
Identifying insider attacks through language change in an immersive police operations simulation.

Lookup NU author(s): Dr Steven Watson


Full text for this publication is not currently held within this repository. Alternative links are provided below where available.


Introduction: Insider attacks are dangerous because such individuals circumvent defences and attacks can occur over protracted periods. Co-workers often fail to identify or report warning signs in their colleagues. Additionally, current detection methods have difficulty identifying attacks until after they have begun. We sought to remedy these issues by identifying language markers indicative of insider activity.

Method: One hundred and ninety-one participants took part in a 6-hour simulation designed to mimic the environment and tasks associated with police investigations into organised crime. The simulation required three teams of four persons to work together via email to identify members of criminal gangs, and to plan their arrest. Following a familiarisation round, one member from two of the teams was approached covertly and tasked with stealing information in exchange for £5 per task completed. Those selected to act as insiders scored highest on a Dark Triad scale. We manipulated two factors as part of the study: Time Pressure (30 mins vs. one hour per round) and Workplace Hierarchy (designated team leader vs. no hierarchy). We compared insiders and non-insiders on language style matching (LSM), and language use related to self-focus (personal pronoun use), positive and negative emotional content, and cognitive complexity.

Results: A series of linear mixed effects models showed that insiders had lower LSM, p = .009, greater self-focus, p = .021, and plausibly used more negative emotion words than non-insiders, p = .109. Insiders used more positive emotion words when under high time pressure or when there was no hierarchy, but only in the round of the game immediately after becoming an insider.

Discussion: We propose that tracking emails for these language cues can provide a method for identifying potential insider threats that is free from judgement biases. Automatic scanning of email may also reduce the need for more intrusive access to employee emails.

Publication metadata

Author(s): Watson SJ, Taylor PJ, Conchie SM, Doodson J, Jolley D

Publication type: Conference Proceedings (inc. Abstract)

Publication status: Published

Conference Name: European Association of Psychology and Law

Year of Conference: 2017

Acceptance date: 01/03/2017