Cyber Laws For CxO
Be Aware... Be Empowered
May-June 2010
Editor
Naavi
www.naavi.org
Publisher
Ujvala Consultants Pvt Ltd
www.ujvala.com
Knowledge+
Human Bombs Inside an Organization
Terrorism is the bane of the modern society. Whether we are in business or Governance or we are simply the common men on the street, we need to worry about the impact of terrorism on our lives. As organizational heads we often see that our business goals need to be modified because we need to guard our back against the effect of terrorism that is in the environment.
In manufacturing companies, there was a time when “Security” meant preventing stealing of some of the products of the company. A good frisking at the exit gate was all that was required to manage. Today, this is least of the botherations. A reputed company today has to guard against a Bomb being placed in a Car which is parked in the basement, A truck laden with explosives ramming into the building or even a computer virus that disrupts the activity. Hence in addition to the Physical security with Armed Guards, Electronic and Chemical sensors, CC TV monitoring systems etc there is a complete layer of information security with Firewalls and other gadgets.
Despite the large investments made by Companies in Physical security devices and Information security, the CEO is still not confident that the security is reliable. The reason is that all the security measures indicated earlier tries to guard the Company against external threats.
But a major part of the threat to a Company comes from within. It may not be a Kasab who rams into the Company walls in a Truck to create problem, but a trusted car driver who drives the CEOs car with his wife and children in the back seat and RDX inside the boot.
In such a scenario, Security in Corporate Space requires a holistic approach which combines Physical, Information and Human Aspects.
In 2007, FBI and Critical Infrastructure Threat Analysis division of US found that Mr Dhiren Barot, a notorious Al-Qaeda agent who was arrested in UK had instructed one of his terror team mates to secure an employment in a hotel in UK to learn how to deactivate fire and security systems. In 2008, we saw the happening of the 26/11 attack on Mumbai hotels where the terrorists displayed a remarkable knowledge of the interiors raising suspicions that some of them had perhaps collected information after working in the hotel for some time in the house keeping section.
Again the 2007 plot to explode Jet fuel pipelines at JFK International Airport was masterminded by Russel Defreitas who had been a Cargo handler at the Airport. Recently we observed a crude bomb in the cargo section of a plane in Cochin which could perhaps be a trial run to test the security at the airport.
In our own country the Rajiv Gandhi assassination plot succeeded because of the role Nalini played as an insider.
Such Human Bombs are sitting inside many of our organizations, receiving pay packets from our companies and acting as the agents of the external terrorists.
Unless we identify and eliminate these inside threats who are sitting as human bombs within our organizations, the security strategy of a Corporate is incomplete.
Approach to Defusing the Human Bombs
As a first step towards eliminating the insider threats to terrorism, we need to identify the employees who have a propensity for “Deviant Behaviour” and classify them as “No Threats”, “Probable Threats”, “Potential Threats” and “Real Threats” and then initiate appropriate actions. This is a very sensitive operation HR persons will jump at the security person when such a suggestion is made. Many CEOs also may consider this atrocious. Unfortunately, the threats are so serious that even atrocious measures need to be tried if we need to limit the risk of terrorist attacks.
In order to reduce and eliminate if possible the possibility of errors, the findings in the Classification exercise needs to be validated with a suitable observation of the behaviour of the short listed persons more closely and the classification reviewed before crystallization.
Once the classification is complete, corrective action plan has to be initiated. While real threats need to be kept at a distance and sent packing, the potential threats need to be avoided from sensitive positions while continued to be put under surveillance. The probable threats may contain those who need guidance and self improvement behavioural training to bring them back from “Deviant” to “Normal” status.
The whole exercise of weeding out people on the basis of a behavioral trend classification needs to be addressed in close association with the HR department and as a part of the regular corporate training programmes. Like all behavioural tests, they would be administered by experts in a different non-work environment through games and exercises and extrapolated to work situations.
This is an area of research and the assessment may give raise to interesting observations of people. There may be the “Silent Killers” who appear to be loners, attend to work once assigned but otherwise remain idle, inquisitive about unrelated work and showing keen interest particularly in the security issues. There may people who display “Systematized Absenteeism” such as being absent on specific days of the week or month, and leaving without trace. There may be people who display abnormalities in how they get motivated for work. People with high greed quotient have long been tagged as potential fraud risks and they continue to be terror risks as they are amenable to act as “mules” and carry out malicious instructions from others without knowing the real implications.
There are two major strategies that a security professional should consider implementation. First is the “Whistleblower Policy” with appropriate confidentiality, witness protection and filter to avoid victimization. Key to a successful Whistle blowing policy is to appoint an external ombudsman rather than relying on an internal official.
The second strategy is to devise appropriate HR programmes map the deviant behavioural tendencies through well established behavioural science approaches.
Eric Berne’s Ego Gram Approach
Eric Berne introduced the theory of “Transaction Analysis” according to which he suggested that people appear to transact from three types of ego states called Parent, Adult and Child ego states.
By observing the behavioural patterns of people in different circumstances real and imaginary, it is possible to draw a rough ego-gram of a person to identify the relative development of the different ego states of a person and to identify which ego state dominates his behaviour.
Typically the ego gram of a deviant person would display an unbalanced development of the ego states.
Similarly, Eric Berne also propounded a theory of “Scripts” that drive a human being to a type of behaviour during his life. He classified the scripts into 4 types, I am OK-You are OK being the idealistic position to I am OK –You re Not OK or I am Not OK, You are Not OK as scripts driving criminal tendencies.
Identifying such script maps individuals in an organization is a task that precedes the next corrective step.
Mapping the ego grams or Scripts of individuals identified as potential or probable threats is achieved through not only game situations but also through extensive data mining techniques using Natural Language Processing Techniques, Artificial Intelligence through CCTV analysis, monitoring of behaviour in social networking sites etc.
Additionally, basic steps such as Ethical training, obtaining of ethical declaration etc need to be used appropriately.
The human de-risking process in an organization is a complex exercise but one which is essential. In the current rage amongst HR managers for a “no Holds Barred Recruitment”, some of these strategies may appear impractical. Only time will tell if they are critical to the survival of organizations in a terror filled world around us.
Naavi
A PDF Copy of the News Letter would be sent by e-mail to all persons who subscribe. Subscription is free.