Economic Espionage: Behavioral Study on Employee Reporting of Insider Threat Incidents
In 2020, MITRE behavioral psychologists conducted a sensitive behavioral experiment, the first of its kind, to derive a data-driven understanding of why employees do not report insider threat incidents. To accomplish this, we sent a series of LinkedIn messages from a recruiter with ties to a foreign adversary to 300 random employees at a medium-size company in the National Capital Region. The three messages were crafted from actual messages used by foreign adversaries, and each one uniquely and clearly escalated the recruiter’s approach. We asked employees who reported the messages (Reporters) and those who did not (Non-Reporters) to meet for a 1-hour security interview, which included a set of open-ended questions and a 109-item questionnaire, through which we collected information on their attitudes, intentions, decisions, perceptions, and emotions to better understand why some people report and, more importantly, why others do not. Findings from the study identified the reporting rate for insider threat incidents to be no more than 39%. In addition, we identified statistical differences in Reporters’ and Non-Reporters’ attitudes, intentions, and behaviors.
We leveraged the data and findings to evaluate current assumptions about low reporting rates, including perceptions of security reporting mechanisms, concerns about anonymity, fears of retaliation for reporting, and expectations about the response from security after reporting. Based on that analysis, the MITRE research team made evidence-based recommendations for how security awareness programs, security reporting programs, and Insider Threat/Risk Programs can improve employee reporting of insider threats at their organization. The reusable methodology for the behavioral experiment is ready to be used in other government and critical infrastructure organizations to help more accurately establish the baseline for actual employee reporting of insider risks and to learn from the Reporters and Non-Reporters in their own organization.