Why do People Reveal Secrets?
BY KARL PAYEUR
© 2011 FrontLine Security (Vol 6, No 3)

First, it assumes that the person holding a secret voluntarily wants to reveal it. While this happens very often, it ignores cases where secrets are revealed involuntarily. The latter can be of particular concern to the business community, where ­personnel are not always trained in the best practices of confidentiality. Second, that explanation has limited value as a vulnerability assessment tool. “MICE” offers some specific and useful indicators to watch for, but by focusing on a few of them, it misses other factors and most importantly the bigger picture. Thus, to understand why people reveal secrets, it is necessary to first look at general cognitive and decision-making processes, and then at how specific factors fit in that picture.

To understand the problem of disclosure of secrets in a way that makes it easier to identify vulnerabilities of personnel holding ­sensitive information, we can divide wrongful disclosures into three categories: involuntary, purely voluntary and “cost-benefit” voluntary. This model will help organizations develop indicators and solutions that will make them more efficient against industrial and economic espionage.

Involuntary disclosures
Wrongful disclosures are involuntary when an employee does not measure the consequences of revealing a certain piece of information to someone else, or when the employee has not been made aware of the value of the information he knows. Organizations can easily reduce this vulnerability.

Careless employees are a weak link. Competitors can track employees who discuss work-related matters in public settings to gather valuable information. Employees speaking freely may not know that others are listening. A spy may build a rapport with his target to facilitate information gathering. A target may be invited to a conference, which may seem like a “safe” environment, yet can represent excellent opportunities for a spy. Networking at such events may make the employee overly trust that his counter-part only has positive intentions when making conversation. Another example of a careless employee is one who may leave valuable data on social media about their work or themselves. When used effectively, ­personal data eventually becomes the source of phishing attacks against other employees.

The second type of involuntary disclosure can occur when employees do not know that the information they hold is sensitive. When told that they revealed a secret to a competitor, they reply that they thought it belonged to the public domain. A related scenario would be for an employee to divulge a piece of information that seems benign in and of itself, without knowing that this is the missing part of a larger puzzle for the competitor.

Indicators to monitor in order to limit the risk of involuntary ­disclosures are straightforward, and solutions relatively easy to implement. Examples of indicators include:

  • Do employees know what information is sensitive and why?
  • Do employees know what work-related matters must not be ­discussed outside of the workplace and why?
  • Does the organization have a culture of awareness and ­common sense?

As long as an organization establishes and maintains proper awareness, the risk of involuntary disclosures will decrease significantly.

Pure voluntary disclosures
Pure voluntary disclosures happen when an employee knowingly gives a competitor valuable information for free and often without calculating the consequences of doing so. Those who hold grudges and those who are at odds with the organization’s values represent a higher risk to the organization.

There is a multitude of reasons why employees become ­disgruntled (fired from job, poor work environment, not getting due credit and respect for work done, the list is endless), but they all share one thing in common: revenge. Revealing secrets is one sure way “to get even.” Competitors who are aware of disgruntled employees may attempt to exploit their perception of unfairness by offering them a chance to meet this goal.

Strong ideological values and beliefs can also drive someone to share secrets with competitors if the latter are perceived as defending the “right” or “just” cause.

The common theme motivating ­individuals in this situation is a feeling of injustice. For example, left-wing radicals working in firms that thrive in a free market are more likely to leak sensitive information if it advances their cause. There is an irreconcilable difference between the employee’s mind set and the organization’s mission statement and values. Employees with grievances about the way an organization conducts its business also represent a higher risk. If the employee believes there has been a breach of trust that upsets his or her core values, he/she may feel compelled to tell others about it to relieve themselves of the mental load.

Indicators of this are moderately difficult to monitor because employees will often hold back on their true feelings. Examples of indicators include:

  • Was the employee leaving the organization dealt with in a respectful manner? Did the employee have access to sensitive information? If so, has the access been removed immediately?
  • Are employees resentful of the work environment?
  • Does the organization encourage loyalty?
  • Are the employee’s beliefs in accordance with the ­organization’s mission statement and values?

Dealing effectively with grudges will depend on the relationship managers have with their employees. One solution is to assess an employee’s set of values through background checks and regular security reviews.

“Cost-benefit” voluntary disclosures
The last category represents the toughest challenge to any organization. These disclosures are often difficult to detect and prevent because often they will be planned and covert. The employee knows not to reveal secrets, but weighs the gains of doing so against the risks and consequences of detection. “Cost-benefit” voluntary disclosures can result from external or internal pressures.

External pressure also refers to coercion in “MICE” and is frequently characterized by a “lose-lose” situation. For example, the competitor may blackmail his target with embarrassing revelations (extra-marital affair, secret homosexuality, gambling problems…), threaten his security or the security of friends and family, or capture him with the intent of extracting sensitive information by force. The only gain achieved by the target when giving in is the cessation of negative consequences.

Internal pressure is associated with positive gains by the person revealing a secret. These gains can be material or social. First, ­material gains include secrets exchanged for things such as money, sex or gifts. Potential material gains will pressure the ­target into thinking how his personal life could benefit from these gains. The target will be vulnerable to revealing secrets if he places high value in material gains, places low value in ­loyalty, and believes the ramifications of detection are low.

Second, increased social status and improved bonding experience enhance perceived social gains. A target may share secrets to impress and seduce a potential partner, not realizing that ­person was sent to exploit that vulnerability. The target may also be asked to prove his worth in order to belong to group by sharing what he knows. With improved bonding, the competitor can exploit close relationships of his target. The target may let his guard down and disclose information to a friend or a partner with no need to know, or after an intense personal moment such as sex.

Indicators here are difficult to monitor because they entail ­having a good knowledge of an employee’s personality and personal life. Background checks and periodic security reviews are ­important, but this does not imply that intrusive investigations are always needed. Rather, good managers can build rapport with employees and achieve the same result in a more efficient, trustful manner. Examples of indicators include:

  • Is the employee’s life in order?
  • Is the employee trained in protecting himself and in ­maintaining situational awareness of his surroundings?
  • Is the employee’s personality likely to make him vulnerable to material or social gains? If so, how?

Organizations must develop a case-by-case plan to mitigate risks from these types of disclosures. However, as a baseline, organizations should strongly consider developing a trustful ­system for employees to come forward when pressured by competitors, building contingency plans against external ­pressures, and developing risk profiles.

====
Karl Payeur is an intelligence analyst at The Northgate Group and an M.A. candidate at the Norman Paterson School of International Affairs.
© FrontLine Security 2011

RELATED LINKS

Comments

CLICK HERE TO COMMENT ON THIS ARTICLE