How can we encourage all company employees to implement existing information security policies consistently?
While originally tasked with researching insider threat detection and deterrence, we discovered through the Empathy process that employees often have difficulty adhering to information security policies. This can lead to the weakening of even the most sophisticated and well-conceived countermeasures by the accidental creation of new vulnerabilities, credential mishandling, system misconfigurations, and the unintentional leaking of intellectual property and private information. There are many more ways in which an employee can damage a company’s information systems and operations through misuse of company technology.
Intentional insider attacks certainly sound threatening, and while they can be devastating to an organization, unintentional harms appeared to be a lower-hanging fruit in terms of harm reduction. A 2018 study found that actions taken by a “careless employee or contractor” were reported by 64 percent of companies to be the root cause of insider-related incidents (Ponemon Institute, 2018). Each of us can recall a major breach that had unintentional employee actions at its root. The widely publicized credit card breach at Target started with a vendor’s mishandling of system credentials, and the 2016 hacking of the Democratic National Committee was greatly exacerbated by employees falling for phishing scams and sharing credentials through insecure channels (ObserveIT, 2018; Kirk, 2016).
This is a persistent problem with many companies competing to develop better tools and procedures for training and monitoring employees. As we further digitize our businesses and daily lives, these issues will continue to plague organizations large and small. The need for solutions like the one we propose will only grow going forward.
Interviewees.
Chris Schenefiel: Principal Engineer at Cisco and Adjunct Lecturer at College of William and Mary
John Poma: Chief Legal Counsel for Tidewater Physicians Multispecialty Group and Adjunct Professor at College of William and Mary
Alex Makumbi: Data Security Engineer at Capital One (McLean, VA)
Chris Williamson: Cyber Analyst at Jefferson Lab (Newport News, VA)
Greg Nowicki: Cyber Analyst at Jefferson Lab (Newport News, VA)
Zec Allison: CIS Faculty at ECPI University (Norfolk, VA)
Reed Smith: Cybersecurity Consultant (Norfolk, VA)
We began this process looking for ways to mitigate and detect insider threats.
The more professionals we spoke with, the more it became apparent that the typical employee has difficulty remembering and acting on good security behaviors, and that, unfortunately, cybersecurity education often takes place only at orientation and then situationally. Our interviewees provided the necessary perspective for us to take a different direction and look at cybersecurity awareness and education. Once we had a prototype, they then helped us refine our ideas and add more value to our solution.