
Shifting Sands: Employee Expectations and Insider Risk

In a recent Harvard Business Review article, Corporate Advocacy in a Time of Social Outrage[1], Alison Taylor argues that employees' expectations about their employers' stance on issues of political and/or social significance are rising, particularly those of younger employees. Taylor says that employees are now more likely to 'raise alarms' about what their companies are doing (or not doing), and to hold their leaders to account by, for example, 'leaking embarrassing internal information on social media or directly to reporters'. She further notes that employees want to be able to express their social identities and personal values at work. Indeed, when she asked some of her students whether they thought their employers should make public statements on the events occurring in the Middle East, most of them 'took for granted that companies would speak out'. According to Taylor, employers find themselves in an 'uncomfortable new landscape' where some organisations are playing 'whack-a-mole' on every issue, while others are simply ignoring employee criticism in the hope that it will vanish.

It is not hard to see how this might resonate with insider risk professionals.

The Critical Pathway to Insider Risk (CPIR)[2] is an influential model for understanding how employees can move (and be moved) down a pathway to committing an intentional insider act. The idea is that underlying vulnerabilities, triggered by different stressors, place pressure on individuals in a way that may manifest in consequential insider behaviour. Importantly, the way that employers respond to the issues at hand contributes to whether insider behaviour plays out or not.

A recent inclusion in the 'stressors' component of the CPIR is social identity stress. Social identity stress is based on the idea that insider risk increases when individuals experience normative conflict[3]. Normative conflict is defined as a perceived discrepancy between the current norms of a group and another standard of behaviour[4]. For example, a normative conflict can arise when there is a disconnect between what people think their organisation should be saying or doing on a particular issue, and what they think their organisation is saying and doing on the same issue. Individual responses to normative conflict are thought to vary depending on the strength of connection one feels with the organisation[5].

Taylor's article cites a number of instructive corporate insider cases which have come about in response to normative conflict. For example, Amazon employees broke confidentiality agreements to call out the company's hypocrisy around funding climate change initiatives while at the same time working for the oil and gas industry. This followed a previous demand by Amazon employees to stop the sale of facial recognition software to US law enforcement agencies, citing the technology's potential to violate human rights[6]. More recently, Elon Musk's emails and internal communications were repeatedly leaked to the media by his employees because they wanted to reveal the retaliatory action that was being taken when criticism was levelled at the 'free speech advocate' CEO.

The moral of these stories is not that personnel security just needs better tools and techniques to detect when an employee's views might be misaligned with those of their employer. That is not to say those tools are not helpful, because they are. But there is a bigger picture here and it is related to how well an organization's culture is able to adapt to a rapidly changing world. As Taylor puts it:


To build and maintain cohesive organizational culture in a deeply polarized, broadly vocalised society, leaders must develop norms and processes that enable them to respond to ethical concerns and political issues before they blow up.


Taylor provides guidance about what this culture might look like. At its core, it involves tuning into employee sentiment and fostering inclusion and employee voice at all levels. This could include: designing an organization where routine discussions about social priorities, ethical concerns and healthy political discourse are encouraged; establishing committees, say, where employees provide input into ethical discussions on emerging issues; and trying to pinpoint employee expectations and values through surveys and focus groups which might identify internal sources of pressure, enthusiasm, pain and tension. While acknowledging that organizations can't represent all employees' views on social and political questions, Taylor sensibly counsels that neither can organizations ignore these views and hope they won't crop up during the workday. Naturally, leadership is also critical here. According to Taylor, those who seek to run the fluid, networked organizations of today will need to be adept at tapping into and leveraging influence. This is consistent with recent work by Haslam, Alvesson and Reicher (2024) that underscores the important idea that the efficacy of leadership is tied to context. That is, leaders can only be truly effective when they reflect the norms, values, goals and aspirations of the people they are seeking to lead[7].

One wonders if current personnel security practices, with their heavy reliance on detecting personal pathologies and focus on compliance, might be disregarding the shifting sands of employee expectations at their peril. As Lang (2022) puts it, respectful, supportive and positive work-place cultures help to build a workforce infused with trust...reducing contextual influences that breed insider threats[8].

Shaw's CPIR model incorporates mitigation strategies to stop the trajectory of an insider event. These mitigators are 'off-ramps', if you like, from the critical pathway to insider threat. One of the key mitigators is 'enlightened management'. The idea of enlightened management as articulated in the CPIR is an intervention approach, that is, a managerial response to issues that have already become manifest in the workplace. In considering Taylor's work, the idea of enlightened management might be enhanced by including some of the innovative features of the workplace that Taylor has so eloquently described.



[2] Shaw, E. & Sellars, L. (2015). Application of the Critical Path Method to Evaluate Insider Risks. Studies in Intelligence Vol 59, No. 2 (Extracts, June 2015); Shaw, E. (2023). The Psychology of Insider Risk: Detection, Investigation and Case Management. See

[3] Veenstra (2015). Loyalty, social identity and insider threat. Paper prepared for the Australian Crime Commission. Available at

[4] Packer, D. J. (2008). On Being Both With Us and Against Us: A Normative Conflict Model of Dissent in Social Groups. Personality and Social Psychology Review, 12(1), 50-72.

[5] Ibid.

[7] Haslam, S. A., Alvesson, M., Reicher, S. D. (2024). Zombie leadership: Dead ideas that still walk among us. The Leadership Quarterly (in press),

[8] Lang, E. (2022). Seven (Science-Based) Commandments for Understanding and Countering Insider Threats. Counter-Insider Threat Research and Practice, Vol 1, Issue 1

