In brief, by misunderstanding the causes of misbehaviour issues. I know it’s best practice to restate your premise since some readers skip over an article’s title. In this case, though, I suspect it was the title that got people here, so I’d just as soon get on with it: The “wrong” things to focus on in this case are accidents, errors, and omissions. If you’re already fully on board with this assessment … Thanks for coming. See you next week.
For everyone else, cybersecurity experts and behavioural scientists have been studying this problem for years. The data shows that anywhere between half and — I swear, I’m not making this up — a whopping 96% of all preventable security incidents that were caused by user behaviour can be traced to accidents, errors, and omissions. That’s the primary reason, I believe, that the “security awareness” (or “security human risk management” if you prefer) field has exploded in popularity amongst corporate security departments over the last decade. Trying to pre-empt unnecessarily risky behaviour is an awareness professional’s top priority.
The thing is, preventing accidents is just as difficult in the cubicle farm as it is on the open road. No matter how much time you invest teaching people the “rules of the road” or how many times you remind people to consistently follow road safety protocols, accidents still happen. In Windows as on the motorway, distractions, multitasking, fatigue, misperceptions, and bad timing all conspire to make even the most seasoned and responsible car or PC driver screw up from time to time.
To illustrate my argument, let me offer a painfully recent example: over this last weekend, I spent a couple of hours with my in-laws providing technical support. We’d helped my father-in-law replace his 12-year-old computer last month and his new machine was giving him some trouble. Since I’d installed his new machine, tech support was my job … and I was happy to help.
My father-in-law may be a pensioner, but he’s still sharp when it comes to office technology. He worked with computers for the last half of his career and isn’t intimidated by them. When he called and asked for help, he clearly articulated two problems: first, he was routinely receiving error messages that his backup software wasn’t completing incremental writes to his dedicated backup drive. Second, his Microsoft Office applications wouldn’t open because of a licensing issue. I recognised those issues and promised to sort them.
I tackled his backup problem first. Sure enough, the external drive I’d migrated over from his previous machine was (a) running way too hot, (b) running flat-out, and (c) not mounted by the file system. I suspected drive corruption but ran the normal troubleshooting steps anyway: power cycle the drive, reboot the computer, use the disk utility to check the integrity of the file system, and attempt to fix any discovered errors. When these steps proved useless, I knew I’d have to get my father-in-law a replacement external hard drive. Easy enough.
Then we went after the much less challenging Microsoft Office problem. His old software had been bought long before Office 365 came around and the new machine wanted a fresh, modern O365 annual subscription. My father-in-law didn’t want recurring charges, so I promised to get him an annual license when I picked up a new hard drive.
One quick trip to the Base Exchange later and we were all set. I installed a lovely new external SSD, formatted it, set it to be the new primary backup target, and off it went. Easy as pie. Then we set up my father-in-law’s Office 365 account, scratched the silver goo off the back of his license card, and attempted to register it. Keyword = “attempted.” Microsoft told me that the license key I’d entered was either invalid or had already been activated.
Having seen this error before after fat-fingering a string of characters, I re-entered the new license key, meticulously checking each character thrice before hitting “enter.” Same error message: “The key you just bought is garbage.” I did a quick look through the support articles to see if I’d missed a crucial step somewhere and they were largely useless. I tried to enter the key again, reading off each character out loud so FIL could double-check my typing. The danged portal still wouldn’t take it.
I gave Microsoft’s “AI-powered support agent” a try and confirmed my suspicions that it sucked. Totally useless. I then got in the queue for live tech support. There were 84 people in front of us and the expected wait would probably cause us to miss dinner.
While I was waiting, my father-in-law asked if he could take a crack at it. I was delighted; an extra set of eyes is always helpful, pride be damned. At first, FIL confirmed what I’d already done: he read off the first digits exactly as I’d entered them … until the very last character. He called out a “Z” where the character was clearly a “7” … except that it wasn’t. My father-in-law had carefully scratched away the last of the tiny silver goo stains on the card and discovered a hidden stroke underneath the final number. Both of us, looking at it 99.9% cleared, both with and without glasses, had read an unmistakeable 7 just like the character three spaces before it. Only … once that last little smudge was cleared away, we saw our error.
I re-entered the license key string with a Z at the end and it worked. I’d wasted almost an hour after my eyes had seen what they expected to see (i.e., a 7) instead of what was actually there (i.e., a Z with its “feet” tucked under a blanket). That’s how everyone’s brain makes their life unnecessarily difficult: it interprets reality rather than displaying a 1:1 image of everything in one’s field of view, sans edits. I saw what I’d expected to see and didn’t notice the telltale smudge.
The good news is that my father-in-law took the discovery in stride. We shared a laugh and got on with it. A few minutes later we had his Office apps registered and had confirmed that FIL could open and edit his older files. Everything was back to normal, so I left.
The thing was … I knew that if our adventure had taken place in a corporate environment it would probably have been taken completely out of context. Maybe the original PC swap was performed incorrectly (or even incompetently!). Maybe the backup drive had been … sabotaged! Maybe the O365 license key had been stolen or resold. Maybe the whole reason the user was sidelined was a deliberate attempt to cripple another department’s projects. The corporate security mindset often devolves into wild paranoia: everyone is a latent criminal or active enemy agent. Threats hide behind every cubicle wall, just waiting to undermine the organisation.
This paranoia, then, colours every reported tech problem as a potential act of wilful disruption. After all, if a task is easy to perform and isn’t performed to standard, then the actor must have violated the company’s rules deliberately! This is what I mean when I say that accidents, errors, and omissions are the bane of a well-intentioned insider threat programme. On paper, our seeming inability or unwillingness to activate a software license seems implausible. The task is simple: read what’s on the card and type it into the data field on the website. Anyone can do that! Therefore, failing to perform the task correctly on the first try must be due to malicious intent. LET LOOSE THE HOUNDS! SKULLDUGGERY IS AFOOT!
Except that’s obviously not what happened. A combination of fatigue, distraction, and inattentional blindness got in the way of two older dudes noticing a tiny smudge on a small card in bad light. There was no “malicious intent.” It was just a normal, everyday goof-up; the kind made every day by millions of workers across the globe.
That’s why one of the first and most important lessons learned by security awareness people is that accidents happen. In truth, most preventable incidents aren’t signs of treason. Treating them as such is counterproductive to solving a behaviour problem and is astoundingly corrosive to worker morale. Viewing your users as an army of communist saboteurs both alienates good workers and turns the security department into an active liability rather than a trusted support centre.
I ask you to remember this silly tale the next time one of your users borks something up and an insider threat analyst leaps to the conclusion that the incident must be attributed to deliberate malfeasance. While that might be true, it’s far more likely that ill intent was never a factor. Good people make mistakes all the time … and so do I. Nothing insidious about it.
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543