Key Takeaways:
- You can’t fix insider fraud or sabotage with firewalls alone—these are people problems, not just process problems, so you need to consider perpetrator motive in your control design.
- Behavioural science and criminological theory offer practical ways to design smarter, cheaper, and more effective controls.
- Mapping threat types to motivations is the secret sauce to stopping expensive mistakes—before they hit your bottom line.
Why this matters to your business
If you think trade secrets theft, sabotage, or internal fraud is something that happens to “other companies,” let me burst that bubble. These threats are not random—they’re often deeply personal. And they’re expensive. The Association of Certified Fraud Examiners (ACFE) estimates that internal fraud alone costs businesses 5% of annual revenue. For a $100M business, that’s a $5M hole—every year.
And that’s just the financial side. The reputational cost? The loss of trust with investors or research partners? The delay to your product launch because someone leaked your IP to a competitor? That stuff doesn’t show up on a balance sheet… until it does.
So how do we stop it?
Let’s talk motive (yes, like in crime dramas)
We often forget security and fraud actors have different motivations. Some actors are in it for profit. Others want revenge, power, or validation. If you treat all threats the same—say, by rolling out the same boring training module to every department—you’re wasting money and creating a false sense of security.
This first table helps you step back and align your controls to the actual psychology of your adversary.
Table 1: Motivation-Based Threat Profiling
| Threat Type | Key Motivations | Relevant Theory | Considerations for Control Design |
|---|---|---|---|
| Organised Crime | Profit, group objectives | Routine Activity Theory | Target hardening, threat intel, supply chain vetting |
| Insider Threats | Revenge, stress, entitlement | Control Theory | Strengthen social bonds, build fair culture, early intervention |
| Nation-State Actors | Money, Ideology, Coercion, Ego (MICE) | MICE Theory | Access controls, vetting, protective security |

How to use this:
When assessing security risks, we often fail to ask, “What is the likely motive?” If your AI is being stolen by an employee, that’s an insider threat, not a problem with cyber criminals. The control response (culture, access rights, change monitoring) needs to reflect that nuance.
Behavioural theory helps at every risk stage
Here’s the bit I wish someone had told me 10 years ago: criminological theories don’t just help you after something goes wrong—they help you design better systems from the start. I use these theories to identify risks, design risk treatments, and frame executive dialogue.
Table 2: How Behavioural Theory Supercharges Risk Management
| Risk Stage | How Theories Help |
|---|---|
| Risk Identification | Reveal root causes and hidden risk signals |
| Control Design | Tailor controls to motivations (not just compliance) |
| Risk Assessment | Improve likelihood and impact estimates |
| Monitoring & Review | Spot early warning signs and behavioural red flags |
| Training & Awareness | Shift from checkbox compliance to ethical behaviour reinforcement |
How to use this:
When you’re building your next fraud control or insider risk program, don’t start with a control library—start with questions. What kinds of pressures might lead someone to rationalise stealing research data? Where are the opportunities? Who might feel disengaged or unfairly treated? These insights help you focus resources where they’ll have the most impact—without overengineering.
Choosing the right theory for the job
Criminological theory might sound academic, but it’s just a lens—a way to make better sense of why risks materialise. I often get asked, “Which theory should I use?” The answer is: it depends, which is helpful-unhelpful. Here’s a guide I use in consulting to help organisations focus their resources.
Table 3: Best-Fit Theories for Common Security Risks
| Risk Area | Relevant Theories | Why It Matters |
|---|---|---|
| Espionage | MICE (Money, Ideology, Compromise or Coercion, Ego), Routine Activity, Swiss Cheese | Explains varied motives, layered failures, and access points |
| Trade Secrets / IP Theft | Routine Activity, Crime Opportunity, MICE | Focuses on access, motivation, and weak controls |
| Internal Fraud / Corruption | Fraud Triangle, Routine Activity, Control Theory | Addresses personal pressure, weak oversight, and cultural cues |
| Sabotage | Opportunity Theory, Strain Theory | Tied to frustration, injustice, and lack of guardianship |
| Workplace Violence | Strain, Social Learning, Routine Activity | Driven by grievance, modeled behaviour, and opportunity |
| Supply Chain Diversion | Crime Pattern Theory, Opportunity Theory | Helps pinpoint vulnerable choke points and recurring loss patterns |
How to use this:
Say your business is about to enter a new research partnership with a university or foreign lab. You’re worried about losing your IP or trade secrets. Start by applying MICE Theory to understand potential risks on the other side: Are their staff well-paid? Are there ideological risks? How vulnerable is your business partner or their employees to coercion or bribery? Then combine that with Crime Opportunity Theory to assess access and controls.
You don’t need to become a criminologist—but bringing these concepts into boardroom discussions will make your risk strategies more intelligent and effective.
What you should do next
- Reassess your threat profiles – If your risk registers don’t account for behavioural motivations, rewrite them.
- Train your teams on motive-driven threats – Stop relying on bland compliance modules. Teach managers how to spot early red flags.
- Map controls to theories, not hunches – Don’t throw money at controls that don’t match the motive. Use behavioural theory to guide investment.
- Get smarter about culture – Your culture is your first control. Build fairness, transparency, and connection before a bad day turns into a $10M incident.
One final (uncomfortable) truth
You can’t patch human vulnerability like you patch software. Your best firewall is a culture that understands why people do the wrong thing—and a strategy that uses that insight to get ahead of the next crisis.
So, if you’re ready to move beyond checkbox security and build a behavioural-led risk strategy, let’s talk. I’ve got frameworks, models, and a whole lot of lessons learned the hard way.
Further Reading:
- Clarke, Ronald V., and John E. Eck. 2016. Crime Analysis for Problem Solvers in 60 Small Steps. Washington, DC: Office of Community Oriented Policing Services. https://cops.usdoj.gov/RIC/Publications/cops-w0047-pub.pdf
- Clarke, Ronald. 1999. Hot Products: Understanding, anticipating and reducing demand for stolen goods. No. 112 in Police Research Series. London: Home Office. www.popcenter.org
- Curwell, P. 2022. Applying the critical-path approach to insider risk management.
- Curwell, P. 2021. HUMINT cycle and the recruitment of insiders.