The Insider Threat
: Responding to Behavioural Indicators in Critical National Infrastructure Organisations

Student thesis: Doctoral ThesisDoctor of Philosophy


The insider act occurs when authorised and legitimate access provided by an organisation is misused. The damage that an insider can cause is wide ranging, and includes acts such as fraud, sabotage and theft of data. Within a Critical National Infrastructure (CNI) organisation, the insider can cause significant harm such as loss of critical assets or data which could disrupt critical services and lead to repercussions further down the supply chain.

Research suggests that behavioural indicators are often evident prior to an act taking place, but usually remain unreported. This research identifies behaviours which might be observed across five acts: sabotage, fraud, theft of data, terrorism and espionage, and incorporates expert opinions and perceptions to produce a consolidated list of behavioural indicators which is structured around components of the Counterproductive Workplace Behaviour (CWB) literature. Through this analysis, the different stages that the insider might progress through in developing their intent have been identified, which can influence the types of behaviours that may be evident. This is presented in a pathway model, and extends the literature in this area.

The behaviours were tested with non-experts in a focus group, and this found that the behaviours of more concern were those which impact the team, such as conflict and bullying. The analysis within this study identified that contextual factors including sector, organisational, team and actor attributes may influence the types of behaviours that are of concern; suggesting that organisations should tailor behavioural indicators for their training and awareness material.

There is limited research on the factors which influence reporting likelihood. This study addresses this gap, through interviews with experts in CNI organisations and focus groups with non-expert employees to understand the factors which influence reporting. This has identified that factors such as training and awareness, clear reporting responsibility, and strong reporting culture can improve reporting likelihood. Key inhibiting factors include fears associated with damaging relationships, and the potential for consequences such as reprisal.

This research has used bystander intervention theories and Social Identity Theory as a combined theoretical framework, and has identified that these theories help understand reporting inclinations. Social Identity Theory is particularly important in the workplace environment, where there are influences such as group dynamics. A strong team identity can both encourage and inhibit reporting depending on whether the intent is to protect the group member, or the team from a threat that is posed by that individual. The research presents a proposed model for responding to behavioural precursors associated with one particular type of insider act; theft of IP/data and is based on elements of bystander intervention theory and incorporating the influences of social identity theory to reflect these findings. Extensions to the model include the provision of feedback to the person who reports, and to reflect that the line manager may repeat some of the stages as part of their decision-making process.

Recommendations based upon this research are made for CNI organisations, which includes to strengthen reporting culture, consider combinations of behaviours that could be of concern, and remove the obligation for employees to diagnose what type of act the behaviours might suggest.
Date of Award1 May 2022
Original languageEnglish
Awarding Institution
  • King's College London
SupervisorBrooke Rogers (Supervisor) & Julia Pearce (Supervisor)

Cite this