Author: Polygraph Examiner Maryna Surkis, a graduate of the VAP Polygraph Examiner Courses in the Fall of 2024.

A successful Ukrainian enterprise builds its reputation for years and develops a loyal customer base. Until a new company appears on the market, suspiciously similar to it: the same profile, the same methods, even a recognizable style of communication.
The worst moment comes when customers begin moving to the “newcomer” one by one, and an internal audit reveals the shocking truth: the “heart” of the business — its database — has been stolen.
It was not a bold hacker attack or a technical failure. It was a “quiet leak” organized by someone who wished you good morning every day. The database left the company at least four months before anyone noticed. It was done by an insider — someone who had legal access and knew the system from the inside. In the hands of a former colleague, such information turns into a weapon: he knows not only what to sell and to whom, but also where the company’s weak spots are.
This situation illustrates the main paradox of modern security: we spend millions protecting ourselves from external threats while often underestimating those who are already inside the system. According to the Ponemon Institute, in just two years the number of insider incidents increased by 44%, while the average annual cost of their consequences for companies is already measured in tens of millions of dollars — from 15.38 to 19.5 million, depending on the assessment period.
At the same time, an insider is not always a spy in the usual sense. International studies describe at least five types of internal offenders:
– saboteur;
– intellectual property thief;
– fraudster;
– spy;
– unintentional insider.
Behind each of them are different motives, different levels of awareness, and different scales of threat: one acts out of revenge, another for profit, a third in the interests of an outside force, and a fourth creates risk through negligence or carelessness. It is precisely this diversity that makes the insider threat one of the most difficult to detect and assess.
The mechanics of such actions were described back in the middle of the last century by Donald Cressey in his concept of the “Fraud Triangle.” For a violation to become possible, three conditions usually have to come together: access, incentive, and internal justification of one’s own actions. “I am underestimated.” “I created this myself.” “They owe me.” The international MICE model details these incentives even more precisely: money, ideology, coercion, and ego. Such a risk becomes especially dangerous when an employee has already internally distanced himself from the company or is at the stage of dismissal. It is at such moments that accumulated resentment, self-interest, or a sense of impunity can turn into action. One of the most well-known examples was the case of Anthony Levandowski, who downloaded more than 14,000 files before leaving Google, which later became the basis of a high-profile case involving the theft of trade secrets.
It is precisely such cases that reveal the limits of purely technical control. DLP and UBA cybersecurity systems record digital activity, access, and anomalies, but they do not see the main thing — human intent. They cannot answer the key question: is this a random mistake, negligence, or a deliberate act? It is exactly where technology stops that the work of a polygraph examiner, applying the concealed information detection methodology — Guilty Knowledge Test (GKT) — becomes especially important.
This is not about a “lie detector” in its simplified, everyday meaning. GKT works not with abstract fear, but with significant information stored in a person’s memory. If a person is involved in a leak, data transfer, or agreements, their memory contains not abstract ideas, but very specific details: file names, the nature of the information, the method of transfer, the communication channel, the sequence of actions, the terms of agreements, and the circumstances of concealing traces. It is precisely these individually significant images that acquire the force of stimuli during the examination.
This is the practical value of GKT: it makes it possible not only to identify the possible involvement of the guilty person, but also — no less importantly — to remove suspicion from those who have no connection to the incident. In a crisis situation, this protects not only individual people, but also trust, fairness, and the psychological climate of the entire team.
The role of the polygraph examiner in the corporate security system is strategic and operates at four levels. The first level is pre-employment screening, which makes it possible to identify risks that, under certain conditions, may pose a threat to the company. The second is scheduled examinations, since they make it possible to notice changes in an employee’s behavior, motivation, or internal state in time, before this develops into concrete actions. The third is screening upon dismissal, when it is especially important to assess potential risks related to loyalty, intentions, and the preservation of confidential information. The fourth level is an internal investigation, when the incident has already occurred and digital traces have been destroyed, distorted, or are insufficient for an unambiguous conclusion.
In such situations, the polygraph becomes one of the few tools capable of going beyond the purely technical picture of the event and helping to establish not only the fact of the violation itself, but also the involvement of a specific person, their role, motives, and internal awareness of the details of the incident. Where digital traces break off or prove insufficient, the work of the polygraph examiner begins and gains in importance.
Ultimately, the most effective security is the kind that works preventively. In this system, the polygraph is not merely a tool, but an important link in the early detection of risks, allowing a threat to be seen in time — at the point where losses can still be prevented, reputation protected, market advantage preserved, and the future of the business safeguarded.
References
1. Cybersecurity and Infrastructure Security Agency (CISA). Insider Threat Mitigation Guide. November 2020.
2. Ponemon Institute & Sullivan Privacy. Cost of Insider Risks Global Report. 2023.
3. SIFMA. Cyber Security Insider Threat Best Practices Guide (3rd Edition). July 2024.
4. Morozova T.R. The Concealed Information Detection Methodology in Polygraph Examinations: monograph. 2nd edition, supplemented and revised / scientific editor O.M. Morozov. Kyiv: Alerta, 2006. 486 p.
5. NATO Cooperative Cyber Defence Centre of Excellence. Insider Threat Detection Study. (Kont et al.)
6. Federal Bureau of Investigation Behavioral Analysis Unit. Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks. 2015.
7. U.S. Secret Service National Threat Assessment Center. Mass Attacks in Public Spaces – 2018. July 2019.
8. Verizon. 2023 Data Breach Investigations Report.
9. https://www.ebsco.com/research-starters/law/fraud-triangle
DLP (Data Loss Prevention) — systems for preventing data leaks. They monitor and block the external transfer of confidential information.
UBA (User Behavior Analytics) — systems for analyzing user behavior. They detect anomalies: unusual login times, suspicious requests, and large downloads.
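As an added illustration of the UBA signals named above (not code from the article or from any product it mentions), the following Python runs three checks over a constructed event log with hypothetical users: an off-hours login rule, a per-event oversized-download rule, and a month-over-month volume rule. The volume rule is the one that catches the "quiet leak" of modest daily pulls that never trip a single-event threshold.

```python
"""UBA-style checks over a constructed event log: off-hours logins, oversized downloads, volume surges."""
from collections import defaultdict
from datetime import datetime, timedelta

def ev(user, day, hour, action, size=0, month=3):
    """Build one constructed event: (user, timestamp, action, bytes)."""
    return (user, datetime(2024, month, day, hour), action, size)

# Constructed sample log (not from the article). Three hypothetical users:
EVENTS = (
    # olena: steady weekly pulls in business hours in both months
    [ev("olena", d, 10, "download", 2_000_000, m) for m in (2, 3) for d in (3, 10, 17, 24)]
    + [ev("olena", d, 9, "login", month=m) for m in (2, 3) for d in (3, 10, 17, 24)]
    # ihor: normal February, then a late-night login and modest daily pulls through March
    + [ev("ihor", d, 9, "download", 1_000_000, 2) for d in (5, 12, 19, 26)]
    + [ev("ihor", 10, 23, "login")]
    + [ev("ihor", d, 12, "download", 1_100_000) for d in range(10, 31)]
    # maryna: small baseline, then one bulk pull in her last week
    + [ev("maryna", d, 11, "download", 1_000_000, m) for m in (2, 3) for d in (6, 20)]
    + [ev("maryna", 28, 16, "download", 30_000_000)]
)
BUSINESS_HOURS = range(8, 20)   # 08:00-19:59 is normal

def off_hours_logins(events):
    """'Unusual login time' signal: logins outside business hours."""
    return [(u, t.isoformat()) for u, t, a, _ in events
            if a == "login" and t.hour not in BUSINESS_HOURS]

def oversized_downloads(events, factor=3.0):
    """Per-event rule against the user's own running mean: catches a bulk pull, misses a drip."""
    hist, flagged = defaultdict(list), []
    for u, t, a, size in sorted(events, key=lambda e: e[1]):
        if a != "download":
            continue
        if hist[u] and size > factor * sum(hist[u]) / len(hist[u]):
            flagged.append((u, t.isoformat(), size))
        hist[u].append(size)
    return flagged

def surge_users(events, factor=2.5):
    """Volume rule: users whose last-30-day download total exceeds factor x their
    previous 30 days. This is the check that surfaces the slow leak."""
    end = max(t for _, t, _, _ in events)
    cur, prev = defaultdict(int), defaultdict(int)
    for u, t, a, size in events:
        if a != "download":
            continue
        age = end - t
        if age < timedelta(days=30):
            cur[u] += size
        elif age < timedelta(days=60):
            prev[u] += size
    return sorted(u for u in cur if prev[u] and cur[u] > factor * prev[u])
```

On this log only maryna's bulk pull trips the per-event rule, while the volume rule also flags ihor, whose drip of 1.1 MB downloads is invisible event by event.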
