GLASGOW CALEDONIAN UNIVERSITY

MIND THE GAP: HRD’S ROLE IN KEEPING ORGANISATIONS SAFE

Abstract

Purpose This paper addresses a significant gap in HRD research and practice: people security.
Design/Methodology/Approach This mixed-methods exploratory study, across the public and financial sectors, included sequentially: a literature review; a focus group of security and HR specialists; a survey of HR professionals; and, four UK in-depth studies. The latter is the focus of this paper.
Findings The study assessed the strength of organisational security culture, and identified key interventions around the employee lifecycle to improve people security including: recruitment; promotion; performance management; and exit; and, particularly, the role of training, organisational learning and education.
The study confirms that HRD/M has a key role to play in organizational security, but that there is little evidence that HR professionals have sufficient training and there is strong support for HRD and education to support them in this complex activity.
Research Limitations/Implications Only four case studies, in two sectors, have been conducted, all within the UK. Therefore, this work needs to be extended across other sectors and to other countries.
Practical Implications Guidance will be provided to HRD/M academics and practitioners to ensure students, organisations and employees treat people security as seriously as physical and cyber-security, and have the necessary skill-sets.
Social Implications The findings of this research could contribute to more secure workplaces and ultimately provide a safer socio-economic environment; nationally and globally.
Originality/value This study has the potential to enhance the strategic, political and socio-economic contribution of HRD/M.
Keywords People Security, HRD, HRM, Security, Line Managers, Public Management
Paper’s importance This paper addresses a significant gap in both the fields of public policy and HRD research and practice: people security. The current global environment of insecurity and external physical threats, e.g. from ISIS, and cyber threats from unfriendly powers or economic competitors, has resulted in a considerable focus on physical and cyber-security. However, whilst these are clearly important, ultimately physical and cyber security may be breached by people, and some of these people may be within the organisation, i.e. employees who pose an ‘insider threat’.
Acts such as: fraud; embezzlement (e.g. Enron, Nick Leeson); industrial espionage; sabotage; information leakage (e.g. Edward Snowden); and, most recently, misuse of social media may not have been intended by the employee when they joined the organisation. However, life events such as: a family member or friend blackmailing or persuading a previously loyal employee to act contrary to the interests of the organisation; dissatisfaction with the employer, following a perceived breach of the psychological contract; or, conversion to a hostile cause, may contribute to an employee or employees becoming an ‘insider threat’. CPNI research (2013) indicates that 75% of ‘attacks’ are self-initiated, with only 6% the result of deliberate infiltration. In other words, employers’ ‘insider threats’ are already working for them. The outcomes of such ‘attacks’ include financial losses (e.g. Barings Bank was sold for £1 following Leeson’s activities); demise of the business (e.g. News of the World following the phone hacking scandal); reputational damage (e.g. MPs’ expenses); and at worst could result in death or injury, as was intended by the attackers at Glasgow Airport in 2007, one of whom was a doctor employed at a local hospital, the last profession you would expect to engage in a terrorist attack, consequently damaging the hospital’s reputation.
This paper addresses the following research questions:
How robust are pre-employment screening, recruitment and selection processes?
What additional steps are taken for existing employees applying for promotion?
How are ‘exits’ managed?
What steps do managers take when they observe changes in employees’ working patterns or behaviours? None of these in themselves means something is wrong in terms of personnel security; however, they suggest the need for some investigation, at the very least from performance management and duty of care perspectives.
What role can HRM/D faculty, working with their practitioner colleagues, play in heightening awareness of this increasingly important issue?
This paper has been undertaken through an extensive literature review; recent and ongoing empirical research through surveys of HR professionals and organisational case studies[1] in vital infrastructure organisations, in the public sector (PubOrg1; PubOrg2, a unit of the NHS) and the private sector (FinCo, the financial division of an MNC; FinSuppCo, which supplies services to major financial institutions); and the development of conceptual models to address this vital research and practice gap. The authors will also refer to important and ongoing future work exploring the role which can be played by HRD and HRM professionals and line managers, who carry many operational HR responsibilities within organisations, in defending them against an ‘insider attack’.
This paper will: explore the business case for people security; define people security and what is meant by an insider attack; explore the limited literature to date on people security; present and discuss a typology of insider threats; explore the role that HR can play in mitigating insider threats. The paper continues by considering the role that organisational learning, training and education can play in mitigating against insider attacks and in effect ‘mind the gap’ in organisational security before presenting conclusions and ideas for future research.
THE BUSINESS CASE FOR PEOPLE SECURITY
Whilst many organisations take reasonable, albeit not foolproof, care at the initial recruitment stage, there is often little in place in terms of HRM and management systems and practices to detect potential future problems or tell-tale signs during an employee’s service. Even in terms of pre-screening, how well equipped are recruiters to ascertain whether the candidate in front of them has the correct identity, passport, visa and/or qualifications?
Whilst some organisations have policies and practices related to people security, such as we have found and discuss below at PubOrg1, PubOrg2 and FinSuppCo, these strategies need to be adopted more widely to reduce security risks in organisations. A further weakness regarding people security relates to the limited level of competency HR professionals have in this area, although PubOrg1 and PubOrg2 have provided some training. In addition, a particular concern relates to the professional education of the profession, as the topic of people security currently does not explicitly feature on the curricula of HRM/D professional programmes or the CIPD’s professional framework, apart from indirectly through coverage of recruitment[2]. Therefore HRM/D and other specialist academics, such as cyber-security experts, have a role to play in educating HRM/D professionals in this area so that they in turn can educate their HR colleagues, senior and line managers within their employing organisations, as well as ensuring greater security awareness amongst employees. This paper is an attempt to bridge that gap.
There are a number of reasons why an organisation may be subject to an insider attack. These include attempts to infiltrate an organisation by organised crime groups, supporters of terrorist causes, single issue/domestic extremist groups, industrial or state sponsored espionage, or simply an act of retaliation by disgruntled or disaffected staff. The impact of an insider attack could be catastrophic for an organisation. The most high profile ‘insider’ in recent times would arguably be Edward Snowden (Gayathri, 2013; Schmitt, 2014; Harding, 2014). The impact of the information he disclosed via the Guardian newspaper reporter Glenn Greenwald and documentary film-maker Laura Poitras has affected the global reputation of the United States and indirectly the UK Government (over the role played by GCHQ). However, Snowden is not alone, with a fellow American, Bradley Manning, responsible for leaking military secrets to WikiLeaks (BBC News, 2013; Londono, 2014).
A key strategy to focus the minds of senior executives on the need to take people security seriously is to demonstrate the bottom line impact of neglecting this area. Using employee fraud as an example of ‘insider attack’, a recent ACFE Report to the Nations on Occupational Fraud and Abuse (2014) reported that survey participants estimated that the typical organization loses 5% of revenues each year to fraud.
If applied to the 2013 estimated Gross World Product, this translates to a potential projected global fraud loss of nearly £2.47 trillion. Whilst the median loss caused by the frauds was £97,000, 22% of cases involved losses of at least £670,000. Furthermore no sector was immune from such threats. The report revealed that the banking and financial services, government and public administration, and manufacturing industries continue to have the greatest number of cases reported, while the mining, real estate, and oil and gas industries had the largest reported median losses.
The ACFE (2014) study also provided further insight into the type and roles of employees involved in fraud, which it is suggested could help organisations develop appropriate people security risk assessment policies. A particularly interesting finding was the exponential impact of collusion on the level of fraud. Collusion helps employees evade independent checks and other anti-fraud controls, enabling them to steal larger amounts. The median loss in a fraud committed by a single person was £53,500, but as the number of perpetrators increased, losses rose dramatically: two perpetrators £133,750; three £237,400; and four or more £334,380 or above. Beattie and BaMaung (2015b) therefore argue that organisations need to ensure they have appropriate checks and balances in place to mitigate against such actions, e.g. increasing the number and rank of signatories for different levels of financial authority.
Furthermore, the ACFE found that employee frauds were more likely to be committed by employees working in certain areas, clearly where there are more opportunities. The ACFE found 77% of frauds were committed by employees working in: accounting, operations, sales, executive/upper management, customer service, purchasing and finance. This was mirrored in one of Beattie and BaMaung’s (2015b) case studies, FinCo, a large multinational with a strong ethical values culture, which suffered significant financial losses due to separate cases of embezzlement by individual employees working in the finance function within UK and South American business units.
Interestingly, they have taken the decision to prosecute, which they hope will act as a deterrent to potential future perpetrators; this is not a decision always taken by employers, who somewhat short-sightedly see the resultant publicity as negative, whereas with good PR it can be turned into a positive outcome demonstrating that the organisation will not tolerate corruption in any form or at any level. Such actions, combined with more positive findings from the ACFE (2014) study, show that where there were anti-fraud controls, fraud losses were reduced and were of shorter duration. Thus there is a strong business case for taking the subject of people security seriously, and it presents the HR profession with a powerful argument for playing a more significant strategic role in organisations than is often currently the case.
Further support for the need to take people security more seriously, in the mid-2000s and beyond, is the growing evidence that the ongoing economic recession is exacerbating fraudulent acts at both the shopfloor and senior executive levels (ACFE, 2014; Singleton & Singleton, 2010).
In summary, these findings provide a strong case for reviewing and enhancing the role of people security, both for organisations and for national economies that cannot afford such financial leakage during the current era of austerity. This paper continues by defining the field of people security.
DEFINING THE FIELD OF PEOPLE SECURITY
BaMaung and Beattie (2014) argue that the role of the Human Resource Management function in ensuring the security and integrity of an organisation has long been ignored or unrecognised by many organisations. Either senior management have not acknowledged this role, and/or HRM professionals themselves do not recognise security as being one of the key pillars of their function, exacerbated by their lack of education in this area, discussed above. However, without an effective people security management strategy, structure and processes, the potential for insider infiltration and attack, or counterproductive work activities, is increased, potentially leading to fraud, theft (physical or data), damage, or espionage (see Figure 4 below).
All of these will have the potential to have a negative impact on the organisation including its corporate reputation, as can be seen in the recent history of the financial services sectors in the USA and UK.
However, Beattie and BaMaung (2015a) acknowledge that people security alone is not sufficient to combat ‘insider threats’ and ‘attacks’. There are three aspects to organisational security which contribute to enhancing its resilience: physical security, cyber security and people security.
Combined together, they form an integrated approach to security management, which in turn will enhance the resilience of an organisation to the threat of an attack. However, unless all three aspects are present, an opportunity exists to exploit existing vulnerabilities (BaMaung and Beattie, 2014).
All three elements are inter-related and equally important, however there is a lack of research in the field of people security (BaMaung and Beattie, 2014), compared to cyber and physical security.
However, it is argued here that there is a need to acknowledge the role played by the HR function in organisational security and resilience; whilst by no means underestimating the importance of physical and cyber security it is people who breach physical and cyber defences, either accidentally, or more seriously, through malevolence.
We further argue that there is a need to engage HR professionals, including through professional bodies such as the CIPD and SHRM, to identify ways to focus their attention on people security and to equip them with the skills, knowledge and attitudes to undertake this critical strategic role. Encouragingly, this research was recognised in an editorial in the CIPD’s professional journal, People Management, as one of the leading business school research ideas for 2015 (Beattie, 2015). This study, through an extensive literature review, empirical research and conceptual development attempts to address this vital research and practice gap.
To obtain organisational ‘buy-in’ regarding the key role HRM plays in ensuring its security, it is essential to demonstrate the impact that failure to acknowledge this relationship could have. The aspect of security most relevant to the HRM function is that of an ‘insider threat’ or ‘insider attack’, where an employee commits a hostile act against their organisation. This could take many forms, including theft, vandalism or espionage, or acts which result in serious reputational damage; we explore the nature of the ‘insider threat’ next.
DEFINING AN ‘INSIDER THREAT’
There are various interpretations of what constitutes ‘an insider’, and what their modus operandi is. The Centre for the Protection of National Infrastructure (CPNI)[3] describes insider activity as follows:
‘Some attacks, whether from criminals, terrorists or competitors seeking a business advantage, may rely upon the co-operation of an insider. This could be an employee or any contract or agency staff (e.g. cleaner, caterer, security guard) who has authorised access to your premises. He or she may already be working for ...’[4]
Within the USA, the issue of insider threats to Critical Infrastructure has received much comment and a precise definition of the insider threat is provided as:
‘The insider threat to critical infrastructure is one or more individuals with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm’ (Noonan & Archuleta, 2008, p. 11).
The impact and motivation of disgruntled employees has been examined in relation to employee computer crime (Willison & Warkentin, 2009); however, the authors do not identify a clear role for the HR function in organisations, which we explore next.
THE INSIDER THREAT AND HR
An initial literature search on personnel or people security management, human resource management, and their relationship to insider threat revealed a number of papers and books including Analoui (1995); Colwill (2009); Furnham and Taylor (2013); Lacey (2009); Blackwell (2009); Blackwell (2009a); CPNI (2009), (2012), (2013); and Stephens & Mortell (2010). However, in general, there appeared to be a lack of literature or material, particularly UK or European based covering this subject area.
A search of US literature including Jackson (2012); Nixon and Kerr (2008); Catrantzos (2010); Catrantzos (2012); Power & Forte (2006) and Richards (2000) revealed work in the field of personnel security management, but there was still a relative paucity of publications on personnel security in comparison with physical and cyber-security. However, it was noted that a considerable amount of research has been carried out on ‘cyber-insiders’ or ‘cyber protection measures’ against insider attack, e.g. Randazzo et al (2004); Cappelli et al (2009); Moore et al (2008); Udoeyop (2010); Kowalski et al (2008); Keeney et al (2008); Ruppert (2009); Garcia (2009); Hanley et al (2009); Spooner et al (2009); Brackney & Anderson (2004); Furnell (2004); Cappelli et al (2008); Tarver (2005); Cappelli et al (2007); Melara et al (2003); Bishop et al (2009); Udoeyop et al (2009); Moore et al (2009); Bowen et al (2009); Liu et al (2008); Blackwell (2009); Spitzner (2003); Schultz (2002); Cappelli et al (2012), and Schneier (2000).
The focus of much of this research has been on technological or ‘cyber’ solutions to an insider attack. The mitigation measures identified focus on the role of information security and data management practices, rather than the role human resource departments can play in such circumstances. There has been some discussion on the role of HR in mitigating insider threat (Power & Forte, 2006), however, this does not necessarily take account of the UK and EU’s different government and legal systems, HR practices and cultural values. The rest of this literature review focuses on the developing, and increasingly important, field of ‘People Security’ with a particular, although not wholly exclusive focus on the UK context.
PEOPLE SECURITY
The Role of People Security
As noted above, personnel or people security has been significantly under-researched in comparison to physical, and in particular cyber-security. However, whilst still lagging significantly behind the other two legs of the ‘security stool’, the role of people in security breaches and protection has become increasingly prominent. This has even been seen in the development of the terminology being used; for example, until very recently the term ‘personnel security’ was used to denote the human aspects of security. However, increasing recognition of the complexity of the modern workplace and labour market has seen a shift to the term ‘people security’, which Beattie and BaMaung (2015b) define as being:
‘…the strategy and practices to identify, mitigate and manage insider threats within organisations, and nations, undertaken by key stakeholders including the HR function, senior and line management, associated professionals, and appropriate national agencies’.
This semantic, and policy shift, can be seen in work carried out independently, although concurrently, by both agencies such as CPNI, and academics (e.g. Beattie and BaMaung) working in the field. There are a number of reasons why ‘people security’ is a more apposite, contemporary term and these are discussed below.
Firstly, it reflects that not all individuals working for today’s organisations are actually direct employees, with many being provided by subcontractors or agencies employed by a third party. Secondly, personnel tends to suggest that the management of people should only be by the HR function within the organisation. This is now a very dated construct as many operational aspects of HRM, such as recruitment and selection, performance management, induction, learning and development, discipline and grievance, have been devolved to line managers (Beattie, 2006).
Indeed Beattie and BaMaung (2015b) argue that such activities where practiced well by line managers, supported by senior managers and organisational culture, can contribute significantly to creating a positive security culture. The HRM function’s role here should be strategic through developing appropriate policies and practices, providing training to senior managers, line managers, employees and third party partners, as well as working closely with their other professional partners in security including risk, security, finance and IT specialists. This role is discussed further in the section on Mitigating Insider Threat, however prior to that we explore the complexity of people security, as the more understanding we have of the field the better we can mitigate against the risk of insider threats and attacks.
The complexity of people security
Beattie and BaMaung (2015b) argue that one of the factors that complicates people security is that employees are not a homogeneous group. This can even be seen within the structure of organisations, where employees at different levels have different levels of responsibility and access to key information, as well as different interactions with one another.
For example, in many organisations the key source of power is held by senior management. Therefore a key question here is whether or not organisations have sufficient checks and balances in place to ensure that such power is not misused; for example, do non-executive directors have sufficient knowledge to question and challenge the actions of executives? Even this comparatively simple hierarchical description of the workforce is further complicated when you take into account other employee variables such as gender, age, educational background, profession, ethnicity etc.
To start to help organisations analyse the risk across different levels of the organisation Beattie and BaMaung (2015b) have developed a ‘circles of people security’ model (see figure 1), which applies a traffic light system, similar to the risk assessment process adopted in many health and safety strategies, to identify where their potential vulnerabilities may lie.
Figure 1 Circles of People Security (Beattie and BaMaung, 2015b)
The above model reflects the circles of people security within an organisation, reflecting both the levels of authority and the levels of risk each group may present within an organisation. The model can be adjusted to reflect the context of an organisation in terms of its sector, its lifecycle and contemporary challenges. Beattie and BaMaung recommend that this circle is reviewed at regular intervals, e.g. as part of the corporate risk register protocols, or if there has been significant change in the organisation’s circumstances including: changes in the senior management; a significant recruitment drive; and, moves into new markets, particularly overseas.
In the example presented in Figure 1 above using a conventional traffic light system, applied to a ‘hypothetical’ online financial services organisation, each category of ‘insider’ has been assessed as follows. Senior Management are shown as having a strong green signal. This signifies that they have been fully risk assessed in relation to financial probity, and commercial confidentiality. Line managers have also been assessed as green, although not quite so strongly, given they are a larger group, may have been subject to slightly less rigorous checks and may not have quite the same level of organizational commitment as senior managers, whose remuneration packages may be more closely linked to the financial (and regulatory) success of the business.
The frontline workforce have been highlighted as amber, again representative of the larger numbers of individuals involved and the lighter touch of screening and/or vetting they may have undergone. Also, although by no means exclusively, employees at this level with lower pay scales may be more vulnerable to financial pressures, which may result in inappropriate behaviour. However, it should be noted that there are fewer opportunities to do so, and the resultant damage may be considerably less than that of senior managers.
A separate cadre of the frontline workers has been further highlighted in red. These are those employees who are in key positions to protect (or breach) the internal and external boundaries to the organisation’s assets. These include the security workforce (often an outsourced function) and IT administrators who grant different levels of access to the organisation’s IT systems. There is a danger that individuals from both of these groups of staff, again often at relatively low pay grades, could use their privileged access to either their own advantage, or by being manipulated by organized crime gangs and other hostile groups to do so.
This situation could be assisted by one or a combination of the following: poor pre-employment screening; poor ongoing management by line managers; and, lack of checks and balances. During their research Beattie and BaMaung (2015b) observed an example of this when a young, inexperienced and part-time employee informed them that she had been left alone in charge of a cash office handling £1000s every day for three months, prior to satisfactory police criminal records checks on her being received. Such poor practice left both the individual, through poor duty of care, and the organisation, through poor security management, at risk.
However, we also demonstrate the application of the model (see Figure 2) related to actual events where people security was breached at the highest level of the organisation. In the case of Enron, a long-serving senior manager, Jeffrey Skilling, who reached the heights of Chief Financial Officer and ultimately Chief Executive, was convicted of fraud and was jailed for 24 years (Carney, 2013). Here the high risk was with senior management, not junior employees; however, it was the junior employees who paid a high price for his criminal activity as Enron collapsed with the loss of 20,000 jobs, whilst of course many customers also suffered severe detriment.
In the case of Enron, the Chief Executive is highlighted in bold red, as this is where the principal threat came from. As seen in other recent corporate scandals, e.g. Fred Goodwin and RBS (Winnett & Mason, 2012), inappropriate leadership behaviours, such as corruption and bullying, cascade down the managerial hierarchy of an organisation, resulting in a host of serious consequences including regulatory investigations and punishments; criminal prosecutions; the loss of reputation; and in some instances the business ceases, with the loss of employment and financial cost to customers, as in the case of Enron due to the criminal and immoral activities of their ‘leader’. Indeed, in their empirical study of white collar criminals, Norwegian academics Arnulf and Gottschalk (2013) identify individuals, such as Skilling, as having had ‘heroic’ status prior to being unmasked as criminals, and that this combined with their executive power induces them ‘to commit large-scale opportunistic crimes late in their lives’ (p.96). They also share the narcissistic traits observed in profiles of other inside attackers such as Nick Leeson and Edward Snowden.
Another element of the ‘insider threat’ is the individuals who work for an organisation as part of a ‘labour supply chain’ (see Figure 3), where the further away the control is from the employer, the weaker that chain is; this is part of the justification for ‘people security’ as opposed to ‘personnel security’. For example, an organisation’s HR department can check that the appointment of a new Chief Financial Officer goes through all due diligence checks; however, how sure are they that their subcontractors are applying appropriate diligence checks on their staff? Even organisations such as the NSA discovered, to their cost, post-Snowden that the vetting agency employed by them to screen potential recruits was not actually fulfilling its contractual obligations (Nissenbaum, 2014; Associated Press in Washington, 2014). Perhaps one consequence of the growing awareness of people security issues and the insider threat is that the recent and rapid expansion of outsourcing activities such as HR recruitment, IT services etc. will not only slow down but may even see such functions return in-house to increase levels of control; such developments may also enhance organisational ‘security culture’ by demonstrating that these issues are taken seriously by the top of the organisation.