When Trust Breaks, Free Will Decides: How the Psychological Contract Shapes Insider Threat and Cyber Security Compliance

Despite years of investment in cyber security policies, controls and monitoring, insider threats remain one of the toughest risks to manage.  Firewalls and detection tools can block opportunity, but they cannot eliminate people’s intent.  At the heart of the issue is not just cyber security systems, but people.

What drives employee behaviour is often nested in the psychological contract – the unwritten expectations of trust and fairness between employer and employee.  When that contract holds, employees go above and beyond what is expected to protect the organisation.  When the contract breaks, even loyal employees may bend rules, ignore policies, or disengage from security altogether.

The 2023 research conducted by the Cyber Security Center of the University of Warwick, The Impact of an Employee’s Psychological Contract, highlights this connection.  It found a clear link between employees’ perceptions of trust and fairness and their willingness to follow, or bypass, cyber security rules.  This risk is not limited to disgruntled insiders; it also affects otherwise loyal staff whose expectations have quietly eroded.

The study draws a direct line between personnel security and overall cyber resilience.  Once the psychological contract is breached, the risk profile shifts.  Technical safeguards can only go so far: if employees are unwilling to comply, even the most sophisticated technology controls are weakened.  Ultimately, whether a person acts or holds back comes down to a decision shaped by trust, values, and individual free will.

Understanding the psychological contract

The psychological contract is not a formal agreement.  It is the sum of the unwritten promises, commitments, and expectations between an employer and an employee.  It forms quietly during recruitment, onboarding, and daily interactions.

It explains why an employee may stay late at work without being asked or go out of their way to protect confidential information.  It also explains why they may begin “working to rule,” disengage from security practices, or, in extreme cases, deliberately bypass security controls.

Unlike a legal contract, the psychological contract lives in the mind and heart.  It is sustained by trust, mutual respect, and fairness.  Once the contract is broken it takes significant and genuine effort from both sides to repair.

When the contract breaks

A breach of this contract fosters negative beliefs about the organisation.  The breach reduces trust, weakens engagement, and can erode performance.  Research has shown that breaches lower employees’ sense of obligation, commitment, and satisfaction.  Employees who feel promises have been broken often withdraw effort, and in extreme cases, may retaliate through sabotage, theft, or other harmful behaviour.

Importantly, breaches are often subjective.  An employee may feel let down even if the organisation believes it has acted reasonably.  A denied promotion, poorly managed organisational change, or perceived unfair treatment can all trigger this sense of betrayal.  Unless the organisation is alert, it may not detect the employee’s shift in sentiment; if it is detected, it is often only because a harmful act has been committed or harm has been caused through wilful inaction.

When the psychological contract is damaged, employees tend to respond in predictable ways:

  • Reduced discretionary effort and “quiet quitting” – doing only what is formally required until another job is found.
  • Rule-bending – bypassing processes they no longer believe are fair or necessary.
  • Withdrawal of trust – assuming the organisation will not act in their best interest.
  • Retaliation – in rare cases, engaging in harmful behaviour toward the organisation.

This is where the insider threat risk emerges.  A single breach can undermine years of enterprise policy development, training, and control implementation.

Research confirms these patterns.  The 2023 University of Warwick study found a clear and significant link between breaches of the psychological contract and lower compliance with information security policies.  Younger employees reported breach levels about 23% higher than older colleagues, and managers reported 7% higher breach levels than non-managers despite being slightly more compliant.  Interestingly, temporary staff, about one in ten of the workforce, reported 20% fewer breaches and showed marginally higher compliance than permanent employees.

A tale of two employees

Consider two employees in critical roles, both with privileged access to sensitive systems:

  • Alex has a strong, intact psychological contract. He feels valued, respected, and fairly treated.  When Alex discovers a security gap, his instinct is to report it promptly and work with IT to close it, even though exploiting the gap could have given him personal advantage.
  • Jordan once had that same trust, but it has eroded.  Promises broken during a restructuring left him doubting leadership’s good faith.  When Jordan comes across the same security gap, his reaction is different: “Why should I care? They wouldn’t care about me.”  Even without malicious intent, Jordan’s disengagement increases the organisation’s vulnerability.

The difference between Alex and Jordan is not policy or process: it is the state of their psychological contract.  And every organisation has its Alexes and its Jordans.  The risk lies in which group is growing.

Why policies and controls are not enough

When insider threat events occur, organisations often respond by adding more rules, checks, and monitoring.  While these measures are necessary, they rarely address the root cause: a motivated individual choosing to act against the organisation’s interests or a careless individual indifferent to the organisation’s security needs.

Controls can block opportunity, but they cannot remove intent.  Once intent is formed, once someone decides to bypass the rules, the person’s free will becomes the deciding factor.

This is where the psychological contract matters most.  If it remains intact, employees are far more likely to make decisions that align with organisational values, even when presented with opportunities to do otherwise.  But if it is broken, even the strongest safeguards may not be enough to prevent harmful actions.

Recognising early signs of a breach

For leaders, the ability to detect a damaged psychological contract early is critical.  Some signs include:

  • Sudden disengagement from team activities
  • Increased resistance to procedural compliance
  • Withdrawal from collaborative problem-solving
  • Escalating cynicism or negative commentary about leadership decisions

These behaviours should not be dismissed as “attitude problems.”  They are indicators of risk to personnel security and cyber resilience.

Educating for awareness and repair

Spotting early signs is only the first step.  Few organisations actively educate employees, let alone leaders, on the psychological contract.  Yet awareness is the foundation of prevention.

Education could cover:

  • How the psychological contract forms – so leaders and employees understand the role of everyday interactions.
  • How to be alert to and recognise signs of breach – so both managers and staff can act early.
  • How to repair trust – including acknowledgement, open dialogue, and consistent follow-through.  That requires a high level of organisational and individual maturity.

Just as important, employees themselves need to understand their role in maintaining the psychological contract.  This means recognising that trust is reciprocal, taking responsibility for their own actions, and avoiding a victim mentality when expectations are not met.  By giving individuals ownership and responsibility, organisations foster resilience at both ends of the relationship, but this requires a high level of maturity from both the organisation and its people.

By embedding this awareness into security culture programs, organisations equip their people, both leaders and employees, to address trust issues before they escalate into security risks.

A maturity pathway for organisations

Organisations seeking to strengthen resilience can:

  • Set clear expectations from the beginning (including in the pre-employment screening process).
  • Model and enable open communication and provide genuine organisational support.
  • Acknowledge the psychological contract as a factor in insider threat risk and include it in security awareness training.
  • Equip leaders to recognise early signs of breach and integrate trust-building strategies into performance and change management.
  • Embed psychological contract health checks into risk assessments, linking findings to both cyber and personnel security measures.

The payoff: mature organisations and trusted employees

Mature organisations do not just rely on policies to manage the risk of insider threat.  They build cultures where trust, respect, and fairness underpin security.  In such environments, employees are less likely to exploit vulnerabilities, even when they could, because they feel a personal stake in the organisation’s wellbeing.  They genuinely care.

Educating both leaders and employees on the psychological contract fosters resilience that technology alone cannot deliver.  It is not about replacing controls; it is about strengthening the human decision-making that sits behind them.

Final thought

When it comes to insider threat, the deciding factor is rarely opportunity – it is choice.  And choice is shaped by trust.  For leaders, this means the psychological contract is not a soft HR concept, but a frontline defence for both personnel security and cyber resilience.
