44 The Ethical Imperative for A Priori Insider Threat Prevention Programs [full paper]
There is an insider threat risk present in the government of Canada. It has struck in the past and will certainly in the future. Dark Triad personality traits, consisting of Machiavellianism, psychopathy and narcissism are leading indicators of insider threat activity. The risk of these threats may be mitigated (aggregated) by social bonds. Current insider threat programs are reactive in nature, and respond to events after they have taken place, or after they have hired a potential threat risk into their organizations. These a posteriori programs leave organizations at significant risk. The impact of these threat events is significant and severe. Previous events have significantly impacted Canada’s international reputation, and potential future events could have a significant financial impact to the economy. Employee screening activities are commonplace in government due to the importance placed upon maintaining a trust relationship. Given the prevalence of traditional screening programs, and the significant financial and reputational risk, there is an ethical imperative to develop a priori insider threat detection programs.
The Insider Threat Problem
It is a Sunday morning and the spring rain is gently falling. The government of Canada is two days away from its fiscal year end. This also means that it is the time of year when employees are receiving their performance review. Bobby has worked for the government for 10 years and is increasingly frustrated that he does not feel valued. Throughout the year, his supervisor has commented on his poor attitude. Bobby is regularly talking down to colleagues and even commented to the Director General that he could easily do their job. In spite of these disciplinary challenges, Bobby works reasonably well as a computer programmer and holds a SECRET security clearance. He is one of a few people that maintain the Social Insurance Register (SIR), and he has complete access to it. The Social Insurance Register contains all of the Social Insurance Numbers (SINs), and biographical information of people who have a SIN. It is arguably the largest database of personal information in Canada.
As Bobby looks out the window, he has taken a decision. Bobby is going to “show” management how much he is needed. He is going to sabotage the SIR so that he can demonstrate how “important” he is to the organization, and to show how “useless” management is. Bobby’s actions are going to impact the Social Benefits programs of one of Canada’s largest federal departments that distributes more than $120 billion a year to Canadians (ESDC, 2020). Perhaps more importantly, his actions are going to shake the very core of confidence that Canadians have in the Government of Canada to safeguard their information.
The case of “Bobby” is a fiction, thankfully. That said, at any time there could be such individuals who look to commit such an attack. These attacks are known as Insider Threats.
Examples in the World – Is there an Insider Threat Problem?
Given the story of the “Bobby” lead-in, and of course the fantastical nature of events the mind conjures when we speak of things such as espionage, sabotage and subversion, you would be forgiven if you wondered aloud if this was a real concern for the government, especially in Canada. In business, risk is often spoken with regard to a negative impact or damage to the brand. Indeed, research exploring the impact of the five-factor employer brand (EB) model against the three-factor intent to join (ITJ) model has demonstrated that a company’s reputation, acceptance and belongingness, work-life balance and ethics directly correlate to a candidate’s ITJ (Sharma & Prasad, 2018). Further research has demonstrated that “trust is at the core of all good relationships” and trust and reputation are intrinsically linked (Clarke, 2007). This demand that trust be present and that organizations be responsible is so vital that a common and popular phrase that is often repeated is that “accountability should hurt” (Owen et al., 2000). When considering the importance of the trust relationship I would suggest that the value of the “brand” of the government, and indeed of the word “Canada” itself lies in the sentiment it creates. In a public survey, 80% of respondents noted that they were familiar with the government logo and brand and associated it with such sentiments as “trust and credibility, as well as national pride” (Canada, 2019). This brand is not a symbol or a product but represents the “trust” relationship Canadians have with government. This “trust as a brand” consists of the trust Canadians have that their government is competent, and is capable to protect their personal information. So, with this in mind, is there an insider threat within the government of Canada? Unfortunately, the wolf is already at the door, and they have struck before. This is why it is so important that insider threat programs expand in their nature to a priori screening. With this in mind, I will demonstrate that there is an ethical obligation toward having an a priori insider threat prevention program.
Consider the following examples:
Petty Officers Reid and Sinclair
In July of 2007, Petty Officers 2nd class Sylvia Reid and Janet Sinclair were charged and later convicted in 2010 of sabotage, conspiracy, mischief and willful property damage under the National Defence Act and Criminal Code of Canada (R. v. Reid, 2010, CMAC 4). Facts agreed upon in court noted that the then Petty Officers were employed at the National Defence Command Centre in Ottawa and worked on the Processor Displays Subsystem Migration that tracks missile and space events around the globe. This is a key system for the Canadian/United States North American Aerospace Defense Command (NORAD) relationship. The two Petty Officers were married to one another. Both felt under-valued at work, considered co-workers lazy and their supervisors unengaged and incompetent. Wanting to show how critical they were to the organization they hatched a plot. Petty Officer Sinclair was away on maternity leave but provided instructions to Reid on how to corrupt the database they controlled. This would show that their co-workers were not capable, and the Petty Officers would then be brought in to fix the database, further showing their value.
Ironically, the cost to repair the damage caused was $536, taking just 4-hours (R. v. Reid, 2010, CMAC 4). Consider the non-monetary damage, and more specifically the damage to Canada’s reputation with partners that has resulted from this and other events. Researchers have noted that the reputation of an organization is based on historical performance. If and when new behaviour comes to light that changes the perception in this performance, there is an increase in risk to the damage caused to the reputation (Lange, Lee & Dai, 2011; Maor, 2016; Luoma-aho & Makikangas, 2014). In the case of Reid and Sinclair there was certainly damage to the reputation and faith in the Canadian Forces to undertake their role. Additionally, this event caused damage to the relationship between Canada and the United States and the NORAD agreement as well as damage to Canada on the international stage. If Canada could not be trusted to protect such a vital database, what else could be damaged? The international black-eye that this event caused would take years to go away, and while still healing, a near death blow was dealt.
Sub-Lieutenant Jeffrey Delisle
It was a cool evening in December 2011 when my work cellphone rang. I was in North Carolina with my team and we had just finished a day of training in preparation to deploy to Afghanistan in 2012. At the time I was the Officer Commanding the National Counter-Intelligence Unit (NCIU) Pacific Region. The NCIU is the Canadian Military’s unit that is responsible for investigations into Terrorism, Sabotage, Subversion, Organized Crime and Information Operations (Government of Canada, 2003). Part of my responsibilities included maintaining relationships with key allies and partners. One of these was a colleague in the US Central Intelligence Agency (CIA) who had just called. “Bill, what the hell is going on with that Delisle guy”? I hadn’t seen any news that day, nor had I been looking at my work e-mails so I was completely unprepared. Needless to say, my colleague was concerned about the threat and risk Delisle posed and this case would have long lasting impacts to Canada’s formal relationships with its intelligence partners.
Around July 2007, having found out that his wife was having an affair, Jeffrey Delisle walked up to the Russian Embassy in Ottawa – literally walked up to the front door – and offered to sell Canada’s secrets through an intercom. Having worked in Human Intelligence, Source and Agent Operations, and Counter-Intelligence for more than 20-years – the absurdity of this is actually quite baffling. It would have been to the Russians as well. Was this a trap? This certainly could not be real?
Delisle admitted during his pre-sentencing interviews that he was trying to commit “Professional (career) Suicide” (R. v. Jeffrey Paul Delisle, 2012). He was feeling emotionally crushed by the end of his marriage and was also frustrated in his career. Prior to his commissioning, Delisle had served as a Sergeant in the Reserves. During interviews he stated that he was frustrated that his previous experience was not given its due credit and respect and that his previous experience had been “wiped clean” and taken for granted (2012). Superiors rated that he was competent, but appeared unambitious. Court reports also indicate that he had previous money problems. Ultimately, it was found that over a four-year period, Delisle sold secrets to the Russians and received approximately $111,000 for his work (Borden Colley, 2019). When you consider that Delisle worked for military intelligence where there are indeed monitoring tools, and given the other potential signs, how is it possible he could go undetected for 4 years?
Again, the impact of this event to Canada’s trust relationship has been extreme. In media reporting in 2021 it notes that even 10 years on, the impact endures and that Canada’s international trust relationship has been eroded (Bronskill, 2021). When considering that the governments “brand” is trust, the damage has been catastrophic. Worthy of note, these are just two recent examples. Other extremely high profile cases include those of Russell Williams, former base commander for Canadian Forces Base Trenton currently serving a life sentence for rape and murder (Westoll & Campbell, 2020), and more recently, the allegations and impending trial of Cameron Ortis. Ortis was a senior executive with the Royal Canadian Mounted Police (RCMP) who is alleged to have sold classified information to organized crime figures (Anderson, Culbert & McKeown, 2020). Up to this point, it seems apparent from the stories above that there are clear improvements in the government of Canada’s insider threat detection programs that need to take place. Indeed, I would suggest that there is an ethical imperative toward needing a priori detection and prevention programs.
Defining the Insider Threat
At times, when we think of what an insider threat might look like, our minds conjure images of spies. Powerful images of saboteurs, insurgents, and foreign agents looking to coopt governments. Indeed, these are a reality. But perhaps more concerning are the threats posed by the “Bobbys” within government, the rank and file employee who has access to IT systems, money management, or personal information databanks (PIDs). So between international spy and regular employee, how can we define an insider threat? Interestingly enough, there are some professional reports that have been created to support financial institutions and private sector organizations in building out relatively fulsome insider threat protection programs, however many fail to define what an insider threat is. One such recent example includes the 2018 Insider Threat report/whitepaper prepared by Cybersecurity Insiders (2018). It is difficult to conceive that you could build a program without defining what you are trying to protect against. Having a clear statement of the threat/problem is key.
Fortunately, and in support of defining the threat landscape, data analyzed by the Carnegie Mellon University Centre for Emergency Response Team Coordinate Centre (CERT/CC) shows that organizations face three main types of insider threats: long-term fraud, sabotage, and espionage (theft of information) (Keeney & Kowalski, 2005). While a significant effort has been made to develop security programs to protect against the outside threat, internal technological growth has increased the vulnerability to threats from insiders (Randazo et al., 2004).
So what exactly is an insider threat? The United States Department of Homeland Security defines an insider threat as “the threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States” (Homeland Security, n.d.). The National Institute of Standards and Technology (NIST) out of the US Department of Commerce defines an insider threat as someone who “. . .will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of departmental resources or capabilities” (NIST, n.d.). Likewise, the Carnegie Mellon Computer Emergency Response Team (CERT) defines an Insider threat as “. . . a person that works from within an organization to subvert the confidentiality, integrity, and availability of the information contained within the walls of that entity” (CERT, 2016).
Within a government of Canada context, there is no commonly accepted definition of what constitutes an Insider threat. Public Safety Canada defines an Insider threat as being a “threat risk” and categorizes it as “. . . anyone with knowledge or access to an organization’s infrastructure (both physical and computer networks) who maliciously, or by change, misuses their trusted access to harm the organization’s employees, customers, assets, reputation or interests” (Public Safety, 2019). From all of these definitions, there are commonalities from which we can derive a common operational understanding of the insider threat. Plainly, an insider threat is someone who is already employed within your organization that uses their privileged access to cause harm. Across all of the previously mentioned definitions the word “harm” is a constant. This word can be subjective, and as such needs to be qualified. In support of this, and given that I am focused on harm that could occur within the federal government of Canada, I will anchor the definition of harm on the Treasury Board Secretariat (TBS) Directive on Security Management, Appendix J (TBS, 2019). In this directive harm to:
“information, assets and services are categorized as “very high,” “high,” “medium” or “low” impact to reflect the degree of injury that could reasonably be expected as a result of a loss of confidentiality (resulting from unauthorized disclosure), loss of integrity (resulting from unauthorized modification or destruction), or loss of availability (resulting from unauthorized removal or other disruption):
Very high: Applies when a compromise could reasonably be expected to cause severe to exceptionally grave injury;
High: Applies when a compromise could reasonably be expected to cause serious to severe injury;
Medium: Applies when a compromise could reasonably be expected to cause moderate to serious injury; and
Low: Applies when a compromise could reasonably be expected to cause limited to moderate injury.” (TBS, 2019)
For the context of this paper, I will use and focus on the simple definition for insider threat as I continue the exploration of the threat and risk whereby insiders can wreak havoc from within. I will further make a case that organizations have both an ethical and fiduciary responsibility to prevent insider threats before someone is within their employ.
So What, Now What?
Existing Theory – Individual or Micro-level of Analysis
Previously I defined an insider threat as someone who is already employed within your organization that uses their privileged access to cause harm. This definition looks at the deliberate “action” made by the individual threat actor. Firstly, we need to explore any potential characteristics that can be linked to the person themselves as leading indicators of insider threat risk. There is indeed significant research that looks at specific personality traits that have been linked to insider threats. Specifically, the term “dark triad” was coined by Paulhus and Williams in their seminal work linking Machiavellianism, sub-clinical psychopathology and sub-clinical narcissism (2002).
Extensive research has shown that there is a prevalence of certain personality characteristics that are found in those who commit insider threat attacks (Harrison, Summers, & Mennecke, (2018); Legg, Moffat, Nurse, Happa, Agrafiotis, Goldsmith & Creese, (2013) Maasberg, Warren and Beebe, (2015)). The most consistent and prevalent of these are Machiavellianism, sub-clinical psychopathy and sub-clinical narcissism (Paulhus and Williams, 2002). It is important to highlight at the onset that these three personality constructs, although grouped together as the dark triad, are indeed three separate and distinct items that each have their own significance in insider threat behaviour (Hogan and Shelton, 1998).
The phrase “the ends always justify the means” is commonly known, however many may not know that it was written by Nicolai Machiavelli hundreds of years ago (Machiavelli, & Bondanella, 2005). Machiavellianism as a clinical manifestation is often characterized as traits linked to individuals who demonstrate a manipulative or cold nature that lacks empathy, but also seem more stable and grounded (Kibeom, Ashton, Wiltshire, Bourdage, Visser and Gallucci, 2013; Kibeom and Ashton, 2014). In their study, Rayburn and Rayburn (1996) also explored the relationship between personality type, ethical decision-making and their linkages with Machiavellianism. Overall, they found that individuals with Type-A personalities, those who were generally extroverted tended to be more ethical than those with Type-B, those considered more introverted (Rayburn & Rayburn, 1996). Specific to Machiavellianism, individuals tended to experience more job strain, less job satisfaction and did not see room for opportunity or control in their careers (Gemmill and Heisler, 1972). Their research also found that Machiavellianism was positively correlated with individuals who had higher degrees of intelligence, and that this also associated positively with Type-A personalities. Interestingly, their research did not reveal a difference in ethical orientation between males and females. As an overall, individuals who have a higher degree of intelligence tended to be less ethical (Gemmill and Heisler, 1972). More recent research has shown that individuals with higher Machiavellian tendencies were also more likely to take advantage of situations (misreporting for financial gain), and experienced less emotional burden or sense of conscience (Murphy, 2012).
Psychopaths are broadly characterized by their highly impulsive behaviour, tendency toward thrill seeking, having a low empathy and experiencing low anxiety (Kibeom, Ashton, Wiltshire, Bourdage, Visser, and Gallucci, 2013; Jones and Paulhus, 2011; Kibeom and Ashton, 2014). In leadership roles, they tend to place their personal well-being ahead of (if not to the expense of) others, but these tendencies are sometimes accounted as them exhibiting behaviours of “fearless leadership” (Blickle and Genau, 2019). Their tendency toward lacking empathy and resistance to anxiety enables these individuals to be more self-confident and exert more social influence (Lilenfeld and Widows, 2005). Certainly it can be concerning when we see these individuals in positions of influence, and as such potentially holding a role that could expose organizations to a higher degree of insider threat risk. This makes understanding the role and impact of impulse and psychopathic behaviour important.
Narcissists tend to be extraverted and experience an over-heightened sense of self-worth that verges on grandiosity. They tend to have a strong sense of entitlement, are seen as dominating others, and experiencing an overall sense of superiority (Harrison, Summers, and Mennecke, 2018; Kibeom, Ashton, Wiltshire, Bourdage, Visser and Gallucci, 2013; Paulhus and Williams, 2002).
Interestingly, narcissism and Machiavellianism are often closely linked or paired together as they tend to favour an individual’s perceptions of their own capabilities, opportunity for advancement and motivation to succeed (Harrison, Summers, Mennecke, 2018). Further, narcissism and psychopathy were positively associated with impulsivity (Jones and Paulhus, 2011). Interestingly yet entirely surprisingly, narcissists tend to seek career opportunities that put them in positions of power (Brunell, Gentry and Campbell, 2008; Padilla, Hogan and Kaiser, 2007). While their extraverted and dominant nature seemed to propel them into positions of power, narcissists were seen as destructive leaders whose on the job performance did not match their personal vision of superiority (Brunell, Gentry and Campbell, 2008). In effect, their vison of their own performance did not match the output seen by others.
The Role of Impulsivity
When discussing the dark triad personality traits, an exploration of impulsivity is important, especially for its relationship with the dark triad and Social Control Theory (SCT). Indeed, it is this impulsivity in the dark triad that most directly links to the low self-control that is discussed by Hirschi and Gottfredson in their SCT as it relates to social bonds (1969). Additionally, Jones and Paulus explored this link between dark triad personally traits and impulse control and noted the importance of this relationship (2011). Specifically, Jones and Paulus’ study looked to assess correlations between functional versus dysfunctional impulsivity as defined by Dickman (1990). Functional impulsivity has been shown to predict idea generation (Brunas-Wagstaff, Bergquist, Morgan & Wagstaff, 1995), enthusiasm, adventurousness, and the ability to make quick decisions (Dickman, 1990). Dysfunctional impulsivity is linked to erratic disorderliness (Dickman, 1990). Behavioural characteristics seen in dysfunctional impulsivity included distraction and poor decision making (Brunas-Wagstaff, Bergquist, Morgan & Wagstaff, 1996) as well as suicide ideation (Dear, 2000). Key to the dark triad, both psychopathy and narcissism positively associated with impulsivity (Jones and Paulhus, 2011). Independently, psychopathy correlated with dysfunctional impulsivity while narcissism was associated with functional impulsivity. Machiavellianism had no unique association with any type of impulsivity (Jones and Paulhus, 2011).
Since we know that there is a significant prevalence of the dark triad personality traits in those who commit insider threat attacks, and that there is a significant implication toward impulse control (or a lack thereof), an exploration and understanding of what factors mitigate negative actions is warranted (Maasberg, Van Slyke, Ellis, Beebe, 2020; Harrison, Summers, Mennecke, 2018; Hirschi & Gottfredson, 1969). Firstly, we need to explore how to test for dark triad personality traits as a contributing factor toward insider threat behaviour.
Testing the Dark Triad Traits
Previously mentioned research by Harrison, A., Summers, J., & Mennecke, B. (2018); Legg, P. A., Moffat, N., Nurse, J. R., Happa, J., Agrafiotis, I., Goldsmith, M., & Creese, S. (2013); and Maasberg, Warren and Beebe, (2015) has pointed to the presence of the dark triad traits in insider threats. Focusing on very specific personality vectors, Hare has suggested “. . .that psychopathy is the single most important clinical construct in the criminal justice system, with particularly strong implications for the assessment of risk for recidivism and violence. . . “ (1998). To test for psychopathology, Hare has developed the Psychopathy Checklist – Revised (PCL-R) (1995). Additionally, Christie and Gies developed the MACH-IV as an assessment tool for Machiavellianism (1960). This 20-item inventory calculated using a Likert scale provides insight into the potential for someone to be manipulative, using others as a means to an end. Another well established and rigorous inventory is the Minnesota Multiphasic Personality Inventory-2 (MMPI-2). This 567 item inventory is used to assess a range of personality disorders such as psychopathy, depression, somatization and some ego-driven behaviours (Drayton, 2009). While all of the aforementioned inventories can paint part of the personality picture, they do so in a way that is possibly incomplete or at least not specific enough for the assessment of the insider threats. Recognizing the need for a simple yet reliable inventory, Jones and Paulhus developed the Short Dark Triad (SD3) measurement for the Dark Personality Traits (2014). While their evaluation of the SD3 did indeed demonstrate that it was a reliable measure, the researchers acknowledge that there is criticism given its brief nature (consisting of only 27 questions) (2014). While the SD3 is efficient in the detection of the dark triad personality traits, it does so in the absence of other generalizable personality traits. As such, many researchers looking toward generalizability to the populous tend to do so through a hybrid connection between the SD3 and the Big Five Personality traits of agreeableness, extraversion, openness, conscientiousness and neuroticism (Hodson et al., 2009; Jonason et al., 2010; Williams et al., 2010). As one would expect, this leads to overlap and inefficiencies that make such a hybrid approach less desirable. I would suggest that in place of this hybrid one must consider the HEXACO framework as a more reliable tool for assessing insider threat linked personality traits.
The HEXACO framework developed by Ashton and Lee, consists of an evaluation of honesty- humility, emotionality, extraversion, agreeableness, conscientiousness and one’s openness toward new experiences (Ashton & Lee, 2007). By way of an advantage over the hybrid SD3-Big Five model, the HEXACO’s honestly-humility as well as agreeableness factors share common elements in rating the respondents’ tendency toward manipulation or use of others, and their tendency toward cooperation (Ashton & Lee, 2007). Another powerful advantage quite germane to the study of insider threats is that the HEXACO model allows for a more granular assessment of reactions to provocations (Lee & Ashton, 2012). As insider threat behaviour holds significant links to impulsivity (Jones & Paulhus, 2014), the richness of measurements linked to reactions and provocations will be important. An additional benefit that I would anticipate, but the literature is silent on, will be how the HEXACO model could be expanded as a means of reviewing a relationship with Social Control and by extension, Life Course Theories as explained by Hirschi and Gottfredson (1990) and Sampson and Laub (1993). The inclusion, or perhaps modification of the HEXACO as a means of testing the dark triad personality traits, and their relationship with social bonds will be key if not critical to our ability to reliably predict insider threat risk.
Social Control and Life-Course Theories
Social Control Theory
Social Control Theory (SCT), also known as Social Bond Theory (SBT) was a concept developed by Travis Hirschi (1969). In SBT, behavioural attachment to society is framed around four foundations, specifically an individual’s commitment to social norms, parental and cultural attachment, involvement in community and activities, and finally, holding a common value system within society (Hirschi, 1969). His theory found that in cases where there are weak social bonds, this leads to an individual having a low self-control which in turn leads to the threat behaviour (Hirschi, 1969).
Hirschi and Gottfredson note that the development of social bonds (or lack thereof) in youth and adolescence are what anchors criminality (1990). They reject categorically that any decrease in criminality later in life can be attributed to changes in social bonds. On maturation reform they argue that any “reform is just that, change in behaviour that comes with maturation; it suggests that spontaneous desistance is just that, change in behaviour that cannot be explained and change that occurs regardless of what else happens” (Hirschi and Gottfredson, 1990).
While holding an epistemological view similar to Hirschi and Gottfredson’s Social Control Theory (1983), Sampson and Laub have suggested that there is a significant need to look beyond low self-control as the key determining factor. What their research has shown is that delinquent behaviour tends to naturally decrease with age (2003), and that more significant stability can be attributed to social bonds formed beyond adolescence. Such increased bonds can be found through commitment and success in the workplace, or through the development of significant social relationships such as through marriage or having children (1993).
In their seminal work Crime in the Making, republished in 1993, Sampson and Laub consider that while it can be true that some people who exhibit criminal tendencies in youth may continue this behaviour in later life, evidence seems to clearly indicate that there is a marked decrease (Sampson and Laub, 1993). Their theory of age-graded informal social control holds three basic principles. Firstly, deviant and delinquent behaviour in childhood and adolescence can be attributed to weak family and school social bonds. Secondly, that there is a continuity between antisocial behaviour from childhood through to adulthood. Finally, that social bonds associated with family and employment can mitigate criminality in later-life activities (Sampson and Laub, 1993). In effect, Sampson and Laub attribute this decrease in criminality to later-onset chances or enhancements to social influences, or the development of social bonds that they refer to as changes in life-course (1993). The life-course has been defined as being “pathways through the age differentiated life span” where events in life influence our decision-making processes (Elder 1985). Caspi et al took a more deliberate approach in defining life-course whereby they see it as a “sequence of culturally defined age-graded roles and social transitions that are enacted over time” (1990). Examples of later onset social bonds can include “marriage, parenting, education, the economy, and employment have led to the evolution of emerging adulthood as a unique stage of the life course” (Salvatore and Taniguchi, 2012). When considering the case of marriage we note that it is seen as an important right of social passage that is based in part on social conformity toward conventional societal norms (Arnett, 1998; Sampson and Laub, 2003). These distinctions show that there are indeed changes in social behaviour, and that these changes have impact on criminality are key to the study of insider threat behaviour.
Indeed, while acknowledging that criminality decreases with age and certain stability to one’s life-trajectory, there is a link between the absence of social bonds, or a break-down in how the perpetrator views their life-course that can be directly linked to threat behaviour. That is to say, someone who has the dark triad personality traits and a life-trajectory with weak social bonds has a greater disposition to commit an insider threat attack. This connection between social bonds, someone’s life journey and the dark triad will be explored through an analysis of Sampson and Laub’s life-course and age-graded theories for individuals who do hold dark triad traits. Linking this theory to practice, if we consider the case of Jeffrey Delisle mentioned earlier, from a social bonds perspective we can see that his marriage was failing, he had financial difficulties, his self-assessment of work value was inconsistent with how he was viewed and he appeared to be isolated from society. In effect, he lacked significant attachment or social bonds. Seeing these lack of social bonds in hindsight does little to mitigate the events that happened. What needs to be in place is an effective a priori screening element that accounts for both the dark triad and social bonds. Quite astutely, Hare has noted that “…the ability to identify and measure a construct is prerequisite to understanding its nature” (Hare, 1996). More broadly, we need to be able to measure the dark triad traits both individually and collectively, in order to understand the very nature of insider threat and see how these personality dynamics can and indeed must be woven into threat mitigation programs.
Insider Threat Programs
Given the prevalence of specific personality traits that point to increased insider threat risk, and the potential implication of SCT, certainly the detection of these will anchor insider threat prevention programs. In fact, they do not. Much of the research exploring insider threat activities and programs surrounds the CMO model or Capability, Motivation and Opportunity (Wood, 2000). Available research discusses a number of advanced programs and detection tools that are used to predict and block insider threat behavior. For example, Magklaras and Furnell have developed a three-tiered structure of mathematical functions that form an insider threat prediction model capable of calculating threat probability (2001). What is often interesting is that articles will mention that insider threats are “a comprehensive issue that involves human factors and system factors so that the detection needs to be considered from the above two aspects simultaneously” (Zhu, Guo, Ju, Ma & Wang, 2017) but will then only discuss anomaly detection and not human factors. Other recent research has looked at some exceptional tools that focus on deep system learning and system log analysis whereby the system itself “can learn both the essence of normal behaviors and abnormal behaviors, fully characterizing the rich internal information of the data, to form an adaptive optimization DBN (deep belief net) model for insider threat detection (Zhang, Chen & Ju, 2018). In effect, although some very exciting and certainly impactful tools, the threat is already within the organization, has attempted to make an attack, and these tools focus on attending to the event a posteriori. The threat attack has happened and you are now reacting to it. In effect, all these post-event tools can provide is to minimize damage to an attack that has been attempted or has occurred.
One of the most broadly accepted standards for Insider Threat programs is that developed by the United States Department of Commerce, National Institute of Standards and Technology (NIST). NIST’s framework for Insider Threat programs includes four core components, namely that a program must identify the threat, protect against it, have detection tools in place, and the ability to respond and recover (NIST, 2013). Another recent example of a technically well written and well regarded guide on Insider Threat Best Practices has been prepared by the Security Industry and Financial Markets Association (SIFMA, 2018). SIFMA classifies itself as “the voice of the nation’s securities industry” (SIFMA, n.d.). Interestingly, the SIFMA guide notes that an effective program must combine “policy and human elements with technical controls and solutions into a single, holistic model” (Sidley Austin LLP, 2018). It goes on to note that “Numerous academic studies have attempted to identify the psychological traits prevalent in insider spies”. Nevertheless, psychological, demographic, and occupational characteristics do not easily translate into a set of rules that can be applied to discover and predict insider attacks, and the relationship between such characteristics and unintentional insider threats is even more difficult to measure (Sidley Austin LLP, 2018). I am reminded of an axiom. Just because something isn’t easy, does not mean that it should not be done. Indeed, as this paper has thus demonstrated, the assessment of one’s personality and social bonds are critical to the proper development and effective implementation of any meaningful insider threat program. To leave personality and social bonds out of any meaningful insider threat program is quite simply to leave the person who is committing the act out of the equation. Since it is the person who commits the act, a program must account for this key human dimension. Any effective insider threat program must include a priori screening of known threat indicators before the threat is allowed into your organization. If the program does not account for blocking the threat from entering the organization, it will be severely limited to reacting to insider threats versus blocking them from happening.
Financial Impact of Insider Threat Events
So far, it has been made clear that there is awareness of the leading indicators for insider threat behaviour through the dark triad, and there are effective tools available that can detect for this potential vulnerability. I have also discussed how current programs focus on strategies that could more accurately be considered response actions (a posteriori) versus an effective mitigation strategy. I have highlighted that in a government of Canada context, the threat and vulnerability from such events is the significant damage to the reputation of Canada and the significant impact this has on our international relationships. Beyond the risk of reputation there is another extremely key factor. Namely, the Canadian economy is at risk from insider threat attacks. By way of an example consider that one single department, Service Canada, is responsible for the dispensation of 170.2 million transactions totaling more than $180 billion dollars (Employment and Social Development Canada, 2020). Compared against the overall Canadian gross domestic product of approximately $1 trillion dollars annually, this one department accounts for 9% of the Canadian economy (Statistics Canada, 2021). In effect, it is not impossible to conceive that a significant insider threat attack could have a catastrophic impact not only to reputation, but to the entire Canadian economy.
Insider Threat as Applied Research
Critical Analysis of Insider Threat Research
Up to this point I have demonstrated the following. Firstly, that there is indeed a real threat in the world and here in Canada linked to insider threats. Whether it is the cases of Sinclair or Delisle as presented, or the upcoming trial and allegations of Ortis; there is clear evidence that insider threats have been found within the government of Canada, and logically we must conclude that there will be others to follow. Secondly, I have presented the research that demonstrates a direct link to the dark triad personality traits of Machiavellianism, psychopathy and narcissism and insider threat behavior. Thirdly, I have discussed the relationship between Social Control Theory/social bonds, and where their absence is linked to criminal behaviour. Additionally, how one’s Life-Course trajectory can have a mitigating or aggravating effect. That is to say, one’s life-course trajectory can lead to the development of social bonds that offsets the insider threat behaviour or inversely, the removal of social bonds can increase threat risk. Finally, I have discussed that the current industry best practices for insider threat protection programs is through a posteriori IT tools on systems that seek to protect organizations after the threat/attack has happened.
When we consider the points above, the gap in literature, research and indeed in current practice becomes apparent. An insider threat program designed to attend to a threat cannot be effective if it only begins after the attack or attempt has happened. In the government of Canada context where I have previously discussed that the brand is the “trust” relationship with Canadians, there is an ethical imperative to ensure that any insider threat program takes a proactive approach and cannot be reactive. When considering the absolute need toward the safeguarding of Canadian’s information and assets, the government has both an ethical obligation and fiduciary responsibility to ensure a priori protection. Additionally, and it must be stated, there is a need for such an a priori program to be implemented at the enterprise level. That is to say, that it must be consistent horizontally across all of the federal government. I can state with first-hand experience, there is no consistent approach or application to insider threat programs at this time that is equal across all of the federal government departments. This lack of consistency will be explored empirically at a later date as a means to validate patterns. Worthy of note, this current lack of an enterprise approach can be linked to limitations and an imbalance on resources and technologies between departments of different size as well as variance in the perception of risk.
If we know from the research that dark triad personality traits are present in individuals who commit insider threat attacks, and it seems apparent that social bonds and a person’s life-course trajectory have a significant role in whether someone commits deviant or impulse-driven behaviour then surely research could be undertaken that validates this connection and develops a screening tool. Not unlike the HEXACO inventory, a screening tool could be developed that would highlight the leading indicators of insider threat risk. Such a tool could be used a priori in the hiring process that would be informative, and indeed could offer the opportunity to mitigate insider threats before they ever take place. If, as I have stated, there is an ethical imperative to have such a tool, the use of such a tool does beg the question on the ethics of its use. What do ethics and practice tell us about screening someone for potential behavior before they have committed any act? Surely such tools cannot be ethical. Indeed they are ethical, and are already very commonplace in their use.
It is important to address the ethical concern head-on. There is indeed research that discusses how the use of screening tools on employees is unethical. For example, in his research, Davidson discusses a wide array of testing procedures currently in use in the United States, such as drug screening and polygraph testing (1988). While recognizing that the loss to organizations through theft or inefficiency was more than $100 billion a year, Davidson did conclude that the use of such tests was unethical, largely based on how he considered such tests to be an invasion of individual privacy. This protection of privacy was codified in US federal legislation, namely the Employee Polygraph Protection Act, enacted in 1988. This act prohibits essentially all private sector employers from demanding employees submit to a polygraph. Interestingly, this protection to the private sector does not apply to US federal employees where polygraph testing is widely conducted and publicly reported. Examples include obligatory polygraph testing for individuals holding Top Secret Security clearances, or employees of intelligence services (Henderson, 2020). These same contradictions between what is seen as commonplace yet unacceptable is also present in Canada. For example, R v Beland (1987) reject the use of polygraph evidence aimed at supporting someone’s credibility. At the same time, the Canadian Security Intelligence Service (CSIS) notes in its hiring Frequently Asked Questions (FAQs) that “All CSIS employees must obtain a Top Secret security clearance and the polygraph is a mandatory part of the process” (CSIS, 2020). Quick web research will also show that the use of a polygraph is fairly commonplace as part of the hiring process for many police forces across Canada as well (Cape Breton Regional Police, n.d.; Royal Canadian Mounted Police, n.d.). Putting aside the specifics of polygraph testing, “integrity testing” for personnel selection is quite commonplace (Dalton and Metzger, 1993), and indeed is mandatory for federal employees in Canada (TBS, 2014). Research has shown that conducting integrity testing, when paired with human resources practices, increased employee work performance (Febrina and Syamsir, 2020; Rosmi and Syamsir, 2020). In the context of those wanting employment in the federal government, the participation in this integrity testing (in the form of security screening) is voluntary insofar as you can exclude yourself, but this immediately disqualifies you for the position. Indeed, maintaining a valid security screening is a standard condition of employment (TBS, 2014). The purpose of these security screenings is to assess an individual’s honesty and reliability as well as their loyalty to Canada (TBS, 2014). When considering the ethics of this practice, we must consider whether screening for honesty, reliability and loyalty is ethical when someone has not exhibited behaviours to the contrary. The TBS policy offers that the conduct of such a screening is “a fundamental practice that establishes and maintains a foundation of trust within government, between government and Canadians, and between Canada and other countries” (TBS, 2014). I immediately refer back to how the “brand” for the government is indeed that trust relationship. As was noted in the Sinclair and Delisle cases, the damage to that trust relationship and the consequences are extreme and long-lasting. Further, I have highlighted that there is a significant financial exposure to potential insider threat attacks. Where one single department manages 9% of Canada’s gross domestic product (Employment and Social Development Canada, 2020; Statistics Canada, 2021), the potential risk that an insider threat could pose would not only impact the organization, but the Canadian economy as a whole.
Given the use of employee screening tools and that they are a generally accepted practice, and given the expectation of Canadians that their information will be appropriately safeguarded, compounded by the exceptional financial risk; there is indeed an ethical imperative to have such screening programs, and they are equally commonplace.
This paper has positioned the following critical points. Firstly, that there has been validated insider threats within the government of Canada, and that the actions of these rogue individuals has had significant and lasting negative effects for the government. The result of these attacks has certainly been an international degradation of Canada’s reputation, and the trust “brand” of the government has been severely impacted. Further, there is an exceptionally high risk that an insider threat attack could have a catastrophic financial impact that could impair the Canadian economy. Secondly, this paper has presented that there are indeed specific personality traits that are associated with insider threat activities. These traits, known as the dark triad, can indeed be used to predict insider threat potentiality (Jones and Paulhus, 2011). As not all people who hold dark triad personality traits commit insider threat attacks, I have posited that social bonds could be the mitigating factor and that these bonds can change through one’s life-course trajectory and journey. This relationship and integration of dark triad traits and social bonds needs to be studied and validated. This integration, if validated, may indeed lead to a new framework and understanding. To that end, I have presented that the HEXACO or some similar, if not modified version, would be best suited to validate this relationship. Thirdly, I have discussed how the current “best practices” linked to insider threat programs are almost exclusively focused on activities a posteriori to an employee being within (hired by) the organization. That is to say, they are entirely reactive and inwardly focused, and therefore are more associated with reducing the impact of an event than reducing the actual threat risk. I further explore the practical implications, if not the critical need for an assessment tool to be developed so as to be employed at the front-end of a human resource process. I have argued that there is a need for a priori assessment so that the true potentiality of an insider threat attack can be reduced before the person is employed and granted access to critical systems. Lastly, I have concluded that the use of assessment tools in government, and indeed in the private sector are commonplace, and are ethically required given the foundational role and relationship the government has on ensuring it lives up to its trust brand. In fact, I have shown that to not have these tools is an ethical failing and is a breech in the fiduciary relationship the government has with Canadians. This paper has noted that there is indeed an insider threat problem. We know potential causes and mitigations. What needs to come next is the development of an effective and rigorous assessment tool that can be applied by human resources professionals as a means to reduce insider threat risk before someone is offered the opportunity to strike.
Anderson, S., Culbert, A., & McKeown, B. (2020). How a high-stakes gambler set authorities on the trial of accused Canadian spy Cameron Ortis. CBC News. https://www.cbc.ca/news/canada/cameron-ortis-investigation-rcmp-1.5827502
Arnett, Jeffrey J. (1988). Risk Behaviour and Family Role Transitions During the Twenties. Journal of Youth and Adolescence. 27:301-319.
Ashton, M. C., & Lee, K. (2007). Empirical, theoretical, and practical advantages of the hexaco model of personality structure. Personality and Social Psychology Review : An Official Journal of the Society for Personality and Social Psychology, Inc, 11(2), 150–66. https://doi.org/10.1177/1088868306294907
Blickle, G., & Genau, H. A. (2019). The two faces of fearless dominance and their relations to vocational success. Journal of Research in Personality, 81, 25–37. https://doi.org/10.1016/j.jrp.2019.05.001
Bronskill, Jim. (2021). Canada’s spy-catching system caused delay, angst in Delisle case: former FBI official) CTV News. https://www.ctvnews.ca/politics/canada-s-spy-catching-system-caused-delay-angst-in-delisle-case-former-fbi-official-1.5270234
Borden Colley, Sherri. (2019). Convicted spy Jeffrey Delisle released on full parole. CBC News. https://www.cbc.ca/news/canada/nova-scotia/convicted-spy-russians-canadian-armed-forces-parole-1.5049166
Brunell, A. B., Gentry, W. A., Campbell, W. K., Hoffman, B. J., Kuhnert, K. W., & Demarree, K. G. (2008). Leader emergence: the case of the narcissistic leader. Personality & Social Psychology Bulletin, 34(12), 1663–76. https://doi.org/10.1177/0146167208324101
Brunas-Wagstaff, J., Bergquist, A., Richardson, P., & Connor, A. (1995). The relationships between functional and dysfunctional impulsivity and the eysenck personality questionnaire. Personality and Individual Differences, 18(5), 681–683. https://doi.org/10.1016/0191-8869(94)00202-4
Canada (government of). (2019). The face of the Government of Canada: a brand that never goes out of style. https://www.canada.ca/en/government/system/digital-government/living-digital/face-government-canada-brand-never-goes-out-style.html
Canadian Security Intelligence Service. (2020). Applying for a job at CSIS: Frequently Asked Questions. https://www.canada.ca/en/security-intelligence-service/corporate/csis- jobs/faq.html
Cape Breton Reginal Police. (n.d.). Pre-Employment Polygraph Applicant’s Booklet. https://www.cbrps.ca/3-pre-employment-booklet/file.html
Caspi, A., Bem, D., & Elder, G. H. Jr. (1990). Personality continuity and change across the life course. Handbook of Personality: Theory and Research, ed. L.A. Pervin, p 549-75. New York.
Cleckley, Dr. H. M. (2016). The Mask Of Sanity: An Attempt To Clarify Some Issues About the So-Called Psychopathic Personality 3rd Edition. Hauraki Publishing. http://ebookcentral.proquest.com/lib/royalroads-ebooks/detail.action?docID=4808049
CERT Inside Threat Center. (2016). Common Sense Guide to Mitigating Insider threats. (5th Ed.). Pittsburgh, PA, USA. Retrieved from https://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_484758.pdf
Cybersecurity Insiders. (2018). Insider Threat Report. https://cdn2.hubspot.net/hubfs/5260286/PDFs – Whitepapers, Case Studies, 20 Datasheets/Whitepapers/insider-threat-report-2018-wp.pdf
Davidson, D. (1988). Employee testing: an ethical perspective. Journal of Business Ethics, 7(3), 211–217.
Dear, G. E. (2000). Functional and dysfunctional impulsivity, depression, and suicidal ideation in a prison population. The Journal of Psychology, 134(1), 77–80. https://doi.org/10.1080/002 23980009600850
Dickman, S. (1990). Functional and dysfunctional impulsivity: Personality and cognitive correlates. Journal of Personality and Social Psychology, 58. 95-102.
Drayton, Mike. (2009). The Minnesota Multiphasic Personality Inventory-2 (MMPI-2). Occupational Medicine, Vol 59 (2). https://doi.org/10.1093/occmed/kqn182
Elder, G.H. Jr. (1985). Perspectives on the life course. Life Course Dynamics, ed. G.J. Elder Jr., pp 23-49. Ithaca, USA
Employment and Social Development Canada. (2020). Departmental Results Report.for fiscal year 2019 to 2020. https://www.canada.ca/en/employment-social-development/corporate/reports/departmental-results/2019-2020.html
Febrina, Dita and Syamsir, Syamsir (2020) The Influence of Integrity and Commitment Organizational on Employee Performance. International Journal of Research and Analytical Reviews (IJRAR),, 7 (1). pp. 799-805
Gemmill, G. R., & Heisler, W. J. (1972). Machiavellianism as a factor in managerial job-strain, job-satisfaction, and upward mobility. Academy of Management Journal, 15(1), 51–51.
Government of Canada. (2003). Defence Administrative Orders and Directives (DAOD) 8002- 02, Canadian forces National Counter-Intelligence Unit. https://www.canada.ca/en/department-national-defence/corporate/policies-standards/defence-administrative-orders-directives/8000-series/8002/8002-2-canadian- forces-national-counter-intelligence-unit.html
Gottfredson, M. R., & Hirschi, T. (1990). A general theory of crime. Stanford University Press.
Hare, R. D. (1995). Psychopaths and their nature: Implications for the mental health and criminal justice systems. E. Simonson & T. Millon (Eds), Psychopathy: Concept, Etiology, Epidemiology, and Treatment. New York Guilford.
Hare, R. D. (1998). The hare pcl-r: some issues concerning its use and misuse. Legal and Criminological Psychology, 3(1), 99–119. https://doi.org/10.1111/j.2044- 8333.1998.tb00353.x
Henderson, William. (2020). How to Prepare ofr a Security Clearance Polygraph Examination. ClearanceJobs. https://news.clearancejobs.com/2020/08/25/how-to-prepare-for-a-security- clearance-polygraph-examination/
Hirschi, T. (1969). Causes of delinquency. Berkeley: University of California Press.
Hodson, G., Hogg, S. M., & MacInnis, C. C. (2009). The role of “dark personalities” (narcissism, machiavellianism, psychopathy), big five personality factors, and ideology in explaining prejudice. Journal of Research in Personality, 43(4), 686–690. https://doi.org/10.1016/j.jrp.2009.02.005
Jonason, P. K., Li, N. P., & Buss, D. M. (2010). The costs and benefits of the dark triad: implications for mate poaching and mate retention tactics. Personality and Individual Differences, 48(4), 373–378. https://doi.org/10.1016/j.paid.2009.11.003
Harrison, A., Summers, J., & Mennecke, B. (2018). The Effects of the Dark Triad on Unethical Behavior. Journal of Business Ethics, 153(1), 53–77. https://doi.org/10.1007/s10551-016- 3368-3
Hart, S. & Hare, R. (1996). Psychopathy and antisocial personality disorder. Current Opinion in Psychiatry, 9(2), 129-132. https://oce-ovid-com.ezproxy.royalroads.ca/article/00001504- 199603000-00007/HTML
Hogan, R., & Shelton, D. (1998). A socioanalytic perspective on job performance. Human Performance, 11(2/3).
Jones, D. N., & Paulhus, D. L. (2011). The role of impulsivity in the Dark Triad of personality. Personality and Individual Differences, 51(5), 679–682. https://doi.org/10.1016/j.paid.2011.04.011
Jones, D. N., & Paulhus, D. L. (2014). Introducing the short dark triad (sd3): a brief measure of dark personality traits. Assessment, 21(1), 28–41. https://doi.org/10.1177/1073191113514105
Keeney, M., Kowalski, E., Cappelli, D., Moore, A., Shimeall, T., & Rogers, S. (2005). Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. National Threat Assessment Centre, Washington, DC. https://apps.dtic.mil/docs/citations/ADA636653
Lange, D., Lee, P. M., & Dai, Y. (2011). Organizational reputation: a review. Journal of Management, 37(1), 153–184. https://doi.org/10.1177/0149206310390963
Lee, K., & Ashton, M. C. (2012). Getting mad and getting even: agreeableness and honesty- humility as predictors of revenge intentions. Personality and Individual Differences, 52(5), 596–600. https://doi.org/10.1016/j.paid.2011.12.004
Lee, K., Ashton, M. C., Wiltshire, J., Bourdage, J. S., Visser, B. A., & Gallucci, A. (2013). Sex, power, and money: prediction from the dark triad and honesty-humility. European Journal of Personality, 27(2), 169–184. https://doi.org/10.1002/per.1860
Lee, K., & Ashton, M. C. (2014). The dark triad, the big five, and the hexaco model. Personality and Individual Differences, 67, 2–5.
Legg, P. A., Moffat, N., Nurse, J. R., Happa, J., Agrafiotis, I., Goldsmith, M., & Creese, S. (2013). Towards a conceptual model and reasoning structure for insider threat detection. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 4(4), 20-37.
Lilienfeld, S. O., & Widows, M. R. (2005). Psychopathic Personality Inventory-Revised: Professional Manual. Lutz, FL: Psychological Assessment Resources Inc.
Luoma-aho, Vilma, and Mirja E. Makikangas. 2014. Do Public Sector Mergers (re) Shape Reputation? International Journal of Public Sector Management 27(1): 39–52.
Machiavelli, N., & Bondanella, P. (2005). The prince. Oxford: Oxford University Press.
Maasberg M, Warren J, Beebe NL (2015) The dark side of the insider: detecting the insider threat through examination of dark triad personality traits. In 2015 48th Hawaii International Conference on System Sciences. IEEE, pp 3518–526. https://doi.org/10.1109/HICSS.2015.423
Magklaras G. B. Furnell S. M. (2001). Insider threat prediction tool: Evaluating the probability of IT misuse.Computers & Security, 21(1), 62–73. 10.1016/S0167-4048(02)00109-8
Maor, Moshe. (2016). Responsive Change: Agency Output Response to Reputational Threats. Journal of Public Administration Research and Theory 26(1): 31-44.
Murphy, P. R. (2012). Attitude, machiavellianism and the rationalization of misreporting. Accounting Organizations and Society, 37(4), 242–259
National Institute of Standards in Technology. (2013). Security and Privacy Controls for Federal Information Systems and Organizations. Joint Task Force Transformation initiative. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Padilla, A., Hogan, R., & Kaiser, R. B. (2007). The toxic triangle: destructive leaders, susceptible followers, and conducive environments. Leadership Quarterly, 18(3), 176–176.
Paulhus, D. L., & Williams, K. M. (2002). The Dark Triad of personality: Narcissism, Machiavellianism, and psychopathy. Journal of Research in Personality, 36(6), 556–563. https://doi.org/10.1016/S0092-6566(02)00505-6
R. v. Beland. (1987). Supreme Court Judgements. https://scc-csc.lexum.com/scc-csc/scc- csc/en/item/250/index.do?r=AAAAAQAGQmVsYW5kAAAAAAE
R. v. Delisle (2012). Nova Scotia Department of Justice Pre-Sentence Report. https://assets.documentcloud.org/documents/602196/delisles-pre-sentence-report.pdf
R. v. Reid. (2010) Canadian Military Appeals Court (CMAC). https://www.cmac- cacm.ca/Content/assets/pdf/Reports-2005-2015/2010CMAC-CACM4_Reid.pdf
Randazzo, M. R., Keeney, M., Kowalski, E., Cappelli, D., & Moore, A. (2005). Insider threat Study: Illicit Cyber Activity in the Banking and Finance Sector (CMU/SEI-2004-TR-021). Carnegie-Mellon University, Pittsburgh, PA, Software Engineering Institute. https://apps.dtic.mil/docs/citations/ADA441249
Rayburn, J. M., & Rayburn, L. G. (1996). Relationship between Machiavellianism and Type A personality and ethical-orientation. Journal of Business Ethics, 15(11), 1209–1219. https://doi.org/10.1007/BF00412819
Rosmi, Rosmi and Syamsir, Syamsir (2020) The Influence of Integrity and Work Experience on Employee Performance. International Journal of Research and Analytical Reviews (IJRAR),, 7 (1). pp. 789-794.
Royal Canadian Mounted Police. (n.d.). Pre-Employment Polygraph. https://www.rcmp- grc.gc.ca/en/pre-employment-polygraph
Salvatore, C., & Taniguchi, T. A. (2012). Do social bonds matter for emerging adults? Deviant Behavior, 33(9), 738–738. https://doi.org/10.1080/01639625.2012.679888
Sampson, R. J., & Laub, J. H. (1993). Crime in the Making. Pathways and turning points through life. First Harvard University Press. Cambridge, MA.
Semmer, N. K., Tschan, F., Meier, L. L., Facchin, S., & Jacobshagen, N. (2010). Illegitimate tasks and counterproductive work behavior. Applied Psychology, 59(1), 70–96. https://doi.org/10.1111/j.1464-0597.2009.00416.x
Sharma, R., & Prasad, A. (2018). Employer brand and its unexplored impact on intent to join. International Journal of Organizational Analysis, 26(3), 536–566. https://doi.org/10.1108/IJOA-11-2017-1280
SIFMA. (n.d.). https://www.sifma.org/
Statistics Canada. (2021). Gross domestic product (GDP) at basic prices, by industry, monthly, growth rates (x1,000,000). https://www150.statcan.gc.ca/t1/tbl1/en/tv.action?pid=3610043402
Swift, T. (2001). Trust, reputation and corporate accountability to stakeholders. Business Ethics: A European Review, 10(1), 16–26. https://doi.org/10.1111/1467-8608.00208
Treasury Board Secretariat. (2014). Standard on Security Screening. https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=28115§ion=html
Treasury Board Secretariat. (2019). Directive on Security Management. Appendix J: Standard on Security Categorization. https://www.tbs-sct.gc.ca/pol/doc- eng.aspx?id=32614§ion=html
US Department of Commerce. (n.d.). National Institute of Standards and Technology (NIST). Computer Security Resource Centre (CSRC). Glossary. https://csrc.nist.gov/glossary/term/insider_threat
US Department of Homeland Security. (n.d.). Cyber Security, Science and Technology, Insider Threat. https://www.dhs.gov/science-and-technology/cybersecurity-insider-threat
Wood B. (2000). An insider threat model for adversary simulation. SRI International. Research on Mitigating the Insider Threat to Information Systems, 2, 1–3.
Westoll, N. & Campbell, M. (2020). Family, friends of Jessica Lloyd mark decade since Russell Williams received life sentence. Global News. https://globalnews.ca/news/7411289/jessica-lloyd-russell-williams-sentenced-10-years/
Williams, K. M., Nathanson, C., & Paulhus, D. L. (2010). Identifying and profiling scholastic cheaters: their personality, cognitive ability, and motivation. Journal of Experimental Psychology: Applied, 16(3), 293–307. https://doi.org/10.1037/a0020773
Zhang, J., Chen, Y., & Ju, A. (2018). Insider threat detection of adaptive optimization dbn for behavior logs. Turkish Journal of Electrical Engineering and Computer Sciences, 26(2), 792–802. https://doi.org/10.3906/elk-1706-163
Zhu, T., Guo, Y., Ju, A., Ma, J., & Wang, X. (2017). An insider threat detection method based on business process mining. International Journal of Business Data Communications and Networking, 13(2), 83–83.