 3 1
Take appropriate measures if there are violations of the code of conduct 3 1
Employ a strong security culture within the organization so that expectations are reinforced through colleagues 1 3
Organize mandatory onboarding training that provides detailed information on expectations regarding appropriate conduct 3 3
Clarify not only appropriate conduct, but also what conduct is considered as inappropriate (including reasons for termination) 3 3
Be transparent on control measures 3 3
1: ‘essential’; 2: ‘desirable’; 3: ‘additional’; 4: ‘not recommended’

Table 9.15: Results organizational socialization good practices – High-rated practices Delphi study

The hypothesis for the high-rated practices was a categorization of
essential (1) or desirable (2). Table 9.15 shows that only half of the high-rated
practices is categorized in accordance with the hypothesis. These practices again
suggest to use the Aristotelian method of precept, habit and demonstration, as
was explained in chapter eight (see supra 8.3.4). Of these practices, only the
possession of a code of conduct that outlines the expectations regarding
appropriate conduct received the highest possible rating (essential) by both
groups. With the other practices that were categorized as hypothesized, at least
one group perceives the practice as desirable rather than essential. Creating an
open culture where employees can ask questions about integrity issues, building
trust between supervisors and employees, using the code of conduct in case of
detected issues, inclusion and ‘leading by example’ is considered desirable by
only one group, whereas showing that you care about the employee and making
expectations concrete and achievable is categorized in this way by both groups.
The other half of the high-rated practices, that was not categorized by the
participants as expected, can be divided into two groups. In the first one, both groups
differed in opinion, as one group perceives the practices essential while the
other group only considers them additional. This was the case for the suggestions
to have a welcome policy, a point of contact for questions, a strong security
culture and to take appropriate measures if there are violations of the code of
conduct. The second group of practices, namely organizing mandatory
onboarding training, clarifying what is considered to be inappropriate conduct
and transparency on control measures, was unanimously categorized as an
additional practice and therefore less recommended by the TTX audience in
comparison with the Delphi panel. None of the high-rated practices received a
‘not recommended’ rating from the participants.

Medium-rated practices Delphi study A B
Underline open feedback culture and transparency 1 1
Have compliance registers 2 1
Periodic awareness campaigns on expectations regarding appropriate behavior/safety for the entire company 2 1
Regular evaluation of employee performance by management 1 2
Let employees accept policies and procedures in writing 3 1
Detail the code of conduct in policies and procedures 3 1
Visibility of integrity as a core value on corporate website/social media/recruitment campaigns 1 3
Have an appeal process to resolve management-employee disputes before they fester 2 2
Use positive reinforcement (reward appropriate conduct) 2 3
Make integrity part of the regular evaluation procedure by management 3 2
Use a mentor/buddy system 3 3
Casual/informal reminders on expectations during ongoing communications from line managers (like staff briefings) 3 3
Install a culture of social control and confidentiality 1 4
Communication of sanctions taken against misconduct by an employee 4 2
Regular formal meeting with line manager to ensure employees are aware of expectations regarding appropriate conduct 4 3
1: ‘essential’; 2: ‘desirable’; 3: ‘additional’; 4: ‘not recommended’

Table 9.16: Results organizational socialization good practices – Medium-rated practices Delphi study

While the division between practices that fulfilled the hypothesis and the
ones for which the hypothesis was rejected was fifty-fifty in case of the high-
rated practices, the number that fulfilled the hypothesis decreases to one third
when analyzing the medium-rated practices, as illustrated in table 9.4. Here, a
rating of desirable (2) or additional (3) was expected. Consensus was reached
between both groups on the presence of an appeal process to resolve disputes
between management and employees, as they both perceive it as a desirable
practice. Likewise, both groups came to the same conclusion that a mentor/buddy
system and informal reminders on expectations during communications from line
managers should only be regarded as additional practices. Two practices, namely
the use of positive reinforcement and making integrity part of the regular
evaluation procedure, score in between the previously mentioned medium-rated
practices because one group considers them desirable but the other group
additional at most.
The remaining medium-rated practices that did not fulfill the expectations
can again be divided in two groups, with on the one hand the practices that score
better than expected and on the other hand the practices that receive a worse score
than expected. The most deviating result is that underlining an open feedback
culture and transparency receives the highest possible quotation (essential) from
both groups. A similar categorization as essential, though by one group only,
occurred with respect to compliance registers, periodic awareness campaigns and
regular evaluation of employee performance, all practices that were rated
desirable by the other group. Also detailing the code of conduct in policies and
procedures, written acceptance of these policies and procedures and visibility of
integrity as a core value on corporate website, social media or recruitment
campaigns is perceived by one group as essential, but considered only an
additional practice by the other group, indicating relative lack of consensus
between both groups.
The biggest disagreement between both groups was however on whether
or not a culture of social control and confidentiality is needed, since one group
considered it essential while the other group did not recommend the practice. The
same discrepancy can be found with respect to the communication of sanctions
taken against misconduct by an employee and regular formal meetings between
line managers and employees to ensure awareness of expected conduct, given
that one group does not recommend them but the other group perceives the measure
respectively desirable and additional.
Low-rated practices Delphi study A B
Create a culture of constructive dissent 1 1
Use intranet, newsletters, e-mail campaigns, posters, screensavers, etc. to communicate expectations about appropriate behavior 2 2
Use negative reinforcement (punish inappropriate conduct) 3 1
Enquire employees on a regular basis to get a feeling of general mood 3 1
Use peer or '360' evaluation 2 3
Team building events/days 3 2
Use game principles (Gamification) to encourage friendly competition between work units 3 3
Use self-evaluation 4 3
Phase in granting of access to more privileges and responsibilities based on performance 4 3
Ask explicit consent for control 4 3
1: ‘essential’; 2: ‘desirable’; 3: ‘additional’; 4: ‘not recommended’

Table 9.17: Results organizational socialization good practices – Low-rated practices Delphi study

The group of low-rated practices too contains a number of practices of
which the quotation exceeds the expectations based on the Delphi study, best
shown by the categorization of a culture of constructive dissent as essential by
both groups when a categorization of at most additional was hypothesized. Also
the use of negative reinforcement and enquiring employees on a regular basis to
get a feeling of general mood was perceived essential by one group, although the
other group categorized these practices in conformity with the hypothesis. The
use of intranet, newsletters, e-mail campaigns, posters, screensavers, etc. to
communicate expectations about appropriate behavior too scored better than
expected, being considered a desirable practice by both groups. A quotation as
desirable was given as well to the use of peer or ‘360’ evaluations and team
building events or days, albeit by only one of the groups. The low-rated practices
that are least recommended by the TTX audience are gamification, self-
evaluations, asking explicit consent for controls and phasing in access to the
organizational assets based on performance, with the latter three explicitly not
recommended by one of the groups. No extra practices were suggested by the
TTX audience.
As in the recruitment stage, it was sometimes argued that two
or more practices are inseparable and should be considered together rather than
on their own. With respect to the organizational socialization stage, three clusters
of practices were suggested. Firstly, it was argued by one group that a culture of
constructive dissent cannot be separated from an open feedback culture and
transparency. Secondly, one group argued that using the code of conduct in case
of detected issues and taking appropriate measures if there are violations of the
code of conduct resemble each other, and that they go hand in hand with the
possession of a code of conduct on expectations of appropriate conduct and
detailing the code of conduct in policies and procedures. Lastly, one group
perceived a welcome policy to be inseparable from inclusion of the (new)
employee.
9.4.4. Observation – Good practices

In contrast to the organizational socialization stage, the practices relating to
the observation stage were played by both sponsors, or by five groups in total.
Two groups consisted of security professionals of sponsor one (i.e. groups A and
B) and three groups consisted of HR and security professionals related to sponsor
two (i.e. groups C, D and E). In this part of the exercise, participants were asked
to evaluate measures that can be used to detect red flags during employment.
Tables 9.18, 9.19 and 9.20 show the results of the exercise, whereby 1 refers to
the ‘essential’ category, 2 to the ‘desirable’ category, 3 to the ‘additional’
category and 4 to the ‘not recommended’ category.
High-rated practices Delphi study A B C D E
Physical protection and technical measures (decent camera systems, ...) 1 2 1 1 1
Ensure insider threat awareness on Board, CEO and management levels 2 1 1 1 1
Have various means to report red flags 1 2 1 1 2
Use and audit a system to monitor the use of badges/access rights (electronic access control) 1 1 3 1 1
Prevent an employee from accessing data/facilities he/she does not need for his/her work (role-based access) (i.e. principle of least privilege) 1 3 1 1 1
Do not punish employees that make a wrong call when reporting red flags in good faith 1 1 3 1 2
Invest in a culture of open feedback and trust 2 1 1 1 4
Put in place alarms on access systems 1 2 3 2 1
Ensure an active role of line manager/supervisor following-up if someone appears unhappy or different from usual 2 2 3 1 1
Risk analysis based on access and impact 2 2 3 2 1
Structure coordination and communication along the organization (avoid information silos) 2 2 2 1 3
Tailor-made training for managers and staff to detect and report red flags in their context 3 1 2 2 2
Secure endpoints or entry points of end-user devices such as desktops, laptops, and mobile devices (endpoint security tools) 1 4 3 1 1
Create a culture of reporting where employees know they are actually helping co-workers by disclosing concerns 2 1 3 2 4
Require management sign-off for potentially disruptive actions 2 4 3 3 1
Installation of a point of contact to report red flags 3 1 3 3 3
Four-eyes principle/two-person rule 4 3 3 3 2
Repeat screening when employee moves to a more vulnerable position 3 3 3 3 ?
1: ‘essential’; 2: ‘desirable’; 3: ‘additional’; 4: ‘not recommended’

Table 9.18: Results observation good practices – High-rated practices Delphi study

Table 9.18 shows how the participants categorized the high-rated
practices related to the observation stage. Apart from physical and technical
protection measures, ensuring insider threat awareness on Board, CEO and
management levels and the presence of various means to report red flags, which
are all rated essential by at least three groups and desirable by the remaining
groups, none of the high-rated practices was rated essential or desirable by all
five groups as would be assumed based on the Delphi study.
Still, it is fair to say that the majority of the practices for which the
hypothesis is rejected have only one group with a dissenting quotation as
additional. For on the one hand the principle of least privilege[124] and electronic
access controls and on the other hand the suggestions to not punish employees
that make a wrong call when reporting red flags in good faith and to invest in a
culture of open feedback and trust, the balance between an essential and desirable
score is in favor of the former, with respectively all four groups and three groups
perceiving these practices as essential. It should, however, be mentioned that one
group explicitly discouraged a culture of open feedback and trust. The division
between essential and desirable ratings is fifty-fifty (2-2) with respect to the
suggestions to place alarms on electronic access controls and to ensure an active
role of line manager/supervisor following-up if someone appears unhappy or
different from usual. The balance flips in favor of a desirable score in case of
risk analysis based on access and impact, avoidance of information silos and
tailor-made training for managers and staff to detect and report red flags. One
group, however, noted that even though the latter is desirable, it is not yet in place
at the moment.

[124] One group referred to the ‘need-to-know’ principle instead of the principle of least privilege.

For the remaining high-rated practices of the observation stage, at least
two groups rated the practice differently than expected. Endpoint security tools[125],
creating a culture of reporting and management sign-off for potentially disruptive
actions[126] are most subject to discussion. While the former was rated essential by
the majority of the groups but also additional and even not recommended by the
remaining ones, the latter two practices received all four possible ratings,
indicating lack of consensus among the TTX audience. Worth noting is that one
group pointed out that a culture of reporting is not created but originates naturally
from a decent security culture.
For the suggestions to install a point of contact to report red flags and to
implement the four-eyes principle, only one group rated these practices as
hypothesized, with one group even explicitly discouraging the latter. In the
comments section, one group clarified that the four-eyes principle is only useful
in certain areas, whereas another one was in favor of the practice but
simultaneously questioned its feasibility given the costs related to its
implementation. Finally, none of the groups rated repetition of screening when
the employee moves to a more vulnerable position[127] as essential or desirable,
though none of them opposes the practice either and one group refrained from
rating this practice.

[125] One group argued to use endpoint security tools especially for the sensitive parts of the organization.
[126] One group noted that it is recommended for certain practices only.
[127] One group interpreted screening as done by the government rather than the pre-employment screening done by the organization itself, thereby pointing out that official communication from the government is often insufficient or even not available after the initial screening.

Medium-rated practices Delphi study A B C D E
Put responsibility for monitoring behavior with all members of staff, not just the security team (vigilant managers & staff) 1 1 1 1 4
External audit 1 3 1 3 1
Development of a formal threat assessment 2 1 1 2 2
Data loss prevention (DLP) tools 2 1 3 2 1
Create a supportive culture 2 1 3 3 1
Internal audit 2 2 1 3 ?
Implement an anonymous whistleblower system (compliant with relevant legislation and not only ticking the box) 1 1 3 3 3
Put in place a hotline to report red flags 3 2 3 3 3
Stage manipulation by a hostile third party (social engineering) 3 3 2 3 ?
Let employees work in teams 4 2 2 2 2
Conduct red team tests 3 2 2 3 4
Separation of key roles/duties 3 4 3 2 2
Conduct random tests 3 4 2 3 3
Periodic and variable workplace climate surveys 4 4 2 2 3
Insist on a regular use of vacation and holiday time off from work 4 4 3 3 1
Job rotation 4 4 4 4 3
Promote self-reporting 4 4 4 3 4
1: ‘essential’; 2: ‘desirable’; 3: ‘additional’; 4: ‘not recommended’

Table 9.19: Results observation good practices – Medium-rated practices Delphi study

The large majority of the medium-rated practices are also categorized
differently from the expected outcome (i.e. desirable or additional). Only putting
in place a hotline to report red flags and staging social engineering attacks was
rated as hypothesized, though one group abstained from quoting the latter. The
biggest deviations from the expected outcome relate to the suggestions to put
responsibility for monitoring behavior with all members of staff, to use external
audits, to use job rotation and to promote self-reporting. The quotation of the
former two practices is better than expected, with at least three groups
considering the practice essential. It should, however, be mentioned that one
group explicitly opposed the idea to put responsibility for monitoring with all
staff[128]. Job rotation[129] and promotion of self-reporting, on the other hand, score
significantly worse than expected since they are explicitly not recommended by
four of the five groups.
Other medium-rated practices that receive a relatively high quotation,
with more than half of the groups rating the practice essential or desirable, are
the development of a formal threat assessment, data loss prevention tools, the
creation of a supportive culture, internal audits, and letting employees work in
teams, admittedly with the nuance that internal audits was not rated by one group
and that letting employees work in teams was explicitly opposed by another one.
The suggestion to implement an anonymous whistleblower system is considered
essential by two groups but not more than additional by the other three. Likewise,
the suggestions to conduct random and red team tests and to apply separation of
key roles and duties are rated desirable by at most two groups, with the remaining
groups rating it additional and one even not recommending the practices. For the
suggestions to use periodic and variable workplace climate surveys and to insist
on regular time off from work, the number of explicit discouragements increases
to two groups, though the latter is also perceived essential by one group. Still,
one group mentioned in the comments section that even if employees are on
leave, they can still pose an insider threat.

[128] In the comments section one group highlighted that although it is often implicitly mentioned, in practice it is not officially done.
[129] One group questioned the feasibility of this practice.


| Low-rated practices Delphi study | A | B | C | D | E |
|---|---|---|---|---|---|
| Declaration by the organization of assets and interests | 1 | 2 | 2 | 1 | ? |
| Let security report directly to the CEO | 3 | 2 | 2 | 2 | 1 |
| Conduct desktop simulations | 3 | 3 | 2 | 3 | ? |
| Use a formal assessment process supported by regular catch-up sessions | 4 | 3 | 3 | 2 | 1 |
| Scrutiny of internet use and social media activity | 1 | 4 | 3 | 3 | 2 |
| Encourage isolated or withdrawn employees to participate in informal gatherings | 2 | 3 | 4 | 3 | 3 |
| Periodic and variable psychological assessment (fitness for duty screening) | 3 | 4 | 3 | 2 | 3 |
| Use artificial intelligence/machine learning to find warning signals (UEBA, Anomaly Detection, Sentiment Analysis, Keyword Matching, ...) | 3 | 3 | 3 | 3 | 4 |
| Reward employees that report red flags | 3 | 4 | 3 | 4 | 4 |
| Formally inform employees that use of time during work hours can be checked by private investigators | 3 | 4 | 4 | 4 | 4 |

1: ‘essential’; 2: ‘desirable’; 3: ‘additional’; 4: ‘not recommended’

Table 9.20: Results observation good practices – Low-rated practices Delphi study

Finally, three of the ten low-rated practices to observe red flags during employment were categorized according to the hypothesis. These are the suggestions to use artificial intelligence or machine learning to find warning signals, to reward employees that report red flags and to formally inform employees that the use of time during work hours can be checked by private investigators, all factors that are rated additional at most. In the case of the latter two, the majority of the groups even explicitly disapproved of the practice, whereas the use of artificial intelligence is discouraged by one group only. The same applies to periodic and variable fitness for duty screenings and encouragement of isolated or withdrawn employees to participate in informal gatherings, both practices that, apart from the not recommended rating, receive a desirable and an additional rating from respectively one and three groups. The two practices that are most subject to debate, with all possible ratings being given to these practices, are scrutiny of internet use and social media activity [130] and the use of a formal assessment process supported by regular catch-up sessions [131]. Low-rated practices that score significantly better than expected are the suggestions to let security report directly to the CEO and to declare assets and interests, since both practices are categorized essential or desirable by four of the five groups. The suggestion to conduct desktop simulations caused a lot of confusion among the TTX audience, with the majority of the groups not knowing what this practice actually refers to. No new practices were suggested by the TTX audience.

[130] One group suggested to block certain websites.
[131] One group suggested to do it on an annual basis, whereas another group indicated that the wording of the practice was unclear.

To conclude, one group systematically pointed out that organizations have to comply with applicable laws when implementing practices to detect red flags during employment, for instance in the context of physical and technical measures or (alarms on) electronic access controls. Furthermore, participants pointed out possible clusters of mitigation practices. One group considered the four-eyes principle equal to letting employees work in teams, whereas another group made multiple clusters of practices. The first cluster concentrates on internal reporting of red flags, gathering the suggestions to have various means to report red flags, to have an anonymous whistleblower system, to have a hotline for internal reporting and to install a point of contact to report under the same umbrella. The second cluster focuses on cultural practices and proposes to merge the suggestions to have a culture of reporting, a supportive culture, a culture of open feedback and transparency and to not punish employees that make a wrong call when reporting red flags in good faith. A third cluster relates to the shared responsibility of managers and staff in the mitigation of insider threats, referring in this regard to both the suggestion to put responsibility for monitoring behavior with all members of staff as well as to the active role of the line manager/supervisor in the follow-up of subordinates. The fourth cluster concentrates on organizational measures, synthesizing the principle of least privilege and separation of key roles and duties with the suggestion to let management sign off on potentially disruptive actions. The last cluster focuses on physical and technical measures, referring for instance to (the alarms on) the electronic access controls and data loss prevention tools. Worth noting is that the group that proposed these clusters considered them essential practices to detect red flags during employment.

9.4.5. Observation – Red flags

As in the part of the exercise that questioned the participants on potential red flags during recruitment, only two groups (A and B), this time consisting of security professionals of sponsor one, were asked to categorize the pre-defined list of potential red flags during employment, as illustrated in tables 9.21, 9.22 and 9.23. In these tables, 1 represents a categorization as ‘deeply concerning’, 2 as ‘slightly alarming’ and 3 as ‘innocent’.

| High-rated red flags Delphi study | A | B |
|---|---|---|
| Abnormal cyber activities on- and off-site (for example large up/downloads) | 1 | 1 |
| Making threats against employer or other employees | 1 | 1 |
| Participating in illegal activities | 1 | 1 |
| Negative security screening advice from government authorities | 1 | 1 |
| Unexplained irregularities in the organization's accountancy | 1 | 1 |
| Gambling | 1 | 1 |
| Attempts to remove sensitive data (physical and cyber methods) | 1 | 1 |
| Unauthorized access attempts to systems or physical locations not necessary for the job | 1 | 1 |
| Signs of radicalization (Making statements or defending extremist/radical views, ...) | 1 | 1 |
| Employee tests boundaries to see if he/she can get away with it (e.g. Failure to comply with safety and (cyber) security policies and procedures) (i.e. boundary probing) | 1 | 1 |
| Participating in manifestations of extreme organizations | 1 | 2 |
| Drug or alcohol abuse | 2 | 1 |
| Vulnerability to blackmail | 1 | 2 |
| Remotely accessing systems at uncharacteristic hours [132] | 2 | 1 |
| Organizational culture of fear and silence | 2 | 1 |
| Warnings received from other employees, clients or third parties on the behavior of the employee | 2 | 1 |
| Disgruntlement as a result of career disappointment | 2 | 2 |
| Unexplained wealth | 1 | 3 |
| Employee is not open to audits | 3 | 2 |
| Changes in lifestyle (new car, expensive clothes, ...) | 3 | 3 |

1: ‘deeply concerning’; 2: ‘slightly alarming’; 3: ‘innocent’

Table 9.21: Results observation red flags – High-rated red flags Delphi study

[132] One group argued that the formulation of this red flag was unclear.

The hypothesis for the high-rated red flags was a rating of deeply concerning (1) or slightly alarming (2). Of the potential red flags that were considered most worrisome by the Delphi panel of experts, half received the highest rating possible, being perceived as deeply concerning by both groups. Regarding individual factors, these include, among other things, abnormal cyber activities on- and off-site, unauthorized access attempts to systems or locations not needed for the job, attempts to remove sensitive data and boundary probing. While gambling (abuse) is also seen as deeply concerning by both groups, only one group places drug and alcohol abuse on the same level of concern, with the other group considering it only slightly alarming. The same principle applies to threats against employer or other employees and warnings received from other stakeholders, which receive the highest rating from both groups and from only one group respectively. Likewise, signs of radicalization are unanimously categorized as deeply concerning, whereas participation in manifestations of extreme organizations is perceived as slightly alarming by one group. In the case of participation in illegal activities, however, the level of concern is at its maximum for both groups, just like when the government gives negative advice following a government security screening. Concerning organizational factors, both groups follow the conclusion from the Delphi panel that unexplained irregularities in the accountancy and a culture of fear and silence are worrisome, though only one group perceives the latter as deeply concerning, with the other group considering it only slightly alarming. A similar rating of deeply concerning by one group and slightly alarming by the other applies to vulnerability to blackmail and remotely accessing systems at uncharacteristic hours. Relatively less worrisome in comparison with the other high-rated red flags discussed above, but nevertheless still fulfilling the expectations based on the Delphi study, is the rating of disgruntlement following career disappointment as slightly alarming by both groups. The high-rated red flags that worry the participants of the TTX the least are unexplained wealth, employees that are not open to audits and changes in lifestyle, since at least one group categorized these potential red flags as innocent.

| Medium-rated red flags Delphi study | A | B |
|---|---|---|
| Indirectly expressing negative feelings towards employer/co-workers instead of openly addressing them (passive aggression) | 1 | 1 |
| Financial difficulties | 1 | 2 |
| Impending termination of contract | 2 | 2 |
| Being easily frustrated or disappointed (anger management issues) | 2 | 2 |
| Indications of unmet personal expectations (personal stressors) | 2 | 2 |
| Maladaptive behaviors outside workplace | 2 | 2 |
| Changes in online or social media behavior | 2 | 2 |
| Absence of interest by employer/co-workers in the employee's frustrations about the job | 2 | 3 |
| Lack of responsibility | 3 | 2 |
| Repeatedly declining to allow others to serve as back-up for handling responsibilities (control freak) | 3 | 2 |
| Narcissism | 2 | 3 |
| Sudden and unexplained change in performance | 3 | 2 |
| Directly expressing negative feelings toward employer/colleagues (online or in person) | 3 | 2 |
| Time pressure or bureaucracy ('red tape') leading to unwanted shortcuts | 2 | 3 |
| Sudden changes in working hours (working more or less than expected, unauthorized absence, abnormal absenteeism, ...) | 3 | 3 |
| Team members leaving the organization | 3 | 3 |
| Changes in mental health | 3 | 3 |

1: ‘deeply concerning’; 2: ‘slightly alarming’; 3: ‘innocent’

Table 9.22: Results observation red flags – Medium-rated red flags Delphi study

In addition to the high-rated red flags during employment, the large majority of the medium-rated red flags were also rated as hypothesized based on the Delphi study (slightly alarming or innocent). Only passive aggressive employees that indirectly express negative feelings towards employer/co-workers instead of openly addressing them, as well as employees with financial difficulties, are considered deeply concerning by respectively both and one group. The former is thereby rated relatively higher than directly expressing negative feelings toward employer or colleagues, which is rated slightly alarming by one group and even innocent by the other group.

A number of medium-rated red flags are unanimously seen as slightly alarming or unanimously perceived as innocent. The former are impending termination of contract, anger management issues, personal stressors, maladaptive behaviors outside the workplace and changes in social media behavior. The latter are sudden changes in working hours, team members leaving the organization and changes in mental health. The remaining medium-rated red flags were more subject to debate, being rated slightly alarming by one group and innocent by the other one. These include both individual factors like lack of responsibility, narcissism, control freaks and sudden changes in performance as well as organizational factors like absence of interest by employer/co-workers in the employee's frustrations about the job and time pressure or bureaucracy leading to unwanted shortcuts.

| Low-rated red flags Delphi study | A | B |
|---|---|---|
| Employee volunteers for new sensitive projects | 2 | 2 |
| Employee wants to define his/her job him-/herself | 2 | 3 |
| Burn-out | 3 | 3 |
| Lone wolves who have contact with colleagues | 3 | 3 |
| Lack of adaptability in adverse circumstances (failure to respond appropriately to stress or crisis, ...) | 3 | 3 |
| Repeatedly declining to take annual leave | 3 | 3 |
| High level of competitiveness | 3 | 3 |
| Introversion | 3 | 3 |
| Not being very empathetic | 3 | 3 |
| Not being able to deal with criticism | 3 | 3 |
| Uneasiness with fellow employees [133] | 3 | 3 |
| Sudden intensive travel | 3 | 3 |
| Love relationship with a colleague | 3 | 3 |
| Too heavy workload | 3 | 3 |
| Changes in physical health (poor personal hygiene, ...) | 3 | 3 |
| Changes in personal status (divorce, new partner, ...) | 3 | 3 |
| Employee takes long lunch breaks without colleagues | 3 | 3 |

1: ‘deeply concerning’; 2: ‘slightly alarming’; 3: ‘innocent’

Table 9.23: Results observation red flags – Low-rated red flags Delphi study

[133] One group argued that the meaning of this red flag was unclear.

Regarding the low-rated red flags during employment, the TTX audience
to a large extent follows the conclusions from the Delphi panel, considering the
majority of the potential red flags innocent. Again, it concerns individual factors
like introversion, lack of empathy, sudden intensive travel or changes in physical
health or personal status, but also organizational factors like high level of
competitiveness and too heavy workloads. Only employees that volunteer for
sensitive projects and employees that want to define their job themselves are
considered slightly alarming by respectively both and one group. One group
indicated with respect to the former that it becomes particularly alarming if it is
presented in combination with other red flags.

Newly suggested red flags A B
Receiving information that is not "official" but is reality (e.g., through intelligence agencies) X
Not agreeing to new working hours imposed by employer X

Table 9.24: Results observation red flags – Newly suggested red flags during the TTX

To conclude the part on potential red flags during employment, it is noteworthy that two new red flags were suggested by the TTX participants, namely receiving worrisome information through unofficial communication lines (off the record) and employees that do not agree with new working hours that are imposed by their employer. Furthermore, it is worth noting that one group proposed to introduce a new category in between the deeply concerning and slightly alarming one, which in retrospect might indeed have been a good idea. On top of that, this group echoed one of the comments made by one of the panelists of the Delphi study that the biggest red flag is a combination of multiple of the aforementioned red flags.

9.4.6. Investigation – Good practices

The last part of the exercise related to the investigation stage of the
conceptual insider threat mitigation model, asking the participants to what extent
they would recommend practices to investigate the validity of a potential red flag
that was observed. This part of the exercise was played by two groups that
consisted of security professionals of sponsor one (i.e. groups A and B) and three
groups that consisted of HR and security professionals related to sponsor two (i.e.
groups C, D and E). Tables 9.25, 9.26 and 9.27 show the results of this part of the
exercise, whereby 1 refers to the ‘essential’ category, 2 to the ‘desirable’
category, 3 to the ‘additional’ category and 4 to the ‘not recommended’ category.

| High-rated practices Delphi study | A | B | C | D | E |
|---|---|---|---|---|---|
| Respect the (legal) rights of the suspect | 1 | 1 | 1 | 1 | 1 |
| Ensure you know what the normal situation is meant to be like to allow audit trails (like material inventories if suspicion of stolen material) | 1 | 1 | 2 | 1 | 1 |
| Have trained and experienced staff to conduct the investigation | 2 | 1 | 2 | 1 | 1 |
| Have a formal investigation policy, procedures and process (who conducts investigation and how) | 1 | 2 | 1 | 2 | 1 |
| Not act in a haste unless the situation appears urgent | 2 | 2 | 2 | 2 | 2 |
| Detect and use only what is legally authorized | 1 | 4 | 1 | 2 | 1 |
| Make sure unauthorized staff members do not conduct their own investigation and make accusations | 2 | 1 | 3 | 3 | 1 |
| Provide sufficient resources to conduct investigations | 3 | 1 | 2 | 1 | 3 |
| Have an internal investigation protocol regarding concerns reported through the whistleblowing system | 1 | 2 | 3 | 3 | 2 |
| Avoid a witch hunt | 3 | 2 | 3 | 2 | 2 |
| Review emails and ICT history of the suspect | 3 | 1 | 3 | 3 | 4 |

1: ‘essential’; 2: ‘desirable’; 3: ‘additional’; 4: ‘not recommended’

Table 9.25: Results investigation good practices – High-rated practices Delphi study

Looking at the high-rated practices to investigate potential impending insider threat incidents, table 9.26 shows that approximately half of the practices are rated as expected (essential or desirable). All five groups agreed that respecting the legal rights of the suspect is essential and that not acting in haste unless the situation appears urgent is desirable. Four out of five groups perceive knowledge about the normal or baseline situation as essential, with the remaining group considering it desirable. Likewise, having a formal investigation policy and trained and experienced staff to apply and guide the process is seen as essential by three groups and desirable by the two other ones.

For all the other high-rated practices related to the investigation stage, at least one group categorized the practice as only additional or even did not recommend it. Perhaps surprisingly this is the case for the suggestion to detect and use only what is legally authorized, which received three essential ratings and one desirable rating but was also not recommended by one group. The respective group clarified this classification by saying that it might not have given the politically correct answer, but that in reality the situation sometimes leaves you no other choice than to use grey or even dark means. The group thereby echoes a statement made by one of the panelists during the Delphi study and although I do not endorse their point of view and would recommend all organizations to comply with applicable laws, I do appreciate their honesty and that they did not simply give the answer that is socially desirable.

Other practices were even more subject to debate, with half of the groups rating them essential or desirable as expected, but the other half considering them additional at most. This applies for instance to providing sufficient resources to conduct investigations, making sure unauthorized staff members do not conduct their own investigation, avoiding a witch hunt and having an internal investigation protocol to investigate internal reporting. One group, however, indicated that implementation of the latter practice should depend on the size of the organization.

The participants of the TTX mostly disagree with the Delphi panel on the recommendation to review emails and ICT history of the suspect, with only one group considering it essential, three groups seeing it as an additional practice and one group explicitly discouraging it. Privacy is mentioned as the main reason for the relatively low rating, with one group indicating that it is not allowed in Belgium to check this information while another one argues that the prohibition only applies to emails and not to ICT history.

| Medium-rated practices Delphi study | A | B | C | D | E |
|---|---|---|---|---|---|
| Mask the identity of the suspect until anomalies and allegations are confirmed | 1 | 1 | 1 | 2 | 1 |
| Have a formal conversation with the suspect | 2 | 2 | 1 | 2 | 1 |
| Culture of presumption of innocence | 2 | 2 | 2 | 2 | 1 |
| Investigate à charge and à décharge | 2 | 3 | 1 | 1 | 1 |
| Involve as few people as possible until anomalies and allegations are confirmed | 2 | 1 | 3 | 2 | 1 |
| Compare observed behavior with duties and tasks of the suspect | 2 | 3 | 1 | 1 | 2 |
| Assess whether there is a link with external criminality (suspect providing help to criminals outside the organization) | 1 | 2 | 1 | 4 | 1 |
| Triangulate information sources | 2 | 1 | 2 | 1 | 4 |
| Interview other stakeholders (like co-workers/managers) | 2 | 3 | 1 | 1 | 3 |
| Use a team approach | 4 | 3 | 2 | 2 | 2 |
| Regularly interact with applicable police, prosecutor, security and intelligence services (proactive rapport) | 3 | 1 | 3 | 3 | 1 |
| Have policies and procedures in place to determine if the behavior is concerning enough to warrant a response | 1 | 4 | 3 | 1 | 2 |
| Be transparent on the investigative process | 3 | 4 | 2 | 3 | 2 |
| Automate data aggregation rather than asking for data from different data owners for each new investigation | 3 | 2 | 3 | 4 | 4 |
| Senior ownership of the investigation process | 4 | 4 | 3 | 4 | ? |

1: ‘essential’; 2: ‘desirable’; 3: ‘additional’; 4: ‘not recommended’

Table 9.26: Results investigation good practices – Medium-rated practices Delphi study

In contrast to the high-rated practices related to the investigation stage, where half of the practices were rated as hypothesized, table 9.26 illustrates that none of the medium-rated practices was rated as expected. The participants are in agreement that senior ownership of the investigation process is less recommended, with three groups explicitly discouraging it, one group considering it an additional practice at most and one group abstaining from rating this practice. In contrast, three of the practices are unanimously rated better than expected, with all groups rating them either essential or desirable. In particular, masking the identity of the suspect until allegations are confirmed is perceived as essential by four out of five groups, whereas this number decreases to two and one for the suggestion to have a formal conversation with the suspect and a culture of presumption of innocence respectively.

The suggestions to investigate à charge and à décharge, to involve as few people as possible until allegations are confirmed [134] and to compare the observed behavior with duties and tasks of the suspect score relatively well too, since all of them received an essential or desirable rating by at least four groups and an additional one by the remaining group. The same applies to the suggestion to assess whether there is a link with external criminality and to triangulate information sources, though one group explicitly discouraged these practices. One group also emphasized in the comments that only competent services should assess whether there is a link with external criminality, rather than the organization doing it. The opposite situation occurs as well, since the suggestion to automate data aggregation was less recommended by the participants except for one group considering it desirable.

[134] One group argued that this is difficult to realize in practice.

The remaining practices are characterized by disagreement among the TTX audience, with some groups more eager to encourage the practice (essential or desirable) and other groups more eager to discourage the practice (additional or not recommended). For the suggestion to interview other stakeholders and to use a team approach the balance falls in favor of encouragement of the practice, while the opposite is true for the suggestion to maintain proactive rapport with applicable authorities and to be transparent on the investigative process. With respect to the latter practice, one group questioned to whom the organization should be transparent.

| Low-rated practices Delphi study | A | B | C | D | E |
|---|---|---|---|---|---|
| Inform prosecutor & police | 3 | 2 | 1 | 3 | 1 |
| Approval of formal investigation policies and procedures by social partners | 1 | 3 | 2 | 2 | 3 |
| Explicitly define threshold of concerning behaviors that must be met before an investigation is launched | 1 | 4 | 3 | 3 | 2 |
| Temporary reassignment of the suspect to a less sensitive area during the investigation (time-out) | 4 | 3 | 2 | 4 | 2 |
| Have an informal conversation with the suspect | 4 | 4 | 3 | 1 | 3 |
| Review financial circumstances of the suspect | 3 | 2 | 3 | 3 | 3 |
| Involve external expertise from the beginning (like a private investigator) | 3 | 4 | 3 | 3 | 4 |
| Make sure different entities must give their consent to start an investigation | 4 | 4 | 4 | 4 | 4 |

1: ‘essential’; 2: ‘desirable’; 3: ‘additional’; 4: ‘not recommended’

Table 9.27: Results investigation good practices – Low-rated practices Delphi study

To conclude the results section, table 9.27 shows the results from the low-rated practices. Only two of the low-rated practices receive the rating that was expected based on the Delphi study. The suggestion to make sure different entities must give their consent to start an investigation was unanimously not recommended by the participants of the TTX, whereas the involvement of external expertise from the beginning was explicitly discouraged by two groups and seen as additional by the other three groups.

In four out of the remaining six practices at least two groups rated the practice higher than expected. For the suggestion to inform prosecutor and police and to let social partners approve the formal investigation policy more than half of the groups showed support for these practices, with the former being perceived as essential by two groups and desirable by one and the latter vice versa. Two groups argued that instead of asking social partners for approval simply informing or at most consulting them is sufficient.

For the suggestion to explicitly define the threshold of concerning behaviors that must be met before an investigation is launched and to temporarily reassign the suspect to a less sensitive area during the investigation [135] two groups go for an essential or desirable rating, though both practices are also explicitly discouraged by respectively one and two groups. In relation to the former, two groups point out that the threshold can be implicitly defined, but that it is practically impossible to define it in an explicit way.

[135] One group argued that it is desirable but simultaneously questioned the feasibility of the practice.

Reviewing financial circumstances of the suspect and having an informal conversation with the suspect are relatively encouraged by only one group. While the former is considered desirable by one group and additional by four other groups, the latter is explicitly not recommended by two groups but simultaneously considered essential by another one, with the remaining groups perceiving it as an additional practice.

Finally, also in relation to the investigation stage a cluster of mitigation practices was proposed. In particular, it was suggested by two groups to put the suggestions to mask the identity of the suspect and to involve as few people as possible in the investigation until allegations are confirmed under the same umbrella.

9.5. Limitations
Also in this chapter it should be acknowledged that the TTX study is
limited by some weaknesses. Some of the shortcomings resemble the limitations
mentioned in the context of the Delphi study, like the lack of collaborative
approach to design and play the TTXs. Only one principal researcher (i.e. the
PhD-candidate) designed and played it, albeit supported by feedback from a
range of people (supervisor, doctoral committee, external reviewers, pilot
audience, …), instead of the recommended team approach (Hobbs et. al., 2016).
Similarly, one could point out the lack of contextualization of the scenario, a
shortcoming already addressed earlier in this chapter (see supra 9.2.2.1), as well
as the risk of participant fatigue because TTX is time and energy intensive for
participants (Dausey et. al., 2017; Pauly, 2018).
Likewise, the fact that the outcome of the TTX is influenced by its design
(Dausey et. al., 2017) can be seen as a limitation of this study. Think for instance
of the decision to not make the outcome of the exercise consequence-based,
which contradicts Lin-Greenberg et. al.’s (2022) recommendation. Even though
the TTX outlined in the present study consists of a sequential exercise, decisions
that participants make in one step of the TTX have no influence on decisions that
have to be taken in the next step of the TTX. In other words, every part of the
exercise participants start again from scratch. Still, it is argued that for future
research the TTX design can easily be adapted to include consequence-based
outcomes. For instance, instead of presenting the participants with a list of red
flags during recruitment, the participants could be informed about a number of
applicants that applied for a vacant position and that show certain red flags.
Depending on the practices the team chooses in the first step of the exercise,
information is revealed about the applicants in the second step. To give an
example: applicant one might have inconsistencies in the CV, but this info is only

526
revealed if the participants have chosen to check the professional history of the
candidate. In the end, the team has to rank the applicants from most desirable to
least desirable to hire for the vacant position. Similar dependencies could be
introduced with respect to the other parts of the TTX design to make sure that
decisions taken in one step of the exercise do influence the rest of the exercise.
Another shortcoming relates to data collection, which is
disproportionately focused on outcome data in comparison with deliberative data
(Frank, 2012; Pournelle, 2017). This mainly follows from the impossibility to
record audio or video (Frank, 2012) due to lack of consent from the participants,
as well as from the impossibility to use notetakers (Hobbs et. al., 2016) due to
budgetary restraints. These options would have given the opportunity to review
the arguments made by the participants to better explain their outcomes.
Furthermore, the decision to engage the sponsors of the PhD-project as
participants in the TTX may raise questions on possible conflict of interest or
bias, because sponsored games might be used “to validate existing programs of
record or doctrine or to justify budgets and authorities” (Lin-Greenberg et. al.,
2022: 100). In this regard, I can only say that an independent analysis took place,
with no interference from any of the sponsors trying to steer it (Rubel, 2006).
Finally, a shortcoming not necessarily related to the design outlined in
this study but rather to TTX as a research method in general is the fact that TTX
does not guarantee that participants would react the same way in real life
situations (Bunn, 2022), or the possible tension between participants’ attitude
during the TTX (i.e. lusory attitude) and their attitude during real life (i.e.
professional attitude) (Frank, 2012). On the one hand, TTX outcome might be
prone to the social desirability bias (Pauly, 2018), with participants not daring to
take decisions that contradict societal norms. In this regard, it should be
mentioned that the results of the study show that at least one group refrained from
social desirability answers by not recommending to detect and use only what is
legally authorized (see supra 9.4.6). On the other hand, participants might enter
in ‘gamer mode’, whereby they only care about winning the game and thereby
disregard the real purpose of the TTX (Frank, 2012). Participants falling into this
so-called ‘warrior trap’ tend to behave in a more aggressive way than they would
do in real life. Still, the risk of the warrior trap is minimal in the present study
because there are no winners and losers in this TTX, which on its own can be
regarded as going against the spirit of ‘serious gaming’. Indeed, one could
question whether the present TTX design concerns a real game, perhaps relating
more to a ‘serious play’ (i.e. paidia) than a ‘serious game’ (i.e. ludus) in the
terminology of Alvarez & Djaouti (2012), with some even using the more
pejorative term BOGSAT (Pace, 1991; Perla & McGrady, 2011; Rubel, 2006).
9.6. Conclusion
This chapter elaborated on the TTX study on insider threat mitigation.
The aim of the study was to examine to what extent HR and security professionals
in organizations belonging to a critical infrastructure sector would follow the
policy recommendations from the Delphi panel. This was done by means of
tabletop exercises whereby the output from the Delphi study was used as input
for the TTX study. In three separate TTXs on insider threat prevention and
detection, practitioners were asked to rate a pre-defined list of mitigation
practices and potential red flags that consisted of a combination of high-,
medium- and low-rated practices/red flags stemming from the Delphi study
outlined in chapter eight. The expected outcome was that the categorization by
the TTX audience would be similar to the ratings from the Delphi panel.
The comparison between the ratings from the Delphi panel of experts and
the TTX audience regarding the evaluation of mitigation practices teaches us
that in all steps of the conceptual model that were included in the TTX design,
certain recommendations from the Delphi panel were supported by the TTX
audience, whereas others were opposed. Zooming in on the high-rated practices,
or the practices that are most recommended by the Delphi panel, it can be
concluded that in each part of the TTX more than half of the high-rated practices
was endorsed by four of the five groups of the TTX and more than 70 percent by
three of the five groups. This means that less than one third of the policy
recommendations from the Delphi study was supported by less than half of the
TTX audience. Still, it is noteworthy that the number of policy recommendations
that was unanimously endorsed by the TTX participants was also less than 30
percent, except for the investigation stage where close to half of the high-rated
practices was endorsed by all five groups.
A similar conclusion can be drawn with respect to the low-rated practices,
or the practices that were least recommended by the Delphi panel. Half of the
low-rated practices related to the observation and the investigation stage were
rated in accordance with the ratings from the Delphi panel by at least four of the
five groups of the TTX, whereas the number increases to 60 percent for the
recruitment stage. At least 70 percent of the least recommended practices were
also considered additional at most or even explicitly not recommended by three
of the five groups. For the organizational socialization stage, for which the
practices were only rated by two groups, 80 percent of the low-rated practices
was less recommended by at least one of the groups. Again, it is noteworthy that
the number of low-rated practices for which the rating from the TTX audience
was completely in line with the rating from the Delphi panel was 30 percent at
most, except for the organizational socialization stage where it concerned 40
percent of the practices.
In each part of the TTX, there were also some clear contradictions
between the opinion of the Delphi panel and the opinion of the TTX audience. In
the recruitment stage, the Delphi panel suggested to consult open sources and to
have a list of non-acceptable convictions, whereas both practices received all four
possible ratings from the TTX participants with the majority perceiving it not
more than additional practices. In contrast, the Delphi panel was less in favor of
personality tests and outsourcing background screenings, while these practices
were considered essential or desirable by at least four groups of the TTX. In the
organizational socialization stage, the same reasoning applies to on the one hand
the suggestions to clarify what is considered to be inappropriate conduct, to be
transparent on control measures and to implement mandatory onboarding
training, all practices that are recommended by the Delphi panel but seen as
additional practices by the TTX participants, and on the other hand the
suggestions to have a culture of constructive dissent and to use communication
channels (intranet, newsletters, …) for the code of conduct, all practices
recommended by the TTX audience but not based on the Delphi study. In the
observation stage, at least four of the five groups relatively opposed the
recommendation from the Delphi study to implement the four-eyes principle and
to repeat screening when the employee moves to a more vulnerable position,
while declaration of assets and interests and letting security report directly to the
CEO were endorsed by at least four groups in spite of the little attention given to
these practices by the Delphi panel. In the investigation stage, the
recommendation to review emails and ICT history was questioned by the TTX
audience, since only one of the groups gave it a rating that is in line with the
Delphi study. The opposite situation did not occur given that none of the low-
rated practices was considered essential or desirable by at least four of the five
groups.
Also with respect to the medium-rated practices some outliers were
present, with practices that were either more recommended by the TTX audience
or less recommended. Better-performing medium-rated practices related to the
recruitment stage are the suggestion to conduct an interview with the manager of
the candidate’s team and to request original documents of professional history,
while in the organizational socialization stage a culture of open feedback and
transparency was perceived essential by both groups. The same principle applies
to the suggestion to put responsibility for monitoring behavior with all members
of staff and to use external audits for the observation stage, as well as to the
suggestion to mask the identity of the suspect until allegations are confirmed, to
investigate à charge and à décharge and to assess a possible link with external
criminality for the investigation stage. Worse-performing medium-rated
practices, or practices that are explicitly not recommended by more than half of
the groups, are checks of financial records and vulnerability for social
engineering attacks as well as probationary periods for the recruitment stage.
Likewise, job rotation and promoting self-reporting as well as senior ownership
of the investigation process are considered less appropriate practices for
respectively the observation stage and the investigation stage.
Regarding the evaluation of potential red flags, the ratings from the
Delphi panel and the TTX audience are more in line with each other in
comparison with the evaluation of the mitigation practices, though it should be
emphasized that these parts of the TTX were played by only two groups instead
of five and that only three ratings were available instead of four. From the list of
most worrisome (high-rated) red flags during recruitment, only one red flag that
the Delphi panel considers worrisome, namely past or current inappropriate
behavior outside work, was downgraded by one of the groups as innocent. The
rest of them was rated at least slightly alarming, with half of them being
unanimously considered deeply concerning by the TTX audience. Similarly, only
three of the in total 20 red flags appearing in the list of red flags during
employment that concern the Delphi panel the most (high-rated) were considered
innocent by at least one group, with changes in lifestyle being the only one rated
this way by both groups. The opposite situation occurred as well since some of
the red flags that are considered less worrisome by the Delphi panel are
considered deeply concerning or slightly alarming by at least one group of the
TTX. This is the case with arrogance and lack of humility as red flags during
recruitment and with volunteering for sensitive projects as red flag during
employment. Medium-rated red flags that the TTX audience perceived more
concerning than the Delphi panel related to anger management issues as red flag
during recruitment and passive aggression as red flag during employment, since
both of them were unanimously seen as deeply concerning.
In conclusion, with the TTX I tried to “bring [practitioners] on a journey
from theory to practice” (Hobbs et. al., 2016: 7), making “the abstract,
clandestine world of insider threats tangible” (Hofmeier and Lechner, 2021: 14).
The exercises made it possible to familiarize the TTX audience with the results obtained
via the Delphi study, thereby raising their awareness on the insider threat problem
and exposing them to new insider threat mitigation ideas (Gondree et. al., 2013)
in a more pleasant way than conventional lecturing approaches (Hobbs et. al.,
2016). The take-home message from the TTX is, however, not that every
organization is urged to copy-paste the recommendations that follow from the
Delphi study in their organization. In similarity with Hofmeier and Lechner
(2021), who indicate that in their study “attacks that were perceived as unlikely
got lower plausibility ratings, which does not mean that they are inconsistent or
unrealistic” (ibid: 18), it should be emphasized that practices that were
recommended (high-rated) by the Delphi panel might not be suitable for certain
organizations while practices that were less recommended (low-rated) might be
useful. It was thus made clear to the TTX audiences, and to the reader of this
dissertation, that the output of the Delphi study should not be considered the
ultimate benchmark for insider threat mitigation, but that it can be used as input
for their tailor-made insider threat mitigation program. In summary, it can be
concluded from the TTX that the recommendations from the Delphi panel are not
conclusive but rather indicative. Still, “indicativeness is no mean thing when
dealing with a very complex or weakly structured problem” (Rubel, 2006: 5),
which is the least you can say about the insider threat problem.

PART V: CONCLUSION

Chapter 10

Conclusions

This study worked toward a better understanding of the insider threat
problem (part II), insider threat awareness in Belgium (part III) and insider threat
mitigation (part IV). In the introductory part of the study (part I), it was explained
that the goal of this dissertation was two-fold, namely the identification of insider
threat awareness (gaps) among Belgian stakeholders and the provision of an
insider threat mitigation framework that helps organizations to better secure
themselves against insider threats, and that to reach these goals one additional
goal has to be met, namely the development of a suitable insider threat
conceptualization. Translating these research goals into research questions led to
three research questions (see figure 1.1): How should the insider threat problem
be conceptualized? (level-setting research question); What is the current level of
awareness, and the related awareness gaps, on the insider threat problem in
Belgium? (main RQ1) and How can an effective framework be developed that
helps organizations to mitigate insider threats? (main RQ2). Even though these
research questions were already answered in the conclusion sections of each
chapter of this dissertation, it might be beneficial to briefly summarize them in a
concluding part (Part V). This will be the main goal of the last chapter of this
dissertation.
10.1. How should the insider threat problem be conceptualized?
Regarding the level-setting research question on insider threat
conceptualization, it was demonstrated that the existing conceptualizations found
in the insider threat literature were not suitable because they interpret the insider
threat concept too narrowly, too broadly or leave too much room for interpretation.
Consequently, a new definition of insiders and insider threats was proposed in
chapter two, defining the insider as an actor who is or used to be trusted by the
organization with the free privilege of access to and/or knowledge about the
organizational assets, and the insider threat as the possibility that an insider
causes harm to the organization because they intentionally misuse their access to
or knowledge about the organizational assets.
The insider threat definition consists of five key concepts, namely
organizational assets, insiders, privileged access/knowledge, harm, and
intentional misuse. Organizational assets are valuable resources controlled by
the organization that need to be protected and that are therefore situated within
the (proverbial) security perimeter (Bunn & Sagan, 2016; Lynch, 2006; Nurse et.
al., 2014). Organizations have no other choice than to provide certain individuals
with a privilege in the form of access to and/or knowledge about the
organizational assets, and trust that they will handle the privilege with care
(Baier, 1986). These individuals are referred to as insiders. The privileged
access/knowledge refers to the trust-based permission that the organization gives
to insiders to penetrate the security perimeter that defends the organizational
assets from harm (Bishop et. al, 2010). Harm to the organizational assets is
interpreted as the negative effect on the confidentiality, availability or integrity
of the organizational assets (Sarkar, 2010; Cole & Ring, 2006; Nurse et. al.,
2014). Harm caused by insiders either results from misconduct, or misuse of the
insider privilege, or from misbehavior, or inappropriate behavior not related to
the insider privilege, the latter not being elaborated further on when constructing
the insider threat conceptualization. Misconduct can either be unintentional due
to lack of competence or intentional due to lack of trustworthiness, whereby only
intentional misuse of the insider privilege, whether or not with the intention to
inflict harm, is interpreted as an insider threat, while unintentional misuse of
the insider privilege is denoted a (safety) insider hazard.
In turn, insider threat was divided into security insider threats whereby
the insider knows their action will definitely cause harm to the organization and
safety insider threats whereby the insider knows their action might possibly cause
harm. Moreover, as an alternative to the ambiguous ‘malicious’/‘non-malicious’
distinction, I suggested to replace the concepts with ‘expressive’ and
‘instrumental’ respectively, whereby expressive means the harm to the
organization is a goal in itself and instrumental means the insider harms the
organization to achieve another goal. Combining the insider threat-insider hazard
separation, the security-safety distinction and the expressive-instrumental
division leads to four categories of insider misconduct, three of which are insider
threats: expressive security insider threats, instrumental security insider threats,
instrumental safety insider threats and safety insider hazards.
An important aspect of the insider threat definition that was elaborated on
in chapter three is the notion of trust. Trust is, apart from access to and knowledge
about the organizational assets, the third characteristic that defines the insider
privilege and refers to the organization’s belief that the insider will use the insider
privilege appropriately. The decision to trust an individual with access to or
knowledge about the organizational assets is pivotal in the context of insider
threat, given that trusting insiders benefits organizations if the insider is worthy
of trust but harms the organization if the insider is not worthy of trust. It was
demonstrated in the dissertation that whether an insider is worthy of trust is
mainly determined by their trustworthiness, or the willingness of the insider to
act responsibly toward the organization, when the organization has placed an
implicit or explicit expectation to properly use the insider privilege. Absence of
trustworthiness to the organization sooner or later results in betrayal of
organizational trust, or results in insider threat incidents. However, since
trustworthiness is not only perceived from an organizational perspective but also
from a societal one, whereby the concept refers to the willingness of the insider
to act responsibly toward society, insider threats always entail betrayal of
organizational trust but not always entail betrayal of societal trust. Betrayal of
societal trust can occur both when the insider acts responsibly toward the
organization and when the insider deliberately fails to live up to their
commitment to the organization, depending on whether the commitment to the
organization coincides or collides with the commitment to society.
Because from an organizational point of view the goal is to avoid
situations where the organization excessively trusts insiders who do not merit
trust (Hardin, 1996; Isaeva et. al., 2019), and because trustworthiness assessment
models are at the moment nearly absent in personnel recruitment and assessment
(Sinek, 2019), the first step toward an assessment model of insider
trustworthiness was put forward in this dissertation. The model distinguishes vice
and virtue insiders from mutable insiders based on the question to what extent
the insider perceives intentional misconduct as an acceptable action, whereby
intentional misconduct is certain in the case of vice insiders and impossible in the
case of virtue insiders. For mutable insiders, the most densely populated category
(Cools, 1994; Kumar et. al., 2013), the possibility of intentional misconduct
depends on the interaction between an insider’s disposition to commit intentional
misconduct and the situational circumstances the insider encounters, referred to
as their situational-disposition (Eoyang, 1994). An application of the NIPS model
(Blum et. al., 2018; Blum & Schmitt, 2017; Schmitt et. al., 2013) makes it
possible to determine an insider’s situational disposition and therefore to assess
the probability that a particular insider will intentionally deviate from the
prescribed standards of behavior in a given situation.
Even though throughout the dissertation I frequently referred to ‘the’
insider threat, chapter four clearly illustrated that insider threat should be
interpreted as a class of threats and not as a single distinct threat. I already
discussed the distinction between expressive security insider threats,
instrumental security insider threats and instrumental safety insider threats, but
even this categorization is a simplification of the complexity of the insider threat
problem. The typology outlined in chapter four showed, in fact, that insider threat
incidents differ according to the objective of the insider that commits intentional
misconduct, the subject that is affected by it, the motivation that incites the
insider to commit intentional misconduct, the time the insider is not worthy of
trust (anymore), the way in which the insider commits intentional misconduct
(i.e. Modus Operandi), the severity of the (potential) impact of the intentional
misconduct, the number of insiders that are involved in the intentional
misconduct and the complicity of the insider(s) in the incident. The mind map
that arose from the real-case examples on which the typology is based shows how
wicked the insider problem is, and shows how essential awareness of the insider
threat problem is to develop a mitigation strategy. Insider threat awareness was
therefore the focus of the first main research question of the dissertation.
10.2. What is the current level of awareness, and the related
awareness gaps, on the insider threat problem in Belgium?
Concerning the first main research question on insider threat awareness,
it was shown in the dissertation that the awareness level of Belgian organizations
of which it could be assumed that they are (or at least should be) aware of the
insider threat problem is, generally speaking, satisfactory, but that there still is
room for improvement. This conclusion can be drawn from the online insider
threat awareness and behavior survey that was based upon the four-part typology
of security awareness developed in chapter five of this dissertation and that
questioned 315 Belgian security officers acting as representatives for their
organizations.
In more concrete terms, it can on the one hand be concluded from the
results of the survey that the knowledge of the survey population was satisfactory
except for the unfamiliarity with the degree of insiderness and the related need to
apply a risk-based approach in insider threat mitigation. With respect to cognitive
threat awareness, the large majority of the respondents (+80%) gave the
answers that were expected based on the insider threat literature, except for the
question related to degree of insiderness that indicated that less than 60% of the
respondents is familiar (enough) with this notion. Similar to the satisfactory
knowledge level of the survey population on the insider threat problem, also their
cognitive mitigation awareness, or knowledge level on the measures that
mitigate insider threats, is in general satisfactory. Still, in analogy with cognitive
threat awareness, there is room to improve cognitive mitigation awareness, as
more than 10% of the respondents believes that measures taken to protect the
organization from external threats are sufficient to protect the organization from
insider threats. From the literature we know that the majority of protection
measures against external threats, like access badges and password protection, do
not protect against insider threats given that insiders are trusted with badges and
passwords. Moreover, almost 15% of the respondents thinks it is not necessary
to relate the rigor of the trustworthiness evaluation to the extent to which the
insider will have access to the organizational assets, again referring to insufficient
knowledge of the degree of insiderness.
On the other hand, it can be concluded with respect to the attitude of the
survey population toward insider threats that although the insider threat problem
is recognized by the large majority of the respondents as a general security
problem, a certain part of the survey population suffers from the NIMO bias,
disregarding the applicability of the insider threat problem to the own
organization. Regarding attitudinal threat awareness, the large majority of the
respondents (+85%) considers insider threats a significant problem, urging to put
it higher on the security agenda, whereas the results also indicate that a
considerable group of respondents denies vulnerability to insider threats. 17%
believes that absence of significant conflicts between employer and employee
makes the insider threat problem not applicable to their organization, although
we know from the literature (and from the typology in chapter four) that insider
threat incidents also originate from a multitude of factors other than disagreement
like greed, personal problems, negligence, social engineering and so on.
Furthermore, over a quarter of the respondents (28%) indicates that their
organization is not worried that one of its employees will wittingly misuse their
access to the organizational assets.
Concerning attitudinal mitigation awareness, the majority of the
respondents puts insider threat mitigation on the same level as external threat
mitigation, with nine out of ten respondents agreeing that protecting the
organization from insider threats is just as important as protecting the
organization from external threats. Still, only seven out of ten respondents refuted
that protecting the organization from insider threats is inferior to protecting the
organization from external threats, meaning that a considerable part of the survey
population still prioritizes external threat mitigation over insider threat
mitigation. Regarding the countermeasures currently prescribed by the insider
threat literature, respondents are more convinced about the usefulness of non-
disclosure agreements and background checks to counter insider threats
(respectively 89% and 87% agreement) than of the usefulness of a contact point
for employees to report suspicious behavior and exit interviews (respectively
74% and 70% agreement). With respect to the respondents’ motivation to apply
the prescribed insider threat mitigation measures, the majority of the respondents
(+85%) indicates a willingness to investigate each notification of suspicious
behavior.
10.3. How can an effective framework be developed that helps
organizations to mitigate insider threats?
Since the principal aim of organizations is not awareness of the insider
threat problem but mitigation of insider threats, the most valuable contribution
the insider threat research community, and therefore this dissertation, could have
was finding policy recommendations to better protect organizations against
insider threats. In this regard, I wanted to provide organizations with an
intuitive, easily understandable model that presents organizations with a roadmap of
insider threat mitigation advice, but did not find this in the existing insider threat
literature. As a result, a nine-part step-by-step guide (i.e. recruitment,
organizational socialization, observation, investigation, anticipation, damage
limitation, reconstruction, deliberation and termination) was developed that helps
organizations think about insider threat mitigation in their organization. The goal
was to get a deeper understanding of the characteristics of insider threat
mitigation, or to get a more holistic understanding of the different aspects of
insider threat mitigation that organizations should take into account. The different
stages of the theoretical model correspond with different moments an
organization can take decisions that might influence the risk that an insider threat
incident occurs, whereby both the appropriate management decisions and the
possibility of mismanagement were illustrated in each step of the model.
Given that a theoretical outline of the different insider threat mitigation
steps on its own is insufficient to help organizations with the development of
insider threat mitigation policy, the practical usability of the model was increased
via two empirical studies to formulate more concrete policy recommendations
corresponding with each step of the theoretical framework. On the one hand, a
three-round Delphi study iteratively compared the opinions of a multidisciplinary
panel of international insider threat experts through the completion of three
rounds of online questionnaires that contained questions on the nine stages of the
conceptual insider threat mitigation model. On the other hand, tabletop exercises
were played to see to what extent practitioners share the opinion of the Delphi
panel.
The results of the Delphi study provide organizations with useful
insights on what experts consider to be red flags organizations should be vigilant
of, as well as with mitigation measures to better secure themselves against insider
threats. Concerning red flags of insider threat, the panel considers falsifications
of background information, low integrity, addictions (to drugs, alcohol,
gambling), affinity with extremist ideology/organizations, an unresponsive
attitude during the recruitment process and negative advice from either
government authorities or references all factors that may point to insider threat
during recruitment. On the other hand, previous employment for a competitor,
job-hopping, discrepancies between educational and career path and mental and
physical health issues are all examples of factors that were much less perceived
as a red flag of insider threat. The panel gave surprisingly little attention to the
applicant’s motivation to work for the organization. Likewise, apart from
addictions, low priority is given to the applicant’s personal problems, even
though both in the literature (Shaw & Sellers, 2015; Noonan, 2018) and in the
survey it was shown that personal problems can be a possible breeding ground of
insider threats.
Factors that may point to insider threat during employment concern both
individual and organizational factors (Greitzer et. al., 2012; Greitzer et. al.,
2016), with the majority relating to the former. The most obvious warning signals
that were unanimously accepted by the panel are threatening employers or co-
workers and receiving warnings from other employees, clients or third parties
about the behavior of the insider. In line with the insider threat literature
(BaMaung et. al., 2018; Gelles, 2016; Shaw & Sellers, 2015), the panel considers
deviation from normal or baseline behavior an early warning of insider threat
(e.g. unauthorized access attempts, unexplained wealth, changes in lifestyle),
although the results show that not all deviant behavior is worrisome (e.g. changes
in personal status like divorce, changes in online or social media behavior and
changes in mental or physical health). Moreover, personality characteristics (e.g.
not being very empathetic or introversion) were generally less regarded as a red
flag. Concerning underlying reasons of insider threats, the panel rates
disgruntlement with the organization (e.g. as a result of a career disappointment)
relatively higher than personal strains (e.g. financial difficulties or unmet
personal expectations) and personality disorders (e.g. narcissism), something that
is in line with the results of the survey. The presence of a culture of fear and
silence and unexplained irregularities in the accountancy of the organization are
considered to be organizational factors that may stimulate insider threats, while
other organizational factors (e.g. too heavy workloads or high levels of
competitiveness) are not necessarily indicative of future insider threat incidents.
Apart from the insights on potential indicators of insider threats, the
Delphi study resulted in a catalogue of possible insider threat mitigation
measures that organizations can choose from to develop their tailor-made insider
threat mitigation policy, using the conceptual model as a guide. In the recruitment
stage, screening background information of applicants (e.g. verifying CV,
credentials, identity and criminal record) is recommended whereby organizations
need to take screening seriously instead of carrying it out perfunctorily, but also
need to apply a risk-based approach (i.e. adjust screening depending on the
position). In the organizational socialization stage, the panel recommends
organizations to focus on precept (e.g. a code of conduct), habit (e.g. a strong
security culture) and demonstration (e.g. lead by example) to inform (new)
employees on the organizational culture, as well as to have a general supportive
attitude toward insiders (e.g. foster a spirit of belonging and show care when
needed) while simultaneously being strict but fair when it comes to violations of
the code of conduct. In the observation stage, internal reporting (e.g. point of
contact, culture of reporting, …) is considered to be more effective than artificial
intelligence tools (e.g. anomaly detection, UEBA, …). In the investigation stage,
the panel advises organizations to have a formal investigation policy that outlines
who conducts the investigation and how the investigation proceeds, although not
going as far as formally outlining what conduct would trigger the investigation
process. In the anticipation stage, it is noteworthy that the panel rather showed
which practices are less recommended to pre-empt imminent insider threats (e.g.
deterrence practices or awareness-raising initiatives) than which practices are
useful.
In the damage limitation and reconstruction stage, both preparatory
practices (e.g. a business continuity plan and an event notification tree) and
reactive practices (e.g. collecting evidence, identifying and changing
compromised processes and conducting a post-incident analysis) are suggested
by the panel to remedy an insider threat incident, as well as practices related to
internal and external incident communication. In the deliberation stage, the panel
outlined policy recommendations to deal with an insider that is responsible for
an insider threat incident, recommending organizations to have for instance a fair
and consistent disciplinary system that respects the rights of the offender, to
discuss different options with relevant stakeholders and to review access
permissions. In the termination stage, recommended exit procedures were
discussed, some of which were straightforward (e.g. the development, consistent
application and regular update of termination procedures) whereas others
resembled practices suggested in the insider threat literature (e.g. reclaiming
equipment from the terminated employee, revoking virtual and physical access
or conducting an exit interview).
Given that the conceptual model also discussed the possibility of
mismanagement, the panel also elaborated on recommendations to deal with false
positives (i.e. insiders that are wrongly accused of being responsible for an
incident), referring to practices aimed at restoring the relation with the wrongly
accused insider (e.g. full rehabilitation or welfare/psychological support) as well
as practices targeted at preventing the reoccurrence of similar false positives (e.g.
reviewing the indicators and/or the reporting route that led to the false
assessment). Moreover, the desirability of a formal insider threat mitigation team
was questioned, with the panel indicating that the implementation of such a team
should depend on the size and type of the organization, should not necessarily be
a distinct team but can equally reside in an already existing team, and should
cooperate with other relevant stakeholders like co-workers, line management and
social partners.
To see to what extent practitioners from critical infrastructure would
apply the recommendations from the Delphi panel, tabletop exercises were
played. These exercises, however, confirmed that the recommendations from the
Delphi panel are indicative rather than conclusive. Practices that were
recommended (high-rated) by the Delphi panel were sometimes considered not
suitable by the exercise audience, while practices that were less recommended
(low-rated) by the Delphi panel were considered to be useful. The underlying
idea of both the Delphi study and the TTX study was that the outcomes of both
studies would “produce insights, not proofs” (Rubel, 2006:5), and that the
combined insights are used by organizations as input for the establishment of
their tailor-made insider threat mitigation policies (Roungas et al., 2019).

10.4. Concluding remarks

I realize that the research done in the context of this dissertation will not
result in the elimination of the insider threat problem, simply because full
elimination of the problem is utopian. To avoid creating the illusion that this
dissertation will resolve all the problems related to insider threats, in each chapter
I tried to thoroughly discuss the limitations that should be taken into account
when interpreting the results. Academics and/or practitioners that expected a
silver bullet or holy grail of insider threat mitigation from this dissertation will
probably be disappointed after reading this dissertation. Practitioners might for
instance fail to appreciate it because its contributions are too theoretical and are
therefore of lesser interest for practitioners that seek practical recommendations.
Practical recommendations were included in the dissertation, but not in a way
that organizations can copy-paste the results in their own organization. Instead,
organizations have to put some effort in translating the results into their own
organizational context. From an academic point of view, one might (maybe
correctly) argue that some aspects of the dissertation were not ambitious enough,
like for instance the insider trustworthiness assessment model that lacks
empirical validation. Still, time and budget constraints mean that choices have to
be made, and being overly ambitious would have been counterproductive.
Still, I dare to say that the theoretical research (i.e. the insider threat and
insider trustworthiness and betrayal conceptualization, the four-part typology of
security awareness, the conceptual insider threat mitigation model, the
conceptual insider trustworthiness assessment model) and empirical research (i.e.
the insider threat awareness and behavior survey, the Delphi study and the TTX)
outlined in this dissertation have added value for the insider threat (research)
community. On a theoretical level, for instance the insider threat
conceptualization provides a holistic interpretation of the insider threat problem
that addresses the negative aspects of the existing conceptualizations while
simultaneously covering all harmful insider incidents that the organization can
face and addressing the variation within the insider threat concept. In the absence
of a standardized consensus definition of ‘insider’ and ‘insider threat’, I believe
the conceptualization put forward in this dissertation has the potential to fill this
gap in the literature. Moreover, the dissertation addresses another gap in the
(insider threat) literature, the one on insider trustworthiness and betrayal, by
thoroughly conceptualizing these concepts and taking the first step toward
assessment of insider (un)trustworthiness. I do acknowledge that more theoretical
and empirical research is needed to validate and transform the present conceptual
model into an operational model with practical usability. But just like awareness
of the insider threat problem is a prerequisite for insider threat mitigation, getting
an understanding of the way probability of intentional misconduct is dependent
on the interaction between the insider’s disposition to commit misconduct and
the situational circumstances the insider encounters, and transforming this
understanding into a conceptual model, is a prerequisite for the development of
a model that organizations can implement in practice. I believe this dissertation
therefore took this necessary first step toward developing such an assessment
tool, and paved the way for further research that should have the ambition to
validate and operationalize the conceptual model. The same principle, in fact,
applies to the four-part security awareness typology. The insider threat awareness
and behavior survey, whereby the different awareness categories were assessed
on the basis of statements, was only the first attempt to operationalize the four-part
typology, and future research is needed to, for instance, refine the content of
the statements and to construct knowledge and attitude scales that do not measure
awareness per statement but rather measure the aggregate awareness over
different statements of one particular awareness type.
On a practical level, it was my intention to demonstrate both the
wickedness of the insider threat problem and the mitigation of the problem.
Concerning the former, the typology of insider threat characteristics not only
showed that the insider threat can occur in a variety of ways and is therefore more
than ‘devils in disguise’, but also that insider threat is a universal threat that
applies to every sector and organization around the globe. Concerning the latter,
the conceptual insider threat mitigation model showed that insider threat
mitigation corresponds with a lot of decision-making moments that can easily go
wrong in every step of the model, either through judgements of non-threats as
threats (i.e. false positives), threats as non-threats (i.e. false negatives) or
oversight of the threat or omission of the threat mitigation (i.e. null). Based on
case studies of well-known examples of insider threat, like the Fort Hood
shooting or the Anthrax letters, Bunn & Sagan (2016) provide a ‘worst practice
guide’ containing ten practices that organizations should avoid at all times. While
the validity of these worst practices was, either explicitly or implicitly, confirmed
throughout this dissertation, my intention was to go one step further than that and
to complement the worst practice guide with a good practice guide. Providing
organizations with an insider threat mitigation model that consists of a list of
potential red flags that apply to all types of insiders or insider threat cases, or
cataloguing a list of measures that mitigate all kinds of insider threats is, however,
impossible (BaMaung, 2018; Noonan, 2018; Randazzo et al., 2005). Therefore,
the goal of this study was instead the composition of a list of factors that may
point to insider threats and a list of measures that may help organizations in
mitigating insider threats. The added value of the dissertation therefore lies in the
input it gives organizations to think about their insider threat mitigation policy,
more specifically in the form of an inventory of ‘red flags’ that they should be
vigilant of and an inventory of possible insider threat mitigation measures that
they can choose from to develop their tailor-made insider threat mitigation policy.
To conclude, via opinion pieces (Reveraert, 2020; Sauer & Reveraert,
2019; Sauer & Reveraert, 2020) and interviews (Verberckmoes, 2021;
Vereecken, 2021) on the insider threat problem in Belgian media, as well as via
presentations on the subject on a national[136] and international[137] stage, I tried to
raise awareness on the problem, both among practitioners and academics. The
research project tried to bridge the gap between the two worlds, for instance via
the organization of three workshops on the insider threat problem that gathered
relevant stakeholders from both worlds to discuss the problem and look at it from
each other’s perspective. I therefore sincerely hope that this dissertation
contributed and can continue to contribute to putting the insider threat problem
higher on the security agenda, and that it can function as a level-setting study that
paves the way for more research on insider threat awareness and mitigation,
especially in Belgium and by extension the whole of Europe.

[136] For instance presentations for the FEB, FEBETRA, Federal Police and G4S clients, as well as
guest lectures in the context of the Master Safety Sciences at the University of Antwerp.
[137] For instance presentations given at the Counter Insider Threat Student Symposium in March
2021, Behavioral Analysis 2022 in June 2022, the Advanced, Practitioner-Level Training
Course on Preventive and Protective Measures against Insider Threats organized by the
IAEA and the Insider Risk Summit 2022, both in September 2022.

Annex

A. The online questionnaire

Introduction:

Dear respondent,

Thank you for participating in our survey on ‘insider threats’.

Employees that steal, commit fraud, sabotage or leak confidential information: it is every
employer’s nightmare. To better protect organizations from such threats, the University
of Antwerp initiated a research study which requires your assistance. Please complete
our short questionnaire and be the first to know our research findings.

Completing the questionnaire should take no longer than 10 minutes. The questionnaire
should be filled in by the Security Officer of your organization. You can stop the
questionnaire at any time and resume it later. We recommend that you use a computer to
complete the questionnaire, not a mobile phone. Your answers are processed
anonymously.

Do not hesitate to contact us if something is not clear to you.

The research team would like to thank you in advance for your valuable contribution:
Prof. dr. Tom Sauer and doctoral researcher Mathias Reveraert (Universiteit
Antwerpen): mathias.reveraert@uantwerpen.be

Please read the following 'informed consent'-document before participation. The
document provides you with information on how we ensure anonymity and confidentiality of
your data and responses. If you agree, you will be redirected to the questionnaire. If you
disagree, you will not be able to participate in our study.

Part A: Cognitive threat awareness

Nr. Statement Rating*
1 Each employee of the organization poses an insider threat of a similar size.
2 Temporary employees who do not have a permanent employment contract (consultants, working students, agency workers, interns, …) cannot pose an insider threat.
3 Former employees can still pose an insider threat after their employment.
4 An insider threat can only be called such if the employee commits a crime (theft, fraud, …).
5 The insider threat problem is only applicable to large enterprises, not to SMEs.
6 An insider threat might endanger the survival of the organization.
7 A consultant who has access to sensitive information of the organization poses a potential insider threat.
*1 Completely disagree; 2 Disagree; 3 Somewhat disagree; 4 Neither disagree nor agree; 5 Somewhat agree; 6 Agree; 7 Completely agree; 8 No opinion/ I don’t know/ Not applicable
Table A.1: Statements cognitive threat awareness

Part B: Attitudinal threat awareness

Nr. Statement Rating*
1 The insider threat problem deserves more attention in discussions on safety and security.
2 A distinction should be made between insider threats and external threats.
3 Given that our organization trusts its employees, the insider threat problem is not applicable to our organization.
4 Our organization is worried that one of its employees will wittingly misuse his access to the organizational assets.
5 Given that our organization has no significant conflict with one of its employees, our organization is not concerned about insider threats.
6 Employees who have access to the organizational assets are considered a potential insider threat.
*1 Completely disagree; 2 Disagree; 3 Somewhat disagree; 4 Neither disagree nor agree; 5 Somewhat agree; 6 Agree; 7 Completely agree; 8 No opinion/ I don’t know/ Not applicable
Table A.2: Statements attitudinal threat awareness

Part C: Cognitive mitigation awareness

Nr. Statement Rating*
1 Measures taken to protect the organization from external threats are sufficient to protect the organization from insider threats.
2 If an employee is judged trustworthy during the recruitment process, the trustworthiness of that employee should not be re-evaluated during employment.
3 The trustworthiness evaluation should be proportionate to the extent to which the employee has access to the organizational assets (= more access/knowledge means more strict trustworthiness evaluation).
4 Evaluating trustworthiness during employment is just as important as evaluating trustworthiness during recruitment.
5 Employees who suddenly exhibit a remarkable change to their normal behavior (like odd working hours, or sudden unexplained wealth), should be extra monitored by the organization.
6 An employee that in good faith reports suspicious behavior of a colleague, should be sanctioned if the investigation reveals that the reported employee has done nothing wrong.
7 The network account (login & password) of employees that leave the organization should immediately be made inaccessible.
8 Protecting the organization from insider threats is the sole responsibility of employees that are involved with security.
*1 Completely disagree; 2 Disagree; 3 Somewhat disagree; 4 Neither disagree nor agree; 5 Somewhat agree; 6 Agree; 7 Completely agree; 8 No opinion/ I don’t know/ Not applicable
Table A.3: Statements cognitive mitigation awareness

Part D: Attitudinal mitigation awareness

Nr. Statement Rating*
1 Protecting the organization from insider threats is inferior to protecting the organization from external threats.
2 An insider threat policy is a sign of mistrust towards the own employees.
3 Protecting the organization from insider threats is just as important as protecting the organization from external threats.
4 It is an exaggeration to ask future employees that will have access to organizational assets to sign a non-disclosure agreement.
5 It is necessary to check the background of applicants that apply for roles that give access to organizational assets.
6 Interviewing employees that leave the organization adds value to the protection against insider threats.
7 The presence of a point of contact where employees can report suspicious behavior of colleagues is unnecessary.
8 Our organization is prepared to investigate each notification of suspicious behavior.
*1 Completely disagree; 2 Disagree; 3 Somewhat disagree; 4 Neither disagree nor agree; 5 Somewhat agree; 6 Agree; 7 Completely agree; 8 No opinion/ I don’t know/ Not applicable
Table A.4: Statements attitudinal mitigation awareness

Part E: Behavior

Nr. Statement Rating*
1 Our organization has made a threat assessment on insider threats.
2 Our organization simulates insider threats to test its insider threat policy.
3 Our organization subjects all employees to the same trustworthiness evaluation during recruitment.
4 Our organization contacts the references that the future employee provides on his CV.
5 Our organization checks during recruitment the non-work-related social media profiles (Facebook, Twitter, Instagram, …) of employees who will have access to the organizational assets.
6 Our organization subjects all employees to the same trustworthiness evaluation during employment.
7 Our organization checks the non-work-related social media profiles (Facebook, Twitter, Instagram, …) of employees who have access to the organizational assets.
8 Our organization ensures that employees solely have access to the information needed to perform their job.
9 Our organization trains its employees so that they have the necessary skills to report insider threats.
10 Our organization has a point of contact where employees can report suspicious behavior of colleagues.
11 Our organization surveys its employees on their general job satisfaction.
12 Our organization offers employees with personal problems (alcohol addiction, gambling addiction, debts, bereavement, …) professional help.
13 Our organization performs an exit interview with employees that leave the organization.
14 Our organization immediately shuts down all accesses from employees that leave the organization.
*1 Completely disagree; 2 Disagree; 3 Somewhat disagree; 4 Neither disagree nor agree; 5 Somewhat agree; 6 Agree; 7 Completely agree; 8 No opinion/ I don’t know/ Not applicable
Table A.5: Statements behavior

Part F: Multiple Choice questions

1. To which sectoral federation of the FEB does your organization belong?
(Drop-down list)
1) Association of Consulting Engineering, Engineering and
Consultancy Firms (ORI)
2) Audiovisual media (FEBELAV)
3) Belgian society of authors, composers and publishers (SABAM)
4) Belgian Confederation of Motor Vehicle Dealers, Repairers and
Operators in Related Sectors (TRAXIO)
5) Belgian Federation of the Car and Two-wheeler Industries
(FEBIAC)
6) Belgian Brick Industry Federation (BBF)
7) Belgian Financial Sector Federation (FEBELFIN)
8) INDUSTRIAL PACKAGING MANAGEMENT (VALIPAC)
9) Belgian Precast Concrete Federation (FEBE)
10) SECURITY FIRMS (APEG/BVBO)
11) Construction (CONFEDERATIE BOUW)
12) Federation of the Belgian Cement Industry (FEBELCEM)
13) Belgian Federation for Chemistry and Life Sciences Industries
(ESSENSCIA)
14) Waste and recycling sector (DENUO)
15) CONTACTCENTERS (CUSTOMER CONTACT)
16) Diamond industry (SBD)
17) Diamond (AWDC)
18) Miscellaneous Activities (MISCELLANEOUS ACTIVITIES
GROUP)
19) Energy: electricity and gas companies (FEBEG)
20) Energy: electricity and gas network operators (SYNERGRID)
21) Energy: crude oil (FPB/BPF)
22) Graphics industry (FEBELGRA)
23) Commerce and services (COMEOS)
24) Ports (FEDERATION OF BELGIAN PORT EMPLOYERS)
25) National Wood Council (NATIONAL WOOD COUNCIL)
26) HR services (FEDERGON)
27) Steel industry (GSV)
28) Lime, calcareous stones, dolomite and related products (FEDIEX)
29) Clothing and fashion (CREAMODA)
30) NOTARIES (FEDNOT)
31) Paper - Cardboard - Glass (INDUFED)
32) Pension Institutions (PENSIOPLUS)
33) Footwear, tanning and leatherwork industries (LEDERCUIR)
34) Cleaning industry (UGBN/ABSU)
35) Cigarette Manufacturers (CIMABEL)
36) Social Secretariats (USS)
37) Savings Banks (BELGIAN SAVINGS BANKS ASSOCIATION)
38) Technology industry (AGORIA)
39) Textiles, woodworking and furniture (FEDUSTRIA)
40) Tourist Attractions (ATTA)
41) Transport: logistic service providers (FEBETRA)
42) Transport: international trade (FEDERATION OF EMPLOYERS
IN INTERNATIONAL TRADE, TRANSPORT AND
LOGISTICS)
43) INSURANCE COMPANIES (ASSURALIA)
44) FIBRES CEMENT (PROFESSIONAL UNION OF BELGIAN
FIBRE CEMENT MANUFACTURERS)
45) Food Industry Federation (FEVIA)
46) PREPAID VOUCHERS (VIA)
47) Sand Pits (SAND PITS GROUP)
48) SHIP-OWNERS (RBSA)

2. What is the annual turnover (expressed in euro) of your organization?
1) Lower or equal to 2 million
2) 2.01 million – 10 million
3) 10.01 million – 50 million
4) More than 50 million

3. How many employees (FTE) does your organization have?
1) Less than 10
2) 10-49
3) 50-249
4) 250 or more

4. Where is the headquarters of your organization?
1) Flanders
2) Wallonia
3) Brussels Capital Region

5. Does your organization belong to a group of enterprises?
1) Yes
2) No

6. Does your organization operate internationally?
1) Yes
2) No

7. What should be the main focus of insider threat policy?
a. Discouraging employees to pose an insider threat (motivation)
b. Averting that employees have opportunities to pose insider threats
(opportunity)
c. No opinion

8. Does your organization spend more attention to the insider threat problem
now than before?
a. Yes
b. No
c. I don’t know

9. Has your organization already experienced an insider threat incident?
a. Yes
b. No
c. I don’t know

10. How large was the material damage resulting from the insider threat
incident?
1) There was no material damage
2) 0,1-1% of turnover
3) 2-5% of turnover
4) 6-10% of turnover
5) 11-25% of turnover
6) 26-50% of turnover
7) 51-100% of turnover

11. The person responsible for security in your organization (security manager):
a. Works fulltime on security
b. Combines security with other tasks within the organization
c. Our organization does not have a person explicitly responsible for
security
d. I don’t know

12. Within your organization, who is responsible for the protection against
insider threats? (multiple answers possible)
a. Security
b. Human Resources
c. ICT
d. Management
e. Legal
f. Other: …
g. Nobody

13. The knowledge our organization has on insider threats originates from
(multiple answers possible)
a. The government
b. Academia
c. Fellow companies within the sector
d. The FEB
e. Media
f. Own experiences
g. Other: …

14. Which of the insider threats outlined below worry your organization the
most (multiple answers possible)?
a. Radicalisation/extremism/terrorism
b. Interpersonal violence
c. Sexual misconduct
d. Fraud/corruption
e. Theft
f. Sabotage
g. Espionage
h. Whistleblowing (public leakage of sensitive information)
i. Negligence
j. Other: …
k. Our organization is not concerned about insider threats

15. What are the main factors behind insider threats (multiple answers
possible)?
l. Ideology or religion
m. Revenge out of disgruntlement with the organization
n. Personal problems (like addictions)
o. Greed
a. Coercion by external party
b. Negligence
c. Moral concerns with organizational activities
d. Concerns with organizational security practices
e. Personal relationship (love, empathy, …)
f. Employees who are manipulated by external parties into giving
access to the organizational assets (social engineering)
g. Personality disorder (like narcissism or psychopathy)
h. Other: …
i. Our organization is not concerned about insider threats

16. What is your sex?
a. Male
b. Female
c. X

17. How long have you been active in your organization?
1) Less than 2 years
2) 2-5 years
3) 6-10 years
4) More than 10 years

18. How long have you been active in the sector your organization belongs to?
1) Less than 2 years
2) 2-5 years
3) 6-10 years
4) More than 10 years

19. What is your function within your organization? Please provide the specific
title.
a. Employee: …
b. Executive: …
c. Management: …
d. Other: …

20. Do you have a security clearance?
a. Yes
b. No

21. May we contact you for an interview on insider threats? If so, please
provide your email address.
a. No
b. Yes: …

22. Would you like us to inform you on the research findings of our survey? If
so, please provide your email address.
a. No
b. Yes: …

23. Thank you for your valuable contribution. If you have any feedback on our
questionnaire, please comment below, or mail to
mathias.reveraert@uantwerpen.be

B. Item-selection for the TTX

B.1. Recruitment – Good practices


Nr. Good Practices Recruitment (ENG)
1 Check with the desk clerk if the candidate was friendly
2 Check vulnerability for manipulation by a hostile party (social engineering)
3 Check social media
4 Check financial records
5 Check criminal record
6 Check open sources like the internet
7 Check listed professional references (like previous employers/co-workers)
8* Verify professional history of the candidate (diplomas, licenses, professional certifications, ...)
9 Check psychological or mental fitness for duty
10 Check listed social network references (like friends and family)
11 Do an identity check
12* Conduct an integrity interview whereby the candidate reflects on integrity dilemma cases
13 Follow-up on any issues raised by references
14 Use personality tests (like Hexaco)
15* Use probationary periods and make clear that passing from probationary status is by no means automatic
16 Use standard application forms for the recruitment process
17 Give the candidate a questionnaire with a lot of open questions
18 Have a coherent list of non-acceptable convictions
19 Implement a government security clearance program if possible
20 Let trained interviewers conduct an in-depth interview with the candidate
21 Let multiple actors within the organization decide upon a hire
22 Training and awareness of recruiters (investigative interviewing, insider threat indicators, ...)
23 Ask non work-related questions (job of partner, number of recent house moves, hobbies, ...)
24 Outsource background screening
25 Verify self-reported claims (like salary history)
26 Conduct an interview with the manager of the team the candidate will be assigned to
27 Conduct a group interview with the managers of the teams that often interact with the team the candidate will be assigned to
28 Conduct a group interview with the team the candidate will be assigned to
29 Request only original documents of educational and professional paths (do not allow copies)
30 Request written documentation of educational and professional paths (allow copies)
31 Ask personal letters of recommendation (no standard letters)
32 Be transparent to the candidate on the recruitment and screening process, including consequences for missing/false information
Merged 8 Verify CV
Merged 8 Verify every single credential (diplomas, licenses, professional certifications, ...)
Merged 12 Let candidates reflect on integrity dilemma cases
Merged 12 Conduct an integrity interview
Merged 15 Use probationary periods
Merged 15 Make clear that passing from probationary status is by no means automatic
Not included Take screening seriously instead of pro-forma
Not included Adopt a risk-based approach (adjust screening depending on the position)
Not included Make a thorough screening procedure common practice
Not included Check non-listed references elicited from listed references
Not included Conduct a drug screening
Not included Conduct an alcohol screening
Table B.1: Item-selection for TTX - Recruitment good practices

B.2. Recruitment – Red flags


Nr. Red Flags Recruitment (ENG)
1 Abnormal educational path (lot of courses, courses abroad, courses not completed/stopped abruptly, ...)
2 Discrepancy between educational and professional career path
3 Having been fired from similar jobs before
4 Physical health issues
5 Lack of financial stability
6 Low score on integrity
7 Low score on humility
8 Low score on resilience
9 Low score on friendliness
10 Low score on conscientiousness
11 No background information available for the candidate
12 No social media footprint
13 History of intensive travel
14 Multiple citizenship
15 High frequency of moves between employers (job-hopping)
16 High score on arrogance
17 High score on immaturity
18 High score on narcissism
19 Current or previous anger management issues
20 Current or previous extremist ideology
21 Inadequate/deviating responses to questions during interview
22 Instable relationship status (frequent different partners, divorce, ...)
23 Irrelevant/sensitive questions asked by candidate during interview
24* Candidate has an addiction problem (alcohol, gambling, drugs, etc.)
25 Non-blanco criminal record
26 Manipulative nature
27 Mental health issues (like depression)
28 Negative advice following security clearance screening by government authorities
29 Negative references (conflict with previous manager/employer, violations of policies in previous workplaces, …)
30* Inappropriate behavior in current or past ties outside of work (social unrest, interpersonal violence, ...)
31 Unclear reason for ending previous job(s)
32 Being dishonest/incomplete about involvement in bankruptcy
33 Inappropriate social media footprint
34 Illogical responses to questions during interview
35* Illogical or unclear motivation for why candidate wants to work for the organization
36 Unexplained periods of unemployment
37 Inability to receive constructive criticism
38 Incomplete information on professional history (work/education)
39 Excessive social media footprint
40 Social network risks (like family, friends or foreign contacts)
41 Cold applications (without open/announced vacancy) for critical positions
42* Reticent attitude of candidate (unwillingness to undergo background check, provide references, etc.)
43 Previous employment for a competitor
Merged 24 Drug addiction
Merged 24 Alcohol addiction
Merged 24 Gambling addiction
Merged 30 Current or previous interpersonal violence (harm to self or others)
Merged 30 Candidate supported societal upheaval in the past
Merged 30 Maladaptive behaviors in current or previous affiliations outside workplace (school, church, ...)
Merged 35 Illogical motivation why candidate wants to work for the organization
Merged 35 No clear motivation why candidate wants to work for the organization
Merged 42 Reluctance to approve background screening
Merged 42 Reluctance to provide references
Not included False information on professional history (work/education)
Not included Membership of certain illegal or illegitimate organizations/associations
Not included False reason for ending previous job(s)
Not included False criminal record
Not included Conflict of interest
Not included Indiscretion
Not included Father-deficiency (abusive or absent father)
Table B.2: Item-selection for TTX - Recruitment red flags

B.3. Organizational socialization – Good practices


Nr. Good Practices Organizational Socialization (ENG)
1 Use positive reinforcement (reward appropriate conduct)
2 Underline open feedback culture and transparency
3 Have compliance registers
4 Use negative reinforcement (punish inappropriate conduct)
5 Create a culture of constructive dissent
6 Create an open culture where employees can ask questions about integrity issues
7 Build trust between supervisors and employees
8 Enquire employees on a regular basis to get a feeling of general mood
9 Have an appeal process to resolve management-employee disputes before they fester
10 Have a clear code of conduct that undiscussable states expectations regarding appropriate conduct
11 Use the code of conduct and policies and procedures in case of detected issues
12 Use a mentor/buddy system
13* Use intranet, newsletters, e-mail campaigns, posters, screensavers, etc. to communicate expectations about appropriate behavior
14* Use game principles (Gamification) to encourage friendly competition between work units
15 Use self-evaluation
16 Have a welcome policy outlining the organization's history, mission, values, ...
17* Inclusion of the (new) employee (being part of the team)
18 Installation of a point of contact for questions
19 Let employees accept policies and procedures in writing
20 Show that you care about the employee
21* 'Lead by example' by senior and direct managers
22* Detail the code of conduct in policies and procedures
23 Use peer or '360' evaluation
24 Make integrity part of the regular evaluation procedure by management
25 Make expectations concrete and achievable
26 Communication of sanctions taken against misconduct by an employee
27 Take appropriate measures if there are violations of the code of conduct
28 Organize mandatory onboarding training that provides detailed information on expectations regarding appropriate conduct
29* Periodic awareness campaigns on expectations regarding appropriate behavior/safety for the entire company
30* Regular evaluation of employee performance by management
31 Regular formal meeting with line manager to ensure employees are aware of expectations regarding appropriate conduct
32 Phase in granting of access to more privileges and responsibilities based on performance
33 Team building events/days
34 Casual/informal reminders on expectations during ongoing communications from line managers (like staff briefings)
35 Clarify not only appropriate conduct, but also what conduct is considered as inappropriate (including reasons for termination)
36 Ask explicit consent for control
37 Be transparent on control measures
38 Employ a strong security culture within the organization so that expectations are reinforced through colleagues
39 Visibility of integrity as a core value on corporate website/social media/recruitment campaigns
40 Install a culture of social control and confidentiality
Merged 13
    Use intranet to communicate expectations regarding appropriate conduct
    Develop newsletters, email campaigns, posters, screen savers, with key rules regarding appropriate conduct
Merged 14
    Use game-design elements and game principles (Gamification)
    Foster friendly competition between work units
Merged 17
    Foster a spirit of belonging (being part of the team)
    Orientate new employees to their unit and their role in the larger organization (ensure inclusion)
Merged 21
    Lead by example by senior leadership
    Lead by example by middle management
Merged 22
    Explain the code of conduct in more detail in policies and procedures
    Develop a small but clear document with 'golden rules'
Merged 29
    Recurrent company-wide awareness campaigns on expectations regarding appropriate conduct
    Recurrent security awareness programs
Merged 30
    Regular employee performance evaluation conducted by management
    Regular employee performance evaluation conducted by management
Not included
    Embrace continuous improvement principles to rapidly respond to changing needs of the workforce
Table B.3: Item-selection for TTX - Organizational socialization good practices

B.4. Observation – Good practices


Nr. Good Practices Observation (ENG)
1 Reward employees that report red flags
2 Have various means to report red flags
3 Secure endpoints or entry points of end-user devices such as desktops, laptops, and mobile devices (endpoint security tools)
4 Create a culture of reporting where employees know they are actually helping co-workers by disclosing concerns
5 Create a supportive culture
6 Conduct desktop simulations
7 Insist on a regular use of vacation and holiday time off from work
8 Implement an anonymous whistleblower system (compliant with relevant legislation and not only ticking the box)
9 Put in place a hotline to report red flags
10 External audit
11 Physical protection and technical measures (decent camera systems, ...)
12* Use artificial intelligence/machine learning to find warning signals (UEBA, Anomaly Detection, Sentiment Analysis, Keyword Matching, ...)
13* Use and audit a system to monitor the use of badges/access rights (electronic access control)
14* Use a formal assessment process supported by regular catch-up sessions
15 Encourage isolated or withdrawn employees to participate in informal gatherings
16 Require management sign-off for potentially disruptive actions
17 Repeat screening when employee moves to a more vulnerable position
18 Declaration by the organization of assets and interests
19 Installation of a point of contact to report red flags
20 Internal audit
21 Invest in a culture of open feedback and trust
22 Job rotation
23 Let security report directly to the CEO
24 Let employees work in teams
25 Put responsibility for monitoring behavior with all members of staff, not just the security team (vigilant managers & staff)
26 Do not punish employees that make a wrong call when reporting red flags in good faith
27 Scrutiny of internet use and social media activity
28 Development of a formal threat assessment
29 Periodic and variable workplace climate surveys
30 Periodic and variable psychological assessment (fitness for duty screening)
31 Put in place alarms on access systems
32 Conduct red team tests
33 Risk analysis based on access and impact
34 Separation of key roles/duties
35 Structure coordination and communication along the organization (avoid information silos)
36 Stage manipulation by a hostile third party (social engineering)
37 Data loss prevention (DLP) tools
38 Tailor-made training for managers and staff to detect and report red flags in their context
39 Conduct random tests
40 Four-eyes principle/two-person rule
41* Prevent an employee from accessing data/facilities he/she does not need for his/her work (role-based access)
42 Formally inform employees that use of time during work hours can be checked by private investigators
43 Promote self-reporting
44 Ensure insider threat awareness on Board, CEO and management levels
45 Ensure an active role of line manager/supervisor following-up if someone appears unhappy or different from usual
Merged 12
    Computationally analyze employee's opinions, sentiments and emotions expressed in text (sentiment analysis)
    Computationally identify unexpected items or events in data sets which differ from the norm (anomaly detection)
    Use artificial intelligence/machine learning to find red flags
    Keyword matching (emails, chats, web usage)
    User and entity behavior analytics (UEBA) tools
Merged 13
    Audit access registration systems
    Use a system to monitor the use of badges/access rights (electronic access control)
Merged 14
    Utilize a formal appraisal process supported by regular catch-up sessions
    Annual professional development interviews
Merged 41
    Restrict access for critical systems/applications/sites
    Avoid that an employee can consult data/facilities he/she doesn't need for his/her job (role-based access)
Not included
    Alcohol screening
    Track company vehicles during work hours (in a legal manner)
    Behavior observation program
    Trustworthiness evaluation/investigation by police, military, or intelligence services
    Drug screening
    Scrutinize workforce segments that have wider access/greater impact
    Oversight of line management
Table B.4: Item-selection for TTX - Observation good practices

B.5. Observation – Red flags


Nr. Red Flags Employment (ENG)
1 Abnormal cyber activities on- and off-site (for example large up/downloads)
2 Making threats against employer or other employees
3 Burn-out
4 Employee volunteers for new sensitive projects
5 Employee wants to define his/her job him-/herself
6 Participating in manifestations of extreme organizations
7 Participating in illegal activities
8 Impending termination of contract
9* Drug or alcohol abuse
10 Lone wolves who have contact with colleagues
11 Financial difficulties
12* Lack of adaptability in adverse circumstances (failure to respond appropriately to stress or crisis, ...)
13 Absence of interest by employer/co-workers in the employee's frustrations about the job
14 Lack of responsibility
15 Being easily frustrated or disappointed (anger management issues)
16 Repeatedly declining to take annual leave
17 Repeatedly declining to allow others to serve as back-up for handling responsibilities (control freak)
18 High level of competitiveness
19 Indications of unmet personal expectations (personal stressors)
20 Indirectly expressing negative feelings towards employer/co-workers instead of openly addressing them (passive aggression)
21 Introversion
22 Vulnerability to blackmail
23 Narcissism
24 Negative security screening advice from government authorities
25 Not being very empathetic
26 Not being able to deal with criticism
27 Maladaptive behaviors outside workplace
28 Uneasiness with fellow employees
29 Disgruntlement as a result of career disappointment
30* Unexplained irregularities in the organization's accountancy
31 Unexplained wealth
32 Remotely accessing systems at uncharacteristic hours
33 Organizational culture of fear and silence
34 Gambling
35 Sudden intensive travel
36 Sudden and unexplained change in performance
37* Sudden changes in working hours (working more or less than expected, unauthorized absence, abnormal absenteeism, ...)
38* Attempts to remove sensitive data (physical and cyber methods)
39 Unauthorized access attempts to systems or physical locations not necessary for the job
40* Directly expressing negative feelings toward employer/colleagues (online or in person)
41 Love relationship with a colleague
42* Signs of radicalization (making statements or defending extremist/radical views, ...)
43 Too heavy workload
44 Team members leaving the organization
45* Time pressure or bureaucracy ('red tape') leading to unwanted shortcuts
46* Changes in physical health (poor personal hygiene, ...)
47 Changes in mental health
48 Changes in lifestyle (new car, expensive clothes, ...)
49 Changes in online or social media behavior
50 Changes in personal status (divorce, new partner, ...)
51 Warnings received from other employees, clients or third parties on the behavior of the employee
52 Employee takes long lunch breaks without colleagues
53 Employee is not open to audits
54* Employee tests boundaries to see if he/she can get away with it (e.g. failure to comply with safety and (cyber) security policies and procedures)
Merged 9
    Alcohol abuse
    Drug abuse
Merged 12
    Lack of adaptability in adverse circumstances
    Not responding well under stress or during crises
Merged 30
    Unexplained irregularities in the accountancy of the organization
    Increase in organizational losses
Merged 37
    Abnormal high absenteeism
    Working less than expected (come late/leave early)
    Unauthorized absence
    Sudden changes in working hours
    Working a lot of overtime (come early/stay late)
Merged 38
    Unnecessary copying of material (physical or digital)
    Attempts to remove sensitive data (physical and cyber methods)
Merged
    Directly expressing negative feelings towards employer/co-workers in person
    Directly expressing negative feelings towards employer/co-workers online
Merged 42
    Signals of radicalization (like change in physical appearance)
    Making or defending statements of extremist/radical point of view
Merged 45
    Red tape leading to unwanted shortcuts
    Time pressure leading to unwanted shortcuts
Merged 46
    Poor personal hygiene
    Changes in physical health
Merged 54
    Not complying to safety and (cyber)security policies and procedures
    Employee pushes rules to see whether he/she can get away with it (boundary probing)
Not included
    Interest in matters outside of the scope of his/her job
    Compulsive behavior
    Inappropriate communications (in person or online)
    Being flexible with ethics or morals
    Changes in the way an employee expresses him-/herself
    Employee receives strange phone calls
Table B.5: Item-selection for TTX - Observation red flags

B.6. Investigation – Good practices
Nr. Good Practices Investigation (ENG)
1 Automate data aggregation rather than asking for data from different data owners for each new investigation
2 Review emails and ICT history of the suspect
3 Assess whether there is a link with external criminality (suspect providing help to criminals outside the organization)
4 Have trained and experienced staff to conduct the investigation
5 Involve as few people as possible until anomalies and allegations are confirmed
6 Culture of presumption of innocence
7 Mask the identity of the suspect until anomalies and allegations are confirmed
8 Detect and use only what is legally authorized
9 Explicitly define threshold of concerning behaviors that must be met before an investigation is launched
10 Review financial circumstances of the suspect
11 Use a team approach
12 Approval of formal investigation policies and procedures by social partners
13 Not act in a haste unless the situation appears urgent
14 Have a formal investigation policy, procedures and process (who conducts investigation and how)
15 Have an internal investigation protocol regarding concerns reported through the whistleblowing system
16 Interview other stakeholders (like co-workers/managers)
17 Senior ownership of the investigation process
18 Inform prosecutor & police
19 Investigate à charge and à décharge
20 Regularly interact with applicable police, prosecutor, security and intelligence services (proactive rapport)
21 Respect the (legal) rights of the suspect
22 Involve external expertise from the beginning (like a private investigator)
23 Temporary reassignment of the suspect to a less sensitive area during the investigation (time-out)
24 Be transparent on the investigative process
25 Triangulate information sources
26 Compare observed behavior with duties and tasks of the suspect
27 Avoid a witch hunt
28 Have a formal conversation with the suspect
29 Have an informal conversation with the suspect
30 Make sure unauthorized staff members do not conduct their own investigation and make accusations
31 Ensure you know what the normal situation is meant to be like to allow audit trails (like material inventories if suspicion of stolen material)
32 Make sure different entities must give their consent to start an investigation
33 Have policies and procedures in place to determine if the behavior is concerning enough to warrant a response
34 Provide sufficient resources to conduct investigations
Table B.6: Item-selection for TTX - Investigation good practices
C. Author contributions

Chapter Author contributions

Chapter 1: introduction /

Chapter 2: Conceptualizing the insider threat problem
• Based upon the article ‘Redefining insider threats: a distinction between insider hazards and insider threats’ published in ‘Security Journal’, co-authored with Prof. dr. Tom Sauer in December 2021.
    Mathias Reveraert: literature review, theory development and drafting the manuscript
    Tom Sauer: revising the manuscript

Chapter 3: Understanding insider trust(worthiness) and betrayal
    Mathias Reveraert: literature review, theory development and drafting the manuscript
    Tom Sauer: revising the manuscript

Chapter 4: Categorizing the insider threat problem
• Based upon the book chapter ‘Insider threat to critical infrastructure: a typology’, co-authored with dr. Marlies Sas, Prof. dr. Genserik Reniers, Prof. dr. Wim Hardyns and Prof. dr. Tom Sauer. The chapter is accepted for the book ‘Management and Engineering of Critical Infrastructures’, edited by Bedir Tekinerdogan, Mehmet Aksit, Cagatay Catal, Will Hurst & Tarek Alskaif
    Mathias Reveraert: literature review, theory development, selection of examples and drafting the manuscript
    Marlies Sas: selection of examples and drafting the manuscript
    Genserik Reniers, Wim Hardyns & Tom Sauer: revising the manuscript

Chapter 5: Four-part typology of security awareness
• Based upon the article ‘A four-part typology to assess organizational and individual security awareness’, published in ‘Information Security Journal’, co-authored with Prof. dr. Tom Sauer.
    Mathias Reveraert: literature review, theory development and drafting the manuscript
    Tom Sauer: revising the manuscript

Chapter 6: Insider threat awareness in a Belgian context
• Based upon a research report that was published earlier and that was co-authored with Prof. dr Tom Sauer.
    Mathias Reveraert: research design, research execution and drafting the manuscript
    Tom Sauer: feedback research design, interpretation results and revising the manuscript

Chapter 7: A conceptual model for insider threat mitigation
    Mathias Reveraert: literature review, theory development and drafting the manuscript
    Tom Sauer: revising the manuscript

Chapter 8: A Delphi study on insider threat mitigation
• Based upon a research report that was published earlier and that was co-authored with Prof. dr Tom Sauer.
    Mathias Reveraert: research design, research execution, drafting and revising the manuscript
    Tom Sauer: feedback research design, interpretation results and revising the manuscript

Chapter 9: Tabletop-exercises on insider threat mitigation
    Mathias Reveraert: literature review, theory development and drafting the manuscript
    Tom Sauer: feedback research design, interpretation results and revising the manuscript

Chapter 10: Conclusions /


Table C.1: Author contributions

573
References

Afolabi, M. B. (2017). An Insight to Security Vetting. In L. N. Asiegbu, Unending


Frontiers in Intelligence and Security Studies (pp. 61-69). Ekiti, Nigeria:
Intelligence and Security Studies Programme, Afe Babalola University, Ado.
Agnew, R. (1992). Foundation for a Generalism Strain Theory. Criminology, 30(1),
47-87.
Agnew, R., & Peters, A. A. (1986). The Techniques of Neutralization An Analysis of
Predisposing and Situational Factors. Criminal Justice and Behavior, 13(1),
81-97.
Albrechtsen, E. (2003, August). Security vs safety. Opgeroepen op November 13, 2019,
van Semantic Scholar:
https://pdfs.semanticscholar.org/451c/18d9b07ecda89b367095c48582358a1f3c
51.pdf
Alvarez, J., & Djaouti, D. (2012). An introduction to Serious game: Definitions and
concepts. Proceedings of the Serious Games & Simulation for Risks
Management Workshop (pp. 11-15). Paris: Laboratory for Research in Science
of Energy. Opgehaald van http://www.hayka-
kultura.org/images/Proceedings%20SGS%20Wkshp%202011%20ind%2004.p
df#page=11
Anderson, M. (1994). Introduction. In T. R. Sarbin, R. M. Carney, & C. Eoyang (eds.),
Citizen Espionage Studies in Trust and Betrayal (pp. 1-17). United States of
America: Greenwood Publishing Group.
Annemans, L. (2020, March 31). Coronagesprek met een non-believer. De Tijd.
Opgehaald van https://www.tijd.be/opinie/algemeen/coronagesprek-met-een-
non-believer/10217728.html?
Annemans, L. (2020, April 6). Uit de coronatunnel: gesprek met een bedrijfsleider. De
Tijd. Opgehaald van https://www.tijd.be/opinie/algemeen/uit-de-coronatunnel-
gesprek-met-een-bedrijfsleider/10219137.html
Armstrong, N. J. (2013). With an Eye Open and a Round Chambered: Explaining the
Afghan Insider Threat and its Implications for Sustained Partnership. Journal
of Intervention and Statebuilding, 7(3), 223-240.
Arnoudt, R. (2020, March 20). Vreemdelingenzaken laat 300-tal mensen zonder
papieren uit gesloten centra vrij, burgemeesters boos. VRT NWS. Opgehaald

574
van https://www.vrt.be/vrtnws/nl/2020/03/20/dienst-vreemdelingenzaken-laat-
300-tal-mensen-zonder-papieren-ui/
Baert, D. (2021, October 20). Ziekenhuizen willen personeel dat zich niet laat
vaccineren kunnen ontslaan. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2021/10/20/vaccinatieplicht-ziekenhuizen/
Baier, A. (1986). Trust and Antitrust. Ethics, 96(2), 231-260.
Bailey, T. (2002, April 1). On Trust and Philosophy. Opgehaald van The Open
University: https://www.open.edu/openlearn/history-the-
arts/culture/philosophy/on-trust-and-philosophy
Baker, J., Lovell, K., & Harris, N. (2006). How expert are the experts? An exploration
of the concept of 'expert' within Delphi panel techniques. Nurseresearcher,
14(1), 59-70.
BaMaung, D. (2018). The Hidden Threat. International Airport Review, 22(4), 22-25.
BaMaung, D., McIlhatton, D., MacDonald, M., & Beattie, R. (2018). The Enemy
Within? The Connection between Insider Threat and Terrorism. Studies in
Conflict & Terrorism(41:2), 133-150. doi:10.1080/1057610X.2016.1249776
Barbé, L. (2012). Hoofdstuk 5: Pakistan. In L. Barbé, België en de bom: de rol van
België in de proliferatie van kernwapens (pp. 69-122). Opgehaald van
http://www.lucbarbe.be/sites/default/files/boek/files/Belgie-en-de-bom.pdf
Barbieux, Y. (2021, September 11). Britse majoor veroordeeld voor stelen tanks uit
Belgisch legermuseum: “U zou uit pure schaamte de rechtszaal met
neerhangend hoofd moeten verlaten”. Het Nieuwsblad. Opgehaald van
https://m.nieuwsblad.be/cnt/dmf20210911_93847854
Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. R. (2013). Don’t make
excuses! Discouraging neutralization to reduce IT policy violation. Computers
& Security, 39, 145-159. doi:http://dx.doi.org/10.1016/j.cose.2013.05.006
Barnes, J. E., Spigariol, A., Nicas, J., & Goldman, A. (2022, March 15). Submarine
Spy Couple Tried to Sell Nuclear Secrets to Brazil. New York Times.
Opgehaald van https://www-nytimes-
com.cdn.ampproject.org/c/s/www.nytimes.com/2022/03/15/us/politics/submari
ne-spy-brazil.amp.html
Barrios, M., Guilera, G., Nuno, L., & Gomez-Benito, J. (2021). Consensus in the
delphi method: What makes a decision change? Technological Forecasting &
Social Change, 163, 1-10. doi:https://doi.org/10.1016/j.techfore.2020.120484

575
BBC News. (2018, November 15). Ian Naude: How predatory paedophile joined
police. BBC News. Opgehaald van https://www.bbc.com/news/uk-england-
shropshire-46220586
BBC News. (2018, November 19). Zholia Alemi: Foreign doctor checks after fake
psychiatrist case. BBC News. Opgehaald van
https://www.bbc.com/news/health-46258687
BBC News. (2019, December 19). Eskom crisis: Arrests over $50m South Africa
power station 'fraud'. BBC News. Opgehaald van
https://www.bbc.com/news/world-africa-50854186
BBC News. (2019, July 05). Norway ex-minister Svein Ludvigsen guilty of sexually
abusing asylum seekers. BBC News. Opgehaald van
https://www.bbc.com/news/world-europe-48880551
BBC News. (2019, November 21). Patient died after 'transplant surgeon error'. BBC
News. Opgehaald van https://www.bbc.com/news/uk-wales-50493248
BBC News. (2019, December 16). Workers secure fresh victory over Post Office. BBC
News. Opgehaald van https://www.bbc.com/news/business-50806745
BBC News. (2020, March 29). Coronavirus: YouTube stars urge fans to stay at home.
BBC News. Opgehaald van https://www.bbc.com/news/technology-52084700
BBC News. (2020, November 19). Kenya arrests four more after BBC Africa Eye baby
stealers exposé. BBC News. Opgehaald van https://www.bbc.com/news/world-
africa-54986993
BBC News. (2020, March 4). US defence department linguist charged with espionage.
BBC News. Opgehaald van https://www.bbc.com/news/world-us-canada-
51746192?intlink_from_url=https://www.bbc.com/news/world&link_location
=live-reporting-story
BBC News. (2020, June 23). US soldier Ethan Melzer accused of planning attack on
own unit. BBC News. Opgehaald van https://www.bbc.com/news/world-us-
canada-53145806
Beattie, R. (2019). International Symposium on Insider Threat Mitigation. Round
Table: Insider Motivations and Intentions. Brussels, Belgium: Federal Agency
for Nuclear Control (FANC) & National Nuclear Security Administration
(NISA). Opgehaald van http://insiderthreatmitigation.org/program
Beattie, R., & BaMaung, D. (2015). Mind the Gap: HRD's Role in Keeping
Organization's Safe. 16th International Conference on Human Resource

576
Development Research and Practice across Europe. Cork, Ireland: Academy
of Human Resource Development.
Becker, H. (1963). Outsiders. In H. Becker, Outsiders: Studies in the Socioloy of
Deviance (pp. 1-15). New York: The Free Press.
Beckers, K., & Pape, S. (2016). A Serious Game for Eliciting Social Engineering
Security Requirements. 2016 IEEE 24th International Requirements
Engineering Conference (pp. 16-25). Beijing, China: IEEE.
doi:10.1109/RE.2016.39
Bell, A. J., Rogers, M. B., & Pearce, J. M. (2019). The insider threat: Behavioral
indicators and factors influencing likelihood of intervention. International
Journal of Critical Infrastructure Protection(24), 166-176.
Ben-Ner, A., & Halldorsson, F. (2010). Trusting and trustworthiness: What are they,
how to measure them, and what affects them. Journal of Economic
Psychology, 31, 64-79. doi:10.1016/j.joep.2009.10.001
Bews, N., & Martins, N. (2002). An Evaluation of the Facilitators of Trustworthiness.
SA Journal of Industrial Psychology, 28(4), 14-19.
Biaggio, M., Paget, T. L., & Chenoweth, M. S. (1997). A Model for Ethical
Management of Faculty-Student Dual Relationships. Professional Psychology:
Research and Practice, 28(2), 184-189.
Bies, R. J., & Tripp, T. M. (1996). Beyond Distrust. "Getting Even" and the Need for
Revenge. In R. M. Kramer, & T. R. Tyler, Trust in organizations: Frontiers of
theory and research (pp. 246-260). London: Sage Publications.
Bijlsma, K., & Koopman, P. (2003). Introduction: trust within organisations. Personnel
review, 32(5), 543-555. doi:10.1108/00483480310488324
Bishop, M., Engle, S., Frincke, D. A., Gates, C., Greitzer, F. L., Peisert, S., & Whalen,
S. (2010). A Risk Management Approach to the 'Insider Threat'. In C. W.
Probst, J. Hunker, D. Gollmann, & M. Bishop, Insider Threats in Cyber
Security (pp. 115-137). Boston: Springer.
Bishop, M., Gates, C., Frincke, D., & Greitzer, F. L. (2009). AZALIA: an A to Z
Assessment of the Likelihood of Insider Attack. IEEE Conference on
Technologies for Homeland Security (pp. 385 - 392). Boston: IEEE.
Biswas, S. (2020, January 27). Nambi Narayanan: The fake spy scandal that blew up a
rocket scientist’s career. BBC News. Opgehaald van
https://www.bbc.com/news/world-asia-india-

577
49836270?intlink_from_url=https://www.bbc.com/news/world&link_location
=live-reporting-story
Black, L. J., & Andersen, D. F. (2012). Using Visual Representations as Boundary
Objects to Resolve Conflict in Collaborative Model-Building Approaches.
Systems Research and Behavioral Science, 29, 194-208. doi:10.1002/sres.2106
Blodgett, B. J. (2010). Trustworthy or Accountable: Which is Better? Reflective
Practice: Formation and Supervision in Ministry, 34-45.
Blokland, P. J., & Reniers, G. (2018). Safety security A fundamental exploration and
understanding of similarities and differences. Safety - Security Synergies &
Tensions (pp. 1-6). Château de Montvillargenne, Gouvieux, France: NeTWork.
Blum, G. S., & Schmitt, M. (2017). The Nonlinear Interaction of Person and Situation
(NIPS) Model and Its Values for a Psychology of Situations. In J. F.
Rauthmann, R. A. Sherman, & D. C. Funder, The Oxford Handbook of
Psychological Situations (pp. 14–24). Oxford: Oxford University Press.
doi:https://doi.org/10.1093/oxfordhb/9780190263348.013.24
Blum, G. S., Rauthmann, J. F., Göllner, R., Lischetzke, T., & Schmitt, M. (2018). The
Nonlinear Interaction of Person and Situation (NIPS) Model: Theory and
Empirical Evidence. European Journal of Personality, 32, 286-305.
doi:10.1002/per.2138
Bové, L. (2021, August 13). Onderzoek naar sabotage kerncentrale Doel na 7 jaar
afgerond. De Tijd. Opgehaald van https://www.tijd.be/politiek-
economie/belgie/algemeen/onderzoek-naar-sabotage-kerncentrale-doel-na-7-
jaar-afgerond/10325602.html
Bové, L. (2021, March 13). 'Sky ECC-kraak legt corruptie bloot bij overheidsdiensten'.
De Tijd. Opgehaald van https://www.tijd.be/politiek-
economie/belgie/algemeen/sky-ecc-kraak-legt-corruptie-bloot-bij-
overheidsdiensten/10290968.html
Brock, T. (2020, March 30). Ultra-orthodoxe joden in Israël houden zich niet aan
coronamaatregelen. NOS Nieuws. Opgehaald van
https://nos.nl/artikel/2328871-ultra-orthodoxe-joden-in-israel-houden-zich-
niet-aan-coronamaatregelen.html
Brown, C., Watkins, A., & Greitzer, F. (2013). Predicting Insider Threat Risks through
Linguistic Analysis of Electronic. 46th Hawaii International Conference on
System Sciences (HICSS-46) (pp. 1849-1858). Hawaii: IEEE. Opgehaald van
https://ieeexplore.ieee.org/abstract/document/6480064

578
Buechner, J., Simon, J., & Tavani, H. T. (2014). Re-Thinking Trust and
Trustworthiness in Digital Environments. Ambiguous Technologies:
Philosophical Issues, Practical Solutions, Human Nature: Proceedings of the
Tenth International Conference on Computer Ethics (pp. 65-79). Menomonie :
CEPE 2013 (Edited by E. Buchanan et al.).
Bunn, M. (2020). The Need for Creative and Effective Nuclear Security Vulnerability
Assessment and Testing. Project on Managing the Atom. Opgehaald van
https://scholar.harvard.edu/files/matthew_bunn/files/iaea-cn-278-587.pdf
Bunn, M., & Glynn, K. M. (2016). Preventing Insider Theft: Lessons from the Casino
and Pharmaceutical Industries. In M. Bunn, & S. Sagan, Insider Threats (pp.
121-144). Ithaca: Cornell University Press.
Bunn, M., & Sagan, S. (2016). Insider Threats. Ithaca: Cornell University Press.
doi:https://doi.org/10.7591/9781501705946
Carney, R. M. (1994). The Enemy Within: A Social History of Treason. In T. R.
Sarbin, R. M. Carney, & C. Eoyang (eds.), Citizen Espionage: Studies in Trust
and Betrayal (pp. 19-38). United States of America: Greenwood Publishing
Group.
Carroll, R. (2013, January 13). Lance Armstrong admits doping in Oprah Winfrey
interview. The Guardian. Opgehaald van
https://www.theguardian.com/sport/2013/jan/18/lance-armstrong-admits-
doping-oprah-winfrey
Castaldo, S., Premazzi, K., & Zerbini, F. (2010). The Meaning(s) of Trust. A Content
Analysis on the Diverse Conceptualizations of Trust in Scholarly Research on
Business Relationships. Journal of Business Ethics, 96, 657-668.
doi:10.1007/s10551-010-0491-4
Catrantzos, N. (2009). No dark corners : defending against insider threats to critical
infrastructure. Monterey, California: Naval Postgraduate School.
Catrantzos, N. (2010). No Dark Corners: A Different Answer to Insider Threats.
Homeland Security Affairs, 6(2), 1-20.
Champion, M. (2020, October 5). Three Leaders Downplayed Covid and Ended Up
Catching It. Bloomberg. Opgehaald van
https://www.bloomberg.com/news/articles/2020-10-02/three-leaders-
downplayed-covid-and-ended-up-catching-it
Charney, D. (2018). Prevention: The Missing Link For Managing Insider Threat in the
Intelligence Community. Alexandria: NOIR White Paper.

579
Chavez, N., & Royal, D. (2019, December 18). A former American Airlines mechanic
admitted he tried to sabotage a plane at the Miami airport. CNN News.
Chipperfield, C., & Furnell, S. (2010). From security policy to practice: Sending the
right messages. Computer Fraud & Security, 13-19.
doi:https://doi.org/10.1016/S1361-3723(10)70025-7
Christie, C. A., & Barela, E. (2005). The Delphi technique as a method for increasing
inclusion in the evaluation process. The Canadian Journal of Program
Evaluation, 20(1), 105-122.
Chuenjitwongsa, S. (2017). How to conduct a Delphi Study. UK: Wales Deanery.
Opgehaald van
https://foundation.walesdeanery.org/sites/default/files/how_to_conduct_a_delp
histudy.pdf
Cialdini, R. B., Reno, R. R., & Kallgren, C. A. (1990). A Focus Theory of Normative
Conduct: Recycling the Concept of Norms to Reduce Littering in Public
Places. Journal of Personality and Social Psychology, 58(6), 1015-1026.
Cohen, T. R., Kim, Y., Jordan, K. P., & Panter, A. (2016). Guilt-proneness is a marker
of integrity and employment suitability. Personality and Individual
Differences, 92, 109-112.
Cole, E., & Ring, S. (2006). What Is There to Worry About? In E. Cole, & S. Ring,
Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft
(pp. 3-48). Rockland, MA: Syngress Publishing, Inc. Retrieved from
https://www.elsevier.com/books/insider-threat-protecting-the-enterprise-from-
sabotage-spying-and-theft/cole/978-1-59749-048-1
Colquitt, J. A., & Scott, B. A. (2007). Trust, Trustworthiness, and Trust Propensity: A
Meta-Analytic Test of Their Unique Relationships With Risk Taking and Job
Performance. Journal of Applied Psychology, 92(4), 909-927.
Colwill, C. (2009). Human factors in information security: The insider threat - Who
can you trust these days? Information Security Technical Report, 186-196.
doi:10.1016/j.istr.2010.04.004
Commonwealth of Australia. (2014). Managing the Insider Threat to your business: A
personnel security handbook. Australia: Commonwealth of Australia.
Retrieved from https://www.tisn.gov.au/Documents/InsiderThreatBooklet-
ManagingTheInsiderThreatToYourBusiness.pdf
Connolly, K., Roy, E. A., Holmes, O., Goñi, U., Phillips, T., Ratcliffe, R., . . . Hall, R.
(2020, March 18). Fears 'lockdown parties' will increase global spread of
coronavirus. The Guardian. Retrieved from
https://www.theguardian.com/world/2020/mar/18/fears-lockdown-parties-will-
increase-global-spread-of-coronavirus
Cools, M. (1994). Werknemerscriminaliteit. Brussel: VUB Press.
Coolsaet, R. (2015). Wat drijft de Syriëstrijder? Samenleving & Politiek, 4-13.
Coolsaet, R. (2016). Facing the Fourth Foreign Fighters Wave: What Drives
Europeans to Syria, and to Islamic State? Insights from the Belgian Case.
Brussels: Egmont Royal Institute for International Relations.
Costa, D. L., Collins, M. L., Perl, S. J., Silowash, G. J., & Spooner, D. L. (2014). An
Ontology for Insider Threat Indicators: Development and Applications. 9th
International Conference on Semantic Technologies for Intelligence, Defense,
and Security (STIDS). Fairfax, VA: CEUR Workshop Proceedings.
Coulton, P., Burnett, D., & Gradinar, A. (2016). Games as Speculative Design:
Allowing Players to Consider Alternate Presents and Plausible Futures. Future
Focused Thinking - DRS International Conference 2016 (pp. 1609-1625).
Brighton, UK: DRS Biennial Conference Series. doi:https://doi.org/10.21606/
Craig, J. M. (2019). Extending Situational Action Theory to White-Collar Crime.
Deviant Behavior, 40(2), 171-186. doi:10.1080/01639625.2017.1420444
Cressey, D. R. (1950). The Criminal Violation of Financial Trust. American
Sociological Review, 15(6), 738-743.
Curry, J. (2020). Professional Wargaming: A Flawed but Useful Tool. Simulation &
Gaming, 51(5), 612-631. doi:https://doi.org/10.1177/1046878120901852
Dabney, D. (1995). Neutralization and Deviance in the Workplace: Theft of Supplies
and Medicines by Hospital Nurses. Deviant Behavior, 16(4), 313-331.
Dalkey, N., & Helmer, O. (1963). An Experimental Application of the Delphi Method
to the Use of Experts. Management Science, 9(3), 458-467.
Dapaah, J. (2022, October 20). Docent ontslagen ‘vanwege Tiktok-filmpjes’. De
Standaard. Retrieved from
https://www.standaard.be/cnt/dmf20221019_97990334
Dausey, D. J., Buehler, J. W., & Lurie, N. (2007). Designing and conducting tabletop
exercises to assess public health preparedness for manmade and naturally
occurring biological threats. BMC Public Health, 7(92), 1-9.
doi:https://doi.org/10.1186/1471-2458-7-92
Davidson, H. (2020, March 24). Around 20% of global population under coronavirus
lockdown. The Guardian. Retrieved from
https://www.theguardian.com/world/2020/mar/24/nearly-20-of-global-
population-under-coronavirus-lockdown
De Graaff, B. (2019). Data en Dreiging: Stap in de Wereld van Intelligence.
Amsterdam: Boom Uitgevers.
De Morgen. (2009, November 2). Iljo Keisse vrijgesproken voor positieve dopingplas.
De Morgen. Retrieved from https://www.demorgen.be/nieuws/iljo-keisse-
vrijgesproken-voor-positieve-dopingplas~b87902ff/
De Morgen. (2007, December 20). Leukemans positief door blunder arts. De Morgen.
Retrieved from https://www.demorgen.be/nieuws/leukemans-positief-door-
blunder-arts~bc9b2236/
De Morgen. (2009, November 13). Vlaamse topsporters krijgen extra infosessies over
whereabouts. De Morgen. Retrieved from
https://www.demorgen.be/nieuws/vlaamse-topsporters-krijgen-extra-
infosessies-over-whereabouts~b0735653/
De Morgen. (2019, October 09). Parijse messentrekker radicaliseerde bij politie. De
Morgen, p. 16.
De Roy, L. (2020, March 18). Nieuwe coronavirus is het product van natuurlijke
evolutie. VRT NWS. Retrieved from
https://www.vrt.be/vrtnws/nl/2020/03/18/coronavirus-sars-cov-2-is-het-
product-van-natuurlijke-evolutie/
De Roy, L. (2020, March 25). Ziekenhuizen gaan nieuwe snelle Belgische coronatest
volgende week in gebruik nemen. VRT NWS. Retrieved from
https://www.vrt.be/vrtnws/nl/2020/03/25/ziekenhuizen-gaan-nieuwe-snelle-
belgische-coronatest-meteen-gebr/
De Schamphelaere, J. (2020, July 23). Klokkenluider van Novartis krijgt 109 miljoen
dollar. De Tijd. Retrieved from https://www.tijd.be/ondernemen/farma-
biotech/klokkenluider-van-novartis-krijgt-109-miljoen-dollar/10240450.html
De Standaard. (2012, July 12). Van Tichelt dicht bij schorsing. De Standaard.
Retrieved from https://www.standaard.be/cnt/dmf20120711_00219716
De Standaard. (2019, January 23). Wielrenner Tosh Van der Sande vrijgesproken na
positieve dopingtest: “Ik werd bestempeld als dopingzondaar terwijl ik enkel
verklaring moest geven”. De Standaard. Retrieved from
https://www.standaard.be/cnt/dmf20190123_04126050
De Standaard. (2020, June 23). Neonazistische Amerikaanse soldaat beschuldigd van
plannen aanslag tegen eenheid. De Standaard. Retrieved from
https://m.standaard.be/cnt/dmf20200623_04998432?utm_campaign=twitterfee
d&utm_medium=dlvr&utm_source=twitter
De Standaard. (2021, June 2). Brandweerman gedood door collega bij schietpartij in
Amerikaanse kazerne. De Standaard. Retrieved from
https://www.standaard.be/cnt/dmf20210602_95259747
De Standaard. (2021, April 22). Italië vervolgt man die niet ging werken maar wel half
miljoen euro aan salaris opstreek. De Standaard. Retrieved from
https://www.standaard.be/cnt/dmf20210422_97040986
De Standaard. (2021, March 12). MIVB ontslaat medewerkers die zichzelf vrijaf
gaven. De Standaard. Retrieved from
https://www.standaard.be/cnt/dmf20210312_97286285
de Vaus, D. (2002). Constructing questionnaires. In D. de Vaus, Surveys in Social
Research (pp. 94-121). Crows Nest, Australia: Allen & Unwin.
De Vleeschauwer, T. (2019). BEVEILIGING VAN DE KRITISCHE
INFRASTRUCTUUR: Het succes of falen van de veiligheidscultuur binnen
Brussels Airport. Antwerpen: Masterproef voorgelegd met het oog op het
behalen van de graad van Master in de Internationale Betrekkingen en
Diplomatie aan de Universiteit Antwerpen.
Debruyne, A. (2020, April 4). Braziliaanse president Bolsonaro geeft economie
voorrang op mensenlevens: 'Uiterst berekende strategie'. Knack. Retrieved
from https://www.knack.be/nieuws/wereld/braziliaanse-president-bolsonaro-
geeft-economie-voorrang-op-mensenlevens-uiterst-berekende-strategie/article-
longread-1583939.html
Decré, H. (2021, May 26). Drie arrestaties na dodelijk ongeval met kabelbaan in Italië:
er zou bewust geknoeid zijn met noodremsysteem. VRT NWS. Retrieved from
https://www.vrt.be/vrtnws/nl/2021/05/26/arrestaties-na-ongeval-kabelbaan/
Deffer, F. (2012). Transportation Security Administration Has Taken Steps To Address
the Insider Threat But Challenges Remain. Department of Homeland Security
Office of Inspector General.
Dejonghe, V. (2005). Werknemerscriminaliteit. In V. Dejonghe, Handboek
Geïntegreerde criminaliteitspreventie in ziekenhuizen (pp. 89-93). Gent.
Retrieved from https://docplayer.nl/2658651-Handboek-geintegreerde-
criminaliteitspreventie-in-ziekenhuizen.html
Dekker, S. (2009). Just culture: who gets to draw the line? Cognition, Technology &
Work, 177-185. Retrieved from
https://link.springer.com/article/10.1007/s10111-008-0110-7
Dekker, S. (2017). Just Culture: Restoring Trust and Accountability in your
Organization. London: CRC Press.
Deutsch, M. (1958). Trust and Suspicion. The Journal of Conflict Resolution, 2(4),
265-279.
Dewey, K., Hobbs, C., Foster, G., Salisbury, D., & Tzinieris, S. (2020).
Reconceptualising Nuclear Security as a Business Enabler: Opportunities and
Challenges. IAEA International Conference on Nuclear Security (ICONS
2020) (pp. 1-8). Vienna: International Atomic Energy Agency (IAEA).
Retrieved from https://conferences.iaea.org/event/181/contributions/15290/
Diamond, I. R., Grant, R. C., Feldman, B. M., Pencharz, P. B., Ling, S. C., Moore, A.
M., & Wales, P. W. (2014). Defining consensus: A systematic review
recommends methodologic criteria for reporting of Delphi studies. Journal of
Clinical Epidemiology, 67, 401-409.
doi:https://doi.org/10.1016/j.jclinepi.2013.12.002
Dietz, G., & Den Hartog, D. N. (2006). Measuring Trust inside Organisations.
Personnel Review, 35(5), 557-588.
doi:https://doi.org/10.1108/00483480610682299
Dinev, T., & Hu, Q. (2007). The Centrality of Awareness in the Formation of User
Behavioral Intention toward Protective Information Technologies. Journal of
the Association for Information Systems, 8(7), 386-408.
doi:10.17705/1jais.00133
Draulans, D. (2020, March 24). Waarom we ons moeten voorbereiden op nog meer
coronavirussen. Knack. Retrieved from
https://www.knack.be/nieuws/gezondheid/waarom-we-ons-moeten-
voorbereiden-op-nog-meer-coronavirussen/
Dupuis, M., & Khadeer, S. (2016). Curiosity Killed the Organization: A Psychological
Comparison between Malicious and Non-Malicious Insiders and the Insider
Threat. Proceedings of the 5th Annual Conference on Research in Information
Technology (pp. 35-40). New York: Association for Computing Machinery.
doi:10.1145/2978178.2978185
Duval, A. (2017). The Russian doping scandal at the court of arbitration for sport:
lessons for the world anti-doping system. International Sports Law Journal,
16, 177-197.
Ebrahimji, A. (2020, September 25). Three railroad workers built a ‘man cave’ under
New York’s Grand Central Terminal. CNN News. Retrieved from
https://edition.cnn.com/2020/09/25/us/grand-central-man-cave-ny-
trnd/index.html
Effting, M., & van den Berg, J. (2020, March 19). Driekwart van overleden
coronapatiënten in Nederland kwam nooit op intensive care. De Volkskrant.
Retrieved from https://www.volkskrant.nl/nieuws-achtergrond/driekwart-van-
overleden-coronapatienten-in-nederland-kwam-nooit-op-intensive-
care~b9c5660d/
El Bakkali, L., & Arnoudt, R. (2021, May 19). Hoe kan het dat iemand nog voor
Defensie werkt als hij op lijst van veiligheidsdiensten staat? VRT NWS.
Retrieved from https://www.vrt.be/vrtnws/nl/2021/05/19/zwaar-bewapende-
beroepsmilitair-die-van-ranst-bedreigde-stond-a/
Elangovan, A., & Shapiro, D. L. (1998). Betrayal of Trust in Organizations. The
Academy of Management Review, 23(3), 547-566.
Elifoglu, I. H., Abel, I., & Tasseven, Ö. (2018). Minimizing Insider Threat Risk with
Behavioral Monitoring. Review of Business: Interdisciplinary Journal of Risk
and Society, 38(2), 61-73.
Eoyang, C. (1994). Models of Espionage. In T. R. Sarbin, R. M. Carney, & C. Eoyang
(eds.), Citizen Espionage: Studies in Trust and Betrayal (pp. 69-91). United
States of America: Greenwood Publishing Group.
European Commission. (2005). Green Paper on a European programme for critical
infrastructure protection. Brussels: European Commission. Retrieved from
https://op.europa.eu/en/publication-detail/-/publication/4e3f9be0-ce1c-4f5c-
9fdc-07bdd441fb88/language-en
European Commission. (2015). User guide to the SME Definition. Luxembourg:
Publications Office of the European Union. Retrieved from
https://ec.europa.eu/regional_policy/sources/conferences/state-
aid/sme/smedefinitionguide_en.pdf
European Commission. (2017). Special Eurobarometer 459 - Climate Change.
Brussels: European Commission. Retrieved from
https://ec.europa.eu/clima/sites/clima/files/support/docs/report_2017_en.pdf
European Council. (2008, December 8). Council Directive 2008/114/EC. Retrieved
from https://eur-
lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:
PDF
Evensen, P.-I., Martinussen, S. E., Halsør, M., & Bentsen, D. H. (2019). Wargaming
Evolved: Methodology and Best Practices for Simulation-Supported
Wargaming. Interservice/Industry Training, Simulation, and Education
Conference (I/ITSEC), (pp. 1-13). Volume 2019. Retrieved from
https://fhs.brage.unit.no/fhs-
xmlui/bitstream/handle/11250/2652599/1761821.pdf?sequence=1
Federal Agency for Nuclear Control (FANC). (2021, November 2021). Sabotage van
de stoomturbine van Doel 4. Retrieved from Federaal Agentschap voor
Nucleaire Controle (FANC): https://fanc.fgov.be/nl/dossiers/kerncentrales-
belgie/actualiteit/sabotage-van-de-stoomturbine-van-doel-4
Federal Police. (2021, November 29). Sabotage Doel 4. Retrieved from Federale
Politie: https://www.politie.be/5998/nl/opsporingen/gezocht/onbekende-
verdachten/sabotage-doel-4
Feldman, R. S. (2011). Module 52: Attitudes and Social Cognition. In R. S. Feldman,
Essentials of Understanding Psychology (pp. 579-589). McGraw-Hill: New
York.
Finkel, E. J., Rusbult, C. E., Kumashiro, M., & Hannon, P. A. (2002). Dealing With
Betrayal in Close Relationships: Does Commitment Promote Forgiveness?
Journal of Personality and Social Psychology, 82(6), 956-974.
doi:10.1037//0022-3514.82.6.956
Fischbacher-Smith, D. (2015). The enemy has passed through the gate: Insider threats,
the dark triad, and the challenges around security. Journal of Organizational
Effectiveness: People and Performance, 2(2), 134-156.
Fishbein, M. A., & Ajzen, I. (1975). Chapter 1: Introduction. In M. A. Fishbein, Belief,
attitude, intention and behaviour: An introduction to theory and research (pp.
1-18). Boston, Massachusetts: Addison-Wesley.
Flade, F. (2021). The Insider Threat: Far-right extremism in the German military and
police. CTC Sentinel, 14(5), 1-10. Retrieved from https://ctc.usma.edu/the-
insider-threat-far-right-extremism-in-the-german-military-and-police/
Fleeson, W., & Noftle, E. E. (2009). In favor of the synthetic resolution to the person–
situation debate. Journal of Research in Personality, 43, 150-154.
doi:10.1016/j.jrp.2009.02.008
Foth, T., Efstathiou, N., Vanderspank-Wright, B., Ufholz, L.-A., Dütthorn, N.,
Zimansky, M., & Humphrey-Murto, S. (2016). The use of Delphi and Nominal
Group Technique in nursing education: a review. International Journal of
Nursing Studies, 60, 112-120.
doi:https://doi.org/10.1016/j.ijnurstu.2016.04.015
Frank, A. (2012). Gaming the Game: A Study of the Gamer Mode in Educational
Wargaming. Simulation & Gaming, 43(1), 118-132.
doi:10.1177/1046878111408796
Franssen, J. (2021, May 20). Voortvluchtige Jürgen Conings kreeg sleutel wapendepots
ondanks tuchtsanctie voor extreemrechts gedachtegoed. VRT NWS. Retrieved
from https://www.vrt.be/vrtnws/nl/2021/05/20/blunder-defensie-conings-krijgt-
na-tuchtsancties-voor-extreemre/
Freedman, L. (2003). Prevention, not preemption. The Washington Quarterly, 26(2),
105-114. doi:https://doi.org/10.1162/01636600360569720
Funder, D. C. (2006). Towards a resolution of the personality triad: Persons, situations
and behaviors. Journal of Research in Personality, 40, 21-34.
doi:10.1016/j.jrp.2005.08.003
Funder, D. C. (2009). Persons, behaviors and situations: An agenda for personality
psychology in the postwar era. Journal of Research in Personality, 43, 120-
126. doi:10.1016/j.jrp.2008.12.041
Furnell, S., & Thomson, K.-L. (2009). From culture to disobedience: Recognising the
varying user acceptance of IT security. Computer Fraud & Security, 5-10.
doi:https://doi.org/10.1016/S1361-3723%2809%2970019-3
Furnell, S., Gennatou, M., & Dowland, S. (2002). A prototype tool for information
security awareness training. Logistics information management, 15(5/6), 352-
357. doi:https://doi.org/10.1108/09576050210447037
Gallagher, B. (2011, November 15). Michael Rasmussen admits he lied over missed
doping tests ahead of 2007 Tour de France. The Telegraph. Retrieved from
https://www.telegraph.co.uk/sport/othersports/cycling/8891464/Michael-
Rasmussen-admits-he-lied-over-missed-doping-tests-ahead-of-2007-Tour-de-
France.html
Gallagher, J. (2020, March 14). Coronavirus: What it does to the body. BBC News.
Retrieved from https://www.bbc.com/news/health-51214864
Gayle, D., & Quinn, B. (2019, October 17). Extinction Rebellion rush-hour protest
sparks clash on London Underground. The Guardian. Retrieved from
https://www.theguardian.com/environment/2019/oct/17/extinction-rebellion-
activists-london-underground
Gazet van Antwerpen. (2006, February 13). Assisen Antwerpen: vrijspraak voor Els
Op de Weerdt. Gazet van Antwerpen.
Gazet van Antwerpen. (2018, March 9). Ex-werknemer Veviba getuigt: “Als het vlees
rot was, moesten we er extra kruiden op gooien”. Gazet van Antwerpen.
Retrieved from https://www.gva.be/cnt/dmf20180309_03399503
Geis, G. (1994). Trade Secret Theft as an Analogue to Treason. In T. R. Sarbin, R. M.
Carney, & C. Eoyang (eds.), Citizen Espionage: Studies in Trust and Betrayal
(pp. 127-142). United States of America: Greenwood Publishing Group.
Gelles, M. (2016). Insider Threat: Detection, Mitigation, Deterrence and Prevention.
Oxford: Elsevier - Health Science Division.
Gemeentelijk Havenbedrijf Antwerpen. (2012). Handreiking Creëren van Security
Awareness in een havenfaciliteit. Antwerpen: Locaal Comité voor Maritieme
Beveiliging, Antwerpen. Retrieved from
https://www.portofantwerp.com/sites/portofantwerp/files/Handreiking%20cre
%c3%abren%20security%20awareness.pdf
George, A., Arey, B., Ertzinger, B., Michaelson, B., Heck, D., Johnson, D., . . . Smith,
K. (2019). Best Practices in Vetting Prospective and Current Employees. US:
Department of Homeland Security (DHS) Office of Intelligence and Analysis
(I&A).
Geril, J. (2022, November 9). Keeperstrainer Erwin Lemmens mag na minnelijke
schikking mee naar het WK. De Standaard. Retrieved from
https://www.standaard.be/cnt/dmf20221109_96646856
Giannarou, L., & Zervas, E. (2014). Using Delphi technique to build consensus in
practice. Int. Journal of Business Science and Applied Management, 9(2), 66-
82. Retrieved from https://business-and-management.org/library/2014/9_2--65-
82-Giannarou,Zervas.pdf
Gino, F., Ayal, S., & Ariely, D. (2009). Contagion and Differentiation in Unethical
Behavior The Effect of One Bad Apple on the Barrel. Psychological Science,
20(3), 393-398.
Gondree, M., Peterson, Z. N., & Denning, T. (2013). Security through Play. IEEE
Security & Privacy, 11(3), 64-67. doi:10.1109/MSP.2013.69
Goold, S. D. (2002). Trust, Distrust and Trustworthiness Lessons from the field.
Journal of General Internal Medicine, 17, 79-81.
Gossler, T., Sigala, I. F., Wakolbinger, T., & Buber, R. (2019). Applying the Delphi
method to determine best practices for outsourcing logistics in disaster relief.
Journal of Humanitarian Logistics and Supply Chain Management, 9(3), 438-
474. doi:10.1108/JHLSCM-06-2018-0044
Gottfredson, M., & Hirschi, T. (1990). The Nature of Criminality: Low Self-Control.
In M. Gottfredson, & T. Hirschi, A general theory of crime (pp. 85-120).
Stanford: Stanford University Press.
Grady, D. (2020, March 27). How Does the Coronavirus Compare With the Flu? New
York Times. Retrieved from https://www.nytimes.com/article/coronavirus-vs-
flu.html
Greco, P. J. (2017). Insider Threat: The Unseen Dangers Posed by Badged Airport
Employees and How to Mitigate Them. Journal of Air Law and Commerce,
717-742.
Greitzer, F. L., Imran, M., Purl, J., Axelrad, E. T., Leong, Y. M., Becker, D. E., &
Laskey, K. B. (2016). Developing an Ontology for Individual and
Organizational Sociotechnical Indicators of Insider Threat Risk. The Eleventh
International Conference on Semantic Technology for Intelligence, Defense,
and Security (STIDS 2016), (pp. 1-9). Fairfax.
Greitzer, F. L., Kangas, L. J., Noonan, C. F., Dalton, A. C., & Hohimer, R. E. (2012).
Identifying At-risk Employees: Modeling Psychosocial Precursors of Potential
Insider Threats. Hawaii International Conference on System Sciences (pp.
2392-2401). Hawaii: IEEE Computer Society. doi:10.1109/HICSS.2012.309
Grime, M. M., & Wright, G. (2016). Delphi Method. Wiley StatsRef: Statistics
Reference Online, 1-6. doi:10.1002/9781118445112.stat07879
Guido, M. D., & Brooks, M. W. (2013). Insider Threat Program Best Practices. 46th
Hawaii International Conference on System Sciences (pp. 1831-1839). Hawaii:
IEEE. doi:10.1109/HICSS.2013.279
Gundu, T., & Flowerday, S. V. (2012). The Enemy Within: A Behavioural Intention
Model and an Information Security Awareness Process. 2012 Information
Security for South Africa (pp. 1-8). Johannesburg, South Africa: IEEE.
doi:10.1109/ISSA.2012.6320437.
Gundu, T., Flowerday, S., & Renaud, K. (2019). Deliver Security Awareness Training,
then Repeat: {Deliver; Measure Efficacy}. 2019 Conference on Information
Communications Technology and Society (ICTAS). Durban: IEEE. Retrieved
from https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8703523
Gutwin, C., & Greenberg, S. (1997). Workspace Awareness. ACM CHI'97 Workshop
on Awareness in Collaborative Systems. Atlanta, Georgia: Susan E. McDaniel
and Tom Brinck.
Hackett, S., Masson, H., & Phillips, S. (2006). Exploring Consensus in Practice with
Youth Who Are Sexually Abusive: Findings from a Delphi Study of
Practitioner Views in the United Kingdom and the Republic of Ireland. Child
Maltreatment, 11(2), 146-156. doi:10.1177/1077559505285744
Haeussinger, F. J., & Kranz, J. J. (2013). Information Security Awareness: Its
Antecedents and Mediating Effects on Security Compliant Behavior. Paper
Thirty Fourth International Conference on Information Systems (pp. 1-16).
Milan: Association for Information Systems. Retrieved from
https://www.researchgate.net/publication/258926834_Information_Security_A
wareness_Its_Antecedents_and_Mediating_Effects_on_Security_Compliant_B
ehavior
Hänsch, N., & Benenson, Z. (2014). Specifying IT security awareness. 25th
International Workshop on Database and Expert Systems Applications (pp.
326-330). Munich, Germany: IEEE.
doi:https://doi.org/10.1109/DEXA.2014.71
Hanson, F. (2017, January 17). Revenge of the nerd: Fired IT worker who accused his
former employer of racial discrimination locks his boss out of his Google
account - and will only hand over the passwords for $200,000. Daily Mail
(Online). Retrieved from https://www.dailymail.co.uk/news/article-
4128382/IT-worker-s-legal-dispute-locked-Google-account.html
Hanus, B., Windsor, J. C., & Wu, Y. (2018). Definition and Multidimensionality of
Security Awareness: Close Encounters of the Second Order. The DATA BASE
for Advances in Information Systems, 49, 103-132.
doi:https://doi.org/10.1145/3210530.3210538
Hardin, R. (1996). Trustworthiness. Ethics, 107(1), 26-42.
Hart, G. (1996). The Five W's: An Old Tool for the New Task of Audience Analysis.
Technical Communication, 139-145.
Harteveld, C., Guimarães, R., Mayer, I. S., & Bidarra, R. (2010). Balancing Play,
Meaning and Reality: The Design Philosophy of LEVEE PATROLLER.
Simulation & Gaming, 41(3), 316-340. doi:10.1177/1046878108331237
Hasson, F., & Keeney, S. (2011). Enhancing rigour in the Delphi technique research.
Technological Forecasting & Social Change, 78, 1695-1704.
doi:10.1016/j.techfore.2011.04.005
Hasson, F., Keeney, S., & McKenna, H. (2000). Research guidelines for the Delphi
survey technique. Journal of Advanced Nursing, 32(4), 1008-1015.
Hawley, K. (2014). Trust, Distrust and Commitment. Noûs, 48(1), 1-20.
Hawley, K. (2019). How to be trustworthy. Oxford: Oxford University Press.
Hegghammer, T., & Hoelstad Daehli, A. (2016). Insiders and Outsiders: A Survey of
Terrorist Threats to Nuclear Facilities. In M. Bunn, & S. Sagan, Insider
Threats (pp. 10-41). Ithaca: Cornell University Press.
Held, V. (1968). On the Meaning of Trust. Ethics, 78(2), 156-159.
Herbig. (1994). A History of Recent American Espionage. In T. R. Sarbin, R. M.
Carney, & C. Eoyang (eds.), Citizen Espionage: Studies in Trust and Betrayal
(pp. 39-68). United States of America: Greenwood Publishing Group.
Hern, A. (2018, January 28). Fitness tracking app Strava gives away location of secret
US army bases. The Guardian.
Hershkowitz, M. (2007). The “Insider” Threat. Journal of Police Crisis Negotiations,
7(1), 103-111.
Het Laatste Nieuws. (2018, September 14). Gerante (52) steelt in 3 jaar €700.000 aan
juwelen van baas: “Ik wou alleen waar ik recht op had”. Het Laatste Nieuws.
Retrieved from https://www.hln.be/de-krant/gerante-52-steelt-in-3-jaar-700-
000-aan-juwelen-van-baas-ik-wou-alleen-waar-ik-recht-op-had~abed79b6/
Het Laatste Nieuws. (2018, January 30). Medewerker bakkerij steelt geld uit
broodautomaten. Het Laatste Nieuws. Retrieved from https://www.hln.be/sint-
amands/medewerker-bakkerij-steelt-geld-uit-broodautomaten~a9b6c3f1/
Het Laatste Nieuws. (2019, March 4). Dief steelt lenzen voor meer dan half miljoen
euro en moet nu 185.000 euro ophoesten. Het Laatste Nieuws. Retrieved from
https://www.hln.be/leuven/dief-steelt-lenzen-voor-meer-dan-half-miljoen-
euro-en-moet-nu-185-000-euro-ophoesten~adf2cd45/
Het Nieuwsblad. (2017, March 27). Animal Rights filmt “schokkende undercover
beelden” in Tielt en eist dat slachthuis deuren sluit. Het Nieuwsblad.
Retrieved from https://www.nieuwsblad.be/cnt/dmf20170323_02795187
Het Nieuwsblad. (2019, October 18). Ex-schepen Anick Berghmans krijgt 30 maanden
cel, waarvan 24 met uitstel, voor rol bij plofkraak in Lommel. Het Nieuwsblad.
Retrieved from https://www.nieuwsblad.be/cnt/dmf20191018_04670107
Het Nieuwsblad. (2019, July 1). Postsorteerster die jarenlang brieven achteroverdrukte
maakte 150.000 tot 300.000 euro buit. Het Nieuwsblad. Retrieved from
https://www.nieuwsblad.be/cnt/dmf20190701_04488256
Het Nieuwsblad. (2019, May 22). Treinbegeleidster ontslagen omdat ze pornovideo’s
maakte in wagon. Het Nieuwsblad. Retrieved from
https://www.nieuwsblad.be/cnt/dmf20190522_04417883
Het Nieuwsblad. (2019, December 11). Vijftienjarige stagiair-garagist knalt met
gestolen BMW in op auto’s op pechstrook na wilde politieachtervolging. Het
Nieuwsblad. Retrieved from
https://www.nieuwsblad.be/cnt/dmf20191211_04762150
Het Nieuwsblad. (2021, December 4). Verpleegkundige knipt per ongeluk vingertopje
van baby af: “Mijn dochter is verminkt voor het leven”. Het Nieuwsblad.
Retrieved from https://www.nieuwsblad.be/cnt/dmf20211204_94835758
Het Nieuwsblad. (2022, July 5). Man krijgt 330 keer te veel salaris en vertrekt met de
noorderzon. Het Nieuwsblad. Retrieved from
https://m.nieuwsblad.be/cnt/dmf20220705_95520592?fbclid=iwar00c_ix386tlr
jdtezhiukunagmqmaohh1nxpsw6jhussajgcd7xickfeu&utm_campaign=seeding
&utm_content=article&utm_medium=social&utm_source=facebook&utm_ter
m=nieuwsblad
Heylen, K. (2021, May 23). 11 militairen die Defensie volgt voor connecties met
extreemrechts, verliezen rechten, nog veel vragen over Conings. VRT NWS.
Retrieved from https://www.vrt.be/vrtnws/nl/2021/05/23/zoektocht-juergen-
conings-zondag/
Heylen, K. (2021, May 02). Webwinkel Bol.com voor 750.000 euro opgelicht via mail
vol taalfouten. VRT NWS. Retrieved from
https://www.vrt.be/vrtnws/nl/2021/05/02/webwinkel-bol-com-voor-750-000-
euro-opgelicht/
Hiroux, D. (2020, November 25). Hoe havenarbeiders in de val trappen van
drugsbendes: "Het begint op café, daarna laten ze je niet meer los". VRT NWS.
Retrieved from https://www.vrt.be/vrtnws/nl/2020/11/23/nieuwe-campagne-
om-havenarbeiders-te-sensibiliseren-rond-drugs/
Hirschman, A. O. (1978). Exit, Voice and the State. World Politics, 31(1), 90-107.
Ho, S. M. (2008). Toward a Deeper Understanding of Personnel Anomaly Detection.
In L. J. Janczewski, & A. M. Colarik, Cyber Warfare and Cyber Terrorism
(pp. 206-215). United States of America: Information Science Reference (IGI
Global).
Ho, S. M., & Katukoori, R. R. (2013). Agent-based modelling to visualise
trustworthiness: a socio-technical framework. International Journal of Mobile
Network Design and Innovation, 5(1), 17-27.
Ho, S. M., Kaarst-Brown, M., & Benbasat, I. (2018). Trustworthiness Attribution:
Inquiry Into Insider Threat Detection. Journal of the Association for
Information Science and Technology, 69(2), 271–280.
Hobbs, C., & Moran, M. (2015). Insider Threats An Educational Handbook of Nuclear
& Non-Nuclear Case Studies. London: King's College London - Centre for
Science & Security Studies. Retrieved from
https://www.kcl.ac.uk/csss/assets/insider-threats-handbook.pdf
Hobbs, C., Lentini, L., & Moran, M. (2016). The Utility of Table-Top Exercises in
Teaching Nuclear Security. International Journal of Nuclear Security, 2(1), 1-
11. doi:https://doi.org/10.7290/v7x34vdw
Hodge, L. (2020, November 12). Belgische anesthesiste krijgt drie jaar cel wegens
dood zwangere vrouw. VRT NWS. Retrieved from
https://www.vrt.be/vrtnws/nl/2020/11/12/belgische-anesthesiste-krijgt-drie-
jaar-cel-wegens-dood-zwangere/
Hofmeier, M., & Lechner, U. (2021). Operation Digital Ant: A Serious Game
Approach to Collect Insider Threat Scenarios and Raise Awareness. EICC:
European Interdisciplinary Cybersecurity Conference (pp. 14-19). New York:
Association for Computing Machinery.
doi:https://doi.org/10.1145/3487405.3487655
Hogan, R., & Hogan, J. (1994). The Mask of Integrity. In T. R. Sarbin, R. M. Carney,
& C. Eoyang (eds.), Citizen Espionage: Studies in Trust and Betrayal (pp. 93-
105). United States of America: Greenwood Publishing Group.
Holton, R. (1994). Deciding to trust, coming to believe. Australasian Journal of
Philosophy, 72(1), 63-76. doi:10.1080/00048409412345881
Homoliak, I., Toffalini, F., Guarnizo, J., Elovici, Y., & Ochoa, M. (2018). Insights Into
Insiders and IT: A Survey of Insider Threat Taxonomies, Analysis, Modeling,
and Countermeasures. ACM Computing Surveys, 52(2), 1-40.
doi:https://doi.org/10.1145/3303771
Hosmer, L. T. (1995). Trust: The Connecting Link between Organizational Theory and
Philosophical Ethics. The Academy of Management Review, 20(2), 379-403.
Hsu, C.-C., & Sandford, B. A. (2007). The Delphi Technique: Making Sense of
Consensus. Practical Assessment, Research, and Evaluation, 12, 1-8.
Information Security Forum. (2015). Managing the Insider Threat: Improving
Trustworthiness. London: Information Security Forum Limited. Retrieved
from https://www.securityforum.org/uploads/2017/01/Managing-The-Insider-
Threat-ISF-Briefing-Paper.pdf
Ingle, S. (2017, December 13). Chris Froome Q&A: how long could he be banned for
and what happens next? The Guardian. Retrieved from
https://www.theguardian.com/sport/2017/dec/13/chris-froome-cycling-how-
long-could-he-be-banned-what-happens-next
Ingle, S. (2018, July 2). Chris Froome cleared by UCI in anti-doping investigation. The
Guardian. Retrieved from
https://www.theguardian.com/sport/2018/jul/02/chris-froome-cleared-by-uci-
in-anti-doping-investigation
Ingle, S., & Kelner, M. (2017, December 13). Chris Froome fights to save career after
failed drugs test result. The Guardian. Retrieved from
https://www.theguardian.com/sport/2017/dec/13/chris-froome-team-sky-
reputation-abnormal-drug-test
International Atomic Energy Agency. (2008). Preventive and Protective Measures
against Insider Threats. Vienna: IAEA Nuclear Security Series No. 8.
Isaeva, N., Hughes, C., & Saunders, M. (2019). Trust, Distrust and Human Resource
Management. In K. Townsend, K. D. Cafferekey, & A. McDermott (eds.),
Elgar Introduction to Theories of Human Resources and Employment
Relations (pp. 247-263). Cheltenham: Edward Elgar.
Jakobsson, U., & Westergren, A. (2005). Statistical methods for assessing agreement
for ordinal data. Scandinavian Journal of Caring Sciences, 427-431.
Retrieved from https://www.semanticscholar.org/paper/Statistical-methods-for-
assessing-agreement-for-Jakobsson-
Westergren/8c000e813c6eecfe26d124c1cf43decf4933188f
Jore, S. (2019). The Conceptual and Scientific Demarcation of Security in Contrast to
Safety. European Journal for Security Research, 4, 157-174.
doi:10.1007/s41125-017-0021-9
Joris, M. (2022, November 10). Voormalig hulptrainer KFC Turnhout aangeklaagd na
ongepaste berichten naar minderjarige speler. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2022/11/10/voormalig-hulptrainer-kfc-turnhout-
aangeklaagd-na-ongepaste-beri/
Kabay, M. (2002). Using Social Psychology to Implement Security Policies. In S.
Bosworth, & M. Kabay, Computer Security Handbook (pp. 35.1-35.22). New
York: John Wiley & Sons. Opgehaald van https://www.wiley.com/en-
us/Computer+Security+Handbook%2C+4th+Edition-p-9780471269755
Katzenstein, P. J. (1996). Introduction: Alternative Perspectives on National Security.
In P. J. Katzenstein, The Culture of National Security: Norms and Identity in
World Politics (pp. 1-33). New York: Colombia University Press.

594
Kazim, M. (2019, December 9). Pakistan paramedic 'stole baby to give to childless
aunt'. BBC News. Opgehaald van https://www.bbc.com/news/world-asia-
50713433
Kee, H. W., & Knox, R. E. (1970). Conceptual and methodological considerations in
the study of trust and suspicion'. Journal of Conflict Resolution, 14(3), 357-
366.
Keeney, S., Hasson, F., & McKenna, H. (2006). Consulting the oracle: ten lessons
from using the Delphi technique in nursing research. The Journal of Advanced
Nursing (JAN), 205-212. doi: 10.1111/j.1365-2648.2006.03716.x
Keulemans, M. (2020, April 3). Waarom corona zelfs de griep van ’17-’18 overtreft.
De Volkskrant. Opgehaald van https://www.volkskrant.nl/nieuws-
achtergrond/waarom-corona-zelfs-de-griep-van-17-18-overtreft~ba9c1f10/
Khalid, H. M., & Ramli, S. N. (2012). Measuring Affect, Behavior and Cognition for
Modeling Disaster Risk Attitudes. 2012 Southeast Asian Network of
Ergonomics Societies Conference (SEANES) (pp. 1-6). Langkawi, Kedah,
Malaysia: IEEE.
Khan, B., Alghathbar, K. S., Nabi, S. I., & Khan, M. K. (2011). Effectiveness of
information security awareness methods based on psychological theories.
African Journal of Business Management, 5(26), 10862-10868. Opgehaald van
https://academicjournals.org/article/article1380536009_Khan%20et%20al.pdf
Khan, K. (2018). Tabletop Exercise on Mass Casualty Incident Triage, Does it Work?
Health Science Journal, 12(3). doi:10.21767/1791-809X.1000566
Klotz, A. C., Da Motta Veiga, S. P., Buckley, M. R., & Gavin, M. B. (2013). The role
of trustworthiness in recruitment and selection: A review and guide for future
research. Journal of Organizational Behavior, 104-119.
Knack. (2020, March 22). Overheid zet influencers in om Turkse gemeenschap te
informeren. Knack. Opgehaald van
https://www.knack.be/nieuws/belgie/overheid-zet-influencers-in-om-turkse-
gemeenschap-te-informeren/article-news-1579677.html
Knack. (2021, June 16). Defensie spendeerde al meer dan 650.000 euro aan zoektocht
Conings. Knack. Opgehaald van https://www.knack.be/nieuws/belgie/defensie-
spendeerde-al-meer-dan-650-000-euro-aan-zoektocht-conings/article-news-
1747231.html?cookie_check=1640304148
Koehn, D. (1998). Employee Vice: Some Competing Models A Response to Moberg.
Business Ethics Quarterly, 8(1), 147-164.

595
Konstantinos, R., Konstantinos, F., & Charalampos, M. (2012). How effective is your
security awareness program? An evaluation methodology. Information
Security Journal A Global Perspective, 21(6), 328-345.
doi:https://doi.org/10.1080/19393555.2012.747234
Korovessis, P., Furnell, S., Papadaki, M., & Dowland, P. H. (2017). A toolkit approach
to information security awareness and education. Journal of Cybersecurity
Education, Research and Practice, 2017(2), 1-32. Opgehaald van
https://digitalcommons.kennesaw.edu/jcerp/vol2017/iss2/5?utm_source=digita
lcommons.kennesaw.edu%2Fjcerp%2Fvol2017%2Fiss2%2F5&utm_medium=
PDF&utm_campaign=PDFCoverPages
Koutsouvelis, V., Shiaeles, S., Ghita, B., & Bendiab, G. (2020). Detection of Insider
Threats using Artificial Intelligence and Visualisation. 2020 2nd International
Workshop on Cyber-Security Threats, Trust and Privacy management in
Software-defined (pp. 437-443). Netsoft.
Kozak, M., & Iefremova, O. (2014). Implementation of the Delphi technique in
finance. e-Finanse: Financial Internet Quarterly, 10(4), 36-45.
Kramer, L. A., & Heuer Jr., R. J. (2007). America's Increased Vulnerability to Insider
Espionage. International Journal of Intelligence and CounterIntelligence,
20(1), 50-64.
Kruger, H., & Kearney, W. (2006). A prototype for assessing information security
awareness. Computers & Security, 25, 289-296.
Krull, K. (2016). The Threat Among Us: Insiders Intensify Aviation Terrorism.
Richland, Washington: Pacific Northwest National Laboratory - Prepared for
the US Department of Energy.
Kumar, S., Deskmukh, A., Liu, J., & Stecke, K. E. (2013). An Analysis of Trust,
Employee Trustworthiness, Fraud, and Internal Controls. International Journal
of Strategic Decision Sciences, 4(3), 66-89.
Landeta, J. (2006). Current validity of the Delphi method in social sciences.
Technological Forecasting & Social Change, 73, 467-482.
Lange, T., Kopkow, C., Lützner, J., Günther, K.-P., Gravius, S., Scharf, H.-P., . . .
Schmitt, J. (2020). Comparison of different rating scales for the use in Delphi
studies: different scales lead to different consensus and show different test-
retest reliability. BMC Medical Research Methodology, 20(28), 1-11.
doi:10.1186/s12874-020-0912-8

596
Lanssens, P. (2020). The Belgian civil intelligence service VSSE - general overview
and current trends and threats. Lecture at VUB for Master students European
and Economic Governance (pp. 1-18). Brussel: Veiligheid Van De Staat.
Lasoen, K. (2020). Geheim België: de geschiedenis van de inlichtingendiensten 1830-
2022. Tielt: Lannoo. Opgehaald van https://www.lannoo.be/nl/geheim-
belgi%C3%AB
Le, D., & Zincir-Heywood, A. (2019). Machine learning based Insider Threat
Modelling and Detection. 2019 IFIP/IEEE Symposium on Integrated Network
and Service Management (IM) (pp. 1-6). Washington D.C., USA: IFIP/IEEE.
Lee, G., & Kulkarni, U. (2011). Business Intelligence in Corporate Risk Management.
Proceedings of the Seventeenth Americas Conference on Information Systems
(pp. 1-11). Detroit, Michigan: AMCIS.
Levine, E. E., Bitterly, T. B., Cohen, T. R., & Schweitzer, M. E. (2018). Who Is
Trustworthy? Predicting Trustworthy Intentions and Behavior. Journal of
Personality and Social Psychology, 115(3), 468-494.
doi:http://dx.doi.org/10.1037/pspi0000136
Levine, E. E., Roberts, A. R., & Cohen, T. R. (2020). Difficult conversations:
navigating the tension between honesty and benevolence. Current Opinion in
Psychology, 31, 38-43. doi:https://doi.org/10.1016/j.copsyc.2019.07.034
Lewicki, R. J., & Bunker, B. B. (1995). Trust in Relationships: A Model of
Development and Decline. In B. B. Bunker, & J. Z. Rubin, Conflict,
Cooperation, and Justice: Essays Inspired by the Work of Morton Deutsch (pp.
133-173). San Franscisco: Jossey-Bass Inc.
Lewicki, R. J., & Bunker, B. B. (1996). Developing and Maintaining Trust in Work
Relationships. In R. M. Kramer, & T. R. Tyler, Trust in Organizations
Frontiers of Theory and Research (pp. 114-139). London: Sage Publications.
Li, P. P. (2012). When trust matters the most: The imperatives for contextualising trust
research. Journal of Trust Research, 2(2), 101-106.
doi:10.1080/21515581.2012.708494
Lin-Greenberg, E., Pauly, R. B., & Schneider, J. G. (2022). Wargaming for
International Relations Research. European Journal of International Relations,
28(1), 83-109. doi:https://doi.org/10.1177/13540661211064090
Linstone, H. A., & Turoff, M. (2002). The Delphi Method Techniques and
Applications. Addison-Wesley Publishing Company. Opgehaald van
https://web.njit.edu/~turoff/pubs/delphibook/index.html

597
Loffi, J. M., & Wallace, R. J. (2014). The unmitigated insider threat to aviation (Part
1): a qualitative analysis of risks. Journal of Transportation Security(7), 289-
305. doi:10.1007/s12198-014-0144-4
Long, A. (2016). Green-on-Blue Violence: A First Look at Lessons from the Insider
Threat in Afghanistan. In M. Bunn, & S. Sagan, Insider Threats (pp. 103-120).
Ithaca: Cornell University Press.
Luckey, D., Stebbins, D., Orrie, R., Rebhan, E., Bhatt, S. D., & Beaghley, S. (2019).
Assessing Continuous Evaluation Approaches for Insider Threats. Santa
Monica, Calif: RAND Corporation. Opgehaald van
https://www.rand.org/pubs/research_reports/RR2684.html
Luhmann, N. (2000). Familiarity, Confidence, Trust: Problems and Alternatives. In D.
Gambetta (ed.), Trust: Making and Breaking Cooperative Relations (pp. 94-
107). Oxford: Basil Blackwell.
Luyten, S. (2019, August 5). “Keer terug naar uw eigen land”: De Lijn onderzoekt
vermeend racisme van Gentse buschauffeur. Het Nieuwsblad. Opgehaald van
https://www.nieuwsblad.be/cnt/dmf20190805_04545578
Lynch, D. M. (2006). Securing Against Insider Attacks. Information Security and Risk
Management, 39-47.
Maasberg, M., & Beebe, N. L. (2014). The Enemy Within the Insider: Detecting the
Insider Threat Through Addiction Theory. Journal of Information Privacy and
Security, 10(2), 59-70.
Maasberg, M., Warren, J., & Beebe, N. L. (2015). The Dark Side of the Insider:
Detecting the Insider Threat Through Examination of Dark Triad Personality
Traits. 48th Hawaii International Conference on System Sciences (pp. 3518-
3526). Hawaii: IEEE Computer Society. doi:10.1109/HICSS.2015.423
Maerevoet, E. (2020, March 9). Danira Boukhriss, Koen Wauters en Annelien
Coorevits delen tips om coronavirus op afstand te houden: bekijk hier de spot.
VRT NWS. Opgehaald van https://www.vrt.be/vrtnws/nl/2020/03/08/danira-
boukhriss-koen-wauters-en-annelies-coorevits-delen-tips/
Maio, G. R., M., B. M., & Luke, M. A. (2003). Ideologies, Values, Attitudes, and
Behavior. In J. Delamater, Handbook of Social Psychology (pp. 283-308). New
York: Kluwer Academic/Plenum Publishers.
Malik, J. (2020). Making sense of human threats and errors. Computer Fraud &
Security, 6-10.

598
March, J. G., & Olson, J. P. (1998). The Institutional Dynamics of International
Political Orders. International Organization, 52(4), 943-969.
Martinez-Moyano, I. J., Rich, E., Conrad, S., Andersen, D. F., & Stewart, T. R. (2008).
A Behavioral Theory of Insider-Threat Risks: A System Dynamics Approach.
ACM Transactions on Modeling and Computer Simulation, 18(2), 7:1-7:27.
Mastroianni, G. R. (2011). THE PERSON–SITUATION DEBATE: IMPLICATIONS
FOR MILITARY LEADERSHIP AND CIVILIAN–MILITARY
RELATIONS. Journal of Military Ethics, 10(1), 2-16.
doi:10.1080/15027570.2011.561636
Mayer, R. C., & Norman, P. M. (2004). Exploring Attributes of Trustworthiness: A
Classroom Exercise. Journal of Management Education, 28(2), 224-249.
doi:10.1177/1052562903252641
Mayer, R. C., Davis, J. H., & Schoorman, F. D. (1995). An Integrative Model of
Organizational Trust. The Academy of Management Review, 20(3), 709-734.
doi:10.2307/258792
McAllister, D. J. (1995). Affect- and Cognition-Based Trust as Foundations for
Interpersonal Cooperation in Organizations. Academcy of Management
Journal, 38(1), 24-59.
McCall, J. R., & Pruchnicki, S. (2017). Just culture: A case study of accountability
relationship boundaries influence on safety in HIGH-consequence industries.
Safety Science, 94, 143-151. doi:http://dx.doi.org/10.1016/j.ssci.2017.01.008
McCurry, J. (2019, November 8). Sky-high selfies: Japan warns US over 'outrageous'
antics of military pilots. The Guardian. Opgehaald van
https://www.theguardian.com/world/2019/nov/08/sky-high-selfies-japan-
warns-us-over-outrageous-antics-of-military-pilots
McKnight, D. H., & Chervany, N. L. (2001). Trust and Distrust Definitions: One Bite
at a Time. In R. Falcone, M. Singh, & Y. Tan (eds.) (Red.), Trust in Cyber-
societies Integrating the Human and Artificial Perspectives - Lecture Notes in
Computer Science (pp. 27-54). Berlin: Springer. doi:https://doi.org/10.1007/3-
540-45547-7_3
Mehan, J. E. (2016). Insider Threat: A Guide to Understanding, Detecting, and
Defending Against the Enemy from Within. Cambridgeshire: IT Governance
Publishing.
Meijering, J., Kampen, J., & Tobi, H. (2013). Quantifying the development of
agreement among experts in Delphi studies. Technological Forecasting &

599
Social Change, 80(8), 1607-1614.
doi:https://doi.org/10.1016/j.techfore.2013.01.003
Mertens, C. (2022, October 3). Raadslid Werner De Gres (Vlaams Belang) uit Wilrijk
geschorst nadat hij voetballer Lamkel Zé "mensaap" heeft genoemd. VRT
NWS. Opgehaald van https://www.vrt.be/vrtnws/nl/2022/10/03/wilrijkse-
vlaams-belanger-werner-de-gres-geschorst-nadat-hij-voe/
Merton, R. K. (1938). Social Structure and Anomie. American Sociological Review,
3(5), 672-682.
Milio, L. (2020, October 8). Voormalig bankier uit Heist-op-den-Berg veroordeeld
omdat hij geld van klant in eigen zak stak. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2020/10/08/voormalig-bankier-veroordeeld-
omdat-hij-geld-van-klant-in-eigen/
Mishra, A. K. (1996). Organizational Responses to Crisis: The Centrality of Trust. In
R. M. Kramer, & T. R. Tyler, Trust in Organizations: Frontiers of Theory and
Research (pp. 261-287). Newbury Park, CA: Sage Publications.
Moberg, D. J. (1997). On Employee Vice. Business Ethics Quarterly, 7(4), 41-60.
Möllering, G. (2005). Rational, institutional and active trust: just do it!? In K. Bijlsma-
Frankema, & R. K. Woolthuis, Trust under Pressure Empirical Investigations
of Trust and Trust Building in Uncertain Circumstances (pp. 17-36).
Cheltenham: Edward Elgar Publishing Limited.
Monahan, S. C., & Quinn, B. A. (2006). Beyond ‘bad apples’ and ‘weak leaders’
Toward a neo-institutional explanation of organizational deviance. Theoretical
Criminology, 10(3), 361-385. doi:10.1177/1362480606065911
Montaquila, J., & Godwin, C. (2016). Personnel security and open source intelligence:
Employing social media analytics in pre-employment screening and selection.
Journal of Information Privacy and Security, 145-159.
doi:10.1080/15536548.2016.1213997
Morris, J. H., & Moberg, D. J. (1994). Work Organizations as Contexts for Trust and
Betrayal. In T. R. Sarbin, R. M. Carney, & C. Eoyang (eds.), Citizen
Espionage: Studies in Trust and Betrayal (pp. 163-187). United States of
America: Greenwood Publishing Group.
Mukherjee, N., Hugé, J., Sutherland, W. J., McNeill, J., Van Opstal, M., Dahdouh-
Guebas, F., & Koedam, N. (2015). The Delphi technique in ecology and
biological conservation: applications and guidelines. Methods in Ecology and
Evolution, 6, 1097–1109. doi:10.1111/2041-210X.12387

600
Munshi, A., Dell, P., & Armstrong, H. (2012). Insider Threat Behavior Factors: A
comparison of theory with reported. 45th Hawaii International Conference on
System Sciences (pp. 2402-2411). Hawaii: IEEE Computer Society.
doi:10.1109/HICSS.2012.326
Murphy, I. (2019). Remediating the Insider Threat. Enterprise Times.
Nationaal Adviescentrum Vitale Infrastructuur. (2008). Handreiking Security
Awareness. Den Haag: Nationaal Adviescentrum Vitale Infrastructuur (NAVI).
Opgehaald van https://www.slideshare.net/florisvanmaanen/handreiking-
security-awareness-concept
Neumann, P. G. (2010). Combatting Insider Threats. In C. W. Probst, J. Hunker, D.
Gollmann, & M. Bishop, Insider Threats in Cyber Security (pp. 17-44).
Boston: Springer.
Nishishiba, M., & Ritchie, L. D. (2000). The concept of trustworthiness: A cross‐
cultural comparison between Japanese and U.S. business people. Journal of
Applied Communication Research, 28(4), 347-367.
Nitsch, D., Baetz, M., & Hughes, J. C. (2005). Why Code of Conduct Violations go
Unreported: A Conceptual Framework to Guide Intervention and Future
Research. Journal of Business Ethics, 57, 327-341.
Noonan, C. (2018). Spy the Lie: Detecting Malicious Insiders. Richland, Washington:
Pacific Northwest National Laboratory Prepared for the US Department of
Energy.
Noor, P. (2020, March 28). 'If I get corona, I get corona': the Americans who wish
they'd taken Covid-19 seriously. The Guardian. Opgehaald van
https://www.theguardian.com/lifeandstyle/2020/mar/28/americans-who-dont-
take-coronavirus-seriously
NOS Nieuws. (2014, December 23). Kamerlid Voortman niet vervolgd om lekken.
NOS Nieuws. Opgehaald van https://nos.nl/artikel/2010422-kamerlid-
voortman-niet-vervolgd-om-lekken
NOS Nieuws. (2019, December 19). 20 jaar cel en tbs voor doden demente ouderen
met insuline. NOS Nieuws. Opgehaald van https://nos.nl/artikel/2315452-20-
jaar-cel-en-tbs-voor-doden-demente-ouderen-met-insuline
NOS Nieuws. (2019, December 19). Gelderse sportclubs vragen vaak niet om
verklaring omtrent gedrag. NOS Nieuws. Opgehaald van
https://nos.nl/artikel/2315435-gelderse-sportclubs-vragen-vaak-niet-om-
verklaring-omtrent-gedrag

601
NOS Nieuws. (2020, September 17). Corruptie bij politie: niet alleen met verleiding,
maar ook met bedreiging. NOS Nieuws. Opgehaald van
https://nos.nl/artikel/2348716-corruptie-bij-politie-niet-alleen-met-verleiding-
maar-ook-met-bedreiging
NOS Nieuws. (2020, January 23). Japanse postbode neemt duizenden brieven mee naar
huis. NOS Nieuws. Opgehaald van https://nos.nl/artikel/2319846-japanse-
postbode-neemt-duizenden-brieven-mee-naar-huis
NOS Nieuws. (2020, October 13). Medewerkster tbs-kliniek ontslagen vanwege relatie
met patiënt. NOS Nieuws. Opgehaald van https://nos.nl/artikel/2352208-
medewerkster-tbs-kliniek-ontslagen-vanwege-relatie-met-patient
NOS Nieuws. (2020, July 3). Nepdirecteur bestelt voor ruim een ton aan sterke drank
en eten. NOS Nieuws. Opgehaald van https://nos.nl/artikel/2339451-
nepdirecteur-bestelt-voor-ruim-een-ton-aan-sterke-drank-en-eten
NOS Nieuws. (2020, June 17). Oostenrijkse arts veroordeeld voor misbruik van meer
dan 100 kinderen. NOS Nieuws. Opgehaald van https://nos.nl/artikel/2337617-
oostenrijkse-arts-veroordeeld-voor-misbruik-van-meer-dan-100-kinderen
NOS Nieuws. (2020, March 4). Saboterende monteur American Airlines moet drie jaar
de cel in. NOS Nieuws. Opgehaald van https://nos.nl/artikel/2325836-
saboterende-monteur-american-airlines-moet-drie-jaar-de-cel-in
NOS Nieuws. (2021, February 24). Klokkenluider atoomspionage Frits Veerman (76)
overleden. NOS Nieuws. Opgehaald van https://nos.nl/artikel/2370048-
klokkenluider-atoomspionage-frits-veerman-76-overleden
NOS Nieuws. (2021, January 13). 'Securitas-medewerkers hielpen drugsbende bij
cocaïnesmokkel via haven R'dam'. NOS Nieuws. Opgehaald van
https://nos.nl/artikel/2364165-securitas-medewerkers-hielpen-drugsbende-bij-
cocainesmokkel-via-haven-r-dam
Nurse, J. R., Buckley, O., Legg, P. A., Goldsmith, M., Creese, S., Wright, G. R., &
Whitty, M. (2014). Understanding Insider Threat: A Framework for
Characterising Attacks. IEEE Security and Privacy Workshops, (pp. 214-228).
doi:10.1109/SPW.2014.38
Okoli, C., & Pawlowski, S. D. (2004). The Delphi method as a research tool: an
example, design considerations and applications. Information & Management,
42, 15–29.
Oltermann, P. (2019, June 6). German nurse given second life sentence for murder of
85 patients. The Guardian. Opgehaald van

602
https://www.theguardian.com/world/2019/jun/06/german-nurse-niels-hogel-
second-life-sentence-murder-of-85-patients
Oltermann, P. (2020, February 18). Danish social worker jailed for stealing £13m of
government funds. The Guardian. Opgehaald van
https://www.theguardian.com/world/2020/feb/18/danish-social-worker-jailed-
britta-nielsen
Olusegun, O. J., & Ithnin, N. B. (2013). “People Are the Answer to Security”:
Establishing a Sustainable Information Security Awareness Training (ISAT)
Program in Organization. (IJCSIS) International Journal of Computer Science
and Information Security, 11(8), 57-64. Opgehaald van
https://arxiv.org/abs/1309.0188
O'Neill, O. (2018). Linking Trust to Trustworthiness. International Journal of
Philosophical Studies, 26(2), 293-300. doi:10.1080/09672559.2018.1454637
O'Neill, T. A., & Hastings, S. E. (2011). Explaining workplace deviance behavior with
more than just the ‘‘Big Five”. Personality and Individual Differences, 50,
268-237. doi:10.1016/j.paid.2010.10.001
Ooghe, S. (2018, December 10). Politie-inspecteur veroordeeld tot cel met uitstel voor
opmaken valse pv: “U moet uw empathie beter doseren”. Het Laatste Nieuws.
Opgehaald van https://www.hln.be/evergem/politie-inspecteur-veroordeeld-tot-
cel-met-uitstel-voor-opmaken-valse-pv-u-moet-uw-empathie-beter-
doseren~abd59b91/
Ophoff, J., Jensen, A., Sanderson-Smith, J., Porter, M., & Johnston, K. (2014). A
Descriptive Literature Review and Classification of Insider Threat Research.
Proceedings of Informing Science & IT Education Conference (InSITE), (pp.
211-223).
Oprysko, C. (2020, March 15). Fauci warns against coronavirus indifference among
young people. Politico. Opgehaald van
https://www.politico.com/news/2020/03/15/fauci-coronavirus-young-people-
130229
Outters, A. (2020, September 7). Studenten VIVES Kortrijk moesten herexamen 2 keer
afleggen: "Examens per ongeluk weggegooid". VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2020/09/07/herexamen-afvalcontainer-vives-
hogeschool-kortrijk/
Pace, D. K. (1991). SEMINAR GAMING: AN APPROACH TO PROBLEMS TOO
COMPLEX FOR ALGORITHMIC SOLUTION. Johns Hopkins APL

603
Technical Digest, 12(3), 290-296. Opgehaald van
https://www.jhuapl.edu/Content/techdigest/pdf/V12-N03/12-03-Pace.pdf
Padayachee, K. (2016). An assessment of opportunity-reducing techniques in
information security: An insider threat perspective. Decision Support Systems,
92, 47-56. doi:http://dx.doi.org/10.1016/j.dss.2016.09.012
Parveen, N. (2020, March 30). Coronavirus message not reaching sections of society –
police chief. The Guardian. Opgehaald van
https://www.theguardian.com/world/2020/mar/30/coronavirus-message-not-
getting-through-demographics-police
Pattyn, T. (2019, December 20). Leraar filmt naakte leerlingen in zwembad na eerdere
veroordeling voor bezit kinderporno (maar kreeg toen opschorting van straf).
Het Nieuwsblad. Opgehaald van
https://www.nieuwsblad.be/cnt/dmf20191219_04775540
Pauli, W. (2011, July 6). In de koers is je ploegmaat vaak je eerste vijand. De Morgen.
Opgehaald van https://www.demorgen.be/nieuws/in-de-koers-is-je-ploegmaat-
vaak-je-eerste-vijand~bb618fb8/
Pauly, R. B. (2018). Would U.S. Leaders Push the Button? Wargames and the Sources
of Nuclear Restraint. International Security, 43(2), 151-192.
doi:https://doi.org/10.1162/ISEC_a_00333
Pearce, J. L. (2000). Employability as Trustworthiness. In C. R. Leana, & D. M.
Rousseau, Relational wealth: A new model for employment in the 21st Century
(pp. 79-90). Oxford: Oxford University Press. Opgehaald van
https://escholarship.org/uc/item/9zb3v2p5#main
Perla, P. P., & McGrady, E. (2011). WHY WARGAMING WORKS. Naval War
College Review, 64(3), 111-130. Opgehaald van
https://www.jstor.org/stable/26397225
Peters, V., Vissers, G., & Heijne, G. (1998). The Validity of Games. Simulation &
Gaming, 29(1), 20-30. doi:https://doi.org/10.1177/1046878198291003
Pfleeger, C. (2008). Reflections on the Insider Threat. In S. Stolfo, S. Bellovin, S.
Keromytis, A. Hershkop, S. Smith, & S. Sinclair (eds), Insider Attack and
Cyber Security. Advances in Information Security (pp. 5-15). Boston, M.A.:
Springer.
Pfleeger, S. L., Sasse, M. A., & Furnham, A. (2014). From Weakest Link to Security
Hero: Transforming Staff Security Behavior. Homeland Security & Emergency
Management, 11(4), 489-510. doi:https://doi.org/10.1515/jhsem-2014-0035

604
Phillips, T. (2020, March 23). Brazil's Jair Bolsonaro says coronavirus crisis is a media
trick. The Guardian. Opgehaald van
https://www.theguardian.com/world/2020/mar/23/brazils-jair-bolsonaro-says-
coronavirus-crisis-is-a-media-trick
Phillips, T., & Milhorance, F. (2021, September 29). Brazil hospital chain accused of
hiding Covid deaths and giving unproven drugs. The Guardian. Opgehaald van
https://www.theguardian.com/global-development/2021/sep/29/brazil-prevent-
senior-hospital-chain-covid-accusations
Piquero, N. L., Tibbetts, S. G., & Blankenship, M. B. (2005). Examining the role of
differential association and techniques of neutralization in explaining corporate
crime. Deviant Behavior, 26, 159-188. doi:10.1080/01639620590881930
Polit, D. F., Beck, C. T., & Owen, S. V. (2007). Is the CVI an Acceptable Indicator of
Content Validity? Appraisal and Recommendations. Research in Nursing &
Health, 30, 459–467. doi:10.1002/nur.20199
Poudin, K. (2019). The Human Factor in Business Security. Годишник на УНСС, 287-
304. Opgehaald van http://unwe-
yearbook.org/uploads/Yearbook/Yearbook_2019_No15_Poudin.pdf
Pournelle, P. E. (2017). Designing Wargames for the Analytic Purpose. Phalanx,
50(2), 48-53. Opgehaald van https://www.jstor.org/stable/10.2307/26296384
Power, K. (2021). Rutger Bregman, Humankind: A Hopeful History. Society, 58, 159–
161. doi:https://doi.org/10.1007/s12115-021-00582-y
Power, R., & Forte, D. (2006). Thwart the insider threat: a proactive approach to
personnel security. Computer Fraud & Security, 10-15.
Probst, C. W., Hunker, J., Gollmann, D., & Bishop, M. (2010). Aspects of Insider
Threats. In C. W. Probst, J. Hunker, D. Gollmann, & M. Bishop, Insider
Threats in Cyber Security (pp. 1-15). Boston: Springer.
Provoost, B. (2022, October 20). Kurt W. was al langer het noorden kwijt voor hij zijn
ouders neerstak op café: “Dit is de kroniek van een aangekondigd
horrorverhaal”. Het Nieuwsblad. Opgehaald van
https://www.nieuwsblad.be/cnt/dmf20221020_95483880
Puusa, A., & Tolvanen, U. (2006). Organizational Identity and Trust. Electronic
Journal of Business Ethics and Organization Studies, 11(2), 29-33.
Quinn, B. (2021, May 31). Attractiveness of British military for far right continues to
be a threat. The Guardian. Opgehaald van

605
https://www.theguardian.com/world/2021/may/31/attraction-of-british-
military-to-the-far-right-continues-to-be-a-threat-prevent
Randazzo, M. R., Keeney, M., Kowalski, E., Cappelli, D., & Moore, A. (2005). Insider
Threat Study: Illicit Cyber Activity in the Banking and Finance Sector.
Pittsburgh: Carnegie Mellon Software Engineering Insitute.
Raskin, M. S. (1994). The Delphi Study in Field Instruction Revised: Expert
Consensus on Issues and Research Priorities. Journal of Social Work
Education, 30(1), 75-89. Opgehaald van
https://www.jstor.org/stable/23043175?origin=JSTOR-
pdf&seq=1#metadata_info_tab_contents
Rayens, M. K., & Hahn, E. J. (2000). Building Consensus Using the Policy Delphi
Method. Policy, Politics, & Nursing Practice, 1(4), 308-315.
doi:https://doi.org/10.1177%2F152715440000100409
Readfearn, G. (2020, March 18). Coronavirus testing explained: how does it work and
how quickly can you get a response in Australia? The Guardian. Opgehaald
van https://www.theguardian.com/world/2020/mar/19/coronavirus-testing-
explained-how-does-it-work-and-how-quickly-can-you-get-a-response-in-
australia
Readfearn, G. (2020, March 26). How ventilators work and why they are so important
in saving people with coronavirus. The Guardian. Opgehaald van
https://www.theguardian.com/world/2020/mar/27/how-ventilators-work-and-
why-they-are-so-important-in-saving-people-with-coronavirus
Reason, J. (1998). Achieving a safe culture: Theory and practice. Theory and practice,
Work & Stress, 12(3), 293-306.
Rehak, D., Hromada, M., & Lovecek, T. (2020). Personnel threats in the electric power
critical infrastructure sector and their effect on dependent sectors: Overview in
the Czech Republic. Safety Science, 1-10.
Reiersen, J. (2019). Drivers of trust and trustworthiness. International Journal of
Social Economics, 46(1), 2-17.
Reina, D. S., & Reina, M. L. (2005). Trust & Betrayal in the Workplace Building
Effective Relationships in Your Organization. San Francisco: Berret-Koehler
Publishers.
Renson, T. (2022, August 24). Als dokwerkers omkopen niet lukt, solliciteren ze
gewoon zelf: hoe drugsmaffia infiltreert in Antwerpse haven. Het Nieuwsblad.
Opgehaald van https://www.nieuwsblad.be/cnt/dmf20220823_97387517

606
Reveraert, M. (2020, December 21). "Insider threats" zijn geen ver-van-ons-bedshow,
ze zijn een dreiging voor veel bedrijven. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2020/12/21/sensibilisering-rond-insider-threats-
is-broodnodig/
Reveraert, M., & Sauer, T. (2021). Redefining insider threats: a distinction between
insider hazards and insider threats. Security Journal, 34, 755-775.
doi:https://doi.org/10.1057/s41284-020-00259-x
Reveraert, M., & Sauer, T. (2022). A four-part typology to assess organizational and
individual security awareness. Information Security Journal: A Global
Perspective, 31(1), 64-82. doi:10.1080/19393555.2020.1855374
Reyntjens, S. (2020, March 2). Ex-directeur Antwerps bedrijf verdacht van
grootschalige oplichting: zette eigen rekeningnummers op facturen. Het
Nieuwsblad. Opgehaald van
https://www.nieuwsblad.be/cnt/dmf20200302_04872158
Ring, T. (2015). The Enemy Within. Computer Fraud & Security, 9-14.
Robin, G. D. (1970). The Nonshareable Problem Theory of Trust Violation.
Criminologica, 7(4), 48-57.
Robinson, S. L., & Bennett, R. J. (1995). A Typology of Deviant Workplace
Behaviors: A Multidimensional Scaling Study. The Academy of Management
Journal, 38(2), 555-572.
Roemer, K. (2008). Treating employees as a threat. Network Security, 9-11.
Roungas, B., Bekius, F., & Meijer, S. (2019). The Game Between Game Theory and
Gaming Simulations: Design Choices. Simulation & Gaming, 50(2), 180-201.
doi:https://doi.org/10.1177/1046878119827625
Rousseau, D. M., Sitkin, S. B., Burt, R. S., & Camerer, C. (1998). Introduction to
Special Topic Forum: Not so Different after All: A Cross-Discipline View of
Trust. The Academy of Management Review, 23(3), 393-404.
Rowe, G., & Wright, G. (2001). Expert Opinions in Forecasting: The Role of the
Delphi Technique. In J. (. Armstrong, Principles of Forecasting. International
Series in Operations Research & Management Science (pp. 125-144). Boston,
MA.: Springer. doi:https://doi.org/10.1007/978-0-306-47630-3_7
Royal Meteorological Institute (RMI),. (sd). More info on our warnings. Opgeroepen
op May 15, 2020, van https://www.meteo.be/en/weather/warnings/info-
warnings

607
Rubel, R. C. (2006). The Epistemology of War Gaming. Naval War College Review,
59(2), 108-128. Opgehaald van https://digital-commons.usnwc.edu/nwc-
review/vol59/iss2/8
Russel, C. (2002). Security Awareness - Implementing an Effective Strategy. Swansea,
UK: SANS Institute. Opgehaald van https://www.sans.org/reading-
room/whitepapers/awareness/paper/418
Sample, I. (2020, March 30). New study sheds light on coronavirus infection
mechanism. The Guardian. Opgehaald van
https://www.theguardian.com/world/2020/mar/30/new-study-sheds-light-on-
coronavirus-infection-mechanism
Sanen, S. (2021, October 25). Opnieuw arrestaties in Antwerpse drugsmilieu na grote
telefoonkraak "Operatie Sky": 10 verdachten opgepakt. VRT NWS. Opgehaald
van https://www.vrt.be/vrtnws/nl/2021/10/25/opnieuw-arrestaties-in-
antwerpse-drugsmilieu-na-grote-telefoonkr/
Santaguida, P., Dolovich, L., Oliver, D., Lamarche, L., Gilsing, A., Griffith, L. E., . . .
Raina, P. (2018). Protocol for a Delphi consensus exercise to identify a core set
of criteria for selecting health related outcome measures (HROM) to be used in
primary health care. BMC Family Practice, 19, 1-14.
doi:https://doi.org/10.1186/s12875-018-0831-5
Santens, T. (2020, March 22). Hoe zeg je “corona” in het Pools? Lees hier alle
maatregelen én advies in meer dan 10 talen. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2020/03/22/maatregelen-talen/
Sarbin, T. R. (1994). A Criminological Approach to Security Violations. In T. R.
Sarbin, R. M. Carney, & C. Eoyang (eds.), Citizen Espionage: Studies in Trust
and Betrayal (pp. 107-125). United States of America: Greenwood Publishing
Group.
Sarkar, K. R. (2010). Assessing insider threats to information security using technical,
behavioural and organisational measures. Information Security Technical
Report(15), 112-133. doi:10.1016/j.istr.2010.11.002
Sauer, T. (1998). Nuclear Deterrence Revisited. In T. Sauer, Nuclear Arms Control
Nuclear Deterrence in the Post-Cold War Period (pp. 1-29). London: Palgrave
Macmillan. doi:10.1007/978-1-349-26729-3
Sauer, T., & Reveraert, M. (2019, November 6). 'Interne dreigingen worden vaak over
het hoofd gezien omdat organisaties er vanuit gaan dat medewerkers te
vertrouwen zijn'. Knack. Opgehaald van
https://www.knack.be/nieuws/belgie/interne-dreigingen-worden-vaak-over-

608
het-hoofd-gezien-omdat-organisaties-er-vanuit-gaan-dat-medewerkers-te-
vertrouwen-zijn/article-opinion-1529145.html
Sauer, T., & Reveraert, M. (2020, Juli 20). It's the human, stupid! De Tijd. Opgehaald
van https://www.tijd.be/opinie/algemeen/it-s-the-human-stupid/10240025.html
Savage, M. (2022, July 18). Why people watch pornography at work. BBC Worklife.
Opgehaald van https://www.bbc.com/worklife/article/20220714-why-people-
watch-pornography-at-work
Schabregs, B., & Huyghebaert, P. (2020, October 6). VS-president Trump heeft het
ziekenhuis verlaten: "Wees niet bang van COVID, laat het je leven niet
domineren". VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2020/10/05/vs-president-gaat-het-ziekenhuis-
verlaten-wees-niet-bang-van-c/
Schafheitle, S., Weibel, A., & Möllering, G. (2016). Touchstone of Trust inside
Organizations:. Short Paper Submitted to EGOS 2016 Sub-theme 02: SWG
Organizational Trust (pp. 1-8). Naples: European Group for Organizational
Studies.
Scheibe, K. E. (1994). The Temptations of Espionage: Self-Control and Social Control.
In T. R. Sarbin, R. M. Carney, & C. Eoyang (eds.), Citizen Espionage: Studies
in Trust and Betrayal (pp. 143-162). United States of America: Greenwood
Publishing Group.
Schermerhorn Jr., J. R., Hunt, J. G., & Osborn, R. N. (2002). Values and Attitudes. In
J. R. Schermerhorn Jr., J. G. Hunt, & R. N. Osborn, Organizational Behavior
(pp. 27-31). USA: John Wiley & Sons, Inc.
Schillewaert, N. (2022, October 20). "Ik werd ontslagen door mijn TikTok-filmpjes",
beweert docent aan Arteveldehogeschool: is "ongepaste" humor geldige reden
voor ontslag? VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2022/10/20/ik-werd-ontslagen-door-mijn-tiktok-
filmpjes-is-ongepaste-humo/
Schmidt, R. C. (1997). Managing Delphi Surveys Using Nonparametric Statistical
Techniques. Decision Sciences, 28(3), 763-774.
Schmitt, M., Gollwitzer, M., Baumert, A., Blum, G., Gschwendner, T., Hofmann, W.,
& Rothmund, T. (2013). Proposal of a Nonlinear Interaction of Person and
Situation (NIPS) model. Frontiers in Psychology, 4, 499.
doi:10.3389/fpsyg.2013.00499

609
Schoorman, F. D., Mayer, R. C., & Davis, J. H. (1996). Organizational Trust:
Philosophical Perspectives and Conceptual Definitions. The Academy of
Management Review, 21(2), 337-340.
Searle, R. H. (2013). HRM and trust, or trust and HRM? An underdeveloped context
for trust research. In R. Bachmann, & A. Zaheer, Handbook of Advances in
Trust Research (pp. 9-28). Cheltenham: Edward Elgar Publishing Limited.
doi:https://doi.org/10.4337/9780857931382.00009
Searle, R., Rice, C., McConnell, A., & Dawson, J. (2017). Bad apples? Bad barrels?
Or bad cellars? Antecedents and processes of professional misconduct in UK
Health and Social Care: Insights into sexual misconduct and dishonesty.
Coventry: Professional Standards Authority.
Shahri, A. B., Ismail, Z., & Rahim, N. Z. (2013). Security Culture and Security
Awareness as the Basic Factors for Security Effectiveness in Health
Information Systems. Jurnal Teknologi, 64(2), 7-12.
doi:https://doi.org/10.11113/jt.v64.2212
Shaw, E., & Sellers, L. (2015). Application of the Critical-Path Method to Evaluate
Insider Risks. Studies in Intelligence, 59(2), 1-8.
Shigihara, A. M. (2013). It's Only Stealing a Little a Lot: Techniques of Neutralization
for Theft Among Restaurant Workers. Deviant Behavior, 34(6), 494-512.
doi:10.1080/01639625.2012.748630
Simon, C. (2020, March 27). Julie, 16 ans, adolescente décédée du coronavirus : «Elle
avait juste une toux». Le Parisien. Opgehaald van
http://www.leparisien.fr/essonne-91/morsang-sur-orge-91390/julie-16-ans-
decedee-du-coronavirus-personne-n-est-invincible-se-desole-sa-soeur-27-03-
2020-8288850.php#xtor=AD-1481423553
Sinek, S. (2019, November 10). Simon Sinek Performance vs Trust. Youtube.
Opgehaald van https://www.youtube.com/watch?v=kJdXjtSnZTI
Siponen, M. (2000). A conceptual foundation for organizational information security.
Information Management & Computer Security, 8(1), 31-41.
doi:https://doi.org/10.1108/09685220010371394
Siponen, M., & Kajava, J. (1998). Ontology of organizational IT security awareness-
from theoretical foundations to practical framework. Proceedings Seventh
IEEE International Workshop on Enabling Technologies: Infrastucture for
Collaborative Enterprises (pp. 327 - 331). Stanford, CA, USA, USA: IEEE.
doi:https://doi.org/10.1109/ENABL.1998.725713

610
Siponen, M., & Vance, A. (2010). Neutralization: New Insights into the Problem of
Employee Information Systems Security Policy Violations. MIS Quarterly,
34(3), 487-502.
Sitkin, S. B., & Roth, N. L. (1993). Explaining the Limited Effectiveness of Legalistic
"Remedies" for Trust/Distrust. Organization Science, 4(3), 367-392.
Skulmoski, G. J., Hartman, F. T., & Krahn, J. (2007). The Delphi Method for Graduate
Research. Journal of Information Technology Education, 6, 1-21.
doi:https://doi.org/10.28945/199
Smallman, C. (1996). Risk and organizational behaviour: a research model. Disaster
Prevention and Management, 5(2), 12-26.
Smedts, B. (2011). Critical infrastructure protection at European Level. Studia
Diplomatica, 71-78. Opgehaald van https://www.nonproliferation.eu/wp-
content/uploads/2018/09/bartsmedts4ec14cdd011bd.pdf
Sokolowski, J. A., Banks, C. M., & Dover, T. J. (2016). An agent-based approach to
modeling insider threat. Computational and Mathematical Organization
Theory, 22, 273-287. doi:10.1007/s10588-016-9220-6
Spitzner, L. (2017). LAB2‐R04: Achieving and Measuring Success with the Security
Awareness Maturity Model. RSA Conference 2017 - Learning Labs. San
Francisco: RSA Conference. Opgehaald van https://published-
prd.lanyonevents.com/published/rsaus17/sessionsFiles/4969/LAB2-
R04_LAB2-R04_Achieving-and-Measuring-Success-with-the-Security-
Awareness-Maturity-Model.pdf
Spruit, M. (2010). Bewust veilig? de IT-Auditor, 4, 15-21. Opgehaald van
https://www.deitauditor.nl/wp-content/uploads/2014/09/bewust-veilig.pdf
Spurling, P. (1995). Promoting security awareness and commitment. Information
Management & Computer Security, 3(2), 20-26.
doi:https://doi.org/10.1108/09685229510792988
Stacius, S. (2021, June 9). Werkstraf voor ex-politieagent die wapens stal uit depot
Gentse politie. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2021/06/09/ex-agent-krijgt-werkstraf-na-diefstal-
uit-het-gents-wapenmagazij1/
Staes, B., & Vergauwen, E. (2020, March 31). Overleden meisje van 12 afkomstig uit
Gent. De Standaard. Opgehaald van
https://www.standaard.be/cnt/dmf20200331_04907938?M_BT=37859250720
70&_section=69567463&adh_i=c950089f50a0f1e3ba0088d556e8794d&imai=

611
&utm_campaign=middagupdate&utm_medium=newsletter&utm_source=stan
daard
Steele, S., & Wargo, C. (2007). An Introduction to Insider Threat Management.
Information Systems Security(16), 23-33. doi:10.1080/10658980601051334
Stempel, J. (2021, November 24). Pfizer sues departing employee it says stole COVID-
19 vaccine secrets. Reuters. Opgehaald van
https://www.reuters.com/business/healthcare-pharmaceuticals/pfizer-sues-
departing-employee-it-says-stole-covid-19-vaccine-secrets-2021-11-24/
Steneck, N. H. (1994). Research Universities and Scientific Misconduct: History,
Policies, and the Future. The Journal of Higher Education, 65(3), 310-330.
Stern, J., & Schouten, R. (2016). Lessons from the Anthrax Letters. In M. Bunn, & S.
Sagan, Insider Threats (pp. 74-102). Ithaca: Cornell University Press.
Steurer, J. (2011). The Delphi method: an efficient procedure to generate knowledge.
Skeletal Radiol, 40, 959-961.
Stevenson, V. (2010). Some initial methodological considerations in the development
and design of Delphi Surveys,. St. Andrews: Supergen XIV. Opgehaald van
http://orca.cardiff.ac.uk/id/eprint/9949
Stone Fish, L., & Busby, D. M. (2005). The Delphi Method. In D. Sprenkle, & F. (.
Piercy, Research methods in family therapy (2nd ed., pp. 238-253). New York:
Guilford. Opgehaald van https://scholarsarchive.byu.edu/facpub/4584/
Strynckx, M. (2019, October 5). Dader mesaanval op politieagenten in Parijs was
wellicht geradicaliseerd en had contact met salafisten. VRT NWS. Opgehaald
van https://www.vrt.be/vrtnws/nl/2019/10/05/dader-mesaanval-op-
politieagenten-in-parijs-was-geradicaliseerd.app/
Sykes, G. M., & Matza, D. (1957). Techniques of Neutralization: A Theory of
Delinquency. American Sociological Review, 22(6), 664-670.
Tavani, H. T., & Grodzinsky, F. S. (2014). SIGCAS Computers & Society, 44(3), 8-13.
Temmerman, M., & Vandenhole, K. (2019, February 12). Nederlandse
milieuverenigingen dagen Shell voor de rechter. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2019/02/12/nederlandse-milieuverenigingen-
dagen-shell-voor-de-rechter/
Terryn, L. (2020, March 30). Brusselse politie stelde voorbije weekend 682 inbreuken
op coronamaatregelen vast. VRT NWS. Opgehaald van

612
https://www.vrt.be/vrtnws/nl/2020/03/30/brusselse-politie-stelde-voorbije-
weekend-682-inbreuken-op-coron/
The Guardian. (2019, April 12). Dutch fertility doctor 'secretly fathered at least 49
children'. The Guardian. Opgehaald van
https://www.theguardian.com/world/2019/apr/12/dutch-fertility-doctor-
secretly-fathered-at-least-49-children
The Guardian. (2019, October 9). US counter-terrorism analyst charged with leaking
classified materials. The Guardian. Opgehaald van
https://www.theguardian.com/us-news/2019/oct/09/henry-kyle-frese-defense-
intelligence-arrest-leaker
The Guardian. (2022, January 6). China scientist pleads guilty to stealing trade secret
from Monsanto. The Guardian. Opgehaald van https://amp-theguardian-
com.cdn.ampproject.org/c/s/amp.theguardian.com/us-news/2022/jan/07/china-
scientist-pleads-guilty-to-stealing-trade-secret-from-monsanto
Thomas, D. (2022, July 26). Prosecutors say FBI trainee stole tips from lawyer-
girlfriend to trade on Merck deal. Reuters. Opgehaald van
https://www.reuters.com/legal/government/prosecutors-say-fbi-trainee-stole-
tips-lawyer-girlfriend-trade-merck-deal-2022-07-25/
Thompson, E. E. (2018). Introduction. In E. E. Thompson, The Insider Threat:
Assessment and Mitigation of Risks (pp. 1-34). New York: CRC Press Taylor
and Francis Group.
Thompson, S. M., & Friedlander, G. (2016). Scope. In S. M. Thompson, & G.
Friedlander, Insider Threat Program: Your 90-Day Plan, A Guide for
Initiating, Developing and Implementing your Insider Threat Program (pp. 9-
13). United States: ObserveIT.
Thomson, M., & R., v. S. (1998). Information security awareness: educating your users
effectively. Information Management & Computer Security, 6(4), 167–173.
doi:https://doi.org/10.1108/09685229810227649
Tinsley, D. B. (1996). Trust Plus Capabilities. The Academy of Management Review,
21(2), 335-337.
Tondo, L. (2020, March 18). Italy charges more than 40,000 people with violating
lockdown. The Guardian. Opgehaald van
https://www.theguardian.com/world/2020/mar/18/italy-charges-more-than-
40000-people-violating-lockdown-coronavirus

613
Torfs, M. (2020, March 31). Kan "snorkelmasker" voor corona-hulpverleners de nood
helpen lenigen? VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2020/03/30/snorkelmasker-corona/
Torfs, M. (2021, June 20). Body of Jürgen Conings found in the woodlands of
Dilserbos, five weeks after he vanished. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/en/2021/06/20/body-of-juergen-conings-probably-
found-in-dilserbos-woodlands/
Tsohou, A., Karyda, M., & Kokolakis, S. (2015). Analyzing the role of cognitive and
cultural biases in the internalization of information security policies:
Recommendations for information security awareness programs. Computers &
Security, 128-141. doi:https://doi.org/10.1016/j.cose.2015.04.006
Turoff, M. (2002). The Policy Delphi. In H. A. Linstone, & M. (. Turoff, The Delphi
Method: Techniques and Applications (pp. 80-96). Opgehaald van
https://web.njit.edu/~turoff/pubs/delphibook/index.html
UK Centre for the Protection of National Infrastructure. (2011). Investigating
Employees of Concern: A Good Practice Guide. London: UK Centre for the
Protection of National Infrastructure. Opgehaald van
https://www.cpni.gov.uk/investigation-and-disciplinary
UK Centre for the Protection of National Infrastructure. (2019). Exit procedures
guidance. London: Centre for the Protection of National Infrastructure (CPNI).
US National Insider Threat Task Force . (2021, November 25). National Insider Threat
Task Force (NITTF) Mission. Opgehaald van The National Counterintelligence
and Security Center: https://www.dni.gov/index.php/ncsc-how-we-work/ncsc-
nittf
US National Insider Threat Task Force. (2016). Protect your organization from the
inside out: Government best practices. Washington D.C.: The National
Counterintelligence and Security Center.
US NITTF. (2018). Insider Threat Program: Maturity Framework. US: National
Insider Threat Task Force (NITTF).
Van Cauwelaert, R. (1998, July 29). Een beetje doping doet wonderen. Knack.
Opgehaald van https://www.knack.be/nieuws/magazine/een-beetje-doping-
doet-wonderen/article-normal-1070399.html
van de Linde, E., & van der Duin, P. (2011). The Delphi method as early warning:
Linking global societal trends to future radicalization and terrorism in The
Netherlands. Technological Forecasting & Social Change, 78, 1557-1564.
doi:http://dx.doi.org/10.1016/j.techfore.2011.07.014

614
Van de Vliet, L. (2021, November 5). Personeel Antwerpse en Waaslandhaven krijgt
tips "om niet in drugsmilieu te belanden". VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2021/11/05/medewerkers-antwerpse-haven-
krijgen-brochure-die-waarschuwt-voor/
Van den Berghe, C., & Vanhelden, V. (2022, August 23). "We weten op welke school
je kinderen zitten": hoe drugscriminelen ook havenarbeiders in Antwerpen
treffen. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2022/08/23/getuigenis-havenarbeider/
Van Dolderen, B., Stoffers, J., & Kleefstra, A. (2017). Delphi als onderzoeksmethode
voor consensus en draagvlak: een casus in de gezondheidszorg. Tijdschrift
voor Begeleidingskunde, 6(1), 24-30.
Van Hessche, J. (2020, March 24). Trump pleit alweer voor 'back to business'. De Tijd.
Opgehaald van https://www.tijd.be/politiek-economie/internationaal/vs/trump-
pleit-alweer-voor-back-to-business/10216531.html
Van Hessche, J. (2020, March 31). Trump stopt 'back to business'-pleidooi. De Tijd.
Opgehaald van https://www.tijd.be/politiek-economie/internationaal/vs/trump-
stopt-back-to-business-pleidooi/10217754.html
Van Hiel, A. (2016). Attitudes. In A. Van Hiel, Sociale Psychologie (pp. 202-245).
Gent: Academia press.
Van Laethem, W. (2005). Veiligheidsmachtigingen, veiligheidsadviezen,
veiligheidsattesten en andere veiligheidsdocumenten. Een snelle
kennismaking. Private Veiligheid – Sécurité privée, 16-21.
Van Nunen, K., Sas, M., Reniers, G., Vierendeels, G., Ponnet, K., & Hardyns, W.
(2018). An integrative conceptual framework for physical security culture in
organisations. Journal of Integrated Security Science, 1-7.
Vanderschoot, K. (2020, April 20). Braziliaanse president Bolsonaro stapt mee op in
protest tegen coronamaatregelen. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2020/04/20/braziliaanse-president-bolsonaro-
stapt-mee-op-in-protest-tegen-c/
Vanderschoot, K. (2020, November 19). Rapport legt wantoestanden Australische
elitetroepen bloot: "39 Afghanen onrechtmatig gedood als
ontgroeningsritueel". VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2020/11/19/australische-troepen-hebben-39-
afghanen-onrechtmatig-gedood/
Vast Comité van Toezicht op de Inlichtingen- en veiligheidsdiensten. (2021).
Toezichtonderzoek naar het opsporen en het opvolgen-door de twee

615
inlichtingendiensten-van de radicalisering van een militair werkzaam bij
Defensie, en anderzijds naar hun samenwerking met hun partnerdiensten,
waaronder Defensie (...). Finaal verslag 1 juli 2021. Opgehaald van
https://www.comiteri.be/images/pdf/publicaties/RAPP%20UNCLASS%20JC
%20NL%2001%2007%202021.pdf
Verberckmoes, Y. (2021, May 31). Onderzoeker Mathias Reveraert over ‘insider
threats’ zoals Jürgen Conings: ‘Niemand wil de verklikker zijn’. De Morgen.
Opgehaald van https://www.demorgen.be/nieuws/onderzoeker-mathias-
reveraert-over-insider-threats-zoals-jurgen-conings-niemand-wil-de-
verklikker-zijn~b65c7424/
Verberckmoes, Y., & Notelteirs, P. (2022, February 8). #MeToo niet enkel in
academische wereld: 7 procent werknemers krijgt te maken met
grensoverschrijdend gedrag. De Morgen. Opgehaald van
https://www.demorgen.be/nieuws/metoo-niet-enkel-in-academische-wereld-7-
procent-werknemers-krijgt-te-maken-met-grensoverschrijdend-
gedrag~b0ee053f/
Vereecken, H. (2021, April 23). Interne dreigingen: blindelings vertrouwen in
medewerkers of gezonde achterdocht? HR Square. Opgehaald van
https://hrsquare.be/nl/interne-dreigingen-blindelings-vertrouwen-in-
medewerkers-of-gezonde-achterdocht/
Verhaeghe, C. (2022, June 15). Nachtverpleegster voor rechtbank na diefstal van
duizenden euro's van stervende patiënte. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2022/06/15/nachtverpleegster-voor-rechtbank-na-
diefstal-van-duizenden-euro/
Verstuyft, A. (2020, February 28). Antwerpse transportfirma hangt camera's in cabines
van vrachtwagens. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2020/02/28/transportfirma-hangt-camera-s-in-
cabines-van-vrachtwagens/
Viotti, P. R., & Kauppi, M. V. (2012). International Relations Theory. Amsterdam:
Longman.
Vogel, C., Zwolinsky, S., Griffiths, C., Hobbs, M., Henderson, E., & Wilkins, E.
(2019). A Delphi study to build consensus on the definition and use of big data
in obesity research. International Journal of Obesity, 43, 2573-2586.
doi:https://doi.org/10.1038/s41366-018-0313-9
Volpentesta, A. P., Ammirato, S., & Palmieri, R. (2011). Investigating effects of
security incident awareness on information risk perception. Int. J. Technology
Management, 54(2/3), 304-320. doi:https://doi.org/10.1504/IJTM.2011.039317

616
von der Gracht, H. A. (2012). Consensus measurement in Delphi studies Review and
implications for future quality assurance. Technological Forecasting & Social
Change, 79, 1525-1536. doi:10.1016/j.techfore.2012.04.013
Von Solms, R., & Von Solms, B. (2004). From policies to culture. Computers &
Security, 23, 275-279. doi:10.1016/j.cose.2004.01.013
VRT NWS. (2012, November 9). Schandaal bij Russisch satelliet-programma. VRT
NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2012/11/09/schandaal_bij_russischsatelliet-
programma-1-1478076/
VRT NWS. (2020, October 28). Postbode die niet aanbelt en enkel kaartje in de bus
steekt, terwijl je thuis op pakje wacht? "Kan niet", zegt CEO Bpost. VRT NWS.
Opgehaald van https://www.vrt.be/vrtnws/nl/2020/10/28/ceo-bpost-postbodes-
moeten-aanbellen-als-ze-een-pakje-leveren/
VRT NWS. (2021, January 13). Bpost: "Postzegels die niet afgestempeld zijn mag je
niet hergebruiken, dat is een misdrijf". VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2021/01/13/bpost-postzegels-die-niet-
afgestempeld-zijn-mag-je-niet-hergeb/
Wall, D. S. (2013). Enemies within: Redefining the insider threat in organizational
security policy. Security Journal(26), 107-124.
Waltz, E. (2003). Knowledge Management in the Intelligence Enterprise. Bosten:
Artech House.
Waltz, K. (1979). Theory of International Politics. London: Addison-Wesley
Publishing Company.
Warrel, H., & Wright, R. (2019, December 27). Balfour Beatty sacked from MI6
refurbishment contract. The Financial Times. Opgehaald van
https://www.ft.com/content/81d4ac8c-28d9-11ea-9a4f-963f0ec7e134
Weibel, A. (2007). Formal Control and Trustworthiness Shall the Twain never Meet?
Group and Organization Management, 32(4), 500-517.
doi:10.1177/1059601106293961
Weibel, A., & Six, F. (2013). Trust and Control: the Role of Intrinsic Motivation. In R.
Z. Bachmann, Handbook of Advances in Trust Research (pp. 57-81).
Cheltenham: Edward Elgar.
Wendelboe, A. M., Miller, A., Drevets, D., Salinas, L., Miller, E., Jackson, D., . . .
Raines, J. (2020). Tabletop exercise to prepare institutions of higher education

617
for an outbreak of COVID-19. Journal of Emergency Management, 18(2),
183-184. doi:10.5055/jem.2020.0464
Wibeck, V., & Neset, T.-S. (2020). Focus groups and serious gaming in climate change
communication research—A methodological review. WIREs Climate Change,
11(5). doi:10.1002/wcc.664
Wikström, P.-O. H. (2014). Why crime happens: A situational actions theory. In G.
Manzo, Analytical Sociology: Actions and Networks (pp. 74-94). Chinchester:
John Wiley & Sons, Ltd.
Willems, F. (2022, October 27). "Meisje met de parel" van Vermeer doelwit van
klimaatactie, drie Belgische activisten opgepakt. VRT NWS. Opgehaald van
https://www.vrt.be/vrtnws/nl/2022/10/27/klimaatactie-meisje-met-parel/
Williamson, O. E. (1993). Calculativeness, Trust, and Economic Organization. Journal
of Law and Economics, 36(1), 453-486.
Willison, R., & Warkentin, M. (2013). Beyond Deterrence: An Expanded View of
Employee Computer Abuse. MIS Quarterly, 37(1), 1-20.
Willison, R., Warkentin, M., & Johnston, A. C. (2016). Examining employee computer
abuse intentions: insights from justice, deterrence and neutralization
perspectives. Information Systems Journal, 28(2), 266-293.
doi:10.1111/isj.12129
Willsher, K. (2020, September 3). French reporter who joined police exposes racism
and violence. The Guardian. Opgehaald van
https://www.theguardian.com/world/2020/sep/03/french-reporter-who-joined-
police-exposes-racism-and-violence-valentin-
gendrot?CMP=fb_gu&utm_medium=Social&utm_source=Facebook&fbclid=I
wAR2-
9XvmY4xNnCWuDXK9Vuh65D9xJNOJrkRo1rpJPd1EURjXLSULw7hRAh
Y#Echobox=15991
World Health Organization. (sd). Ebola outbreak in West Africa and the risk to
Europe. Opgeroepen op 03 31, 2020, van http://www.euro.who.int/en/health-
topics/health-emergencies/ebola-outbreak-2014/ebola-outbreak-in-west-africa-
and-the-risk-to-europe
Wright, S. (2010). Trust and Trustworthiness. Philosophia, 38, 615-627.
doi:10.1007/s11406-009-9218-0
Wynd, C. A., Schmidt, B., & Schaefer, M. A. (2003). Two Quantitative Approaches
for Estimating Content Validity. Western Journal of Nursing Research, 25(5),
508-518.

618
Zanna, M. P., & Rempel, J. K. (1988). Attitudes: a new look at an old concept. In B.-T.
D., & K. A. W., The social psychology of knowledge (pp. 315-334). New
York: Cambridge University Press.
Zegart, A. B. (2016). The Fort Hood Terrorist Attack: An Organizational Postmortem
of Army and FBI Deficiencies. In M. S. Bunn, Insider Threats (pp. 42-73).
Ithaca: Cornell University Press.
Zhou, N. (2018, June 14). Nazi flag on Australian army vehicle 'utterly unacceptable',
Turnbull says. The Guardian. Opgehaald van
https://www.theguardian.com/australia-news/2018/jun/14/nazi-flag-on-army-
vehicle-utterly-unacceptable-turnbull-says

619

You might also like