
In the workplace setting an employer provides money and/or other benefits to a person in exchange for their labour, knowledge, and time. The relationship is formally set out in a contract which details obligations that fall upon both the employer and employee, contractor, or volunteer – a principle known as quid pro quo. Examples of obligations include an employer providing a safe workplace, an employee working to a required standard of quality and time, and both parties behaving in the workplace in accordance with stated organisational values and the common law.
The lubricant which enables the working relationship to operate smoothly and for mutual benefit is trust. A definition of trust is: firm belief in the reliability, truth, or ability of someone or something.
In the workplace, both parties trust that the other will behave in alignment with clearly agreed expectations and workplace culture, appreciating these can be far more subjective than a contracted rate of pay or leave entitlements that are made clear in law. There is also an implied element of trust that, in circumstances which are not scripted precisely in the contract, the employer and employee will tend to act to protect the interests of the other party. For example, an employee who sees a colleague stealing in the workplace will tell the employer.
Turning to research about trust, a long-term study[1] investigating people’s neurological responses to trust situations concluded that building a culture of trust is what makes a meaningful difference to individuals’ relationship with work and hence to the enterprise they are a part of. The research indicates that people in ‘high-trust’ enterprises are more productive, have more energy at work, collaborate better with colleagues, and stay with their employers longer. This high-trust environment meets their individual needs. The study offers eight management behaviours that can foster employee trust, making clear that leaders and managers are the fundamental enabler to grow trust. Leaders must provide the conditions for success – clear direction and suitable resources – then allow people to get on with the task, albeit supervised (coached) but not micromanaged.
Accordingly, employees become ‘trusted insiders’. The same level of employer trust can be extended to contractors and volunteers. The key distinction is not employment status, but rather the level of trust that the enterprise has offered to a person in the workplace.
In any process of employment, the employer will scrutinise the candidate. The purpose of screening is to:
- determine if the candidate’s claims of qualifications and previous employment are accurate,
- ascertain if the candidate has demonstrated behaviours which may not align with the purpose and culture of the enterprise they are seeking to be part of, and
- understand the candidate’s psychology and motivations.
All this information is gathered to determine if the candidate is qualified and able to do the job, to ascertain if the candidate is aligned with the enterprise’s values, and to assess if the candidate will be a good cultural ‘fit’ and so is likely to succeed in the enterprise. This likelihood of success is important for the candidate, their soon-to-be colleagues, and for the enterprise.
However, people change. The candidate who was assessed and deemed suitable to join the enterprise, to become an employee, to be a trusted insider will inevitably change over time because of drivers impacting them. This change is not their fault; it is natural. The drivers that may change a person’s behaviours and motivations encompass many things including workplace events, changes in their personal life, their health, and the impact of external events stemming from such things as the economy, society, and geopolitical developments.
Because people change over time, employers need to have a means of understanding how their people may be changing. Change may be benign, or the person may be changing in ways that could be harmful to the enterprise, or harmful to employees, or harmful to the person who is changing. This approach to understanding employees aligns with the workplace health and safety theme that employers have a legal duty to be alert to and promote the health and wellbeing of their people, as well as with management’s legal obligations to safeguard the security of the assets and operations they are responsible for.
When it comes to people changing there are two ways to recognise if a person may be undergoing change: they tell you, or their changing behaviour is observed. Which of these ways do you think is the most reliable to indicate when a trusted insider might be on the road to becoming an ‘insider threat’ – that is, a person who uses their legitimate access to enterprise assets and operations to cause harm to the enterprise and the people within it?
Let’s look at two recent Australian case studies to see how a trusted insider can become an insider threat and how that can manifest in workplace harms.
Case Study One: Bankstown-Lidcombe Hospital Nurses
The first example I offer to illustrate how real and consequential the risk of insider threat is in Australia is the behaviour of two nurses, as reported in Australian media on 13-14 February 2025.
Two nurses employed in the state government enterprise NSW Health, at Bankstown-Lidcombe Hospital, reportedly engaged in an online chat forum with an Israeli person. The nurses were recorded on video saying they would kill any Israeli patient they might be required to give medical assistance to as part of their employment as nurses at Bankstown Hospital.
One of the nurses, Ahmad Nadir, reportedly told the Israeli person in the online chat that he “had no idea” how many Israelis who had attended Bankstown Hospital he had sent to “hell”.
The other nurse in the chat, Abu Lebdeh, reportedly said she would not treat Israeli patients but would “kill them”. Lebdeh reportedly went on to say that Israel is Palestine’s country, not your (Israel’s) country.
The nurses were on-shift and in their nursing ‘scrubs’ when they engaged in this online video chat.
NSW Health stood down both nurses immediately once the chat video was made public. The police are gathering evidence to ascertain if charges may be laid.
This is an insider threat case, in Australia in February 2025, and it has gained international headlines.
These nurses were employed by NSW Health at the time of the incident. They presumably showed no signs of violent tendencies or, hopefully, of overt anti-Semitism or a willingness to kill patients when reviewed in the candidate pre-employment screening process.
I mentioned earlier that people change based on drivers they encounter through work and personal life. It is possible that the 7 October 2023 Hamas attack on Israel, and the ensuing war in the Middle East, triggered within Lebdeh and Nadir latent behaviours and attitudes that they have been exposed to historically.
Nadir fled Afghanistan as a 12-year-old and became an Australian citizen in about 2020. In contemporary Australia, perhaps within their community, they may have been influenced by the wave of anti-Israeli sentiment and violence that has swept the globe, and especially Western democracies, in the wake of the 7 October attack. Mainstream media, social media, chat forums, the United Nations, and many governments have spread an anti-Israel view and pro-Palestinian narrative, which will have influenced some people’s views.
My comments about an external event possibly ‘triggering’ Lebdeh’s and Nadir’s behaviour align with comments made by the Director-General of the Australian Security Intelligence Organisation (ASIO) on 19 February 2025 when he said in his Annual Threat Assessment:
“Anti-Semitism festered in Australia before the tragic events in the Middle East, but the drawn-out conflict gave it oxygen – and gave some anti-Semites an excuse.
Jewish Australians were also increasingly conflated with the state of Israel, leading to an increase in anti-Semitic incidents.
The normalisation of violent protest and intimidating behaviour lowered the threshold for provocative and potentially violent acts. Narratives originally centred on “freeing Palestine” expanded to include incitements to “kill the Jews”. Threats transitioned from harassment and intimidation to specific targeting of Jewish communities, places of worship and prominent figures.”
Bankstown Hospital is listed as a critical hospital under the Security of Critical Infrastructure Act 2018 and is required to mitigate risks arising from malicious or negligent employees or contractors. As such, it should have an insider threat program – although it is unclear whether one is in place.
How might an insider threat program help mitigate such risks?
The starting premiss of an insider threat program is to identify aberrant behaviour – it does not target a person based on their attributes. However, as Australia’s Counter-Terrorism Coordinator says: “We must remain alert and be responsive to this ever-evolving security landscape.”
To that end, an effective insider threat program would have recognised that the rise in anti-Israel and anti-Jewish sentiment in Australia may result in some employees undergoing personal changes, perhaps being adversely affected such that their workplace behaviour may evolve to be a harm in the workplace and perhaps to themselves.
Reports indicate that Nadir and Lebdeh are Muslim and may have been susceptible to evolving attitudes and behaviours inimical to the requirements of NSW Health and Bankstown Hospital to accept and heal all people who come to the hospital, treating them with respect and impartiality. An insider threat program may have recognised Muslim employees could be adversely affected by external drivers and taken steps to mitigate such a risk. Ideally, this would involve early intervention and engagement intended to inhibit such a situation developing. Failing that, the program could have monitored vulnerable employees’ attitudes and behaviours with the aim to stop them causing harm.
Nadir and Lebdeh’s reported behaviour shows that harm was realised. Whilst NSW Health, on 12 February 2025, stated that there is no evidence that any Israeli patient has been harmed or killed at Bankstown Hospital, this insider threat event has inflicted serious harm to the confidence people have in the healthcare system, which is a pillar of Australian society. Of course, if medical professionals in Bankstown Hospital hold such homicidal views, it stands to reason there could be others across Australia’s health system holding similar sentiments. This insider threat act has resonance across all of Australia and also internationally.
There is reporting that an employee at Bankstown Hospital reported instances of colleagues (not named in media reports) chanting anti-Israel slogans and wearing pro-Palestinian clothing, images of which were allegedly posted on the hospital’s website, in the wake of the 7 October 2023 Hamas attack on Israel. It appears that the reports did not trigger an investigation from Bankstown Hospital management. Instead, the employee who reported the incidents apparently received a form of caution for lodging the complaint.
An effective insider threat program would encourage such employee reports because the behaviour could indicate a potential insider threat and so would warrant serious consideration and thorough investigation.
Let’s extrapolate this point to highlight the value of an insider threat program.
What if the employee report from 2023 had identified the behaviour of a person who was subsequently investigated and found to have attitudes that would support harming an Israeli (Jewish) patient? Intervention at that point could have allowed the hospital to provide support to an employee, potentially helping the employee to reconsider and restrain their violent views. Perhaps the employee could have remained at work with a support package.
Or, what if the employee was not assessed and later went on to harm a patient? Aside from the harm to the patient, the employee would have self-destructed and, further, the reputation of Bankstown Hospital and NSW Health could have been severely damaged, likely resulting in legal consequences. Healthcare professionals at the hospital would have been deeply affected and mortified, both emotionally and professionally, by such an event.
This Bankstown Hospital case brings perhaps the most significant component of managing insider threat to the fore, and that is ‘trust’. When a person is admitted into a group or is employed, there is both implicit and explicit granting of trust to the newcomer.
Recall my earlier comment that there are two ways to recognise if a person is changing: they tell you, or their behaviour is observed. In this example the behaviour of the nurses was observed.
[1] Paul J. Zak, The Neuroscience of Trust: Management behaviours that foster employee engagement, Harvard Business Review, January-February 2017, pages 84-90.

Case Study Two: Australian Defence Force Soldier on Espionage Charges
Alleged Russian spies Igor and Kira Korolev were charged in July 2024 in Australia over allegations they were sending Australian classified defence information to Russia while Ms Korolev was working for the Australian Defence Force (ADF) – Army.
Ms Korolev, who was reportedly employed with the ADF as an information systems technician for several years, had allegedly undertaken non-declared travel to Russia while on leave from the ADF. During her travel, she allegedly instructed her husband – who remained in Australia – to log into her ADF account from their Brisbane home to access information.
The Commonwealth Director of Public Prosecutions (DPP) will allege in court the couple worked together to access ADF material related to Australia’s national security interests. They are each facing one count of preparing for an espionage act.
As of March 2025, the couple remain in custody whilst investigators review materials contained in numerous ICT devices seized by police. Much of the content is reportedly in Russian, requiring translation for use by both the defence and prosecution teams. Translations should be complete to allow further consideration by the courts from 7 March 2025.
Based on media reports, the Korolevs migrated to Australia and took up Australian citizenship, with Kira eventually joining the ADF and gaining a Commonwealth security clearance.
What do these case studies show us?
The Korolev example has different features to the Bankstown Hospital example. A key difference is the level and type of scrutiny applied to nurses compared to an ADF member. A person joining the ADF is subject to significant and intrusive security vetting, far more than would be required for nurses. This means that the ADF can rightly have a high level of expectation of an ADF member acting in accordance with ADF values and security obligations whereas nurses are held to a different standard aligned to the Hippocratic Oath and keeping assets such as medicines and patient information secure from theft and misuse.
Korolev would have been subject to a thorough examination of her background, particularly given that she was a Russian citizen who attained Australian citizenship, unlike the nurses.
Korolev would be required to have a Commonwealth security clearance in order to be employed as an information systems technician and so Korolev would have been subject to intrusive examinations of her background, assessment of her motivations for joining Army, extensive interviews to confirm information she would have provided, police checks, an ASIO national security check, and psychological assessments.
Further, Korolev would have been provided significant security training and briefings so she would have a very clear understanding of organisational expectations, her responsibilities and the level of trust that the Australian Government had placed in her. The Bankstown Hospital nurses would not have been subject to such a high level of scrutiny.
Now, recall my statement that there are two ways to recognise if a person is changing: they tell you, or their behaviour is observed.
Whilst all I have to draw on is media reporting with no further insights, it appears that the Bankstown Hospital nurses engaged in behaviour that demonstrated their views with respect to potentially harming patients based on nationality or religion. They ‘outed’ themselves; however, I anticipate investigations may uncover information indicating their views were known to some of their colleagues.
With respect to Korolev, she would have known that she was obliged to report overseas travel to Russia; indeed, she may well have had to seek permission from the ADF in order to travel there. Her reported behaviour therefore indicates she chose to behave in a way that was not aligned to the security culture and obligations that she had willingly committed to.
In both cases, harm was caused by people’s behaviour. And these harms are potentially very significant and have far-reaching consequences.
The Bankstown Hospital nurses have damaged public confidence in the hospital, in NSW Health, and in the public health system nationally.
Korolev may have provided classified or national security-relevant information to Russia, potentially causing harm to Australia’s defence and national security.
These examples show that insider threat is real and it is a threat within Australia today. Australia’s contemporary work culture and laws have tilted towards employees having an expanding array of rights, be they real or asserted, perhaps without also appreciating the employment obligations they have as a quid pro quo.
Employees must play their part. The people responsible – both morally and legally – for the government entities, critical infrastructure, businesses and other enterprises – the very institutions that keep Australia’s society and economy functioning – must also assert their rights to protect the assets and operations they are responsible for so that every other person, be they employee, stakeholder, or client can access and benefit from the services provided.
Protecting against the insider threat is a shared obligation between employers and employees. This shared obligation is the understanding that needs to be reached in the workplace. Achieving that understanding requires a positive security culture underpinned by an effective insider threat program. Put another way, this is a notion of ‘trust but verify’ in terms of enterprise security – taking action to protect assets and operations from harms inflicted by a trusted insider.