Insider Threat: An approach to identifying psychosocial hazards to mitigate insider threat

When does a trusted employee become a risk? 

Insider threats do not emerge overnight—they are often the result of a gradual shift driven by workplace and personal factors. While organisations focus on technical defences, they can overlook the human element: the psychosocial hazards that can turn loyal employees into potential insider threats. 

To explore this topic, let’s start with Jessica’s story – a trusted insider whose workplace experience led her down a dangerous path.

Case study

Jessica, a 38-year-old IT specialist at a critical infrastructure company, was known for her exceptional skills and dedication. Over her five years with the company, she became a trusted insider, managing sensitive systems with high levels of access. However, a series of workplace challenges began to take a toll on Jessica’s mental health.

Her troubles began when a new manager, known for micromanaging and dismissing employee input, took over the team. Jessica’s concerns about unrealistic deadlines and lack of support were ignored, leaving her increasingly isolated. Adding to this, she was passed over for a promotion she had been working toward for years, with little explanation. Her confidence and morale plummeted.

The stress of these changes, combined with a lack of organisational support, created a perfect storm. Jessica began to feel undervalued and resentful. Over time, her frustration escalated, and she started to disengage from her work. Eventually, Jessica used her privileged access to leak confidential company data, causing significant reputational and financial damage to her employer.

An investigation revealed that Jessica’s shift from trusted insider to insider threat could have been prevented. Had her concerns been taken seriously and psychosocial hazards such as poor management practices been addressed, the organisation could have supported her, ensuring her loyalty and wellbeing while protecting itself from harm.

Case conclusion

Jessica’s case highlights how unaddressed psychosocial hazards can act as a catalyst for insider threats, revealing the complex interplay between workplace dynamics, employee wellbeing, and organisational risk. These challenges are not isolated incidents but part of a broader framework explored in organisational behaviour and psychosocial safety theories.

Preventing such incidents requires a dual focus: fostering a psychologically safe workplace environment and implementing proactive measures to identify and address early warning signs. By recognising psychosocial hazards as both a workplace health and safety concern and a potential driver of insider threats, organisations can adopt integrated strategies that protect both their people and operations.

The solution lies in addressing these risks through supportive workplace practices, robust insider threat management programs, and actionable insights derived from behavioural science.

Insider threat defined

The term ‘insider threat’ is defined as: “An employee or contractor who has, or had (i.e. former employee or a supply chain vendor), legitimate access to the assets of an entity and used that access to cause harm.”

An associated term is ‘trusted insider’: a person in whom the entity has invested its trust.

Clearly, both terms refer to people.  People in the workplace.  People who have undergone pre-employment screening. People who an entity has decided it can take the risk of trusting. However, people are not static.

Change can be driven from outside the workplace, such as health issues, personal relationships, or recruitment by foreign states or organised crime.  Change can also be driven within the workplace, such as bullying, being passed over for promotion, or sexual harassment.  There is a well-understood pathway for people to move from being a trusted insider to becoming an insider threat.

Dr Eric Shaw’s Critical Pathway to Insider Risk

The Critical Pathway to Insider Risk (CPIR) framework provides a structured approach to understanding and mitigating insider threats by analysing the interplay between personal predispositions, workplace stressors, concerning behaviours, problematic organisational responses, and mitigating factors.

Drawing on behavioural science and extensive insider risk research, the CPIR highlights how workplace stressors – such as poor leadership, unmet expectations, or exclusion from decision-making – can amplify individual vulnerabilities, potentially leading to harmful actions. By integrating the CPIR framework into organisational risk management, entities can identify potential threats earlier and implement tailored interventions, fostering a safer and more resilient workplace.

Psychosocial safety

Psychosocial hazards refer to aspects of work design, the work itself, and the interactions between employees which can negatively influence their mental health and emotional wellbeing. These hazards are things at work which create stress and in turn reduce our ability to cope.

Amendments to the Work Health and Safety (WHS) Regulations 2011, which came into effect on 1 April 2023, give more specific details on how to meet WHS duties and protect employees from psychosocial hazards and risks.

While psychological health has always been a feature of the Work Health and Safety Act 2011, the updated regulations impose a stronger obligation on employers to actively manage psychosocial risks and create a psychologically safe work environment.

To meet these obligations, organisations must adopt the hierarchy of controls outlined in the WHS Regulations, supported by Safe Work Australia’s model Code of Practice.  Practical measures include:

  • Anonymous employee surveys to monitor workplace satisfaction and identify emerging stressors.
  • Robust grievance mechanisms with transparent follow-up processes to address concerns effectively.
  • Employee Assistance Programs (EAPs) to provide mental health support and resources.

Aligning psychosocial safety with broader legal frameworks, such as anti-discrimination laws, strengthens organisational governance and reduces exposure to legal and reputational risks.

As stated by the General Manager of Comcare’s Regulatory Operations Group, Justin Napier:

“Psychological injury prevention is a significant focus for work health and safety regulators and should be a priority for employers. These injuries account for around one third of all new workers’ compensation claims Comcare receives, and we expect that trend to continue.”

Employers must recognise psychosocial hazards not only as WHS issues but also as drivers of insider threats.  A psychologically safe workplace reduces risks of employee disengagement and disgruntlement – key factors in preventing insider threats and safeguarding both organisational wellbeing and operational security.

Linking psychosocial safety to insider threat programs

By integrating psychosocial hazard management into insider threat programs, organisations can create a unified approach to employee wellbeing and organisational resilience. This dual focus not only ensures compliance but also proactively mitigates risks, safeguarding critical infrastructure and fostering a supportive, productive workplace culture.

Because people can change quickly in terms of loyalty and attitudes toward their workplace, organisations need tools to gain insight into individual and team attitudes. These tools must be deployed frequently enough to detect and assess emerging risks – whether as WHS issues needing support or indicators of insider threat requiring action. Such an approach benefits both the employee and the organisation by mitigating risks before they escalate.

Teamgage solution

A solution like Teamgage helps organisations proactively manage psychosocial hazards and insider threats by enabling real-time insights into employee sentiment, emerging stressors, team dynamics and more.

Unlike traditional HR surveys that open and close, Teamgage is always on, giving employees a safe, anonymous way to share concerns whenever they need to. In addition to a research-validated question set, Teamgage can also include questions on specific risk areas unique to a team, department or organisation.

This targeted, continuous feedback loop ensures that issues are successfully identified early, before they escalate into serious problems.  Leaders gain real-time visibility into employee sentiment, allowing them to take proactive steps to address concerns effectively, strengthen engagement and prevent risks. Employees feel heard and valued, fostering trust, transparency, and collaboration.

By integrating tools like Teamgage into their risk management framework, organisations can create a psychologically safe workplace that leads to better decision-making, reduced burnout and a more resilient workforce.  At the same time, organisations protect their critical assets by reducing insider threats and maintaining operational stability.
