Corporate pre-crime: The ethics of using AI to identify future insider threats

Remember “Minority Report”? Artificial intelligence can spot employee behavior that suggests a future risk. Here’s how to use that data ethically and effectively.

To protect corporate networks against malware, data exfiltration and other threats, security departments have systems in place to monitor email traffic, URLs and employee behaviors. With artificial intelligence (AI) and machine learning, this data can also be used to make predictions. Is an employee planning to steal data? To defraud the company? To engage in insider trading? To sexually harass another employee?

As AI gets better, companies will need to make ethical decisions about how they use this new ability to monitor employees, particularly around what behaviors to watch out for and what interventions are appropriate. Information security teams will be on the front lines.

In fact, some types of predictions about employee behaviors are already possible. "The reality is that it's really easy to determine if someone is going to leave their job before they announce it," says one top information security professional at a Fortune 500 company, who did not want to be named. "I started doing it ten years ago, and it's actually highly reliable."

For example, an employee about to leave the company will send more emails with attachments to their personal address than usual, he says. This is important for security teams to keep an eye on, since departing employees might want to take sensitive information with them when they go, and they will try to download everything early, before they tell their managers about their plans.

This is a valid security concern, and employees are notified ahead of time that the company monitors their work emails. "Most of the time, if we know the person is leaving, we put them on a high-risk list of users that have additional controls in place," he says.

He wouldn't tell the employee's manager that the employee was planning to go, he added. "We've never done that and I don't see a situation where we would do that," he says. "And we've had dozens of those situations."
