5.3.23 > Shayla Treadwell, Ph.D.

As a cybersecurity professional, working in a volatile, uncertain, complex, and ambiguous world means consistently putting out fires. When thinking about putting out small fires, typically one would think of working through small problems that need to be solved quickly before they become bigger.

But what happens when there are many small fires? What risks do you open your organization up to when people unintentionally open themselves up to risk? Targeting unintentional insider threats all organizations to build security-first cultures while building organizational resiliency so that if something goes wrong you don’t simply bounce back but bounce forward.

Q> What is an unintentional insider threat and how are businesses impacted by them?

Carnegie Mellon University defines an unintentional insider threat as, “A current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data who through action or inaction without malicious intent unwittingly causes harm or substantially increases the probably of future serious harm to the confidentiality, integrity, or availability of the organization’s resources or assets, including information, information systems, or financial systems.”

The definition of unintentional insider threat is noteworthy because:

  • 34% of businesses are affected by insider threats globally
  • 66% of companies believe insider threat attacks are more likely to occur today than in the past
  • Companies have seen a 47% increase in insider threat indents happening over the last two years

The impact of an unintentional insider threat can lead to data breaches, financial, production loss, reputational damages, and must more. Although organizations have policies and procedures in place to help employees, mistakes continue to happen. These mistakes, if not mitigated, pose a major threat to the operational resiliency of organizations.

Q> What are the pathways traditionally used by individuals who fall victim to being an unintentional insider threat?

There are four main attack vectors of unintentional insider threats. These vectors include:

  1. Accidental Disclosure – This occurs when sensitive information is posted on public websites or sent to unauthorized parties.
  2. Social Engineering – Typically delivered through methods such as phishing, tailgating, or USB plants, where there are emotional factors and curiosity assists cyber criminals with the spreading of malware or spyware.
  3. Improper Disposal – This occurs when sensitive information is either improperly disposed of, stolen, or lost.
  4. Lost Devices – Occurs when devices such as laptops, smartphones, or hard drives are stolen or lost.

Though there is a heavy emphasis in the industry on phishing and business email compromise, it takes up approximately six percent of unintentional insider threats. A great majority of unintentional insider threats are nested in accidental disclosure, 49%, and improper disposal, 28%.

Q>What are some of the organizational factors that lead to an increase in unintentional insider threats and poor organizational resiliency?

The reality is unintentional insider threats are often a result of failure in human performance. Like any other risk, human risk can never be eliminated, but there are many mitigating factors that organizations can consider to drive organizational resiliency and security mindfulness.

Working Environment 

An individual working environment can cause them to be distracted or lose focus. There was an uptick in individuals reporting this as an issue during the COVID-19 pandemic. Working remotely is a norm in many organizations, and identifying best practices to limit distractions so something that should be communicated to employees.

Along with distractions, poor management, lack of resources, and inadequate security protocols create a working environment where organizational resiliency can be lacking increasing human risk.

Employee Fitness 

Life is not always easy. People deal with injuries, stress, anxiety, and illness daily in the workplace. By not having the proper resources to navigate issues, organizational resiliency can be impacted.

Ensuring that there are company resources available to assist with helping individuals do life is important. This also allows for cyber and IT organizations to build relationships with human resources organizations to address these issues.

Flow of Information 

Having poorly written procedures and processes can lead to unintended insider threats and poor organizational resiliency. This is due to providing employees with limited direction on the proper use and storage of sensitive information.

Workforce Planning 

Having a poor workforce strategy that understands the allocation of work is key to building resilient organizations. Being mindful of the segregation of duties, difficulties in completing tasks, and job pressure have an impact on employees and how susceptible they are to be an unintentional insider threat. Knowing the knowledge, skills, and abilities that are needed to complete a task is instrumental for proper planning for mitigating human risk.


Finding ways to minimize unintended insider threats can lead to more resilient organizations. This is possible by helping cyber and IT organizations and their leadership focus on those intentional threats and vulnerabilities.

More than ever, it is important to embed cybersecurity practices into the fabric of organizations. This allows for security to be embedded into the fabric of organizations, which keeps employees, customers, shareholders, and key stakeholders safe.

Shayla Treadwell Ph. D,  Vice President, Cybersecurity Center of Excellence Governance, Risk & Compliance, ECS

Shayla Treadwell is a results-oriented thought leader with experience in Cybersecurity governance, compliance, and integrated risk management who takes an organizational psychology approach to influencing cyber hygiene and culture. She is adept in navigating complex problems and is adept in formulating strategic solutions to build success.

You can Connect with Dr. Shayla Treadwell here at https://www.cybersecuritysummit.org/speakers/shayla-treadwell/

And on LinkedIn at  https://www.linkedin.com/in/shayla-treadwell/