Insider profiles II. Features

As a follow-up to the previous post, where we described the existing typologies of insiders, we are now going to delve deeper into a more psychological profiling of these individuals. Firstly, it must be said that scientific research on this type of sample is complicated, for obvious reasons, something which, on the other hand, is very typical when it comes to studying criminals and offenders.

We must also point out that, in the same way as we cannot talk about a single, standard type of insider, neither is it possible to pinpoint a sole psychological or psycho-criminological profile, as each insider typology has its own characteristics. Nevertheless, in this post we are going to profile the typologies that are related to the general category of the intentional insider (see previous post).


Psycological traits

If we had to pinpoint the features that, to a greater or lesser extent, are common to each type of intentional insider as a “basic pattern”, several psychological traits come to mind:


An insider usually falls within the scope of an introverted personality and tends to be an individualistic, calm individual who enjoys solitary activities and does not need constant external stimulation.

Their ability to concentrate is good and they can work for quite long periods of time on cognitive, high-performance tasks. It is a characteristic that, in some measure, is related to the profile of the computer programmer or IT industry professionals.


Insiders also demonstrate a psychological trait that is closely linked to criminal behavior and to problematic individuals, namely narcissism. They are usually people whose self-perception is, to some extent, distorted, who have a highly egocentric view of the world, and who believe that their importance, image and attraction surpass those of others.

They overestimate their own self-worth, which makes them feel that they are (or should be) a source of admiration for others. In themselves, these narcissistic traits do not represent a problem above and beyond the individual’s social relations, as sometimes they suffer from a certain amount of rejection as a result of this feeling of omnipotence and egocentricity they exhibit.

Nevertheless, this psychological trait can be much more problematic when it is coupled with the characteristics described below.

Lack of empathy

This is characterized by an inability to recognize and experience what others are feeling and by special difficulty in grasping an understanding of the traits proper to the people they mix with.

To sum up, someone who has a lack of empathy is unable to put themselves in other people’s shoes; hence, they do not feel bad if they hurt other people or behave in a way that has an adverse affect on them. In this case, the insider may appear insensitive to the damage they cause their company or other colleagues, which will not stop them from engaging in behaviors that are destructive or put other people at great risk.

Intolerance of criticism

Also linked to this narcissism is another trait that can be related to insiders, namely oversensitivity to other people’s opinions. Someone who believes they are superior to others manages criticism poorly and cannot tolerate any underestimation of themselves or of their professional development.

In the case in question, this is an element that can cause clashes in the workplace, leading to situations of dismissal or revenge that could be behind insider attacks. Sometimes this overconcern regarding what others might be thinking can give way to feelings of jealously about other individuals whom they believe are hogging the limelight or undermining their importance.

This is another factor that can obviously cause employment conflicts.


Someone who is highly narcissistic and lacks empathy may look on others as objects that can be manipulated and conned for their own benefit. Many contexts, as well as the working environment, offer opportunities for reaping rewards, even if this entails having to cheat, rob and swindle the company or colleagues.

Moreover, dishonest people rationalize their behavior, justify it and convince themselves that what they are going to do is not that wrong or stems from an exonerating need or circumstance. Saboteurs and moonlighters tell themselves that they are selling their company’s data because they have been unfairly dismissed or because the company has not paid them what they deserve.

This rationalization assuages any feeling of blame or rejection resulting from their behavior, enabling them to carry it out with moral authority and even prolong it.


In relation to the above, this trait reveals someone who is extremely profit focused; whose mind is a reward calculator and who only shows loyalty to themselves. The problem with greed is that they always want more and economic returns rank high above the group, commitment and standards.

These types of people usually change job frequently; when they are at one company they are thinking about another that can offer them a little more money or a higher-paid job. This means they are solely motivated by profit, which is very dangerous in the context of insiders, as they are the ones that are always willing to sell information or data to someone else.


The intolerance to criticism that we mentioned previously generates angry, revengeful responses targeted at the source of the criticism, whether a colleague or a superior. But this anger or revenge does not always take on a physical or violent form and is sometimes reflected in a very subtle, devious way through sabotage or unintentional negligence that generate damage and losses.

In this way, we might come across a careless insider who, out of neglect, accidentally misplaces an external memory containing privileged information about the company, or be confronted with a saboteur who makes everyone believe they have lost it out of carelessness, when really they have done it on purpose.

This type of insider can be caught out when the number of slip-ups starts to add up, when they repeatedly make mistakes or are always involved in accidents linked to the loss of information.


We are now going to pinpoint some of the core aspects of the modus operandi (MO) most frequently used by these insiders. We are not going to examine the technical details or the IT methods used, but the elements of their MO that may be more visible and noticeable to these insiders’ colleagues and superiors.

Firstly, before becoming an internal hacker, an insider is a problem employee. Prior to committing their crime, most insiders have already attracted the attention of their superiors or colleagues on account of issues in the workplace. Arguing, a lack of discipline, constant complaints and a bad atmosphere usually precede these types of people, which can be explained by the psychological traits we mentioned above.

Secondly, insiders are usually loners and it is unusual to find teams of insiders within the same company or institution. They may have someone else on the outside profiting from their attack or directing it, as in the case of a mole, but inside the company their MO will be solitary.

They sometimes do overtime, get to work early or leave after their colleagues, they show an interest in finding out about processes, systems and information they are not responsible for and they prefer silent or secretive hacking techniques.

Thirdly, the planning versus the impulsiveness of their MO enables us to match them to an insider typology. The MO of moonlighters and moles is more carefully planned and pre-meditated in terms of time, technique and penetration level in comparison with saboteurs or disloyal insiders.

The latter are more emotional and spontaneous, and may even act just hours after they have been dismissed or following a serious conflict. This will affect the self-protection measures implemented by the insiders themselves, which are going to be poorer and more careless in the case of both of these latter typologies.

When a cyber attack occurs in a company and there is a suspicion that it could have originated internally, we recommend analyzing the company’s last six months in an attempt to locate any members of staff who have been dismissed and may hold some kind of grudge against the company or the people most impacted by the attack.

In this case, the HR Department is a helpful source of information that must coordinate with the Security Department in these types of situations.

The attack will be linked to the employee’s competence level. Within the MO used by an insider, their behaviors and capabilities are contingent upon the skills and knowledge they have. To cite a non-cybernetic example, an employee who works in a warehouse and wants to rob their company may steal some goods from the warehouse, but they cannot tamper with an accounting balance or forge an invoice because they will not have access to it or the know-how to do so.

Nevertheless, it must also be taken into account that the insider may attempt to manipulate the attack in order to direct suspicion towards other people or departments, even though they will always be limited by their levels of access and knowledge. Using the same example as above, an accountant may forge an invoice, but they can also steal from a warehouse if they have access to it.

This means that employees who are at a higher level and have greater knowledge and capabilities can use a wider range of methods of attack in their MO.

Last but not least, we must analyze the how, where, when and what of an attack in order to be able to correctly filter any possible suspects linked to it.

Like any other hacker, an insider cannot stop being how they are when they attack and neither can they rid themselves of the features of their personality, their psychological traits, their personal and social (labor) constraints or their circumstances. An intrusion technique may be similar in two different attacks, but above and beyond this technique, we must collect signs that lead us to these personal indicators that enable us to individualize the attacker.

This is the new approach to preventing and fighting cybercrimes, Cyberprofiling.

Posted by Tim Ayling

Tim Ayling is currently the Vice-President EMEA. With over 20 years' experience in the cybersecurity and anti-fraud industry, Ayling began his career in technical support, and moved on to System Engineering. He began his leadership career when he established Entrust Inc. in Australia in 2003 and was made Vice-President Asia Pacific in 2006. Ayling has held numerous leadership roles in large cybersecurity vendors, including serving as the Global Head of Fraud Prevention Solutions at Kaspersky Labs, as EMEA Director of Fraud & Risk Intelligence at RSA Security, as well as spending time in the cyber-security practice of KPMG.

Solicita una demo

Would you like to know how our solution protects your bank?

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video

Did you like it? Share in your social communities