Threat types – from carelessness to intent
Persons who have been entrusted with access to or information about Vienna International Airport can endanger security at the airport through careless (unconscious) action or through intentional action. These threats can cause significant damage, and may even cost people’s lives. These threats equally affect all infrastructure types and practically every organisational environment.
Careless actions in the context of security culture can be categorised as negligent or unintentional actions, though the boundaries are often unclear.
Threats from "unintentional action"
Even the best employee can unknowingly make a mistake that represents an unintended risk for Vienna International Airport. Examples of this include employees who are proud of their specialist knowledge and reveal confidential information to an unauthorised person. This includes persons who improperly dispose of confidential documents or leave access cards and keys unattended.
Considerable danger also stems from persons who are familiar with security guidelines but who ignore them in general or in certain areas. This can often be due to overconfidence or errors in assessing a particular danger. Inattention can be recognised and exploited.
Even though such incidents will always occur, organisations with an active security culture can work successfully to minimise such events.
Reveal confidential information to unauthorised or outside persons
Openly show confidential documents or passwords
Dispose of confidential documents that are no longer needed in the recycling bin: these must absolutely be destroyed or shredded
Give airport IDs or keys to anyone or leave them unattended
Discussion: insiders and insider threats
An insider is a person who has or had authorised access to or knowledge of resources, tools, or processes of an organisation. This person normally works directly for or under contract with the organisation.
An insider becomes an insider threat as soon as this knowledge is used intentionally against the organisation. This person has an advantage over an outsider because he or she is generally familiar with the security policies and procedures.
Frustration – idea for revenge – planning – execution
There are many causes for frustration, feeling insulted, and states of distress. The important thing is that vigilant colleagues or supervisors get through to an affected person in a state of distress in time. This means not missing the crucial phase in which a person can still be reached at a rational and emotional level. When an upset person seems to have calmed down, it may be too late. As soon as you recognise that a person is in distress, approach this person. It is often enough to talk to the person, or recommend that they seek help. In no case should a person see violence as the only means by which to be seen or respected, or to achieve his or her goals or higher purposes such as justice.
Frustration, feeling insulted, and states of distress – practical examples:
Some persons who become insider threats are insulted by complaints of colleagues or customers, or they were frustrated in their attempts to gain respect, prosperity, and attention because someone blocked their career path. Other persons harmed companies after they were let go. Personal injury was exacerbated by financial troubles.
This group of insider threats also includes politically or religiously radicalised persons or persons who have become unreliable due to a psychological condition or illness. Radicalisation is usually a gradual process that leads over time to changes in an individual’s personality, values, and behaviours. Ultimately, this person approves of, supports, or carries out concrete acts of violence.
The causes of radicalisation can be social, financial, or mental crises combined with fixed, irrational internal conceptions or religious or political concepts.
Signs of radicalisation can include:
Significant changes in appearance, behaviour, clothing, or lifestyle combined with a retreat into their “own world”
Narrow perspective: black-and-white thinking, a friend-foe mindset
Increasingly aggressive espousing of religious or other values that are incompatible with the respective norms or generally accepted values and that do not allow for other opinions or discussion
Repeated derogatory statements towards persons with other attitudes, religions, or cultures
Past incidents stemming from insider threats at airports
Employees of an outside company used their airport IDs to smuggle passengers past passport control.
A crew used its knowledge of the catering loading and unloading process to smuggle drugs.
A former employee felt that he/she was treated unfairly and thus leaked internal information to public media.
Collusive threats (insider plus external attacker)
In addition to threats stemming solely from insiders, insider threats can also include persons outside of the organisation. These threats by or with third parties can also be caused unintentionally or intentionally.
This type of threat refers to when one or more insiders collude with an external bad actor to damage an organisation. Cyber criminals are often involved in this, recruiting one or more insiders to facilitate assassinations, fraud, intellectual property theft, spying, or a combination of all of these things.
Concretely, an IT employee of a major European airline was recruited by the Islamic State to cause an aircraft to crash.