Something completely different. Sorta.

Hello blog, it’s been about 2 years and I have some thoughts, more on the psychology side and less so on insider threat, but there are connections to be made. Apologies if this gets stream-of-consciousness.

First up, work. My last post dealt with the evolution of work and the potential for a universal basic income, so I suppose it makes sense to start here.

I heard a news story this morning about Snag Work. It’s essentially a hiring service for menial labor jobs in the service industry – hotels, food service, and retail. From what I gather, it’s a pretty good setup for people who need an income (all of us) and flexibility (all of us), but hires are treated as 1099 contractors rather than as employees of the organization they work for.

Never having worked as a 1099 contractor, I wasn’t aware of how few legal protections and regulations cover this kind of work; the counterargument to services like this is essentially about those downsides: no unemployment coverage, problems with healthcare coverage, etc.

I could see more and more of society shifting to this kind of gig work. In many ways it seems inevitable given the amount of automation and the reduction in traditional manufacturing labor needs. So perhaps the argument shouldn’t be about the downsides of an increasingly gig-based economy (which seems to go hand in hand with global volatility, doesn’t it?), but rather this: if we want an economy that works, we need to build more robust and useful social support programs – you know, like guaranteed health coverage or a UBI.

I’ll get off that soapbox now… and onto the next.

From the time my children could move about on their own, I’ve noticed how they choose to squat or stand rather than sit. Increasingly I get the impression that sitting is less about comfort and more about group dynamics and institutional control of subordinates. Why do I think this? I’ll get there.

As others have put it, our ancestors were essentially on a millennia-long camping trip that ended only very recently. Our minds (as I’ve expressed elsewhere) are the product of THAT world and best suited for THOSE purposes, regardless of where we find ourselves today. Our bodies, too, are suited for a lifetime of movement, and yet we seem to avoid movement, nearly enforcing sitting or lying down whenever possible rather than standing or squatting.

I digress. As anyone with kids, or who works with kids, will tell you, they have a hard time sitting still. At our home, if one of our kids has a hard time sitting still during dinner, they are welcome to stand. It is not a punishment; it’s a recognition that their body needs to move. Restricting the body, which houses the mind, is going to place negative stressors on the mind, and that will have some net effect. So why not just stand up?

Back to why I think sitting is about power dynamics – I got a report that a certain young man had trouble sitting still in circle time. It’s not a big deal and wasn’t made a big deal of, just noted, but it got me thinking. Why does he need to sit? Can he stand up? Can he squat? So I asked.

The answer, of course, was yes. Kids who want to stand are allowed to, at the back of the circle. I get it, there is a certain degree of crowd control required to do anything with more than 2 kids at a time, and distractions are just that. But how about we all just stand then? My guess is the kids who might want to stand see it as a punishment, because they are nearly removed from the group. In a sense they are the “out group” because they are not acting in sync with what has now been established as the “right” way to act, the “in-group acceptable norms.” I’ve certainly seen this dynamic as someone who prefers to stand at meetings. Others will practically treat it as a hostage situation if you stand while they sit, trying to cajole you into a seat. I’ve also seen people fall asleep at said meetings, something which happens with much less frequency in standing meetings.

I’m heartened to hear of schools that are experimenting with solutions for kids such as standing desks or pedaling desks, so their bodies can burn the energy they need to, which also means healthier kids.

On the other hand, I was dumbfounded to learn recently that many people cannot actually squat in place – we have been trained to sit so thoroughly that the muscles involved are weakened through lack of use or misuse. I’m no physiologist, but squatting must help posture, reduce tension on the spine, blah, blah – which should result in a positive net effect for our minds.

When we feel better physically, we feel better mentally. When we feel better mentally, we are less likely to be jerks to others, and really isn’t that what the hokey pokey is all about?

In summary – evolutionary psychology is informed by evolutionary physiology. In establishing power dynamics (e.g. “I talk, you listen”; “I important, you not”) we have created cultures which insist upon the suppression of valid physiological needs (e.g. body moves, and in doing so gets exercise, stays healthy). So next time you see me standing next to a chair at a meeting, or squatting at the bus stop, maybe give it a try first and see if you feel better too. Then, pass it along.


7.4 billion monkeys with enlarged craniums and a trillion devices….


If you’ve been following artificial intelligence and the coming revolution like I have, you’ve probably picked up on a few common themes:

  1. Universal Basic Income
  2. People are freed of work
  3. Peoples’ lives are less meaningful without work

I’m on board with one and two, but point three is really sticking in my craw.

But let me back up. If you’re not following the general conversation on AI, here’s basically what’s going on. The development of machines eliminated some human jobs (routine manual labor); the development of computers eliminated other human jobs (routine cognitive labor). Up to now, non-routine cognitive work, and to an extent non-routine manual work, has been the safe haven of humanity – machines weren’t able to make the mental shortcuts required for these tasks. Well, that day is basically here.


A few months ago, an AI named AlphaGo, built on “deep learning” (deep neural networks combined with tree search), beat Lee Sedol, one of the world’s top players, at Go (a strategy game, essentially chess on PCP). Only months before, the thinking was that this level of AI was a decade out – not so much. Let me put this in perspective: the game of Go has more possible board positions than there are atoms in the universe, and by more I mean by a large factor. Traditional brute-force computing couldn’t search enough of those positions in a reasonable amount of time to take down a top professional. This AI instead learned from records of human games and then from playing itself, developing something like concepts of the game, and was awarded an honorary 9-dan ranking, the highest professional rank there is (traditionally called “entering divinity”).

Basically, the consensus now is that the days of machines outperforming humans across all task types – routine manual, routine cognitive, non-routine manual, and non-routine cognitive – are effectively here. The commercialization and deployment of this technology will only be as slow or as fast as the economy mandates, but it’s already eating into call-center work (millions of jobs globally), being added to your messaging services, to how you buy things, etc.


A nightmarish depiction of the author via Deep Dream

Even the arts are not free from AI – just last year you probably saw a few Google deep-dream art pieces on your friends’ feeds; well AI is moving into music and writing as well. Given the massive repository of data for AI to digest and learn from, everything is really a matter of time – and not much time at that.

If you’re saying, “So what?” or “sounds good!” we’re on the same page. A world in which machines do the labor while people rest on their laurels sounds like a place that might know no war, know no famine, and is free to pursue higher aspirations, whatever those might be.

The train of thought continues – if there’s no work, then we end up with a universal basic income for all. I think this, coupled with the idea of no “jobs”, is what really bothers a bunch of folks, particularly here in America where some consider hours spent at work to be a status symbol.

If you haven’t seen it, here’s a sample from a recent article in the Guardian discussing Yuval Noah Harari’s thoughts on the matter:

“What might be far more difficult is to provide people with meaning, a reason to get up in the morning,” Harari says. For those who don’t cheer at the prospect of a post-work world, satisfaction will be a commodity to pay for: our moods and happiness controlled by drugs; our excitement and emotional attachments found not in the world outside, but in immersive VR.

I would counter that the Western concept of a life well lived – going to work 60+ hours a week and dying of a heart attack immediately after retirement – is not actually in line with our innate biological drives or mechanisms, and at their core I imagine most folks would agree.


I’m not sure who gets out of bed for this.

In America at least, if you’re not working in a coal mine or tied to a desk, you’re usually perceived as a free-rider, a ne’er-do-well, a parasite. I recall one day in college calculus when a professor said to me, out of nowhere, “idle hands, Mr. Whalen, are the devil’s workshop.” Strangely I had never heard the phrase before, but it seems to encapsulate the American attitude towards work – if you’re not actively engaged in a task, and by that we mean unpleasant effort, then you are evil. In other words, a life of pain is good, a life free of pain is bad.

I won’t bother delving into the roots of this cultural phenomenon, but it’s fair to say this mental framework is in exact opposition to the biological drives of all animals: avoid stressors, conserve energy. Yes, all animals are driven to eat and reproduce, but not to the extent that they create a calorie debt; biologically we are no different.


Praying mantis in its natural state.

In the cultural context I’m defining work as a non self-fulfilling task which one engages in to obtain either the means to purchase or directly obtain food, shelter, or other goods and services. In this respect an artist who enjoys their work is not engaged in the cultural context of work, even though they may obtain payment for their work. I’m not belittling the value of the artist’s work, simply stating that culturally speaking in the West, this is usually not considered “work” in the classical sense.

So does everyone sit in their apartment, play video games and smoke pot? Maybe, but what exactly is the problem with that? Those individuals are making risk benefit decisions about how they want to live their lives, which frankly if they won the lotto in a pre-UBI world, would not receive as much disdain. Perhaps it is the leveling of the field which bothers many of us so much – that it becomes harder to demonstrate being one up on our neighbors? Perhaps it’s jealousy, of being unable to allow oneself to relax the way one would like to.

When I left active duty in the military I had 75 days of leave saved up. Rather than “buy back” some of that time, I took the full 75 days off from work. I was not able to play video games the whole time; technically I could have, but I just couldn’t sit around that much. And that’s not because I was an army guy – I didn’t really fit the stereotype (and few of us do). My body and brain needed me to get out and see the sun, to do something, to interact with the world. This is where I think a UBI would take us: to a new concept of work.

With UBI, work could become a choice – a task we engage in for the enjoyment of the task or the fruit of the task. Farmers could farm, for the joy of it. Gamers could game, for the joy of it. Writers could write. Hikers could hike. Politicians could… stay at home?

And everyone would have the freedom to change their new work as they pleased. That’s what UBI gives us, a chance to be human beings in the way our ancestors dreamed of – free to decide when to work, how to work, what work to do, and when not to work. Our ancestors didn’t dream of tethering our bodies to plows, desks, or war machines. That’s just how we got here.


This is not the master plan.




We’ve Identified the Enemy and it’s Us!

The overwhelming majority of insider threat events are not the result of a malicious employee’s actions; rather, they are caused by the unintentional insider: someone gets hit by a spear-phishing email, data spills onto a system not cleared for it, documents are destroyed improperly, a data storage device is lost or stolen, or people fall victim to social engineering and elicitation.

Research shows that while well-known events like the Ashley Madison compromise, which reportedly involved an insider, get a lot of attention, organizations may be too focused on the spectacular threat vectors. A 2013 CERT Software Engineering Institute (SEI) study on unintentional insider threat showed that 17% of cases were unintentional hacks, while 49% were unintentional disclosure. The SEI highlights that employees should be cognizant of the non-spectacular risks, which are far more common than the over-exaggerated spectacular risks. In other words, organizations may more often be the victims of 10,000 paper cuts than of a single atomic event.

While a lot of time and energy has gone into examining the root elements of the malicious insider, the unintentional vector has received less focus. Available research on the topic points to the perception of risk, biases, the influence of environment, and everyday stressors, though we shouldn’t discount simple ignorance. So, how can organizations address the very real risk of unintentional insider threat?  Start by getting inside the mind of the average employee as you roll out your strategies.

Insider threat and cybersecurity training during onboarding, or even annually, may not be enough. The constantly evolving threat landscape requires ongoing training. For example, phishing emails used to be fairly obvious – spelling errors, an obviously incorrect sender email address, etc. Now, spear phishers commonly spoof a legitimate sender’s display name or address, or have taken control of a legitimate user’s account through an earlier attack, so the message really does come from the expected mailbox.
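The spoofing patterns just described can be checked mechanically before a message ever reaches an employee, which is the kind of control that relieves people of having to spot them by eye. The following is an added example, not code from the original post: it uses only Python’s standard library and runs over three constructed messages (not real mail) to flag a display name that embeds a different address, a Reply-To or Return-Path whose domain differs from the From domain, and SPF/DKIM/DMARC failures recorded by the receiving mail server. The domains `corp.example`, `mail-delivery.test` and `personal-mail.test`, and the header contents, are assumptions for illustration.

```python
"""Flag common sender-spoofing indicators in raw email headers.

Added example (not from the original post). Domains and headers below are
constructed for illustration; standard library only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# SPF/DKIM/DMARC verdicts a receiving MTA records in Authentication-Results.
FAIL_RESULT = re.compile(
    r"\b(spf|dkim|dmarc)=(fail|softfail|permerror|temperror)\b", re.I)
# An email address embedded in free text (e.g. inside a display name).
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoofing_indicators(raw_message: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display-name spoofing: the name shows one address, the real one differs.
    for m in EMBEDDED_ADDR.finditer(from_name):
        if m.group(1).lower() != from_domain:
            findings.append(
                f"display name shows {m.group(0)} but address is {from_addr}")

    # 2. Reply-To steering replies to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(
            f"Reply-To domain {domain_of(reply_addr)} != From domain {from_domain}")

    # 3. Envelope sender (Return-Path) from a different domain than the From header.
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    if return_addr and domain_of(return_addr) != from_domain:
        findings.append(
            f"Return-Path domain {domain_of(return_addr)} != From domain {from_domain}")

    # 4. Authentication failures the receiving server already recorded.
    for header in msg.get_all("Authentication-Results", []):
        for m in FAIL_RESULT.finditer(header):
            findings.append(
                f"{m.group(1).lower()}={m.group(2).lower()} in Authentication-Results")

    return findings


# Constructed sample messages (headers only; a blank line ends the header block).
DISPLAY_NAME_SPOOF = """\
Return-Path: <bounce@mail-delivery.test>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-delivery.test; dkim=pass header.d=mail-delivery.test; dmarc=pass header.from=mail-delivery.test
From: "Jane Doe <jane.doe@corp.example>" <jane.doe@mail-delivery.test>
Reply-To: jane.doe@mail-delivery.test
Subject: Quick favor

"""

DIRECT_SPOOF = """\
Return-Path: <bounce@mail-delivery.test>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=bounce@mail-delivery.test; dkim=none; dmarc=fail header.from=corp.example
From: Jane Doe <jane.doe@corp.example>
Reply-To: jane.doe@personal-mail.test
Subject: Urgent wire transfer

"""

LEGITIMATE = """\
Return-Path: <jane.doe@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=jane.doe@corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: Jane Doe <jane.doe@corp.example>
Subject: Lunch

"""

if __name__ == "__main__":
    for label, sample in [("display-name spoof", DISPLAY_NAME_SPOOF),
                          ("direct spoof", DIRECT_SPOOF),
                          ("legitimate", LEGITIMATE)]:
        print(label, "->", spoofing_indicators(sample) or "no indicators")
```

Note what the first sample shows: the attacker’s own domain passes SPF, DKIM and DMARC cleanly, because they are authenticating their own mail; only the display-name check catches it. That is why a “the filter said it was authenticated” signal on its own is not enough, and why the policy points that follow still matter.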

There may be little that employees can do other than call the sender to verify unusual requests for information or action, but that highlights another challenge to security.

Many of us don’t want to contact our superior about seemingly simple requests at the risk of looking insubordinate or challenging their authority. This deference to authority is exactly what attackers are preying on. Of course, this could be addressed by management or even incorporated into organizational policy – such as confirming certain types of requests by voice, using a phone number already on file rather than one supplied in the message – but it must be part of a larger cultural shift to have any lasting effect.

People in general have a deferential attitude towards what happens on their workstations – if there is no error screen or warning, then things must be OK, right? Most people who are not intimately familiar with the mechanics of computing and the internet trust their machine, or an administrator, to tell them when something is wrong. The message to employees and the public in general usually says something to the effect of “have anti-virus software” and “don’t give your social security number to anyone asking for it in an email.”

Consider the feet-on-the-ground workplace culture – in this case I am referring to culture as a system of beliefs, practices, orientations, acceptable norms, demonized and praised attributes, that organically emerge – not the practices as written. Individuals may be trained to respond in a certain way when risk presents itself, but face a cost-benefit analysis in terms of culture compliance. When there is no obstacle between the individual and cultural practices, or when individual and cultural norms are aligned, there is no pressure on the individual to act in a contrary manner (e.g. not follow security protocol). When the individual’s behavior is not in line, or contrary to cultural norms, then the individual must make a cost-benefit decision, the result of which could depend on any number of factors.

Consider the recent Department of Justice “hack” in which 20,000 FBI employee names were released. According to media reports, the hacker said he or she was able to access systems by telling a help desk attendant that he or she lacked a token code (two-factor authentication), and the attendant provided one because the caller posed as a “new employee.”

It seems unbelievable at first, but consider it from the attendant’s point of view. The caller seemed to know what they were talking about in terms of access. The caller may be in a position of authority and could pose risk to the attendant’s job by not performing. The attendant’s primary duty is to resolve issues, not to analyze issues.

Going back to the authority statement: while most of us have been trained to know when to deny a privilege escalation, it’s another thing to get a request from a person who seems to be in charge, who might be able to affect our day-to-day stress level. So what do you do? What does a low-level system administrator in today’s economy do?

A dysfunctional work culture, or a work culture incongruent with documented policies and procedures, tends to be the result of some incentivized behavior, either through perceived or actual punishment or reward. This isn’t too far a stretch from mixed messaging in parenting psychology: inconsistent rule application and messaging, and unbalanced, sometimes opposing, responses to behaviors, result in confusion for the child and an impaired ability to function accordingly.

As I pointed out in my blog post “Why Insider Threat Detection Fails”, humans are poor performers when it comes to detecting rule violations of anything other than social contract or personal safety rules. While we function in a super-connected world of relationships, the human mind still functions in a hunter-gatherer world, designed to monitor on the order of 150 relationships (Dunbar’s number). Simply put, the human mind is really concerned with its own survival, and by extension its progeny; threats to the corporation from abstract concepts like the supply chain are not natural to the human mind and do not present as an immediate threat to self.

As such, if training and communications about cybersecurity are only presented as a series of “if-then” concepts without tying those to the individual’s health and well being, they will fall on deaf ears. That message – that the health of the company is the health of the individual – needs to be articulated, repeated, demonstrated, and believable. Rote memorization of “if-then” rules will yield some measure of protection, but it does nothing to build a culture or to take real residence in the mind of the employee.

Your employees are your first responders, your first line of defense, and the most critical asset. There are certainly a variety of factors which might cause them to become the next unintentional insider threat, but nothing is worse than apathy.

5 Ways to Combat Insider Risk

  • Climate surveys by a third party industrial psychologist can clarify what the culture really is.
  • Messaging to the workforce – if in doubt, question. Build a culture that rewards good security posture and questions anything that looks suspect.
  • Tie organizational risk to real life employee risk in training. Don’t just say it’s bad for the company to lose money from IP theft via insider threat. Tie it all to the employee’s bottom line.
  • Be consistent – what’s on paper needs to match what managers exude.
  • Encourage questions. It might save you a lot of money. Employees who think they might be facing a security issue, insider or cyber, should feel reporting/questioning is a duty rather than a burden. Make this a value and you could very well save a lot of pain in the end.

*Originally written for, reposted with permission.

Deus ex something something…

The past few months, I keep finding myself in this conversation about “cyber” and insider threat. Generally speaking, it seems quite a few people think insider threat is a “cyber” issue – and I couldn’t disagree more.

I think there are three reasons people equate insider threat with cyber:

  1. In the media a “cyber” event is often ascribed to an “insider”. This is about as much as people hear about insider threats, so the words are assumed to be interchangeable.
  2. At least in the U.S., there’s a tendency to focus on spectacle – by this I mean the never before seen technology or tactics, and the spectacular employment of them, while simultaneously ignoring the less spectacular or historical tactic or technology.
  3. From a mitigation standpoint, organizations are rightfully focused on protecting critical assets, which these days tend to be information on a network; in this vein network security is the “cyber” element – protecting assets from an insider, an outsider who finds an opening in the network, or an outsider who becomes an “insider” by obtaining existing insider credentials for access.

In that view, people are understandably confused. On the second point there’s a valid psychological underpinning to the bias toward the “unknown” and newly perceived threat. In the last point, a mitigation avenue for a particular critical asset begins to color views of insider threat.

So why isn’t insider threat a “cyber” thing?

An insider event is precipitated by a trusted person with access.

A “cyber” event could be precipitated by an outsider or an insider.

If an insider, then the individual already has access to the victim organization (as an employee, supplier, contractor, etc.), and they leverage that access to sabotage computer resources (physical or not), leak data, steal data, or otherwise attack the confidentiality, integrity, or availability of said organization’s data.

If an outsider, then they are not a trusted member of the victim organization, rather they pose as one.

The outsider may manipulate a person within the organization, wittingly or unwittingly – say through social engineering – to enable the outsider’s access into the victim network, but the outsider is only presenting as someone with legitimate access. In this case we might call the manipulated person in the organization an insider – either unintentional or intentional, depending on whether they had malicious intent – and the external hacker the outsider.

That all said, cyber insider events do not make up the majority of insider events – the share might be as low as 22%, in fact. Cyber insider events are the spectacular ones – they do a lot of harm in a seemingly short period – but they are not necessarily the most devastating.

Consider the following:

Edward Snowden managed to take a whole bunch of data from the US government, using his placement and access. Then he “sneaker-netted” that information overseas. Sure, he got the information from a virtual data source, but it wasn’t a “cyber” event.

Say what you will, insider threat is older than computers. It is as old as espionage and plain old vengeance, and that’s pretty old.

Cyber isn’t insider, much like a hammer isn’t the only way to open a lock.




Quick Post – Insiders and Religion

Just about 24 hours after my last post our second child was born, hence the lack of updates.

Real quick, I saw this study this morning which indicates children raised in religious households are less altruistic and tolerant. The article at Forbes goes into the evolutionary basis for morality versus the human development of religion, something Tooby and Cosmides have written quite a bit about (evolution and morality that is). As the article states, religion was an effective way to develop cohesive groups, to define the inside group versus the outsiders. The point being this is often at odds in our present day world, the foci of much conflict.

I’m wondering, if this is the case, are insiders more likely to have religious (or comparable organizational belief systems) convictions. Do secular societies have a lower rate of insider events? What are your thoughts?