Purpose Intellectual property (IP) theft is an increasing threat that can lead to large financial losses and reputational harm. These attacks are typically noticed only after the IP is stolen, which is usually too late. This paper aims to investigate the psychological profile and the socio-technical events that statistically predict the likelihood of an IP threat. Design/methodology/approach This paper analyses 86 IP theft cases found in court documents. Two novel analyses are conducted. The research uses LLMs to analyse the personality of these insiders, which is followed by an investigation of the pathways to the attack using behaviour sequence analysis (BSA). Findings These IP theft insiders scored significantly higher on measures of Machiavellianism compared to the normal population. Socio-technical variables, including IP theft via photographs, travelling overseas, approaching multiple organisations and delivering presentations, were identified. Contrary to previous assumptions that there is a single pathway to an attack, the authors found that multiple, complex pathways lead to an attack (sometimes multiple attacks). This work, therefore, provides a new framework for considering critical pathways to insider attacks. Practical implications These findings reveal that IP theft insiders may come across as charming, star employees rather than the stereotype of disgruntled employees. Moreover, organisations’ policies may need to consider that IP theft occurs via non-linear and multiple pathways. This means that sequences of events need to be considered in detecting these attacks instead of anomalies outright. The authors also argue that there may be a case for “continuous evaluation” to detect insider activity. Originality/value This paper offers a new framework for understanding and studying insider threats. Instead of a single critical pathway, this work demonstrates the need to consider multiple interconnected pathways. It elucidates the importance of a multidisciplinary approach and provides opportunities to reconsider current practices in detection and prevention.
Read full abstract