The American View: Do You Know How to Spot an Insider Threat?

The American View: Do You Know How to Spot an Insider Threat?

Tell me what comes to mind when I say “insider threat.” Are you picturing a “disgruntled employee”? A middle-aged or older man? Perhaps a bit past his prime? Soured that time and opportunities have passed him by? Furious at having been denied promotions, angry at his younger co-workers who were promoted past him, or soured over the disrespect shown for his hard work and loyal service? 

I get it; that’s the classic stereotype. Think “Milton” from the 1999 comedy Office Space. American media tends to focus on the character who should be on top of the world: the college educated, middle class, white, adult, male who feels wronged by his employer, his company, or both. The “disgruntled employee” is a villain twice over: once for his disruptive actions and again for failing to recognise how his gender and racial privilege allowed him far greater opportunities than his co-workers. The audience is supposed to hold the “disgruntled employee” character in contempt: conservatives will despise the character for his failure to take personal responsibility for his situation, while progressives will despise the character for his petulant sense of entitlement.

The thing is … while there have been real insider threat cases that fit such a description, the unsettling truth is that anyonecan become “disgruntled” and decide to vent their wrath on their employer and/or their co-workers.  

TV Tropes describes the conditions that transmogrify normal adults into disgruntled employees as the Soul Crushing Desk Job: “The work your character is required to do is often meaningless, repetitive and annoying. … Your colleagues are either a real pain, making your life even worse, or if you are lucky, they may be your companions in the suffering. Your boss will be too demanding and/or incompetent. … Higher management might be outright tyrannical. You are very likely to be yelled at. … [If you] vent about this to friends or family members outside of the company, they’ll often receive no sympathy, because they have what’s allegedly a ‘good’ job. (i.e., one that can be done indoors, involves little or no manual labor, and often pays better than ‘blue-collar’ jobs do).”

IT jobs come with a lot of enviable perqs: getting to work indoors, getting to sit instead of standing all shift, getting to meet and delight some really awesome customers, and often getting paid far more than a similar white-collar role. I understand why people in other career fields can be a skosh resentful towards IT. 

I’ve seen this trope play out in real life. Take any adult, place them in a thankless, pressure cooker job, then slowly ablate their hope for a better life until they evolve from eager, to disillusioned, to jaded, to malevolent. Despite Hollywood’s reliance on stereotypes, most of us recognize this person because most of us have flirted with becoming such a person ourselves. Caustic office cultures and terrible bosses have pushed most people down the path of becoming an angry worker, barely holding back the enormous pressure to retaliate against a thousand slights. We have met the insider because most of us have almost become that insider threat ourselves. 

Case in point: Ms. Bob. That’s not her real name, of course. [1] Ms. Bob was a middle-aged Asian-American woman working as a civilian employee in the IT department Help Desk of a military hospital. When I first took over as the IT department chief, I found Bob to be quiet, polite, cheerful, prompt, and … unfortunately, not particularly good at her job. 

Bob was one of three Help Desk technicians, all civil service GS-7s, and all spouses of soldiers who were either stationed at the installation or spouses of former soldiers who had chosen to retire there for the low cost of living. All three techs were underqualified, even for a GS-7 level position. I learned from my predecessor that the senior sysadmin – a very sexist GS-11 – was only willing to hire underqualified married women … people that he could intimidate. The sexist pig has deliberately created an unhealthy work environment where he could be the unrivalled Master of Everything™ (by comparison). I was not amused. [2]

Making things worse, one of the three junior Help Desk techs wasn’t actually doing any Help Desk work. Instead, she worked evenings, manually cycling the backup tape cartridges in the tape drives attached to our 30 some Health Info Management servers. There was quite a scandal when we discovered that this GS-7 was watching her primary school children every worknight in the bloody restricted access data centre. We eventually sorted that mess, too, but it was painful. [3]

I had a ton of empathy for the young tech, however there was no possible way to justify allowing unauthorized personnel into a military server room let alone one full of soldiers’ health information. In retrospect, I’m astonished she wasn’t sacked on the spot. 

Anyway. While the New Boss kicked over anthills, Ms Bob was consistently the most inoffensive member of the team. To be fair, she was awful at creating new trouble tickets and couldn’t provide any tech support (both hard requirements of her position). That poor performance was balanced by her never actively causing trouble. Seasoned leaders will no doubt recognize the “curse of the least-offensive player” problem: under any other circumstances, Bob’s inability to do her job would have required corrective action; during the five-alarm fire that was fixing years of abuse and neglect, there were no cycles to spare to address Bob’s problem. 

Eventually, I put a senior tech in charge of re-training the junior staff and strove to bring Bob’s performance up to required levels. At year’s end, I evaluated her on her willingness to improve, not on her inability to hit a performance standard that she’d never been asked to meet before. I felt that the organization has let her down, therefore we’d help her become fully qualified. 

All of these changes made Bob and her two peers increasingly comfortable. Once the “ogre sysadmin’s” influence was neutralized, they all began to smile more, participate more, and lower their defences. I was happy to see it. Once the techs’ performance and attitudes improved, I felt we were on track to make them dependably proficient (as required by their position descriptions). 

Then Bob … changed. She dropped by my office one afternoon and asked me for a promotion. I told her that I was sorry, but it was impossible to promote her. In American civil service, full-time jobs were either coded as a range (e.g., GS-7 to GS-9) or at a fixed level (e.g., GS-7). All of the civil service jobs in our department were fixed positions. Whatever grade a person was hired at was the grade that they’d stay at for as long as they held that position. Bob had taken a job as a GS-7, so a GS-7 she’d stay. The only way to reach a higher grade was to compete for and win a different position in a different department. That, or demand a “desk audit” from higher HQ which would re-classify the position based on the work currently being performed … which wouldn’t result in a promotion and would likely result in her role being downgraded.Not ideal. 

Realistically, four of our seven staff members wouldn’t likely have survived a desk audit. All of them were just barely scraping by, even with the super cheap cost of living in rural Alabama. Had they been downgraded even one grade, they were looking at a10+% pay cut.

Bob grew indignant. She told me that she had been promised a promotion by a previous supervisor and that she deserved to be promoted, so she wanted her overdue promotion. Now!

I tried to be as empathetic and transparent as I could. I showed Bob the department’s “manning document” and the pertinent government regulations. I answered her questions as gently as I could. I made it clear that there was no “promotion” potential in any of staff roles. I offered to help her find, apply for, and prepare to be interviewed for a better job in the facility. Bob was having none of it. She wanted to jump four grade levels and be promoted to a GS-11 immediately.

That, by the way, was completely impossible. The 11s were all senior sysadmins with degrees, technical certifications, and years of experience managing servers and networks. Bob had no degree, no certifications, and possessed only rudimentary PC operator skills. She couldn’t possibly qualify for a GS-11 technical position; she didn’t even qualify for our GS-9 trainer role. It didn’t matter how much we all liked her; HR wouldn’t qualify her as an -11 anywhere in the hospital.

Bob grew sour, then indignant, then angry. She demanded that I promote her. I took her down the hall to HR where they, too, patiently explained that there was no way to give her what she wanted. Bob had never been a civil servant before and railed about how her previous employers in non-government companies had promoted her just fine! HR politely explained that the civil was bound by regulations. Bob left in a snit. 

The next morning, I was summoned to the Hospital’s Deputy Commander for Administration’s office. He’d been ambushed by Bob on his arrival and had been told a load of bollocks about how she was being “held up” for an “earned promotion.” I explained what had happened and turned over all the paperwork. The DCA audited the records, sighed, told me to send Bob back down, and proceeded to re-explain to her while I stood silently in the back of the room that what she wanted wasn’t a legal option. It wasn’t about her; what she asked for wasn’t possible.

The HR managers maintained a monk’s patience when the explained that what Bob wasted wasn’t just “difficult,” but was prohibited under government regulations. 

Bob’s attitude got even fouler after that. She became publicly insubordinate to me, waspish to her peers, and abusive to the customers. She started coming in late, stopped doing her work, disappeared from the office for hours at a stretch, and refused to take correction from anyone even when she was way out of bounds. She became a textbook “disgruntled employee.”

This disagreeable state of affairs went on for weeks. One morning, I was summoned back to the DCA’s office to meet with the hospital’s lawyers. It seemed that our Bob had filed a formal discrimination complaint through the employees’ union. Bob has claimed that she had been promised a promotion “by management” and was only being denied it because of racism, sexism, and management bullying. The much larger Regional Medical Centre we reported to had despatched an investigator to “get to the bottom of things.” 

The “investigation” turned out to be a dud. A senior HR specialist visited for an afternoon, read all the organisational paperwork, interviewed me, HR, and the complainant, and concluded that Bob’s request wasn’t legal even if there hadbeen some sort of hostile work environment … which there wasn’t anymore. So … no: Bob was given an ultimatum: either do her job in a professional manner befitting a U.S. civil servant or be terminated for cause. Bob’s union steward gave her the exact same thing in even harsher terms. 

In the end, it was a close-run thing. Bob settled down and returned to work but abandoned all her previous efforts to learn new skills, work well with others, or try to mend her damaged reputation. She sulked, bitter and angry, for the rest of my time at the facility. I later heard from my replacement that she carried that same foul attitude over to the new administration. 

Not only did my successor and I remain in contact before and after the changeover, I also mailed her a complete disk image of my office PC before I left since I predicted (correctly!) that one of my disgruntled employees would physically sabotage my office PC as soon as I left. My successor was both forewarned and forearmed.  

I want to stress that Bob was as far from the traditional image of the “disgruntled employee” as you could get, but she definitely was one. I hadn’t spotted any sign of a bad attitude through the entire first year that she’d worked for me. If anything, she had been one of the most promising junior employees on the team because of her positive attitude. Even after all of the abuse from prior years had been dragged into the open, Bob still seemed upbeat and forward-looking. We’d invested in her, she seemed to be meeting us halfway. I felt confident defending my decision to keep her despite her wholly inadequate qualifications since she showed the potential to grow.

Personally, I suspect it was Bob’s catastrophic ignorance on how the civil system worked, coupled with an off-hand comment made by a former supervisor, that poisoned Bob’s thinking. Bob didn’t become a malicious insider threat in the space of a single afternoon; there was no single precipitating event. Bob had been cultivating her spite for over five years, waiting patiently for either a resolution to her distress or an excuse to explode.

Throughout all the years that she’d suffered under a sexist pig sysadmin, she had held firm to the notion that once she finally got a fair department chief, then her endurance would be rewarded with a massive jump to full UNIX administrator status, leapfrogging all of her peers. What she wanted was pure fantasy … but she still felt betrayed when the stars finally aligned, the department got a decent chief, and her coveted promotion didn’t manifest. 

The thing was, that truth was only visible in retrospect. No one on the team had realized that Bob had harboured such bizarre beliefs. The woman wasn’t friends with anyone else on staff. She kept herself to herself and never let slip anything about her expectations. Maybe if we’d known beforehand, we might have drained off some of that poisoned thinking before she passed her personal point of no return. Maybe. I regret that we didn’t know until it was too late.

Ms. Bob burned all her bridges … with me, with my replacement, with her co-workers, with HR, with the employees’ union, and with the hospital’s command suite. All of the goodwill she had banked while we’d cleaned up the previous toxic environment was squandered in a few months. No one comes back from that.  

So, what’s the moral here? To be blunt, anyone can be (or can become) a malicious insider threat. If you’re only focused on the trope-worthy obvious “angry older white men,” you’ll get blindsided by the “sudden” emergence of a disgruntled employee like Ms. Bob. A good leader should strive to pay attention to all their people and look for signs of frustration, irritation, or grievances. That might not be sufficient in and of itself. To prevent the eruption of a Ms. Bob style threat, leaders should also regularly explain their organisation’s career path rules and idiosyncrasies to pre-emptively address critical misunderstandings. Ensure your people’s expectations synch up with how the local system actually functions so they can make rational decisions about their own future … and so that you can help them get where they want to go.

That’s a much better use of any leader’s time than trying to “clean up” after a toxic disgruntled employee burns all the bridges between them and their teammates. Damage like that can cripple a workgroup’s culture even if no physical harm is inflicted. One employee’s caustic attitude can undermine good order and discipline, damage team cohesion, and even motivate their co-workers to transfer or quit just to escape the ceaseless drama. They don’t have to steal sensitive information or sabotage equipment to be an effective insider threat. Just coming to work with a hostile and combative attitude can make the job miserable for everyone else. Anyone can do it. Just ask Ms. Bob.


[1] Every real person in these columns shares the nom de guerre “Bob.”

[2] That’s another story for a less sober time. 

[3] Remind me and I’ll tell you that story later. 

Pop Culture Allusion: Mike Judge, Office Space (1999 film)

Keil Hubert

Keil Hubert

POC is Keil Hubert, keil.hubert@gmail.com Follow him on Twitter at @keilhubert. You can buy his books on IT leadership, IT interviewing, horrible bosses and understanding workplace culture at the Amazon Kindle Store. Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant. Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.

© Business Reporter 2021