New tool monitors e-mail language to catch workplace thieves

Person typing on laptop
People who are stealing confidential information...become increasingly focused on their position as an insider and pay less attention to their day-to-day work. Indeed, the language that insiders tend to use in e-mails is suggestive of the fact that they are finding their general duties more cognitively demanding.
Professor Paul Taylor
New research reveals that when people begin to steal confidential information from their employers, their language use becomes negative and detached…

Psychologists have developed a system that could help organisations to identify workplace threats with upwards of 90 per cent accuracy. The tool, which is the brainchild of researchers at Lancaster University, monitors language use in e-mails to identify individuals stealing confidential information from their employers.

The system, details of which have been published in the journal Law and Human Behavior, is based on psychological observations concerning changes in the language use of people involved in nefarious workplace activities.

Analysis revealed that employees actively participating in insider attacks became much more self-focused, using words such as ‘I’, ‘me’ and ‘my’. They were also found to be less willing to mimic the linguistic styles of their colleagues, and tended to use a greater proportion of negative language in comparison.

The Lancaster-based academics examined the contents of e-mail correspondence sent during the course a six-hour workplace simulation. By picking out instances of insular, negative and non-empathetic language, they succeeded in identifying 80 to 90 per cent of the individuals involved in stealing confidential information and passing it on to a third party.

Retrospective analysis

To learn more about how e-mail language can be used to identify insider threats, I spoke to Paul Taylor, study leader and Professor of Psychology at Lancaster University.

"Our analysis was conducted retrospectively," he began. "We examined e-mail traffic after the simulation had been conducted. Since then, we’ve begun building a system that can perform this task automatically. Of course, different companies use different e-mail setups, so our system would need to be tailored to the specific needs of the customer. Even so, this is a process that can be performed automatically."

One of the most challenging tasks for Professor Taylor and his colleagues was to provide a definition of ‘worrying’ traffic. Before they could agree upon an appropriate threshold, the team had to investigate how the language use of individuals involved in information theft changed over time.

"One of our most interesting findings concerns what psychologists call ‘function’ words," Professor Taylor explained. "These are the words that join together language dealing with content. It’s largely believed – and research supports this notion – that we have no conscious awareness of using function language; it’s very difficult for us to control. Since we’re not conscious of using these words, we don’t tend to notice when our function language changes.

Professor Taylor and his colleagues found that when individuals initiate insider attacks, their function language becomes more insular. Moreover, their e-mail correspondence tends to adopt a more negative tone and there is a reduction in the extent to which they mimic the language of their co-workers. The psychologists contend that these changes are symptomatic of attackers’ inadvertent attempts to distance themselves from their colleagues.

To catch a thief...

"The changes that we observed in attackers’ language style mapping (LSM) were particularly striking," said Professor Taylor. "Essentially, LSM is verbal mimicry. Previous research has demonstrated that high levels of verbal mimicry are associated with effective communication. In hostage negotiations, for example, high levels of LSM are more likely to result in the hostage taker surrendering. Also, in police interviews, LSM is associated with confessions.

"Our results show that people who are stealing confidential information from their employers tend to decrease their language mimicry," he continued. "They become increasingly focused on their position as an insider and pay less attention to their day-to-day work. Indeed, the language that insiders tend to use in e-mails is suggestive of the fact that they are finding their general duties more cognitively demanding. This makes sense because they are trying to carry out their daily responsibilities without attracting the unwanted attention of their peers."

During the simulation, 54 participants were divided into teams and instructed to work together to gather and share information on ‘suspects’. One quarter were asked to covertly obtain information and deliver it to a third party without raising the suspicions of their co-workers.

Impressive accuracy

The psychologists’ subsequent analysis of e-mail traffic enabled them to identify 80 to 90 per cent of insider threats. Interestingly, language-use change increased as the simulation progressed meaning that by the end of the test, the researchers succeeded in identifying 92.6 per cent of insiders.

This level of accuracy is certainly impressive. However, a system such as this will ultimately be judged by its ability to spot threats without erroneously identifying innocent workers. I asked Professor Taylor whether any overlap had occurred during the trial.

"There were a few false alarms, but our system is pretty good at getting correct hits," he replied. "I would always argue – and I hope we’ve made this clear in our paper – that an organisation should never view a system like this as a silver bullet. We have developed a tool to assist security managers, not replace them.

"No matter what method you use, you will never eliminate the possibility of mistakenly identifying an innocent person," Professor Taylor continued. "For example, an employee might simply be having an incredibly bad week at work. Alternatively, they could be experiencing difficulties at home. If they’re not in the mood to engage with their colleagues, it is possible that they will be flagged up by the system. However, this is not necessarily a bad thing. It provides an opportunity for that person’s manager to have a chat with them and see whether anything is wrong."

Real-life tests

Finally, I asked Professor Taylor whether he and his team have any plans to test their system within a real-life workplace environment. If so, is the tool likely to achieve similar levels of accuracy?

"We have some tentative plans," he answered. "We’ve already tested the tool within a semi-real-life setting here at Lancaster. Do I expect it to achieve the same levels of accuracy? At this stage, it’s difficult to say. I’d be surprised if we reached the 92.6 per cent figure that we hit during our simulation. However, I’m confident that we can achieve accuracy levels that are significantly higher than chance.

"As you can imagine, we’ll need to jump through number of ethical hoops before we can deploy this system within a real-life organisational setting," concluded Professor Taylor. "The bottom line, however, is that it will save companies time and resources. Our tool will help security managers to focus their attentions in the right places."

If you would like to learn more about using e-mail language to identify workplace threats, check out the full article: ‘Detecting insider threats through language change’ (pay barrier)…



Lets face it, so long as Theresa May is home secretary we're not likely to see any progressive change in drug policy in the UK. I mean, the woman just made Qat a class C drug against solid scientific evidence. Reminds me of the reclassification of cannabis as mentioned in this article. Can someone please give these politicians a good shake and make them see that what they're doing is extremely counterproductive! Argh!!

Commented Anonymous on
Cannabis psychosis: are politicians making the situation worse? Ltd, Ebenezer House, Ryecroft, Newcastle-under-Lyme, Staffordshire ST5 2UB
Tel: +44 (0)1782 741785, Fax: +44 (0)1782 631856,
Registered in England and Wales  Co. Reg No. 4521155   Vat Reg No. 902 1814 62