Dr. Eric D. Shaw, Consulting and Clinical Psychology, Ltd.

 

Home • Clinical Practice • Consulting • Clinical Practice Policies • Credentials • Publications and Research • Contact Info

 

Case 5: Detecting Insider Risk and Deception—a Bank Systems Administrator 

Several years ago a New York bank woke-up to find its accounting computers sabotaged.  The destruction was so finely designed that every effort to revive the destroyed data was met with a technical obstacle that simply stated, “I’m smarter than you and got here first.”  Clearly this was the work of an insider, intimately familiar with the system.  Days before the destruction, the contract SysAdmin who had designed, installed and worked with the accounting department on the system for the last 20 months, earning over $500,000 in the process, had quit.  While he had been a model employee for the last two months prior to his departure, the three preceding months had been filled with acrimony.  A new supervisor, viewing his overtime costs, noting his refusal to answer to IT management because of his close relationship with the accounting department, had decided it was time for a change. 

But her efforts to get this employee to train back-up or document system code were met with angry refusals.  According to the FBI agent investigating this case, as the conflict mounted, the subject decided it was time to resign and leave the bank a destructive goodbye note.  The investigator believes the subject used the three month period between his resignation and departure to design the elaborate sabotage of the system, while feigning loyalty to cover his efforts. 

Having acquired copies of the emails between the subject and his supervisor, we wanted to find out if WarmTouch could detect the deterioration in their relationship and the deception campaign the employee used to cover his sabotage.  The figure below displays simple measures of risk associated with disgruntlement derived from actual perpetrator e-mail with his supervisor around three months prior to an attack.  The risk assessment utilizes no formula for “normal” or “appropriate” psychological state or attitudes.  The subject's’ scores on measures indicative of psychological states are compared only to his or her own preceding mean scores.  A significant change can signal a need for increased attention.  This figure displays measures for several sample psycholinguistic variables for the specific hostile message being considered on April 10th (in blue) and compares it to mean levels of these indicators in his previous communications with his supervisor.  At the figure indicates, these values are more than double this subject’s mean scores (in purple), indicating a need for concern.  The availability of this data would leave little doubt of the importance of this change in the subject’s emotional state.  In addition, independent security access to this information would have militated against the frequent problem of supervisor reluctance to report concerns to personnel or security staff. 

The next figure deals with the same case at a later date when the subject deceived his supervisor with charming pleasantries as he prepared his attack.  Like his supervisor, normal email screening measures would also have been deceived by his cover story.  However, the specialized measures used in the figure below (Psychological Distance) revealed the continued existence of intense underlying hostility, indicating the presence of deception in his pleasant, overt communications.   

The figure below demonstrates the persistence of covert hostility as overt hostility diminishes.  In this case, we now know that the subject began to actively plan his attack when he stopped sending threatening emails and shammed loyalty, an effort at deception that the psycholinguistic measures employed picked up.

Psycholinguistic Threat Measures: Mean Scores vs. Recent Email Four Months Prior to Attack

Measure of Covert Hostility or Psychological Distance Prior to August Attack 

 The figure below demonstrates the persistence of covert hostility as overt hostility diminishes.  In this case, we now know that the subject began to actively plan his attack when he stopped sending threatening emails and shammed loyalty, an effort at deception that the psycholinguistic measures employed picked up.

Psycholinguistic Measurement of Deception: Overt vs. Covert Deception 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

This early test of the software used the communications of a known violator to see if the program could, after-the-fact, detect changes in his psychological state indicative of risk and penetrate his efforts at hiding his underlying negative attitudes. 

 

© Copyright 2009 by Eric D. Shaw, Ph.D.

 

Contact: DrShaw@DrEricShaw.com (E-mail is not secure. Please do not send private information.)  Phone 202-686-9150