Countering human-centered, inside-the-system (insider) threats to critical infrastructure security means confronting the nonlinearity of human-centered behaviour. The threats include occupational fraud, theft, corruption, workplace sabotage and workplace violence.

It is beyond a single article to cover the science on nonlinearity. Emerging science is spellbinding, offering promise to the next generation of security. Our challenge is introducing it to insider problems in ways that are immediately recognizable and meaningful to the daily realities faced by risk managers and internal security personnel tasked with minimizing human-centered threats.

Having written this, a distinction can be drawn in policy, guidelines and harms reduction practice between mostly honest people, who cheat a little bit when tempted to do bad things, and predation. Mostly honest employees must rationalize decisions that confront their morals when tempted to do bad things. They are more vulnerable to temptations when their resilience (emotions) is low. Predation is more closely aligned with aggression. This is the domain of people with anti-social personality disorders such as psychopathy or sociopathy, whose attacks come from outside the system, with some perhaps slipping through human resources screening and getting inside. The percentage of people with anti-social behaviour disorder is predicted to range between 1.5 and four percent of a population, depending on who you care to cite.

When considering interventions against insider threats, it is important to factor in the role environment plays in shaping human behaviour, and it is considerable. Place this within the context of evolution. Environmental conditions bring about speciation. Many of the same rules from nature apply at a more granular level to inside-the-system behaviours. Environment is a huge factor to consider in how employees and contractors behave and, in the case of such critical infrastructure as health care, in how trusted billing partners behave. To say this is complex and messy is an understatement!

Here is the rub from a prevention science perspective. It can be counter-productive to security at critical infrastructure not to make a clear distinction in policy, guidelines, communications and interventions between ordinarily honest people and predators. The last thing you want to do is aggravate mostly honest people, thus providing them with rationalizations and excuses when tempted to do bad things.

The consideration of prevention science is that everything is situational and ought not to be painted with a broad brush. This is the stuff of complex systems thinking: the business of understanding how what you are doing and communicating in one domain is impacting on another. The problem appears most acute in the health care sector. It confounds me that those overseeing trusted billing system providers haven’t figured this out. Some are turning to behavioural insights, but unfortunately as the panacea. According to a meta-analysis, it is a little more complicated than putting all the eggs in one basket. The rule of thumb for behavioural biologists is that it always depends. It depends on context.