‘The Enabling Role of Internal Organizational Communication in Insider Threat Activity – Evidence From a High Security Organization’

This paper explores the role of internal communication in one under-researched form of organizational crisis, insider threat – threat to an organization, its people or resources, from those who have legitimate access. In this case study, we examine a high security organization, drawing from in-depth interviews with management and employees concerning the organizational context and a real-life incident of insider threat. We identify the importance of three communication flows (top-down, bottom-up, and lateral) in explaining, and in this case, enabling, insider threat. Derived from this analysis, we draw implications for communication and security scholars, as well as practitioners, concerning: the impact of unintentional communication, the consequences of selective silence and the divergence in levels of shared understanding of security among different groups within an organization.

The paper is structured as follows. First, we review pertinent literature to outline the theoretical background to this study, culminating in our research question. Then we elucidate the research context and our methodology. Next, we present and then discuss our findings. Finally, we conclude by identifying implications for theory, practice and further research.

Insider Threat as a Form of Organizational Crisis
Insider threat refers to danger from individuals with privileged levels of access to an organization's resources due to their internal position in the organization (Nurse et al., 2014, p. 214), such as employees, contractors or trusted third parties (Searle & Rice, 2018, p. 14). Crisis concerns 'a specific, unexpected, non-routine event or series of events that creates high levels of uncertainty and a significant or perceived threat to high priority goals' (Sellnow & Seeger, 2013, p. 7). Two main categories of insiders are evidentmalicious insiders, who intentionally undertake wrongdoing for some kind of gain (e.g. financial), and non-malicious, or accidental insiders, who unintentionally harm the organization (e.g. through oversight) (Nurse et al., 2014). This distinction has some synergy with SCCT's crisis types of accidental (unintentional) or preventable (sometimes intentional) crises that emerge from stakeholder behaviour, alongside victim crisis in which an organization is attacked by internal or external agents beyond its control. In terms of insider threat, Searle and Rice (2018, p. 14) demarcate 'passive threat' as disengaged employees, who withdraw their full effort and attention from work tasks or whose inaction towards colleagues facilitates, or tacitly condones, an insider's behaviour. Thus, taken from a multi-level perspective (i.e. the role of the individual within the broader organization), insider threat presents an important context to study crisis communication through challenging the boundaries separating victim, accidental and preventable crisis types. For example, while Coombs (2007) suggests that rumour and workplace violence comprise the victim categorywhere an organization has only weak attributions of responsibility and thus risks mild reputational threata multilevel insider threat lens considers the workplace environmental triggers for these harmful employee behaviours. Through expanding explanations for employee deviance, Searle et al. (2017) contrast individual 'bad apples' with team or organizational level typologies that demonstrate the impacts of cultures, climates, leadership and relationships in producing 'bad barrels' or even 'bad cellars'. The #MeToo Movement has graphically shown the severe reputational threat to organizations that can follow from facilitating or ignoring the emergence of harmful norms, behaviours and communication practices.
Given the conceptual similarities, insider threat can be positioned as a form of potential, or actual, organizational crisis. A significant proportion of insider threat research focuses on technological determinants and implications, including monitoring of employees' cyber activity (D'Urso, 2006;Legg et al., 2013). Studies have largely focused on individual characteristicspsychological, behavioural and socialassociated with distinct insiders. This focus includes personality traits of narcissism, Machiavellianism and psychopathy; behaviours, notably impulsivity and aggression; and poor-quality social relationships (e.g. Legg et al., 2013;Shaw et al., 1998). Such focus concerns the influence of deviant individuals within an organization, rather than examination of how a particular organization's working environment can negatively affect an otherwise 'good' employee and trigger insider threat behaviour. A few exceptions have attempted to provide a comprehensive framework to explain insider threat that incorporates individual, social, and organizational factors (e.g. Legg et al., 2013;Nurse et al., 2014;Searle & Rice, 2018;Whitty, 2021). Most recently, Knight and Nurse (2020) developed a framework for effective external corporate communication after cyber security incidents. Yet there remains a relative blind spot regarding the connections between internal organizational communication and insider threat in either the communication or the security literature.

Communication Environment, Responding to Risk and Voicing Concern
This research gap remains despite prior study indicating a wide range of internal organizational communication impacts, including employee job satisfaction and engagement, workplace relationships, organizational culture, organizational productivity, security and crisis (e.g. Men & Bowen, 2017;Taylor & Bean, 2019). Examination of the role of communication in insider threat thus involves attention toward both organizational culture (values, beliefs and assumptions that characterize an organization) and organizational climate (behavioural evidence that creates meanings concerning the various policies and practices) (Schneider et al., 2013) pertaining to security. For example, open organizational communication environments, which value employee input and demonstrate concern for employee interests, have been linked to organizational citizenship behaviour (OCB) (Walden & Kingsley Westerman, 2018). OCB includes voluntary protective security actions such as reporting a colleague's organizationally threatening behaviour to leaders (Morrison, 2014). Within safety critical contexts, silence about known risks can escalate threat, making employee voice critical to crisis prevention.
Bottom-Up Communication. Employee voice is central for internal whistleblowing (Skivenes & Trygstad, 2010)the raising of concerns internally about a problematic issue or behaviour witnessed within an organization to organizational leaders. 'Speaking up' behaviour within one's employing organization indicates that individuals feel psychologically safe (Edmonson, 1999), identify with the organization, care about interpersonal work relationships and feel empowered (see Morrison, 2014, for a review). Critically, employees must perceive the chances of retaliation for such action as low (Gravley et al., 2015). In participatory, rather than authoritarian, cultures, bottom-up communication also involves proactive problem identification (Bisel & Arterburn Adame, 2018;Mao & DeAndrea, 2018). Extant research indicates that, although time intensive, an inclusive bottom-up approach to communication enables organizational agents to identify dissent and build consensus and a sense of community amongst stakeholders (Lewis et al., 2001). Conversely, employees often remain silent on workplace concerns out of resignation towards the status quo ('acquiescent silence'), to protect themselves ('defensive silence') or to protect others ('pro-social silence') (Van Dyne et al., 2003Dyne et al., , p. 1359. Top-Down Communication. Leaders influence a host of organizational and employee level outcomes and meaning-making processes (Fairhurst & Connaughton, 2014), including safety behaviours (Clarke, 2013). Leadership may be defined, for example, by personal attributes, formal position or style (Eglene et al., 2007). Seeger and Ulmer's (2003) taxonomy of leaders' communication-based responsibilities includes espousing moral values, information about organizational operations and being open to signs of problems (p. 59). Leaders' reluctance or lack of capability to discuss complex matters of ethics and values with their employees can create norms that restrict or re-direct information flows (Seeger & Ulmer, 2003). Leader communication affects the formation of organizational culture, as well as the coherence of organizational climate across employee groups and organizational levels (Schneider et al., 2013). Research shows employees will be responsive to risk when they are able to access risk information and formal training, but their recognition of hazards also requires continual reinforcement through leadership modelling (Ford & Stephens, 2018). Knowledge sharing is enhanced where managers signal a willingness to act on employees' inputs (Detert et al., 2013) thus demonstrating that they are trusted (Nerstad et al., 2017). Further, employees receiving dialogic communication from leaders which is 'information rich' are likely to be satisfied in their jobs and inclined to work towards the organization's collective interests (Men, 2014). Certain organizational leaders may be particularly influential in this respect. For example, the communication of Human Resource leaders sends powerful key values and trustworthiness signals about the organization, which line managers can then reinforce (Searle, 2018).
Lateral Peer-to-Peer Communication. Nonetheless, while leaders may set the tone of the communication environment, this tone can be reinforced, challenged and negotiated by individual employees and teams. Individuals, both consciously and unconsciously, learn from their direct experiences and through interacting with their colleagues about how to behave and communicate, and this extends to deviance norms (Robinson et al., 2014). Indeed, a leader-centric view of organizational norm setting has been challenged, with recent study revealing how similar or lower-ranking individuals are the most accurate and preferred sources of social norm information (Dannals et al., 2020).
Given empirical endorsement of the relationship between work behaviour and internal organizational communication, in this study we address one overarching research question: What role, if any, does internal organizational communication play in insider threat behaviour? The next section outlines our research context, followed by our methodology.

Research Context
This case study involves a high security organization comprising part of the UK's critical national infrastructure (CNI). CNI organizations provide essential services that enable functioning and safe societies (e.g., see CPNI) 1 and therefore insider threat activity in these organizations may have wide societal consequences. However, given the focus on insider threatrather than the organization per seand the exploratory nature of the research question, our case study can be defined as instrumental (Stake, 1995). The organization is a relatively closed system, having limited external permeability and operating with very strict procedures and controls (Men & Bowen, 2017). To start and maintain their employment, all employees require various levels of national security clearance (vetting) that can be removed if concerns about one's personal or professional conduct are raised. The specific insider threat incident we examined is outlined later in the 'Findings -Critical Incident Overview' section.

Data Gathering
Data collection comprised in-depth interviews and supplementary review of Human Resource (HR) and security documents. We chose in-depth qualitative interviews as our main data collection method because we were interested in the first-hand perspectives of individuals with unique insights. Before gathering data, the researchers' project plan and data collection approach underwent rigorous ethical review from their institution and the research funder, ultimately resulting in ethics clearance. In advance of data gathering, the two researchers gained appropriate security clearance, and they were accompanied for the duration of their time on site by a security representative, with the exception of the interviews themselves.
Due to the understandable security sensitivities of this organization, insider threat incidents with potential for further exploration were first identified by the organization's security leaders and then discussed with the researchers. Selected cases were then collaboratively chosen because they represented, at face value, seemingly distinct types of insider threat comprising potentially different underlying causes and motivations that the researchers thought could be explored further (see Nurse et al., 2014), and those the organization's leaders believed would provide important organizational learning. Access to interviewees was facilitated by the security lead to ensure that those being interviewed were clear they had authority to talk to the researchers about these events. We therefore must acknowledge that, to some extent, the organization's gatekeepers were actively involved in the design of the research, starting with the interpretation of the incidents as 'critical'. While this raises various epistemological and methodological issues (see limitations section), the rationale for this approach was twofold. First, practically, as is common in qualitative research (e.g. Riese, 2019), our study was predicated on examining commercially sensitive critical incidents. Organizational gatekeepers are those who are privy to, and who can facilitate access to, sources of organizational data; we therefore recognized that our study must deal with topics considered relevant and potentially impactful to these individuals who act as brokers to the wider organization. Second, these organizational gatekeepers have specialized knowledge of the organization and which members could assist with our key informant purposive sampling (Patton, 2015;Payne & Payne, 2004). Key informants are individuals who, due to their social positions, have extensive or specialist knowledge about 'other people, processes or happenings' that makes them valuable information sources (Payne & Payne, 2004, p. 135). We wanted to collect and compare different perspectives from: (1) individuals with direct knowledge of the insider threat incidents (e.g. those implicated as 'insiders', their co-workers and team members, line managers, security specialists), and (2) individuals in the organization who represented different professional expertise and roles, as well as distinct departments, work groups and place in the hierarchy. This approach enabled a strategic but relatively comprehensive capture of both the particular insider threat incident and wider experiences of the organization, and illuminated important areas of convergence and divergence between individuals and groups (see findings section).
Accordingly, individuals were selected for face-to-face interview 2 over a two-week period at the organization's premises. Interviewees included three senior managers with oversight of the organization, two mid-level managers and one non-manager selected for their specialist experience/closeness to the case (HR, security and communications), and four mid-level managers and six non-managers with direct experience of the insider threat cases in the two departments where insider threat had occurred (commercial operations and science and technology). The latter group included one 'insider' (who we term here the Subject of Interest -SOI), co-workers, team leaders and pertinent security staff. This sample of 16 individuals 3 broadly reflected the composition of the organization's workforce, comprising mostly (though not exclusively) white males and longstanding employees (average tenure across this sample is 11 yearssee Appendix A). All interviews lasted approximately 60 minutes and were audio-recorded and transcribed in full.
Our interviews comprised a semi-structured approach covering two distinct areasgeneral and specific context and the critical incidents (selected insider threat cases)with the focus and questioning adapted to the individual's particular role and experience. All interviews commenced with standard questions pertaining to individuals' job roles and basic work histories. We then focused on context setting, eliciting perceptions and experiences of the organization's culture and climate (e.g. organizational ethos and values; structures and leadership; control systems and rules; the organization's different departments and teams; employee relations, communication and engagement; HR, reward and disciplinary processes) and the meanings employees derived. Further probes explored the nature and exchange of communication. For relevant individuals, we used a critical incident focus (Flanagan, 1954) in considering events that led up to the insider threat case as well as what occurred during and following the incident. This approach was inspired by the 'timeline technique' that facilitates complex event recall (Hope et al., 2013). Reported quotes are anonymized to preserve respondents' confidentiality, using identifiers that range from I4 to I20.
In addition, security and HR documentation for the insider threat cases was collected. These materials included disciplinary letters, interview transcripts with the SOI, investigation reports and organizational/HR policy documents. Annual engagement survey results were also reviewed. Due to confidentiality restrictions, we cannot report this data here, nor did we systematically analyze this data. Instead, it was reviewed at a first pass level with relevant sections identified that informed our understanding of the research context (Bowen, 2009). These insights also informed specific interview probes. For example, survey results indicated consistently low satisfaction levels regarding organizational communicationthis insight was used to probe what was or was not satisfactory regarding organizational communication, as well as how employees communicated with each other and their managers. Reference to such documentation also enabled cross-checking of our own and interviewees' understandings of organizational processes and how the critical incidents unfolded and were handled. These cross-checks increased the validity of our analytical interpretations (Whittemore et al., 2001). Other interview probes were informed by relevant research and theory, including the key themes outlined in our literature review.

Interview Analysis
Analysis of our interviews was informed by an interpretive framework, leaning on sensemaking and Interpretative Phenomenological Analysis (IPA) traditions. Sensemaking is a cognitive process that occurs as individuals search for meaning around events and experiences particularly when events disrupt routine organizational functioning, such as crisis or insider threat cases Kim, 2018). To employ sensemaking, therefore, means attending to how individuals enact contexts and select meanings from their environment (Wieland, 2020, p. 468). These selections can reveal perspectives on personalities, roles, power relations, and normative expectations that are critical for interpretive analysis. Through our use of the timeline questioning technique (Hope et al., 2013), antecedents, mediators and consequences of insider threat could be more easily identified for subsequent analysis (this paper primarily reports on antecedents and mediators). Similarly, IPA prioritizes detailed accounts of individuals' lived experience, illustrated in their own words and reproduced by the researcher to critically consider 'what it means' to express specific feelings and concerns about a particular situation (Larkin et al., 2006, p. 113).
Practically, we broadly mirrored Braun and Clarke's (2006; four stages of reflexive thematic analysis: data familiarization, initial code generation, theme generation and review and defining and naming themes. Interviews were coded using the NVivo software package. The primary coding approach was open coding (Strauss & Corbin, 1998) assigning tentative codes to sections of data that captured interviewee reflections and discourse on pertinent issues relevant to our research question. Through constant comparison and reflection on the possible links, we moved from inductive firstorder codes to second-order themes (Brown & Coupland, 2015) until no new substantive observations or linkages occurred. The resultant coding was independently checked, verified or negotiated by the two authors in the interpretation and assignment to categories and wider themes. This recursive activity was undertaken following each interview transcript coding and then again collectively on coding completion. The process was further strengthened by reflections and comparisons from each author's field notes and memos made during data collection and the early stages of analysis. Specifically, we drilled into areas of convergence and divergence to examine interpretations, patterns and differences across these interviews, thereby increasing analytical credibility.

Findings-Critical Incident Overview
As part of our wider insider threat study, three cases of insider threat were selected and investigated; due to space constraints, only one is presented here, chosen for its communication themes (for others, see Searle & Rice, 2018). This critical incident involved a longstanding nonmanagement employee (SOI) who had, without reason or authority, accessed top-secret documents from the organization's computer network, hoarded them, and in some instances, shared them with team colleagues. This was a breach of the organization's IT acceptable use policy and its 'need to know' principle, both of which are designed to ensure employees only access information that is both directly required for their work duties and fits their security clearance level. Given the high security status of the organization as part of critical national infrastructure, information is shared with the fewest people possible. As one interviewee reflected: Potentially … people accumulate information they didn't need to know in the course of their job role … security, they have to worry about things like spying, in a worst-case scenario. Obviously that is very rare but they do have to consider that possibility. And that's why the 'need to know is applied. (I13) Employees' surfing, hoarding and sharing of cyber-based information can be problematic for organizations generally. These activities have the potential to compromise security, breach data protection, create organizational inefficiencies through slowing and cluttering systems and may distract employees, making them less productive (Neave et al., 2020). While the insider threat case we focus on in this paper reflects senior management/organizational policymakers' ideas of a critical and problematic incident, as we detail below, there was a strong consensus across all of those interviewed (managers and non-managers, including the SOI) that such behaviour was problematic for organizational security.
HR and security documents revealed that these breaches occurred over a seven-month period, averaging 371 files accessed each month. Following this discovery by a manager, an official investigation was launched, revealing the SOI's prior warnings for similar information hoarding. When confronted, the SOI initially justified their actions as 'natural curiosity', but swiftly accepted the actions as errors. The formal disciplinary investigation recorded a motivation to obtain a 'bigger picture' of the organization. While the SOI was aware of their hoarding actions, they confined their subsequent document access to assisting team members' work and promotion applications. Following Nurse et al.'s (2014) typology, this incident can be classified as an intentional but non-malicious threat. The SOI apologized and demonstrated a change in their subsequent behaviour. The disciplinary investigation found this was 'gross misconduct' necessitating a final written warning, with a permanent HR record, and ongoing random cyber-security checks.

Thematic Findings
We present our thematic findings under two macro headings: constraints to bottom-up communication, and constraints to top-down communication that together, we propose, act as enablers of insider threat behaviour.

Constraints to Bottom-Up Communication
Significantly, critical incident reflections from the SOI's team indicate that they were aware of the SOI's unusual cyber activities. Five wider organizational context factors appeared to collectively restrain the sharing of security concerns with leaders who could have proactively intervened. Instead, within the team, the SOI's behaviour was (re-)framed as benign, and remained so until notification of an official security incident rendered this characterization unsustainable.
Lateral Communication as a Constraint to Reporting. An integral facet of the flow of bottom-up communication regarding the critical incident involved the lateral communication and relationships between colleagues. With hindsight, team members recognized that they had encouraged these hoarding activities, particularly as the information collected and shared by the SOI had material benefits in assisting their promotion applications or general work. Co-workers described the SOI's actions as team (rather than organizational) citizenship behaviours which significantly filled an information vacuum that arose following changes to promotion criteria. They agreed the SOI was a quiet and introverted person, somewhat awkward in their social interactions; subsequent professional support revealed an autistic spectrum diagnosis. Team members regarded the SOI as a valuable information provider, reinforcing this social position through in-team jokes and banter. One mid-level manager explained: The whole jokey thing has egged him on a little bit to be that kind of figure who knows all the information …We should never have been accepting those type of jokes sustained over years of him working here … it made him feel part of a team I think … because he's such a quiet person you know there was an opportunity there for him to have a joke and a laugh with people … I think it made him feel like it was normal and it was good (I14).
Colleagues were aware of ongoing similar security breaches but in acknowledging the personality 'quirks' of this individual who struggled socially and had non-malicious intent, enacted a protective, pro-social silence (Van Dyne et al., 2003). Team members, including the SOI, reflected that these activities were problematic and risky for security, indeed I14's discourse 'like it was normal and good' implies the behaviours were, in fact, the opposite (e.g. see López-Couso & Méndez-Naya, 2012). These jovial and inclusive social team dynamics and benefits implicitly suppressed organization-level security concerns. Concurrently, through various comments, colleagues acknowledged the SOI's security vulnerability: 'Of anybody in the team … I would probably say that it [an insider threat] was going to be him' (I14).
Fear and Distrust of HR. An important contributing factor to this incident arose from the climate of fear regarding HR, with their heavy-handed and inconsistent approach creating a more general suppression in raising colleaguerelated security concerns. Interestingly, this was an issue most deeply reflected on by interviewees with management roles. A senior manager explained: 'they [employees] distrust HR. I think because it sets off disciplinaries and grievances too regularly, or their perception is you are into some formal process very quickly' (I19). Further, mid-level managers indicated inconsistencies in HR processes, as one explained: It really depends on who you get on the end of the phone [with HR]. Sometimes I have been told, it is entirely up to you. Sometimes, it must be done to the blueprint and you know, that's unnecessarily harsh and then the person's a bit disgruntled … It's very uncertain. You never really know what you are accountable for. (I14) While mid-level line managers' hesitancy was also related to dealing with the aftermath of HR discipline, including disgruntlement within their teams, HR representatives themselves saw things differently. HR interviewees perceived unwillingness, but also some incompetence, in managers' responses to counterproductive work behaviour. One senior HR manager explained: All of the line management would generally expect HR to take a significant role in any [disciplinary] process … that's come out of our leadership assessments that we just don't have managers equipped to work through those processes themselves … it's kind of like, 'here you go, this is what happened, can you please discipline my employee and send him back once you have finished?' (I20) Management Communication, Management Accountability. Senior managers concurred that reporting internal team security concerns was a line (mid-level) manager responsibility. One explained: 'The monitoring aspects of what we do, risk indicators … it's in our expectations of line managers that they would have responsibility for understanding motivation and report to security if there is a change in that behaviour' (I19).
Similarly, several non-managers endorsed this perspective of line managers as central to team members' behavioural monitoring. Some appeared disengaged from any role in the organization's wider security culture, with comments relating to colleagues not following the correct security procedures as 'not my problem' (I6). Accompanying such demarcation between nonmanagers and management roles was a sense of non-managers' powerlessness. Their position in the hierarchy evidently obfuscates their part in security: '[At] my lowly level, I probably don't have the understanding of an exec [utive]' (I15). Senior manager-led internal communication on all kinds of organizational matters appeared to specifically influence employees' lack of confidence concerning 'speaking up'. Direct experience of ineffective upwards communication and circulating stories about how such efforts have been received by management in the past created a climate at odds with the security culture. For example, one non-manager explained what happened when one, in their words, 'rocked the boat': You either just get ignored or 'oh god, he's off again' kind of mentality … there was one [employee] that blew the whistle on certain things and I personally think … he complained about the right thing to the wrong person and got hounded out (I15).
Vetting. A further concern, raised frequently by non-managers, that restrained their willingness to raise security concerns, involved the rigorous security vetting on which all employees' employment was conditional. In this organization, vetting involves ongoing disclosure of a wide range of personal information. The pivotal value of this security clearance to the ability to remain employed produced an unintended heightening of anxiety for employees in raising any potentially inappropriate concerns about colleagues. These fears spanned disclosure of mental health issues through to direct misconduct. As one non-manager reflected: 'There is always the concern that what you say will come back on you …. It's the whole thing of the [security] clearance' (I4). Anxiety, along with pride in their specialized expertise, was interwoven in employees' professional identities: 'We are working at a one-off place and there is an element of, "it's a privilege to have a specialised job… I wouldn't like to lose that' (I6). Paradoxically, as each employee is securitycleared, it arguably reduces their attention and vigilance towards others' behaviours. As one interviewee explained: 'It's not complacency, but there is a general feeling here that if you have been given one of these [security passes] you are trustworthy, we trust each other, and you do each other no harm' (I9). Inherent to professional security clearance were notions of professional ethics, denoting both employees' trustworthiness and implied discretion. Employees' 'special' identity might also produce a defensive silence ( Van Dyne et al., 2003) towards others in this 'club'.
'Need to Know' Principle. A cornerstone of this shared professionalism is the 'need to know' principle. As a strong organization-wide value, it has significant consequences for bottom-up communication, as well as lateral, peer-level communication. Interviewees across all participant groups concurred that they should not discuss, nor enquire, about aspects of work with which they were not directly involved; the high security nature of the organization's operations underpinned this ethos. However, a further unintended consequence was non-managers' reluctance to challenge their colleagues' behaviours, even when intuitively considered alarming, for fear of overstepping this cultural boundary. As one non-manager outlined: In terms of noticing behaviours and identifying issues within a team, they should be picked up by people … share and exchange, communicate more … sometimes this 'need to know' culture, where you blinker things off, gets to an extreme where people don't say anything. (I7) Consequently, as both managers and non-managers reflected, this key principle fuelled their failures to engage with and discuss security breach incidents across the organization and restricted organizational learning opportunities. Such reluctance stemmed from a desire to protect the organization's reputation, as a senior manager explained: Lots of security incidents don't get talked about … partly because of the reputational risk to the organization, we don't want the press picking up [the information] … there is some support messaging needed to go out across the organization to say … here are some examples of how we have had to deal robustly with people, as a message to staff to make sure they remain compliant. (I19) Senior managers thus recognized the value of sharing such information to enhance staff compliance; however, this connection between bottom-up compliance and top-down communication is problematic and comprises the focus of our next section.

Constraints to Top-Down Communication
Three significant factors were revealed in our analysis that constrained topdown security communication within this organization, diluting or fragmenting both shared understandings of inappropriate security behaviours and the organization's ability to mitigate actual insider threat incidents.

Balancing Formal and Informal Security Communication within a Strong
Hierarchy. Traditionally, the organization had been heavily guided by written rules pertaining to procedures and employee behaviour, but the interviews revealed that management had attempted to introduce a less formal style of control: We have come from a place of being a very parent-child, rule compliant organization, with everything written down of expectations of staff … to a place of more trust and peer-peer relationships … it's all about giving some parameters for people to work in, but … taking grown up decisions for themselves. (I16) However, both management and non-management responses reflected a relatively unchanged authoritarian organization with a persistent strong hierarchy, notably described as 'the treacle' (I17). While regarded by senior managers as a logical and protective structure, mid-level and non-managers viewed it and its accompanying bureaucracy as a barrier to clear communication, about security or otherwise: 'It [information] has to come down through several layers … I sometimes think that it doesn't come through with the same message' (I17). Although strategic changes to organizational communication culture were mirrored in shifts to more open physical workplaces, several interviewees commented that more support was needed in how to practically manage the transition to a new informal approach, especially pertaining to security reporting. A non-manager reflected: We are doing 'hot desking' [shared desk space] and everything like that … we are doing sharepoint … The only thing not open, which I think it should be, is that emotional, psychological bit-the part you say, 'that is missing from my colleague's understanding'. (I8) Implicit Assumptions rather than Explicit Instruction. These transitions within the organization thus appeared to increase ambiguity for employees regarding how the 'need to know' principle should now be applied. Further, there was a lack of standardized employee guidance both on entering the organization and in navigating their working lives. A non-manager reflected the resultant consequences for the reported critical incident: It could well be that when [the SOI] first started the job someone went, right you have got clearance … crack on, have a look where you want. They might really have just not said to him, every time you go on the folder, this is only to be used for X Y Z. (I15) Another mid-level manager concurred, outlining the necessity of clearer organizational communication and reinforcement around process controls: 'People shouldn't just nose around because they can … it was highlighted to us during training, but still I think that subtlety can be lost' (I12). There are particular consequences for security risk behaviours that do not fall within the standard threat parameters. As a mid-level manager explained: 'If it was a big pile of printed information … I would say shred it immediately. That's one of the warning signs [of insider threat] … [but] folder surfing was never a warning sign that we were trained in' (I14). Indeed, this ambiguity is noted in the critical incident's disciplinary documentation with the SOI insisting that 'there had been comments made about their computer holdings, et cetera, but not a warning'. Indeed, neurodiversity can create subtle over-attention (Lorenz et al., 2016) causing the distinction between 'comments' versus 'a warning' to produce either an unwitting, or strategic, re-interpretation of managerial discourse that enables the gravity of actions to be diminished. It arguably also reflects a wider formal rule following organizational culture, rather than evidence of a deeper, reflexive engagement with complex notions of security.
Varying Managerial Approaches. Compounding organizational top-down security communication ambiguities further were evident differences in the local level approaches of managers. The regular restructuring of teams in response to an almost bi-annual transition at the top of the organization added further inconsistency. Preceding and during this critical incident, the SOI's team had multiple different managers, each sending varying signals as to what constituted acceptable security behaviours. One mid-level manager explained: We merged in with another group … suddenly you have got a different boss … and he is far less tolerant of sharing things [information], that's when it starts to trigger, ah yes, I need to warn people that you know, just having a folder full of information might not be acceptable. (I14) Further consequences of leadership changes include the probability that individual warning signs go either unnoticed, or are insufficiently monitored by new incumbents who instead are focused on becoming acquainted with their new environment and relationships. Each leader transition produces fresh security uncertainty amongst non-managers with expectations and boundaries again shifting and autonomy levels being re-drawn; this leads to fragmentation within the security climate.

Top-Down Communication
In our high security organization case study, top-down communication norms frame responsibility for insider threat-related reporting as a managerial preserve while discursively positioning non-managers as passive, in roles of compliance. Clear disconnects were evident between senior leaders' targeted attempts to transform security communication from a formal authoritarian, leader-follower approach into informal peer-to-peer based. Non-managers' consequent relative disengagement from security and silence positions only mid-and senior-level managers as 'in charge' of, and accountable for, reporting security concerns. Critically, peer-peer informal security monitoring becomes a vague organizational aspiration rather than an important security layer. Concurrent with these perceived role demarcations are tensions between senior-and mid-level managers regarding communication concerns. Midlevel managers align more often with non-manager perspectives, particularly concerning the barriers to effective security communication. This divergence within management levels exacerbates the fragmentation in climate regarding shared understandings and the enactment of security protocol.
Inconsistent managerial approaches to security were evident in this case. Leadership style and leadership communication have been widely discussed within the organizational literature, specifically how such factors have positive or negative impacts on employee security engagement and behaviour (e.g. Clarke, 2013;Willis et al., 2017). Our findings show how frequent team management changes compound these factors. Successive leaders with more active or passive approaches to internal security threats, as well as more or less openness and explicit discussions of security matters, have tangible consequences on employee perceptions and enactments of security. Frequent leadership changes directly contribute to divergent notions and manifestations of security within teams, including their proactive identification of threats, acknowledgement of their emergence, and willingness to speak up and to engage in their correction. Indeed, both managers and non-managers behave according to their own implicit assumptions and interpretations of 'security'.
Our findings indicate a value to leaders dedicating time to understanding their role in the development and manifestations of security assumptions, notions of insider threat and the communicative framing of security climates across their organization. At a theoretical level, our findings are important to the development of more comprehensive models of crisis communication. They suggest that leaders help frame internal security communicationand therefore to some extent also resultant security behavioursthrough both their explicit and unintentional communication. While SCCT, for instance, emphasizes how managers can promote certain interpretations of crisis to external stakeholders through a strategic communicative focus on certain issues and values (Coombs, 2007), our study reveals these framing effects arise, too, from unintentional internal managerial communication. This advances our understanding of how this particular form of crisis, insider threat, can emerge in the first place.

Bottom-Up Communication
Our findings further suggest that bottom-up communication flow is significant in explaining the enabling role of internal communication in insider threat activity. We demonstrate how organizational communication norms, namely here the 'need to know' standard, can constrain bottom-up communication, effectively silencing individual employees from raising valid concerns about colleague behaviour to managers. This principle, together with formal security vetting, represents critical components of individuals' identities as trustworthy and discreet security professionals and illuminates the material significance of discursive outworkings of professional identity (Kornberger & Brown, 2007;Scott & Trethewey, 2008). Concurrently, the omission of clear and consensual understanding of the circumstances in which this principle should or should not be applied increases ambiguity about 'speaking up'. Distrust of the HR departmentconsidered hostile by non-managers and unpredictable by managersreinforces such hesitancy. Further, the distinct affective tone of fear of 'getting in trouble', reduces non-managers' (and in some cases midlevel managers') willingness to raise valid security concerns. Our findings here concur with prior research on the role of this emotion in silence (Kirrane et al., 2017) and of place in the hierarchy with the willingness to 'voice up' (e.g. see Morrison, 2014). Research on employee reticence to voice concerns explains how speaking up can challenge the powerful status quo, indicating a negative appraisal of current management practices, including detrimental repercussions for others, or simply as a futile activity from a lower-level employee (Morrison, 2014). In addition, the likely further consequences we reveal for mid-level managers in dealing with negative repercussions within their teams (e.g. staff disgruntlement, low morale), echo the selective silence that pervade from self-protection concerns. Direct experiences and vicarious learning on the viability of 'rocking the boat' produce self-protection needs (Sprague & Ruud, 1988), to create a form of 'taken for granted self-censorship' (Detert & Edmonson, 2011) in relation to authority figures.
Our findings support the curtailing of internal whistleblowing within organizations in which employees perceive themselves as having little organizational power compared to managers (Skivenes & Trygstad, 2010). Yet this form of employee voice is central to mitigating insider threat. Searle and Rice (2018) have dichotomized insider threat into active and passive forms, with passive threat constituted by the withdrawal behaviours of colleagues that serve to facilitate an insider's organizationally threatening activities. Similarly, Kassing's (2002) framework of employee voice distinguishes active-passive from constructive-destructive dimensions, to conceptualize upward communication (voice) as a form of dissent. The type of voice we detect in this case aligns with passive-destructive voice, which is characterized by 'murmurings, apathy, calculated silence, and withdrawal' (Kassing, 2002, p.191), and with acquiescent silence (Van Dyne et al., 2003). Further, within a wider organizational culture that comprises little active dissent towards authority, we also see prosocial silencederived from a team protection motiveand defensive silence, which serves as a means of maintaining their security clearance and professional identities. These distinct drivers and forms of silenceacquiescent, defensive and prosocial (Van Dyne et al., 2003) constitute warning signs of potential insider threat activity.

Lateral Communication
Our findings thus far represent an imbalance in power relations between managers and non-managers in this organization, but they also illuminate the significant influence of individuals and groups without formal leadership roles in sensemaking around organizational security. We demonstrate the criticality of local team dynamics and social roles in the development of communication norms that legitimize risky behaviour and produce forms of collective moral disengagement (Bandura, 2016). 'Nerds', 'geeks' and 'on the spectrum' were terms interviewees repeatedly used to discuss themselves and others in this organization, providing the potential to excuse counterproductive work identities and norms of behaviour (c.f. Creech, 2020). Further, we found growing employee and management recognition that neurodiversity diagnosis and support could be invaluable for some employees. The critical incident case does include an individual who was subsequently diagnosed as having Autism Spectrum Disorder (ASD); our study therefore, reflects how insider threat behaviours can involve a complex interplay of environmental and individual difference factors. Individuals on the autistic spectrum may be overrepresented in particular sectors, notably science and technology (Baron-Cohen et al., 2001). These individuals possess a host of positive qualities (e.g. attention to detail, pattern recognition), concurrent with occasional requirement for further workplace support to better navigate communication and social challenges (Lorenz, et al., 2016). Digital hoarding behaviour may be associated with ASD (Van Bennekom et al., 2015), but it is also common within general working populations and is increasingly recognized as a security risk in modern organizations (Neave et al., 2020). Importantly, research indicates good practice towards neurotypical individuals in the workplace is good practice (Hagner & Cooney, 2005).
A further lateral communication dimension in this critical incident is the strength of team cohesion and an arguably misplaced local loyalty (Hildreth & Anderson, 2018). Yet this case arose partly in response to the replacement of HR procedures considered important by this team (promotion). The opacity of the new requirements prompted the SOI to fill the resultant information void; thus, it was a direct response to inadequate organizational communication. An additional facet of this team's cohesion that contributed to the insider threat was the use of humour and its unintended consequences. Extant research shows humour has a number of important social functions, several of which apply to this case (Wood & Niedenthal, 2018). First, humour offers a means of rewarding and reinforcing individuals' behaviour, here tacitly encouraging and inadvertently condoning the SOI's activities. Second, it can ease social tension and signal team affiliation through teasing and banter. Third, it produces non-confrontational reinforcement of social rules, here team citizenship, at the expense of organizational rule compliance. Further, within cognitively diverse teams, humour's subtler messaging for these latter two functions may not be acknowledged by those with ASD due to important neurological cognitive and affective processing differences (Lyons & Fitzgerald, 2004). Critically, laughter can offer an important coping mechanism alleviating embarrassment and managing anxiety that can arise from moral threats, creating both a way to disengage and diminish the significance of these organizationally threatening actions (Page & Pina, 2015). Our critical incident team members registered the subtle corrective messaging of their ironic humour serving multiple functions, deflecting serious risk, reframing the SOI's actions as benign and preserving both team and professional credibility (Kwon et al., 2020;McCreaddie & Harrison, 2018) without having to directly face its potentially negative security implications. Our findings support the significant role of humour, social influence and local loyalty (Desmond & Wilson, 2018) in reducing individuals' internal whistleblowing, especially where risky behaviour is regarded as well intentioned (Hildreth & Anderson, 2018). In this context, selective silence is pro-social ( Van Dyne et al., 2003) as well as personally beneficial (Stouten et al., 2019).

Conclusions
This study has revealed the enabling and unintentional role of internal organizational communication in one under-researched form of organizational crisis, insider threat. In doing so, we make three important research contributions to the areas of organizational communication, organizational crisis, security and insider threat, which have practical value for organizational managers.
First, we demonstrate that insider threat can, and should, be considered a form of potential organizational crisis in which internal organizational communication may play an enabling role. Communication frames matter, not just for strategic external communication with stakeholders in the aftermath of a crisis, but also to enhance understanding of how crisis emerges in the first place through employees' accrual of intended and unintended security messages. Second, we advance insight into the fragmentation of security climates that create barriers to bottom-up communication and employee voice and result in selective collective silence around insider threat activity. Bottomup selective silence represents, on the one hand, loyalty and empathy for particular local relationships, with individuals' problematic work behaviours reframed as benign; and on the other, reticence to raise valid concerns to organizational authorities and senior managers because of fear of their perceived over-reaction to minor non-malicious misdemeanours. Employee selective silence is symptomatic of a closed-communication environment, characterized by hierarchies, technical rules and formal reporting of concerns regarded essentially as a manager's role. High stakes vetting may facilitate both a belief that trustworthy individuals are employed in a workplace and that individuals operate within a 'safe harbour' (Bienefeld & Grote, 2014). Conversely, in such an environment, problematic or unsafe behaviours may flourish undetected. Accordingly, when internal whistleblowing fundamentally conflicts with one's team norms and professional identity (in this case, being discreet), reporting will be reduced (e.g. Gravley et al., 2015). Our findings therefore strengthen the value of challenging leader-centric perspectives on power in organizations to instead consider the interplay and coherence between different organizational levels and employee perceptions (Dannals et al., 2020;Fairhurst & Connaughton, 2014) in enhancing effective and secure functioning.
Third, we demonstrate that the skewed balance away from 'softer' elements of security communication, specifically role clarity and relational and behavioural expectations, in favour of formal elements including vetting, policies and discipline can be detrimental to all three internal communication flows. Rebalancing in this respect might be of particular value to science and technology organizations, which are more likely to employ greater numbers of neurodiverse individuals who may particularly struggle in contexts with inconsistent and intangible directives and social cues (Baron-Cohen et al., 2001).

Limitations and Further Research
As is common to qualitative interview-based research, our data comprises personal and retrospective recall derived from a sample of interviewees (largely from a similar demographic) within one relatively unique organization. Future research might investigate the generalizability of our findings, both within and beyond high security organizations. Individuals from different organizations, with different professional identities and work norms (which do not prioritize hierarchical authority, confidentiality and discretion), might provide quite different results. Nonetheless, we propose that our threeflow communication framework can be usefully applied elsewhere.
Additionally, we encountered a variety of issues associated with case study research, such as the fact that the critical incidents examined were framed as such by senior managers in the organization. There is no doubt that the need for access influenced the research process (Riese, 2019). However, through a process of relationship building and a genuine spirit of academic-practitioner collaboration on a common objective (understanding the protective security of organizations), we were able to cultivate a space for constructive and critical engagement that we hope is evident in this paper and worthwhile to our academic and practitioner colleagues alike.

Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This research was funded by the Centre for Research and Evidence on Security Threats (ESRC Award: ES/N009614/1), which is funded in part by the UK security and intelligence agencies (see the public grant decision here: https://gtr.ukri.org/projects?ref=ES%2FV002775%2F1). The funding arrangements required this paper to be reviewed to ensure that its contents did not violate the Official Secrets Act nor disclose sensitive, classified and/or personal information.

ORCID iD
Charis Rice  https://orcid.org/0000-0003-2094-4597 Notes 1. https://www.cpni.gov.uk/critical-national-infrastructure-0. 2. One individual was interviewed via telephone due to their availability. 3. One individual was interviewed twice due to their role as an insider threat specialist who provided: (1) an overview of all selected insider threat cases, associated official handling procedures by management and important security context information; (2) a personal perspective on the development of the insider threat cases and the organization's general and security-specific culture.