One year ago, Mohammed Alshamrani, a 21-year-old Saudi aviation student studying at the Naval Air Station in Pensacola, FL, shot and killed three U.S. Navy Sailors. Last week, the 260-page investigation was released, revealing an important yet overlooked impetus of this unfortunate event.
As dictated by Chief of Naval Operations, Adm. Michael Gilday, Alshamrani was primarily motivated by anti-American sentiment, but “the organizational environment inherent in the aviation pipeline, likely increased his probability of committing an insider attack.”
The investigation revealed that Alshamrani’s instructor mocked his facial hair (he called it a “pornstache”) and called him an “a-hole” in front of his peers. Instructors were also known for telling Saudi students that they stink, demanding that they go home and take a shower, and assigning them demeaning or humiliating tasks for amusement.
Some might ignore this context, citing that Alshamrani would likely have carried out his anti-American agenda, regardless of these shenanigans. But consider another case—Joshua Schulte, a 31-year-old former Central Intelligence Agency (C.I.A) computer engineer. Schulte was recently accused of leaking the biggest trove of classified documents in the spy agency’s history.
Both Alshamrani and Schulte are classic cases of failing to prevent an insider threat. This is when employees, contractors, or business partners have authorized access to an organization’s internal operations, networks, or systems, giving them the chance to engage in acts of violence, data theft, fraud, sabotage, or the like.
What was Schulte’s motive? The prosecution argued that he was retaliating against colleague mistreatment. The trial revealed that officemates shot him with Nerf guns and rubber bands, taunted him for being bald, trashed his desk, and intimidated him both verbally and physically.
Both the Alshamrani and Schulte scenarios highlight an overlooked aspect of why employees go rogue. Namely, working in a hostile work climate, whereby the affective tone of the environment is angry, bitter, and antagonistic.
It is increasingly important to understand how toxic work climates breed insider incidents. Between 2018 and 2020, the number of insider incidents has increased by 47%. Given this increased prevalence, it’s not surprising that as of today, 90% of organizations report feeling vulnerable to insider threats.
The Critical Pathway Model of Insider Threat
The most widely used framework for developing insider risk management programs is the Critical Pathway Model. This model suggests that when certain personal dispositions (e.g, poor social skills) are paired with specific stressors (e.g., financial issues), it can lead to concerning behaviors. If these behaviors are not addressed through adequate interventions, the individual is more likely to pursue insider acts.
This model is helpful, but less attention is being paid to scenarios like Alshamrani at the U.S. Navy and Josh Schulte at the C.I.A. It’s not only important to focus on the individual, it’s necessary to evaluate stressors specific to the work environment in which they operate.
Keeping a Pulse on Hostile Work Climates
A work climate can be described as the emotional tone of a work environment. Do people seem happy and get along well? Or do they seem tense and terse with one another? Getting a pulse on affect can be tricky, but with proper forethought, it can be captured.
To date, organizations interested in preventing insider risk focus on individual-level data. For example, U.S. organizations might screen candidates for prior ethical infractions, monitor the degree to which employees admit mistakes, or track employees’ digital activity for suspicious behavior.
Hostile work climates are a collective, multi-person phenomenon. Organizations should, therefore, be evaluating data on employees’ perceptions of interactions with other individuals or how employees view the team as a whole.
For starters, organizations should collect round-robin data where they prompt each employee to rate each of their colleagues on how much they interact with them. These team-level satisfaction and engagement surveys can reveal in a safe, unobtrusive manner who is being ostracized.
These initiatives can then be supplemented with confidential and anonymous hotlines where employees can share concerns about specific colleagues. Organizations can also hire trained coaches who understand insider risk and know how to intervene when employees appear disgruntled due to team-level relational dynamics.
The overarching goal is the same—prevent insider risk—but the means for doing so change. Organizations should continue to try and pinpoint which individuals are potential insider threats. At the same time, however, organizations should address team-level work climate to ensure that insiders aren’t provoked to act.
Addressing Hostile Work Climates
Paying attention to precursors of insider threats—like hostile work climates—is important, especially if it can prevent acts of terrorism. But it’s also important to long-term organizational stability. Insider incidents are costing organizations 31% more than ever in lost assets. To date, dollars spent recovering from insider attacks for smaller organizations (less than 500 employees) averages $7.7M US, and for larger organizations averages $17.9M US.
The implications of insider incidents also go beyond hard costs. The impact on reputation, shareholder confidence, and employee morale makes it near impossible to recover.
If organizations want to prevent insider incidents it’s important to start broadening our view of insider risk. Individuals are ultimately responsible for acts of insider threat, but the teams and organizations in which they are embedded are the breeding grounds for such behaviors.
To prevent insider risk, organizations should consider incorporating what’s been proven over decades of research in organizational psychology: behavior is ultimately determined at the intersection of person and environment.
This post was co-written by Elsine van Os, a psychologist and insider risk management expert. She is the CEO and owner of Signpost Six, an insider risk training and consultancy firm. She also owns Signpost Film Productions and produced a documentary called Edward Snowden: Whistleblower or Spy? (2018).
Visit www.scottdust.com for more free resources for human capital enthusiasts, including a free e-book titled “A Field Guide to Human Capital Assessments.”