Disgruntled Employees – An Inside Job
Let’s look at a very simple risk equation:
Risk = Threat x Vulnerability
Now let’s apply that formula to a disgruntled employee. You have an angry employee (threat) who has access to sensitive company information based on their role in the organization (vulnerability). The combination of these two creates a situation where sensitive information, say the “secret recipe”, can potentially be disclosed to competitors (risk). This could have very serious consequences for your competitive advantage, your shareholders, your market share, etc.
The typical security response is to deploy preventive, detective, and corrective controls that hopefully reduce the risk by mitigating the threat and/or vulnerability. Most often, the controls lean heavily towards detection, which is an after-the-fact, reactive response to the problem. I believe the root cause of this issue lies with the management of an organization rather than the employee. Here’s why.
I’ve yet to see a person start a new job saying “this place sucks” or “I hate it here”. Instead, these new employees are often the most enthusiastic and engaged members of your workforce. Something has to occur that shifts this positive behavior to disengaged and/or destructive action. Something changes the attitude of the employee. I contend that it is the systems developed by management that are responsible for the growth and development of disgruntled behavior in the workplace.
Systems for employee review are often filled with hidden agendas and surprises designed to “put the employee in their place”. Systems are designed to punish failure by taking power away from “empowered” employees who didn’t meet performance expectations (that probably weren’t defined well anyway). Systems are designed to give responsibility but no authority to act. It is these types of unfortunately common management systems that set the stage for the development of disgruntled employees.
So, doesn’t it make sense to mitigate or eliminate the risk associated with the disgruntled employee threat by fixing systems that spawn that type of dissatisfaction? I’m by no means saying that employees rule the roost or that you won’t have an employee unhappy over a disagreement. What I am saying is that treating employees fairly, enabling them to be successful, helping them learn from mistakes rather than punishing them, and creating an environment where ideas are freely discussed without fear will go a long way toward eliminating this threat to information security.
Remember the equation:
Risk = Threat x Vulnerability
Without the threat, there is no risk.
Just want to tell you thank you for all the great info found on your blog! It even helped me with my work recently.
Keep it up!