People often have odd reasons for their office behaviour. Security investigators need to be aware that their enthusiasm to catch a miscreant might cause them to assume ill intent where there’s no conscious intent at all.
People usually have reasons for their odd habits. Often, they don’t realize why they do strange things around the office. Formative experiences at a young age often compel irrational behaviours decades later. We need to consider this possibility when observing user behaviour and when ascribing motivation to a potential insider threat: the logical reasons that we assume drive a certain action may be completely wrong … while the real motivator behind a strange act may be buried so deeply in the user’s past that it’s impossible to guess.
I’ll offer myself as an example because I don’t want to embarrass anyone. I have an unconscious and compulsive habit of snatching up discarded, partially-used tablets, notebooks, and stacks of sticky notes at the end of meetings. Doesn’t matter if it’s at a conference, a social gathering, or a formal meeting. If you saw me do that, what would you assume I’m up to?
The reasonable conclusion would be that I’m pilfering intellectual property; taking a notebook or a Post-It note with notes written on it seems like a stealthy way to exfiltrate sensitive business information. If you were looking for a spy, that might be a tell-tale behaviour. It would be embarrassing for both of us if you tried to act on that assumption, though, since you’d be wrong for two reasons: first, I never take paper with writing on it, ever. That eliminates the notion that I was actively trying to pilfer information. Second, I know exactly when, where, and why I came by this habit.
Reality is much sillier. When I was very young and was left to stay with relatives, it was common family practice that we wouldn’t travel with toys. Too easy to lose, to get broken, or to be forgotten on the return trip. I also wasn’t allowed to watch prime-time television. There were rarely other kids around to play with. So, when I’d be stuck in an older relative’s house and ran out of things to read, I’d have to invent my own games (as you do).
I shudder to imagine the havoc I could’ve unleashed if 3D printers had existed back then.
At first, I’d scribble or colour on scrap paper. That quickly got old. Then I learned about paper airplanes and started experimenting with them. Eventually – and I don’t recall what tipped me off to it – I learned that you could craft your own three-dimensional toys with paper, scissors, and either glue or a little tape.
When playing Army, for example, you can make a decent-looking towed howitzer (at plastic Army Man figure scale) with about seven components: one long cylinder for the barrel and a shorter one for the recuperator cylinder, two wheels, two trails, and either a gun shield or a breech block. Soldiers themselves could be made with 2D drawings taped to a circular base (what we’d now call ‘pawns’). With a little careful measuring and inventive folding, you could make fully 3D tanks, planes, sandbag walls, landing craft, ruins … whatever the game required.
The only catch was that I couldn’t use my relatives’ ‘good paper.’ That is, the stationery that they used for written correspondence … only scrap paper. For example, newspaper, old bank deposit slips, etc. Finding some school-style construction paper was a huge win. After a lot of experimentation, I worked out what paper weight and style was best suited for my needs, and got into the habit of policing up every scrap of good paper that I came across so that I’d have enough crafting supplies to make my own fun when the next family trip rolled around.
I know. It’s silly. I think I picked up this habit around age eight and it never truly abated. Once I got into the working world, I found myself squirrelling away ‘surplus’ office supplies at my desk for those ‘just in case’ moments where I might need them. After all, there’s always a need for another blank spiral notebook. You have to have one in every meeting (never trust your memory when it comes to work tasks!). Same goes for sticky notes; they’re too darned useful for process mapping, marking books, jotting down notes … You can never have enough.
It might be coincidence, but one of my favourite parts of running an IT department was re-organizing our department warehouse.
I just glanced over the office supplies shelf here next to my desk at home. I counted 36 lined paper tablets, 22 blank logbooks, 12 spiral notebooks, and 35 stacks of sticky notes. I have two packing boxes full of various weights and colours of printer paper, including (for reasons completely lost to me) about 300 pages of heavy magenta cardstock. There’s an even mix of pristine/unused materials and partially depleted. The spiral notebook closest to me only has half of its original pages. I first got it while deployed to Fort Sam Houston back in … sheesh … 1992.
I have a problem. I’m aware.
Thing is, I know where this goofy compulsion came from. I can still recall what it felt like to never have enough paper to draw, write, or craft with. Most (normal) people discard paper products after they’ve used a few pages, whereas I can’t stand seeing good paper wasted. It’s a barmy condition, given how cheap and ubiquitous office supplies are nowadays. Still, I find it hard to walk out of a room where people have tossed away their notepad after using a single page.
This is what I mean by ‘odd habits.’ We all have them. Something affected us long before we joined our current organisation, and we brought those compulsions to the office … often without giving them a second thought. I’ve seen enough peculiar behaviour in business to appreciate just how wonderfully weird and varied people can be. We’re a fascinating and frustrating bunch.
This can be a problem, though, when we’re trying to ascribe motivation … especially when it comes to conducting internal investigations. The ‘insider threat’ problem is very real. Security departments (often with the help of HR and Legal) are compelled to investigate potential nefarious conduct as early on as possible. When a worker starts acting uncharacteristically, suspiciously, or just strangely, there’s usually a strong need to monitor that worker to see if they’re violating security regulations so that they can be stopped before they inflict harm.
The only way to be sure that an employee is stealing company secrets is to wait until they’ve stolen them and the damage has been done. That’s why it’s foolish to wait until you’re sure. Investigate swiftly and you might be able to pre-emptively block the attempted theft.
The problem comes when we fall victim to ‘confirmation bias.’ That is, the cognitive fallacy where an investigator interprets or favours information that confirms their pre-existing beliefs, suspicions, or prejudices. When an investigator observes a subject engaging in (or finds evidence of them having taken) a peculiar action, confirmation bias unconsciously convinces the investigator that the worker took the action specifically to achieve whatever they’ve been accused of (be that data theft, sabotage, incompetence, etc.). This is especially true for ambiguous inputs. When an investigator can’t see a logical reason why an act was taken, they assume the worst.
As security professionals, we have to be constantly on guard against being led astray by confirmation bias. It’s all too easy to get ‘target fixation’ and build a case for prosecution of an innocent subject because of erroneous assumptions and unsubstantiated conclusions. We’re all vulnerable to this flawed thinking. The second-best way to defeat it is to objectively question every assumption we make and actively seek out alternative motivations. The best way, though, is to get to know people and ask them what in blazes they’re doing. Odds are, something suspicious-but-strange was motivated by a bizarre childhood experience that has no bearing whatsoever on the case at hand … because people are weird.
 People still wrote physical letters back then.
Title Allusion: None this week
POC is Keil Hubert, firstname.lastname@example.org
Follow him on Twitter at @keilhubert.
Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil was a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant.
Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.