Share

A computer is a wonderful thing. It can streamline procedures, making tasks less arduous to perform. A computer is also an object to be feared. Its ability to store mass information means that facts—both the good and less flattering—can expose leaders and organizations to certain dealings that insiders may wish not to divulge to the public. People may grow afraid of the computer by how much it could reveal about individuals’ lives.

Rapid advances in computing brings the world to an inflection point in how much information should be released to the general public. Should every piece of data about the minutiae of business operations in corporate and government life be made available for everyone to see? Should an organization be absolutely transparent in its operations?

The benefits of open organizations are obvious. Leaders can be held accountable when projects fail and unlawful acts arise. The public becomes aware of particular situations and learns how business runs. Democracy is strengthened as citizens become informed and engaged.

On the other side of the debate, what are the costs to being open and forthright? Can an organization be harmed by transparency? Would people have more to lose than what they could gain from a full and open society?

Along with the rise in the use of the World Wide Web (WWW) since the 2000s, governments around the world have introduced e-government[1] programs to facilitate public administration and provide government services online. Underlying the theme of e-government is the movement to make government more responsive to the needs of citizens. Implementing web applications and other modern information and communication technologies have made government open, allowing people to interact efficiently with government agencies.

The drive toward open institutions, however, has created new problems, not just for public organizations but for private companies as well. The ease with which data can be transferred between multiple organizations poses a risk in sending information into the wrong hands. Websites connect to various third parties to receive text and images and to share preferences. The interconnectedness of the WWW enables data to flow to whomever and wherever there’s an established link to receive information. The WWW is made up of numerous links, connecting people and things around the world in a global computer network.

Transparency is a paradox, illuminated by David Pozen, in that it both solves and creates problems. Pozen explained how open government has undermined democratic principles and transparency is not a virtue to uphold but rather transparency is a means to an end.[2]

To understand transparency: one needs to look at what would be lost relative to what would be gained when information is disclosed or withheld. Pozen examined the tradeoffs of privacy and articulated that protecting privacy along one dimension may compromise it along another dimension.[3] In effect, a person or an organization may choose to disclose certain information to protect a certain aspect of privacy, but then the very same disclosure may result in leaving the person or organization vulnerable to another form of privacy risk. There’s no universal definition of what privacy means. A privacy interest can form in a variety of situations. A homeowner may install video cameras in all the rooms of his house to ensure protection of personal belongings against theft. The homeowner, in this instance, gives up his interest in keeping all of his possessions private. The installed cameras, while serving to protect the homeowner’s property, may be used to snoop on the private activities of the homeowner and his guests.

A corporation may fully disclose its methods of a novel product and receive a patent for its invention. In exchange for giving up its secret in how its product delivers a better service to customers, the corporation can dominate the market and charge a high price for the innovative product. The corporation gives up its interest in maintaining secrecy in its product design. The disclosure may leave the corporation vulnerable to a number of privacy concerns where the invention can be reverse engineered by others to exploit technical weaknesses, identify potential suppliers, or find other things that the corporation may not want to be publicly known.

Multiple government agencies may agree to share client records related to vaccinations, voter registration, and unemployment compensation. These agencies use a secured web application to transfer information about individuals who participate in various programs. While a computer system is in place to protect the data from unauthorized access, the ability to share disparate data sets opens up the possibility for personnel to combine the data sets to create comprehensive profiles on thousands of residents. The combined single database poses new risks that may expose vulnerable populations to increased scrutiny and potential abuse.

The foregoing examples illustrate privacy tradeoffs across different organizational contexts. Compromising one aspect of privacy for the benefit of another is not only a concern in the public sector but can be an issue in private business and personal life. A person needs to think through all possible cases in which disclosure might impact other areas.

Legal scholars have developed frameworks to mitigate and balance privacy risks. One framework organizes data into four categories. By reviewing data as belonging to raw personal data, pseudonymized data, anonymized data, or non-personal data,[4] an analyst would be able to determine the extent to which a particular group of information can be made available for external use. The definitions of the four categories may be arranged along a continuum where personally identifiable information (PII) makes up raw personal data at one end of the scale and non-personal data (for example, weather data or public transportation scheduled routes) are at the other end of the scale. Non-personal data generally do not contain PII. Pseudonymized data and anonymized data would fall somewhere in the middle with the former category closer to the raw side and the latter category approaching near the non-personal side. Information that’s pseudonymized may not readily point to a particular person; but with some level of effort, pseudonymized data could be deciphered to reidentify an individual.[5] On the other hand, techniques to anonymize a person or a group of people can make it more difficult to reidentify specific individuals. Along the continuum, information that’s non-personal and anonymized poses little risk to privacy in comparison to raw data and pseudonymized data. While raw personal data should not be a part of an open data initiative, non-personal data may be considered for public release.

Another framework draws on information security practices to analyze the risks of data releases according to privacy controls, privacy threats, privacy harms, privacy vulnerabilities, and data utility.[6] Altman and his team applied these dimensions across the phases of information management from data collection to data processing to the releases of results and data sets, highlighting technical and managerial approaches that preserve privacy interests and permit certain levels of access.

Two computing methods mentioned in Altman’s study are worth elaborating here. The methods provide mechanisms to avoid having to transmit raw personal data. Instead of accessing raw data directly, external users can use a specialized web application to select certain predefined parameters and submit a query. The specialized web application controls what types of data and the amount of information that can be displayed to the user. The user would only receive information in a limited and constrained format based on the result of the query. The second method (an emerging technology) is homomorphic encryption,[7] where encrypted data can remain encrypted in storage and yet can be searched and analyzed. An organization wouldn’t have to decrypt and release a data set in plain text, but rather can provide access through a specialized software program that allows an authorized user to process encrypted data without the need of actually seeing it in raw form.

As advancements in information technology (IT) are rapidly developed and brought to market, there’s a new concern regarding how government acquires the latest technology.[8] Machine learning and artificial intelligence (AI) may be delivered in such a form that public managers don’t understand how the systems operate to process and output information. In the past, public managers were involved in the design phase to ensure contractors had developed an IT system according to a government program’s specific business rules and functional requirements. Public managers understood the logic of information management systems, because of explicit instructions that were programmed in those systems. Today’s machine learning systems may rely on implicit rules and assumptions (gained from training data) that enable algorithms and computational methods to generate inferences and conclusions based not on human logic but on machine logic [emphasis mine].[9] The way a machine thinks is not the same as how a human thinks. This is the critical difference at play in the development of AI. A machine learning system used in a government program may be opaque to a high degree that allows decisions and the administrative process to elude accountability, precisely because machine logic functions on a separate plane.

To balance secrecy and disclosure whether it’s a black box IT system, national security classifications, or information more broadly, organizations can establish a panel of subject matter experts to oversee the administrative process and provide technical guidance. The Fundamental Classification Policy Review (FCPR), initiated by the Secretary of Energy in 1995, brought together technical experts across the Department of Energy to review the department’s entire classification system. A guiding principle in the FCPR’s effort was not to find a benefit to release information but to answer the question why certain information must be protected based on reasoned judgment.[10] What’s the inherent risk? Experts reviewed and updated their criteria to be in line with current needs and risk levels in maintaining classified documents.

The Interagency Security Classification Appeals Panel (ISCAP) is an example of a multiagency forum composed of senior level representatives from the Departments of Defense, Justice, and State, the National Archives and Records Administration, the Central Intelligence Agency, the Office of the Director of National Intelligence, and the National Security Council. ISCAP has authority to review public appeals to declassify and release previously classified information, permitting group members to deliberate and come to a consensus on what should and should not remain secret. Aftergood showed how the group-led effort provides an effective check on agency discretion with the ISCAP voting to declassify 495 of 769 classified documents (64% of the time) from 1996 to 2008.[11] Left on its own, an agency may well decide to continue to retain a classified document for several decades. Brought together in a forum, other agencies would weigh in on the matter and discuss the merits of why a particular document needs to be withheld from public inspection.

During the Obama administration, the U.S. Digital Service (USDS) and 18F were established to facilitate government-wide efforts to design and implement web applications and IT infrastructures. These two groups assembled technical teams to provide guidance and support to federal agencies. In a review of similar teams created at the state and local levels, Mulligan and Bamberger explained how USDS and 18F had exemplified a new model for leading and coordinating cross-agency efforts to manage information technology programs.[12]

It needs to be noted that, under the second Trump administration, 18F was shuttered[13] and USDS was reorganized as the “U.S. Department of Government Efficiency (DOGE) Service” with an expanded scope that reaches into or touches upon human resources management, contracts and grants management, federal funding, rulemaking, voter registration, and nuclear technology.[14] The new DOGE Service has been given authority by President Trump to provide more technical guidance beyond the field of computer science. A future review of USDS operating as DOGE should be conducted to determine, among other things, if the group continues to represent a model of cross-agency IT coordination.

The impetus behind the establishment of FCPR, ISCAP, 18F, and the original USDS was the need to understand the complexities of changing situations and to grapple with evolving circumstances. The single agency, multiagency, and government-wide groups demonstrate the value of soliciting expertise from others to deal with a particular environment that’s deeply technical.

Determining what should be disclosed and what should remain secret is not an easy task. A lone person or a single organization shouldn’t decide too hastily to release information without examining the impacts of the release. A team of competent individuals is better positioned to evaluate the risks, pointing out any downsides that another person may not have considered or may not be aware of. Consulting partner organizations can afford them an opportunity to provide feedback on how a data release may impact their operations. A partner may have objections to the proposed disclosure.

A decision to make information publicly available is not a trivial matter without consequences. Once it’s released, the now public information may be difficult to pull back, control, and hold again. Disclosing previously held information can be like releasing the proverbial genie out of the bottle. Leaders should be cognizant on how information can spread—especially when it’s transmitted across the World Wide Web.

Evidence for Practice

• Preserving privacy varies by context and can change from one situation to another.

• Releasing or withholding information needs to be reasonably justified.

• Consulting relevant experts on deciding what to disclose allows for a discussion that will result in a reasoned judgment to keep information confidential or make it public.

Next Steps for Leaders

• Leaders should regularly review their criteria on classifying information and determine if requirements and needs have changed. Factors involving changes to laws and regulations, changes to internal operations, and changes to agreements with partner organizations may require updates to classification criteria and operating procedures. Sunshine laws, disclosure requirements, data sharing, and privacy protection are particular areas to focus on. The terms classification, classifying, and classified documents are meant to be interpreted broadly to apply to any organization (public and private) that has a need to retain confidential information for internal use only.

• An internal committee should be established to review and approve changes, provide technical guidance, and oversee the administrative process on matters related to information protection, retention, and transmission. The committee should include representatives from external partners if those partners have agreements to share and use information.

• Government agencies (federal, state, and local) should review their procurement procedures and make any necessary adjustments to adequately evaluate and test AI systems before they can be used in operations. Contractors may be unwilling or unable to disclose their algorithms, computational methods, and other system design elements. If public managers aren’t able to provide instruction in the course of designing an AI system, they can and should provide direction on what outputs the system must produce. Procurement focus would change to ensuring system outputs match the expectations of a government program.

Share

Open for Discussion

Is your organization completely transparent in how it operates? How often do you discuss the risks of disclosing certain types of data? Have you ever had an instance where you regretted the release of information? Feel free to submit your answers in the comment section. If you’re not comfortable sharing your experiences, you can talk to a specialist at Peaceful Governance Institute (PGI) in private; click this link to call the PGI hotline support.

Leave a comment

Hotline Support

Notes

1. E-government is shorthand for electronic government.

2. David E. Pozen, (2020) “Seeing Transparency More Clearly,” Public Administration Review 80(2): 326–327.

3. David E. Pozen, (2016) “Privacy-Privacy Tradeoffs,” The University of Chicago Law Review 83(1): 222.

4. Frederik Zuiderveen Borgesius, Jonathan Gray, and Mireille van Eechoud, (2015) “Open Data, Privacy, and Fair Information Principles: Towards a Balancing Framework,” Berkeley Technology Law Journal 30(3): 2077, 2114–2122.

5. Pseudonymized data typically replaces PII with another kind of unique identifier. Instead of using a person’s driver’s license number, for example, a six-character alphanumeric code may be used to identify the person without referencing his driver’s license number. The method of creating the code is only known to the owner of the data and not shared with any third party.

6. Micah Altman, Alexandra Wood, David R. O’Brien, et al., (2015) “Towards a Modern Approach to Privacy-Aware Government Data Releases,” Berkeley Technology Law Journal 30(3): 2011–2013.

7. For more information, see the following: Martin Albrecht, Melissa Chase, Hao Chen, et al., (2018) “Homomorphic Encryption Standard,” 21 November, (Toronto: HomomorphicEncryption.org). (Accessed 31 March 2026 at https://homomorphicencryption.org/standard/.) and Craig Gentry, (2009) “A Fully Homomorphic Encryption Scheme,” PhD Dissertation, September, (Palo Alto, CA: Stanford University). (Accessed 31 March 2026 at https://crypto.stanford.edu/craig/craig-thesis.pdf.)

8. Deirdre K. Mulligan, and Kenneth A. Bamberger, (2019) “Procurement as Policy: Administrative Process for Machine Learning,” Berkeley Technology Law Journal 34(3): 773–852.

9. Mulligan and Bamberger: 814–817.

10. Steven Aftergood, (2009) “Reducing Government Secrecy: Finding What Works,” Yale Law & Policy Review 27(2): 409–410.

11. Aftergood: 407.

12. Mulligan and Bamberger: 830–833

13. Jason Miller, (2025) “After Rocky History, GSA Shuts Down 18F Office,” Federal News Network, 1 March. (Accessed 26 April 2026 at https://federalnewsnetwork.com/reorganization/2025/03/after-rocky-history-gsa-shuts-down-18f-office/.) and Karoun Demirjian, and Madeleine Ngo, (2025) “Dozens of Government Technology Specialists Fired,” New York Times, 3 March. (Accessed 26 April 2026 at https://www.nytimes.com/2025/03/03/us/politics/18f-technology-specialists-fired.html.)

14. Executive Office of the President, (2025) “Establishing and Implementing the President’s ‘Department of Government Efficiency’,” Executive Order 14158, 20 January, Federal Register 90(18): 8441–8442. (Accessed 26 April 2026 at https://www.federalregister.gov/d/2025-02005.)

Executive Office of the President, (2025) “Reforming the Federal Hiring Process and Restoring Merit to Government Service,” Executive Order 14170, 20 January, Federal Register 90(19): 8621–8623. (Accessed 26 April 2026 at https://www.federalregister.gov/d/2025-02094.)

Executive Office of the President, (2025) “Implementing the President’s ‘Department of Government Efficiency’ Workforce Optimization Initiative,” Executive Order 14210, 11 February, Federal Register 90(30): 9669–9671. (Accessed 26 April 2026 at https://www.federalregister.gov/d/2025-02762.)

Executive Office of the President, (2025) “Ending Taxpayer Subsidization of Open Borders,” Executive Order 14218, 19 February, Federal Register 90(36): 10581–10582. (Accessed 26 April 2026 at https://www.federalregister.gov/d/2025-03137.)

Executive Office of the President, (2025) “Ensuring Lawful Governance and Implementing the President’s ‘Department of Government Efficiency’ Deregulatory Initiative,” Executive Order 14219, 19 February, Federal Register 90(36): 10583–10585. (Accessed 26 April 2026 at https://www.federalregister.gov/d/2025-03138.)

Executive Office of the President, (2025) “Implementing the President’s ‘Department of Government Efficiency’ Cost Efficiency Initiative,” Executive Order 14222, 26 February, Federal Register 90(40): 11095–11097. (Accessed 26 April 2026 at https://www.federalregister.gov/d/2025-03527.)

Executive Office of the President, (2025) “Preserving and Protecting the Integrity of American Elections,” Executive Order 14248, 25 March, Federal Register 90(59): 14005–14010. (Accessed 26 April 2026 at https://www.federalregister.gov/d/2025-05523.)

Executive Office of the President, (2025) “Zero-Based Regulatory Budgeting To Unleash American Energy,” Executive Order 14270, 9 April, Federal Register 90(71): 15643–15646. (Accessed 26 April 2026 at https://www.federalregister.gov/d/2025-06466.)

Executive Office of the President, (2025) “Ordering the Reform of the Nuclear Regulatory Commission,” Executive Order 14300, 23 May, Federal Register 90(102): 22587–22590. (Accessed 26 April 2026 at https://www.federalregister.gov/d/2025-09798.)

Executive Office of the President, (2025) “Reforming Nuclear Reactor Testing at the Department of Energy,” Executive Order 14301, 23 May, Federal Register 90(102): 22591–22593. (Accessed 26 April 2026 at https://www.federalregister.gov/d/2025-09799.)

Subscribe now

Share

“Acquiring and using information is a cornerstone of economic activity. In order to channel resources to their most productive ends, needs and capabilities must be identified.”[1]

Any organization, whether it’s a small business, a community center, or a public institution, needs information (data more precisely) to make accurate decisions. Without information, an organization may make a mistake or fail to reach its goals. How will the manager know how much to produce? How many customers should be served? How many dollars need to be spent and received? Answering these questions necessitate gathering and analyzing information. Collecting information is just an important task in business as it is with managing financial transactions and hiring employees.

As with anything else in business, information has a cost. Purchasing a mailing list has a certain price. Tools to manage and analyze data come with various prices. Cloud computing or a computer server has a cost to store and process data. Even without modern conveniences provided by the Internet, managing records on paper by hand with pencil and calculator has a cost involved. Time itself adds to expenditures in terms of the level of effort necessary to collect, review, and catalog information.

Given information’s relative importance in business and in decision-making, how can an organization control its expenses in obtaining and processing information? Are there practical strategies to minimize information collection without sacrificing quality? Does an organization need to acquire all available data?

A casual observer might say information management is cheap and even free. One can download and use all sorts of software apps for little to no cost. Another can subscribe to free web services. None of these options are actually free. It may appear to be free to the user. But, in fact, costs are borne by the software developer or service provider. Using freeware and shareware software applications and the risks they bring is a whole separate topic for another essay. For now, I will offer the common refrain, “Buyer beware,” which remains even more relevant today with modern information and communication technologies.

In the drive to develop artificial intelligence (AI) to a level that matches human thinking capability, tech companies have based their data models on grabbing whatever information is available on the World Wide Web, regardless of whether the information is a fact, an opinion, or a lie. Data are indiscriminately being gathered and stored like a vacuum cleaner sucks up dust and debris. OpenAI, the developer of ChatGPT, asserts that the performance of language models can improve by adding more data by the billions. Software engineers tested OpenAI’s assertion with a data model comprising 1 billion parameters over a collection of 20.3 million documents containing 16.2 billion words.[2] It’s amazing how technology has evolved. The latest feats in computing, nevertheless, don’t resolve the fundamental question on whether the generated output is true or relevant.

In my own research, I explored the history of data analysis and was struck by the insight of John Tukey, a renowned statistician. Tukey reminds us that statistics is one facet of data analysis and that statistics should be used as a basis to form a judgment, not to validate a proposition.[3] Data analysis is a scientific discipline that requires a rigorous inquiry into the problem at hand.

Users of information technology (IT) and AI especially need to be wary about the software that they’re using to make forecasts and decisions. A person can do immediate checks by corroborating computer results with other sources. Utter reliance on AI output could lead to pursing a wrong path, purchasing a faulty product, issues that negatively impact personal well-being, or perhaps war. One study created a provocative fictional story in which the U.S. and China relied on a stream of outputs from their AI systems, and the results had led both countries to launch nuclear missiles against each other.[4] The authors of the study showed how generated outputs could not present the real reason behind each state’s actions. What was missing in the output was the context of what was really happening on the ground. Leaders in the war game scenario had made a grave decision based on a false narrative that failed to bring all the data points together into a coherent whole.

Despite its technical limitations, AI will be used for better or worse. I remain optimistic that AI will reach maturity. Chatbots, in their present form, communicate like adolescents. They still have much to learn, indeed.

In terms of business application, there’s a better alternative. Advanced IT systems with data analytical tools[5] exist that will enable companies to process their production data to create efficiencies in how they manufacture their products. What is more important is choosing the right kind of information to enter into the IT system. Companies themselves have a wealth of internal information in their offices and production facilities. The emphasis here is on using internal, proprietary data as the input in IT systems. Organizations don’t need to rely on an open-source system where much of its external information is questionable. A private system containing the organization’s proprietary data will ensure that managers receive valid results.

While adoption of information technology had risen dramatically from 2005 to 2010, Brynjolfsson and McElheran found that the adoption rate was uneven across the manufacturing sector with 70% of manufacturing plants choosing not to adopt.[6] Study results indicate that non-adopters tend to be those companies where leaders play a more hands-on role in production activities and the tenure of managers is longer.[7] The study suggests that the decision to use advanced IT systems is largely dependent on the size of the company. Large producers are likely to adopt while small producers are not. This difference would correlate with a firm’s ability to invest in information technology. Small companies may neither have the cash to purchase computer hardware and software nor have the expertise to use such equipment.

Organizations can find other avenues and develop methods to analyze their data without being heavily reliant on information technology. To start: leaders can utilize the talents of their employees who have expert knowledge or years of experience. Organizations have already invested in natural intelligence by employing people. Workers have the brain power to understand the operating environment, troubleshoot whenever something goes wrong, and make necessary corrections. Workers are available resources to process internal information.

Crawford and Sobel developed a seminal paper on how information can be collected and transmitted between two parties, a principal and an agent. Numerous studies were produced in the literature to explore and extend Crawford and Sobel’s concept of strategic communication. The core question is in deciding how much information to send to a decision-maker. Crawford and Sobel’s contribution was in finding that communication can proceed when the goals of both parties are closely related.[8] In an organization, the manager’s and worker’s interests would be aligned. An external partner who contracts with an organization would have shared goals with the organization. In these two cases, there would be an incentive to communicate and transfer information. Shared or similar goals or interests among internal and external parties forms the bedrock for knowledge sharing and information transfer.

The literature suggests that there are three general avenues for collecting information for decision-making purposes.[9] It could be centralized where the principal (a corporate leader or a single organization) collects all information and makes a decision. Centralization of all efforts could be time consuming for the principal. In another avenue, the principal can delegate all work including the decision to an agent. Delegating all efforts to another person or entity might be less expensive but poses high risk in depending on someone else to make critical decisions. The third avenue divides the task of information collection to an agent and the decision-making task to the principal. In this last approach, the leader would wait a certain period for his expert to analyze acquired information. Once the expert sends her analysis to the leader, the leader will decide on a particular action based on the expert’s results. One can see that most organizations would employ the third avenue for information collection and decision-making.

Studies examined how the different avenues play out to achieve equilibrium or an optimal environment. One study considers the factor of time to determine the effect of making a decision early or later in the process. Grenadier and his team found differing effects from the perspective of an agent in that an early decision is beneficial under delegation and a later decision is optimal under centralization.[10] Argenziano and her team found that a decision (made by the principal) may be more precise when advice is provided by an expert (the agent), regardless of the amount of acquired information.[11] Argenziano’s conclusion suggests that collecting more information may not be necessary. Less information may be sufficient, so long as it is valid. It’s assumed that the expert would only acquire just enough information as needed to provide credible and justifiable recommendations. It is clear from the literature that an agent carries weight and influence to provide advice to a principal.

The burden of data acquisition and analysis is placed on an agent. Just how much data should be collected? A better question to ask is how can all the collected information be reviewed and analyzed quickly?

Mandler examined a method by organizing data in less fine (more coarse) categories.[12] His method reduces complex information down to manageable chunks (binary categories), which would allow a person to make a quick decision. Instead of reviewing many solutions in great detail, one can generalize solutions into a smaller set of broad scenarios. An implication of such an approach is in cost savings. Evaluating the former approach would entail a higher cost, additional time, and more information in comparison to the latter approach. Some degree of precision may be lost in generalizing categories, but the same objective and intent would still be achieved. Mandler’s method implies less information can be collected.

The idea of drilling down complexity to binary categories may facilitate work for analysts to quickly weigh the pros and cons of competing priorities. Mandler’s method may be useful in a government agency where analysts are constrained by time to evaluate multiple policy options. Each option or priority would be equally time consuming to collect and analyze relevant data specific to each one.

The struggle to provide equal treatment to competing priorities is compounded by the interests of political leaders. Leadership may be biased toward one particular priority over another (building weapons versus providing health care, for example). And while a civil servant who conducts the analysis would evaluate each priority on its merits in a non-partisan manner, the civil servant still faces time pressure to complete an unbiased analysis. Patty examined this situation and found that when a political leader’s preferences are known, the civil servant will likely follow the leader’s prerogative and invest her time and energy in evaluating the leader’s preferred priority.[13] The other priority loses out. This is not to say that the least preferred priority would not be evaluated fairly. The civil servant would be driven to gather information that the leader cares about most. That means focusing on the leader’s preferences. Patty’s study shows that in the U.S. government it is the process to collect and analyze information related to a particular policy option that is politically motivated. The civil servant is not biased. It’s the process.

The civil servant performs her job to develop a credible case and deliver it to the leader. The leader can take the advice or ignore it. The civil servant has no control on what the leader ultimately decides.

In sum, various organizations from the public sector to the private sector have options to better manage and process their internal information for improved decision-making. If funding is available and capacity exists to use technology, an organization can invest in an advanced IT system with data analytical tools and the IT infrastructure that supports those tools. Leaders should carefully weigh the risks and opportunities if they intend to use an AI chatbot as the emerging technology remains relatively immature.[14] Unintended consequences may result when decisions are based solely on AI outputs.

With or without information technology, an organization still needs procedures and a methodology for how it manages information in general and conducts data analysis in particular. It could control the entire process internally or contract out to partners. Leaders need to develop a strategy and a protocol to ensure all parties understand their roles and when results of the analysis are needed to make timely decisions. Timing may be critical in certain situations where a decision must be made at a specific point in time.

In all instances of making decisions, the leader wants to be certain that his decision is based on credible information. It is not necessary to collect all available data, parts of which may be irrelevant or dubious. Data quality remains more important than data quantity. A few factual and authoritative documents would build a stronger case than an exhaustive compilation of unsubstantiated opinions. An organization can defer to staff members’ expertise and experience to fill in any gaps and synthesize the limited collection of acquired information. A person remains involved in communicating recommendations to the leader, who in turn will decide on which recommendation to pursue.

While information technology can certainly play a role in information management, organizations should not discount the ability of the human operator. People still have roles to oversee the process and to make the actual decision. Human intelligence remains more capable than artificial intelligence in the areas of nuance, context, and synthesis.

Evidence for Practice

• AI chatbots are wholly inappropriate for complex, sophisticated decision-making where the results of critical decisions can have consequential impacts.

• Involving people in a coordinated effort to collect, analyze, and report information remains crucial to good management practice.

• Experts assigned to evaluate options for decision-makers can save time by limiting their information collection effort to a small and strategic set of credible data. Less information may produce meaningful and fruitful advice.

Next Steps for Leaders

• Leaders should review their procedures and methods pertinent to information management, information collection, and data analysis. If data collection forms are long or complicated, consider revising the forms by simplifying or generalizing the questions and responses. Can the forms by shortened to obtain only what you need for your particular project or goal? Do staff and partners understand their roles and responsibilities to ensure the information process from collection to analysis runs smoothly? Will the decision-maker receive the results of the analysis in time to make a decision? Is it clear who makes the decision? Is it a machine or a human who decides on what action to take?

• Leaders should analyze their operating environment to determine what’s the best and most suitable IT solution that will meet business needs and organizational objectives. All division managers should be consulted to get their input and secure their buy-in. Are there old and outdated IT systems that need to be upgraded? Would an enterprise wide IT system work across all divisions, or should each division have its own system? Do current employees have skills and abilities to use an advanced IT system with data analytical tools?

Share

Open for Discussion

How does your organization manage and analyze information? Are you using ChatGPT or some other AI chatbot to help you make decisions? Did you encounter any problems in the outputs? Feel free to submit your answers in the comment section. If you’re not comfortable sharing your experiences, you can talk to a specialist at Peaceful Governance Institute (PGI) in private; click this link to call the PGI hotline support.

Leave a comment

Hotline Support

Notes

1. Jerry Green, (1982) “The Current Status of the Interface Between Information Science and Economics,” in Research Opportunities in Information Science and Technology, (Alexandria, VA: National Science Foundation): 17. Accessed 28 February 2026 at https://green.scholars.harvard.edu/sites/g/files/omnuum5981/files/green/files/the_current_status_of_the_interface_between_information_science_and_economics.pdf.

2. Jared Kaplan, Sam McCandlish, Tom Henighan, et al., (2020) “Scaling Laws for Neural Language Models,” arXiv:2001.08361v1, (Ithaca, NY: Cornell University): 4, 7. Accessed 28 February 2026 at https://doi.org/10.48550/arXiv.2001.08361.

3. Edward Y. Uechi, (2023) “Chapter 2: Technological Development,” in Business Automation and Its Effect on the Labor Force, (New York: Routledge/Productivity Press): 30–31.

4. Matthew Price, Stephen Walker, and Will Wiley, (2018) “The Machine Beneath: Implications of Artificial Intelligence in Strategic Decisionmaking,” PRISM 7(4): 93–95.

5. Advanced IT systems are enterprise grade information management systems designed specifically to meet the needs and requirements of particular organizations, typically built from a base design provided by IBM, Microsoft, or Oracle. The advancement includes tools and proprietary methods for users to carry out data analysis functions. An organization’s internal data are imported for deep analysis. The IT system operates in a closed network that’s restricted to employees.

6. Erik Brynjolfsson, and Kristina McElheran, (2016) “The Rapid Adoption of Data-Driven Decision-Making,” American Economic Review: Papers & Proceedings 106(5): 138.

7. Brynjolfsson and McElheran: 136–137.

8. Vincent P. Crawford, and Joel Sobel, (1982) “Strategic Information Transmission,” Econometrica 50(6): 1450.

9. I summarize the three avenues and add my interpretation in the paragraph based on cogent and succinct descriptions provided in: Rossella Argenziano, Sergei Severinov, and Francesco Squintani, (2016) “Strategic Information Acquisition and Transmission,” American Economic Journal: Microeconomics 8(3): 136–137.

10. Steven R. Grenadier, Andrey Malenko, and Nadya Malenko, (2016) “Timing Decisions in Organizations: Communication and Authority in a Dynamic Environment,” American Economic Review 106(9): 2570–2571.

11. Argenziano et al.: 140.

12. Michael Mandler, (2020) “Coarse, Efficient Decision-making,” Journal of the European Economic Association 18(6): 3006–3009.

13. John W. Patty, (2009) “The Politics of Biased Information,” The Journal of Politics 71(2): 393.

14. Recent news reports highlight competing AI chatbots from Meta and xAI (Grok) are still in the development stage (works in progress).

Reuters, (2026) “Meta Pushes AI Model ‘Avocado’ Rollout to May or Later, NYT Reports,” Reuters, 12 March. Accessed 15 March 2026 at https://www.reuters.com/technology/meta-delays-rollout-new-ai-model-nyt-reports-2026-03-12/.

Fred Lambert, (2026) “Musk Admits xAI ‘Not Built Right’ — Weeks After Tesla Invested $2 Billion,” Electrek, 13 March. Accessed 15 March 2026 at https://electrek.co/2026/03/13/elon-musk-admits-xai-built-wrong-rebuild-tesla-spacex-investment/.

Subscribe now

Share

“All authority implies the exercise of power, power in the sense of the capacity to bring about change, to bring about transformation. A leader needs to have power, and that power needs to be the right kind of power for the function involved. We call authoritarianism the use of excessive power beyond that needed to carry out the function in question. Authoritarianism is a distortion of functional power, because it tends to distort the structural characteristics of the organization itself. Authoritarianism often stems from a problem in the personality of the leader.”[1]

Dr. Otto Kernberg, a psychiatrist and expert on personality disorders, commented on the purpose of executive leadership from the perspective of psychoanalysis. His insight on how a person should lead has bearing and tremendous gravity at this particular moment in time. It’s 2026. A leader needs a certain degree of power to accomplish objectives. However, the power he wields can be taken to extreme ends. And if that leader has an unresolved internal conflict within himself, he may use power, which was legitimately authorized initially, to exact his will against others and perhaps society, which then becomes an illegitimate use of authority. Indeed, the U.S. Supreme Court reviewed President Trump’s assertion that he has “extraordinary power to unilaterally impose tariffs of unlimited amount, duration, and scope.”[2] A leader assumes a powerful role, and in the right hands or evil hands, his powerful role can be used justly or wrongly.

How should a person act when he or she is appointed or elected to a position of authority? Should she coerce people to follow along by dictating rules and threatening punishments? Or, should she support people to gain their cooperation by working with them instead of against them?

Studies abound in the literature on leadership. In one corner, scholars examine a leader’s physical appearance. According to Murray, followers are likely to choose a leader who is physically imposing or intimidating.[3] Another article makes the claim that a person’s facial structure is a predictor for earning higher profits.[4]

The preoccupation on physical looks is emblematic of narcissism, a personality disorder. A person with narcissistic tendencies is self-absorbed with her own image and strives to present her outward appearance in ways that will return constant admiration, whether deserved or not, from others. Certain leaders may capitalize on their level of attractiveness to increase clients, raise revenues, and influence change.

Research indicates, however, that narcissistic leaders can do more harm than good. An example in the computer industry from 1992 to 2004 showed that these types of leaders implemented bold actions in their organizations, and their decisions resulted in extreme swings in financial performance (“big wins and big losses”).[5] A pattern has emerged where narcissistic leaders go through three stages during their tenure; they start by introducing a vision and taking decisive actions; then they’re confronted with anger, frustration, and even antipathy by their followers, as questionable financial and ethical decisions come to light; and finally the organization in which they lead must face the prospect of letting the leader go or accommodating to the leader’s plans.[6] Narcissistic leaders bring with them not only vision and inspiration but also volatility and chaos to their organizations.

Are inborn characteristics a precondition for leadership? A review of books on government leaders identified unusual drive, political and managerial acumen, dealing with difficult situations, and obtaining buy-in from both internal and external stakeholders as common attributes of leadership.[7] Of these qualities, unusual drive may be considered innate. All other attributes can be learned through training or experience. Based on his review, Van Wart found that leaders cannot “simply rely on their natural leadership talents,” but that they must “continuously hone” their skills and abilities over a lifetime.[8] Whether or not a leader has inborn traits, it is incumbent on the leader to navigate and maneuver among obstacles in front of her, and that involves an ability to assess and adapt to a changing environment. “To lead change does not require charisma, but it does require basic managerial or transactional competence [emphasis mine].”[9]

The type of organization (private or public), the relative stage of its growth (startup or established), and its organizational values are factors that could promote or thwart a particular leadership style. One study suggests that an innovative leader who values freedom and creativity might not achieve much in a bureaucratic institution where employees prefer to follow strict procedures.[10] Another study suggests that a forceful leader who commands his employees to meet specific goals would be a better fit in a dynamic startup as opposed to a more stable company.[11]

Having a more directive style that’s similar to transactional leadership may lead to unintended consequences or worse. Imposing too much structure on employees could lead to an increase in counterproductive work behavior.[12] In other words, employees will react unkindly to a pushy boss in a variety of ways to push back against aggressive tactics. One negative action would lead to another in a transactional leader. Continued aggression could veer into territory that makes the environment ripe for unethical behavior. The transactional leader becomes oppressive or manipulative to compel people to do things that they would not otherwise commit under their own volition. Brown and Mitchell examined the difference between ethical and unethical leadership and described the corrosive effects of the latter and how unethical leadership can lead to ineffective functioning of organizations and even to their dissolution, such as in the high-profile cases of Enron and WorldCom.[13]

Research on ethical leadership indicates a self-perpetrating process that will reward itself. In other words, being morally good as a leader sets the tone and creates an atmosphere that would elicit equally moral behavior in people. A person would not have a motive to harm others. Employees will reciprocate in kind to a leader who demonstrates strong ethics.[14] By observing ethical behavior in their leader, employees are willing to support the organization in ways that go beyond their official job description.[15] An ethical leader will turn out ethical followers, bringing the good out of everyone.

Ethical leadership is aligned with other styles, namely empowering leadership and transformational leadership. A common theme in these styles is in their support for people’s well-being. These types of leaders do not force anyone to comply with rules. They can motivate people to follow along willingly. Transformational and ethical leaders support employees to show initiative and think proactively. And this way of leading could potentially result in innovation. If employees are made to feel empowered psychologically to try something new, they would be more than willing to experiment with a novel approach.[16] Simply saying the organization is innovative or that the leader values innovation is inadequate to produce an innovative product or service. People need to be reassured that there will not be repercussions in the event that their experiment fails. Finding a new approach often takes a number of failed attempts (trial and error) before success can be realized. The transformational leader in this regard nurtures people’s latent abilities by creating a safe environment.

Of course, nobody likes to fail. And this is where a narcissistic leader is left dumbfounded. The narcissist being so enamored with self-worth and pride cannot face up to the fact that he may have failed. It requires humility to see that a mistake was made. A humble leader who realizes that she had made a faux pas will accept it and change course immediately. This type of leader—the opposite of a narcissist—knows when an error was made and will make necessary corrections. Rather than pursuing the same course over and over again like a stubborn fool, the humble leader reassesses the situation, consults with others, and decides on the next best alternative solution.

Recent studies indicate that humble leadership is generally positive. Most important, humility transcends cultural boundaries. A humble leader can be seen in both Western and Eastern societies. Humility is associated with an empowering leadership style that increases employee commitment.[17] Companies led by humble leaders have proven to outperform earnings expectations in comparison to those companies led by narcissistic leaders.[18] Latest research belies the myth that being humble is somehow weak or inadequate. A humble leader can be just as strong as, if not better than, a narcissistic one.

The evidence from the literature is clear on the type of leadership that can bring people together and transform an organization or a country for the better. Choosing a strongman who imposes his will on others with coercion would result in frustration among his followers and a level of volatility that would not permit gains achieved in the short term to have any long-lasting positive effect. The outcome is an overall net negative to keep a strongman leader in power. Tolerating and accommodating a narcissistic leader is the worst thing to do, as the narcissist will relentlessly infiltrate and corrupt the entire system to the point of making the organization unrecognizable.

Is there a better choice?

There is a better choice. Companies and societies can choose an ethical leader who supports and nurtures people to perform at their absolute best. This type of leader does not need to resort to pressure or force to compel anyone to do anything, especially if it’s an illegal act. He knows how to motivate people through persuasion and communication to move them to act lawfully and responsibly. The ethical leader creates the conditions which are conducive to productivity, cooperation, and innovation. The outcome is a positive one where most people are likely to feel satisfied as gains accumulate steadily over time.

The difference in leadership styles cannot be starker. One can lead with an iron fist and leave people miserable. Or, one can lead with a compassionate heart and keep people content. Choosing one or the other will produce dramatically different outcomes.

I will end the essay with a quotation. Executive leadership, properly understood, is a selfless pursuit that puts ego aside. A leader has so many other things to worry about than to think about himself. He must think about others and lead them to where they need to go.

“Although usually perceived through individuals, leadership is a group process. Indeed, the literature on contemporary leadership emphasizes the idea that leadership itself is constantly being socially constructed, making it both subjective and a moving target.”[19]

Evidence for Practice

• Emerging research shows that humility provides value to an organization. A humble leader is not a sign of inadequacy but can work to develop the workforce and meet and exceed goals.

• An organization assumes tremendous risk and potential liabilities when it decides to be led by a person who exhibits narcissism, a personality disorder.

• A leader is not necessarily born with innate qualities but must continuously learn the craft of leadership, especially if he or she moves from one organization to another.

Next Steps for Leaders (the Governing Body, actually)

• Leaders need to be supervised just as much as subordinates do. A leader usually reports to a higher authority. This would be the Board of Directors, shareholders, a legislative council, or some other form of governing body. The leader’s supervisor (governing body) should review the performance of the leader on a regular basis to ensure that the leader is acting in accordance with established rules. The governing body should not be afraid to threaten the leader with disciplinary action, dismissal, or forced resignation.

• When searching for a new leader: the selection committee should find the right person who has a leadership style that matches the organization. A mismatch in personality, ethos, and standards could cause friction at best or be destructive at worst with current management and employees.

Share

Open for Discussion

What type of leadership is in your organization? Is it transactional, transformational, empowering, or ethical? Are you led by someone who nurtures your professional growth? Do you follow a leader who keeps everybody in their lane, never swerving off course? Feel free to submit your answers in the comment section. If you’re not comfortable sharing your experiences, you can talk to a specialist at Peaceful Governance Institute (PGI) in private; click this link to call the PGI hotline support.

Leave a comment

Hotline Support

Notes

1. Otto F. Kernberg, (2009) “Organizational Leadership in a Time of Ideological Turbulence,” Gregorianum 90(4): 821.

2. Supreme Court of the United States, (2026) “Learning Resources, Inc., et al., Petitioners v. Donald J. Trump, President of the United States, et al.,” No. 24–1287, 20 February 2026, Supreme Court of the United States: 20. (Accessed 20 February 2026 at https://www.supremecourt.gov/opinions/25pdf/24-1287_4gcj.pdf.)

The U.S. Supreme Court decided by a 6–3 ruling that President Trump does not have the authority to impose tariffs under the law that was invoked.

3. Gregg R. Murray, (2014) “Evolutionary Preferences for Physical Formidability in Leaders,” Politics and the Life Sciences 33(1): 42–43.

4. Elaine M. Wong, Margaret E. Ormiston, and Michael P. Haselhuhn, (2011) “A Face Only an Investor Could Love: CEOs’ Facial Structure Predicts Their Firms’ Financial Performance,” Psychological Science 22(12): 1481.

5. Arijit Chatterjee, and Donald C. Hambrick, (2007) “It’s All about Me: Narcissistic Chief Executive Officers and Their Effects on Company Strategy and Performance,” Administrative Science Quarterly 52(3): 375–380.

6. Constantine Sedikides, and W. Keith Campbell, (2017) “Narcissistic Force Meets Systemic Resistance: The Energy Clash Model,” Perspectives on Psychological Science 12(3): 404–408, 412.

7. W. Henry Lambright, and Madison M. Quinn, (2011) “Understanding Leadership in Public Administration: The Biographical Approach,” Public Administration Review 71(5): 784–785.

8. Montgomery Van Wart, (2013) “Lessons from Leadership Theory and the Contemporary Challenges of Leaders,” Public Administration Review 73(4): 561.

9. Van Wart: 561–562.

10. Yair Berson, Shaul Oreg, and Taly Dvir, (2008) “CEO Values, Organizational Culture and Firm Outcomes,” Journal of Organizational Behavior 29(5): 626–628.

11. Keith M. Hmieleski, and Michael D. Ensley, (2007) “A Contextual Examination of New Venture Performance: Entrepreneur Leadership Behavior, Top Management Team Heterogeneity, and Environmental Dynamism,” Journal of Organizational Behavior 28(7): 882–883.

12. Brian C. Holtz, and Crystal M. Harold, (2013) “Effects of Leadership Consideration and Structure on Employee Perceptions of Justice and Counterproductive Work Behavior,” Journal of Organizational Behavior 34(4): 504, 509.

13. Michael E. Brown, and Marie S. Mitchell, (2010) “Ethical and Unethical Leadership: Exploring New Avenues for Future Research,” Business Ethics Quarterly 20(4): 587–591.

14. Brown and Mitchell: 584–586.

15. Mitchell J. Neubert, Cindy Wu, and James A. Roberts, (2013) “The Influence of Ethical Leadership and Regulatory Focus on Employee Outcomes,” Business Ethics Quarterly 23(2): 276–277, 284–288.

16. Anne Nederveen Pieterse, Daan Van Knippenberg, Michaéla Schippers, and Daan Stam, (2010) “Transformational and Transactional Leadership and Innovative Behavior: The Moderating Role of Psychological Empowerment,” Journal of Organizational Behavior 31(4): 613.

17. Amy Y. Ou, Anne S. Tsui, Angelo J. Kinicki, David A. Waldman, Zhixing Xiao, and Lynda Jiwen Song, (2014) “Humble Chief Executive Officers’ Connections to Top Management Team Integration and Middle Managers’ Responses,” Administrative Science Quarterly 59(1): 51, 60–61.

18. Oleg V. Petrenko, Federico Aime, Tessa Recendes, and Jeffrey A. Chandler, (2019) “The Case for Humble Expectations: CEO Humility and Market Performance,” Strategic Management Journal 40(12): 1950, 1958–1959.

19. Van Wart: 562.

Subscribe now

Share

The president of a small company had caught his Information Technology (IT) manager at playing video games on a number of occasions. The leader finally had it and decided to fire the manager under the assumption that the manager wasn’t doing his job. What the president failed to understand was that his manager had kept the computer network operating flawlessly without a single instance of downtime. The network and computer systems were running so well and smoothly that the manager had plenty of free time on his hands. The manager said, “No worries,” and had accepted his boss’ decision. But just minutes before his departure, he installed some malicious code that would execute six months later and would self-destruct without leaving a trace of the act. The software time bomb did indeed go off, and the company’s financial system was toast. The president had no idea how it happened or whom to blame.

The foregoing dramatization is based on a true account. Damage to an information system may not always be attributable to an outsider who breaches the network perimeter. An information security disaster can be created by a privileged employee who has all the access provided to her by authority of her job position. The high-profile cases of Chelsea (Bradley) Manning and Edward Snowden should serve as a warning to corporations that the private sector needs adequate safeguards against insider threats just as much as government.[1] An insider can arguably do more harm to an organization’s data assets than a computer hacker can dream.

With cybersecurity becoming increasingly critical across all sectors of the economy, leaders must understand exactly who is a threat and not necessarily need to know what technical control can stop the threat. Technology is important, but it is not the be-all and end-all to protecting information. A security system can go down or be bypassed. What is equally important if not more is understanding the motivations and attitudes of individuals who may commit a cyberattack. “Technical solutions can identify occurrences but understanding human factors allows employers to act preventatively.”[2] Information security is not simply a matter of implementing technology but involves developing rules and standards for people to follow. Breaches of cybersecurity is a people problem—not a tech issue.

At a U.S. Senate committee hearing on 3 May 2017, the then-director of the Federal Bureau of Investigation, James Comey, responded to a question about addressing insider and outsider threats in the federal government. Director Comey answered, “Technically it is a matter of law and policy. It’s about the security culture inside our organizations.”[3] His point stressed the need for information security policies.

Who is an insider? Can an outsider also be an insider?

Rowlingson explored the definition of an insider and concluded that a person can vary by profile: technically skilled in computers in some and little knowledge of computers in others; employees in an organization and contractors affiliated with an organization; and computer users in a physical office and remote users who connect from home.[4] An insider isn’t necessarily someone who has deep computer knowledge to penetrate an IT system. An insider may be the least savvy prone to making mistakes. She may also be a partner not employed with the company but has a connection to the company’s records. It can be hard to detect or easy to overlook because employees are “often viewed as responsible, honest, and patriotic because of passing a background check…”[5] It is not unusual to see a good person turn rogue. This wider view of potential perpetrators expands the traditional definition of an insider.

Knowing all actors who could do harm leads to a question of why. What motivates a person to commit a breach? It must be noted that a security issue may not be malicious. A security violation may be unintentional or an innocent mistake made by a person who wasn’t trained or aware of the issue. Breaches can be either malicious or non-malicious.

Studies examined people’s proclivities to comply and not to comply with security policies. Individuals were found likely to break security rules when they learn techniques to rationalize their rule-breaking behavior to deny responsibility, to say that no one was harmed, or to explain that their act was warranted in order to complete a task.[6] The tendency to break rules could be countered by appealing to individuals’ beliefs on intrinsic benefits (accomplishment and fulfillment), intrinsic costs (guilt and embarrassment), vulnerability, safety of resources, and self-efficacy. Bulgurcu and team found that individuals who hold attitudes of intrinsic benefits and costs and have self-efficacy have the intention to comply with information security policies.[7]

Fear through the use of warning messages may play a role in compelling users to abide by security practices. An example of a warning message is a brief note that is automatically inserted at the top of an incoming email message that indicates it is from a sender unaffiliated with the recipient’s organization. Another example is a message that displays when a user is about to log in to her computer or to a website. The warning includes language that indicates the user may be fined or imprisoned for committing a prohibited act.

Research suggests that warning messages universally applied to all computer users could backfire. Fear-inducing messaging is a double-edged sword in view of self-efficacy. Johnston and Warkentin highlighted that some may choose to reduce their fear instead of acknowledging that a threat exists in compliance with the warning; and as a result, they suggested a recommendation “[to] devise a strategy in which end users are exposed to fear appeals with language suitable to their efficacy level.”[8] People with high self-efficacy may react differently when actions are forced upon them. Sending an automated warning may be effective for a recent new hire. The same warning, however, may not be effective when sent to an experienced employee who already knows how to handle himself.

Research has emerged to move beyond the analysis of tangible consequences of cyberattacks and into the domain of understanding human behaviors. In developing a comprehensive threat analytical model, Greitzer and Hohimer included in their model several psychosocial risk factors in which a concerning behavior such as disgruntlement, disengagement, poor performance, or self-centeredness could act as a trigger that provides a catalyst for a person to carry out a malicious act.[9] Along a similar vein, Willison and Warkentin followed the approach to examine offenders’ thought processes to understand what led them to be disgruntled, what caused them to have a perception of injustice, or how they’re able to rationalize away their responsibility.[10] A novel study formalized a theory for researchers to understand how employees across an organization can behave in certain positive ways to protect the organization’s data, converting insiders into stewards of information security.[11] The new concept would make cybersecurity a shared responsibility among all employees—not compartmentalized only for IT experts to manage.

Analyzing behaviors that pose risks would need to be presented in a format that is useful to take action by decision-makers. The literature indicates that a substantial amount of data would need to be collected on individuals in order to consider a range of human factors. How will all the data be summarized with a degree of coherence? And more importantly, can personal privacy be preserved in light of all the data that would be saved and stored?

A monitoring tool was proposed for the Department of Defense to measure user behavior that’s akin to the Fair Isaac Corporation (FICO) credit score. Along a similar purpose of FICO, which enables lenders to measure consumers’ creditworthiness, the User Online Risk Score (UORS) model, according to Roberts, would measure an employee’s risk level in using and accessing an organization’s information resources and IT systems. Capturing data on an employee’s use of login credentials, access to physical and digital information sources, visits to websites and the Dark Web, changes to work-related stressors and events such as demotions and complaints, and influences from external sources, UORS would report behaviors across seven dimensions in a dashboard viewable by the employee and actionable for management.[12] Not only would it benefit the organization in mitigating security risks, UORS would benefit the insider in that the computer user would be able to see for himself where he needs to make needed corrections.

The literature points out the problem of insiders as a major concern for information security. As physical boundaries are blurred with remote, telework, and hybrid work arrangements and organizations rely on contractors, grantees, and partners, the definition of who is an insider expands to include many individuals that hitherto would not have been considered. An outsider can indeed be an insider. Anyone of these actors could commit a cyberattack that causes serious harm to an IT system or leads to a considerable loss of records.

Monitoring holds the key to mitigating and preventing security breaches, whether they’re malicious or accidental. Technical tools can be implemented to monitor the operations of an organization’s physical and technological assets. But the same technology used to protect computer hardware and software may be useless or inappropriate in supervising humans. If technology is used to monitor people, technology can be neutralized through techniques of rationalizing personal actions. It becomes apparent that monitoring human behavior requires employing methods that are not created by computer scientists but rather are devised by behavioral experts. Tools and measures based on psychology and social behavior would be better suited at analyzing a person’s past actions and in predicting how the person may react in the near and distant future. Social scientific methods provide for the more appropriate means to evaluate people’s behaviors and actions.

While this essay has focused on the insider threat as a sub category under information security, conventional threats coming from outside an organization (examples such as an anonymous hacker and an enemy agent) continue to pose high risks to an organization. Management must remain vigilant on all possible security breaches and must be capable of handling both the outsider threat and the insider threat.

A final point that needs to be said is the potential for an organization to abuse its power in collecting too much data on anybody who has access to information. Not only would it raise administrative costs but reviewing too much activity may infringe on a person’s privacy and civil liberties. Not to mention the overly obtrusive monitoring—the “big brother” effect—can be creepy that may induce ill will among employees against their employer. Balance is necessary here to collect a certain, limited amount of data that effectively predicts future behavior, on one hand, and does not invade personal privacy, on the other hand. Securing data and the entire IT infrastructure should not come at the expense of individual freedom. Both data and privacy can and must be protected.

Evidence for Practice

• Organizations will be positioned to prevent security breaches when managers can identify and promptly address motivational factors or triggers in an employee’s behavior and attitude that would give rise to committing an information security violation.

• An information security policy needs to be crafted in a way that considers human behavior, intrinsic benefits, and intrinsic costs in people’s willingness to comply with mandated rules. Not doing so could enable individuals to break the rules and use techniques to rationalize their behavior to escape culpability.

• Fear tactics to force employees to comply with cybersecurity rules should be applied carefully with an attention on crafting nuanced warning messages tailored to different types of computer users. Security messages that play on human emotion may produce the opposite effect in certain individuals who already know the risks and take voluntary actions to protect themselves.

Next Steps for Leaders

• The head of the IT Department should consult with the head of the Human Resources (HR) Department on how their departments can collaborate on cybersecurity initiatives, security awareness training, and other related programming. Each department provides complementary expertise to implement an effective information security policy that’s human centered.

• The IT Department should evaluate current programs to raise awareness of security risks to determine if they’re producing desired effects. Security programs would need to be changed or adapted if they’re not achieving expected outcomes.

• The HR Department should review procedures on disciplinary action in cases of information security violations. How does the organization hold a person accountable for a security breach? Is there due process to allow for discovery of facts and a fair hearing of the alleged violation?

• The HR Department should review procedures on offboarding an employee for separation. Does the exit interview ask questions to ascertain whether the departing employee holds any grudges or negative attitudes toward the organization? Are all of the departing employee’s login credentials, access codes, and identification cards inactivated, so that nobody can use the credentials to gain access into any system or facility? Does the supervisor provide direct and immediate supervision as the departing employee completes final tasks in the last few days of employment?

Share

Open for Discussion

Have you witnessed or experienced a security breach in your organization? How did the organization respond? Do you talk about security risks and the potential threats in internal meetings? Feel free to submit your answers in the comment section. If you’re not comfortable sharing your experiences, you can talk to a specialist at Peaceful Governance Institute (PGI) in private; click this link to call the PGI hotline support.

Leave a comment

Hotline Support

Notes

1. Stew Magnuson, (2013) “Companies Ill-Prepared to Fend Off Insider Threats,” National Defense 98(720): 30.

2. Mike Patterson, (2019) “Insider Threats: More Than Just an IT Problem,” National Defense 104(790): 18.

3. U.S. Senate Committee on the Judiciary, Full Committee Hearing, (2017) “Oversight of the Federal Bureau of Investigation,” 3 May 2017, U.S. Senate. (Accessed 27 December 2025 at https://www.judiciary.senate.gov/committee-activity/hearings/05/03/2017/oversight-of-the-federal-bureau-of-investigation.)

“Senate Judiciary Hearing with FBI Director James Comey,” Transcript of meeting, 3 May 2017, CNN. (Accessed 27 December 2025 at https://transcripts.cnn.com/show/ath/date/2017-05-03/segment/02.)

4. R. R. Rowlingson, (2005) “Inside and Out? The Information Security Threat from Insiders,” Journal of Information Warfare 4(2): 27–28, 35.

5. William E. Kelly, (2018) “Insider Threats: Enemies Within Our Government,” American Intelligence Journal 35(2): 8.

6. Mikko Siponen and Anthony Vance, (2010) “Neutralization: New Insights into the Problem of Employee Information Systems Security Policy Violations,” MIS Quarterly 34(3): 489, 496, 499.

7. Burcu Bulgurcu, Hasan Cavusoglu, and Izak Benbasat, (2010) “Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness,” MIS Quarterly 34(3): 540–542.

8. Allen C. Johnston and Merrill Warkentin, (2010) “Fear Appeals and Information Security Behaviors: An Empirical Study,” MIS Quarterly 34(3): 562.

9. Frank L. Greitzer and Ryan E. Hohimer, (2011) “Modeling Human Behavior to Anticipate Insider Attacks,” Journal of Strategic Security 4(2): 41–43.

10. Robert Willison and Merrill Warkentin, (2013) “Beyond Deterrence: An Expanded View of Employee Computer Abuse,” MIS Quarterly 37(1): 1–20.

11. Clay Posey, Tom L. Roberts, Paul Benjamin Lowry, Rebecca J. Bennett, and James F. Courtney, (2013) “Insiders’ Protection of Organizational Information Assets: Development of a Systematics-Based Taxonomy and Theory of Diversity for Protection-Motivated Behaviors,” MIS Quarterly 37(4): 1189–1210.

12. Stephen A. Roberts, (2021) “DoD Has Over 3.5 Million Insiders – Now What?: A User Online Risk Score Framework To Reduce The Insider Threat,” The Cyber Defense Review 6(4): 124–126.

Subscribe now

Share

The chief executive officer (CEO) of a large corporation takes pleasure in threatening all of his employees to increase sales. He accosts his sales agents to “push, push, push, until they succumb!” Everyone has so much fear that they keep to themselves like hermits in their cubicles. A few individuals begin to show signs of distress. The CEO doesn’t care. He knows he can fire those souls and hire newbies to feed his hunger for endless growth.

In a team meeting, colleagues discuss a work-related topic. They share their experiences. Suddenly, one person raises his arm, points to the wall, and shouts an off-color remark. The entire room goes silent, stopping the conversation like hailstones hitting the window. The supervisor doesn’t say a word, appearing unfazed by the outburst as if it were a natural occurrence. The abradant colleague is known by everyone to create friction among the team from time to time.

Do these two fictitious personalities sound familiar? Did you encounter a similar situation? If yes, how did you feel? Did you feel demoralized?

The actions portrayed in the above examples can be described as workplace bullying, especially if the acts persist over time causing stress and emotional harm on others. Such acts are not illegal, but they are, nevertheless, disruptive in carrying out business. Insults, verbal abuse, and other unruly behaviors stop the flow of work. Some employees may find it difficult to complete assigned tasks. Left unchecked and unaddressed, unruly behaviors could affect the performance of the team. One’s work and the work of others will suffer as a consequence of what may seem like innocent conduct at the time but are in fact vicious or underhanded tactics.

Is there anything that can be done to stop unruly and outrageous behavior? Should a person fight back, remain silent, or quit her job?

Bullying and a closely related issue of harassment are growing concerns that can have detrimental effects on the well-being of workers. The academic literature shows that these types of negative behaviors have increased over the past few decades. Depending on the parties involved and the circumstances of the cases, studies indicate that the proportion of affected workers can vary from a low percentage to a large share of the workforce. One study that surveyed 17,524 U.S. workers across the private and public sectors reported 8.1% being harassed in the past 12 months and found that “workplace harassment [is] associated with significantly higher rates of serious mental illnesses, disrupted sleep patterns, and psychosocial distress symptoms.”[1] Another sample of the American workforce showed bullying to have a direct relationship with stress but an indirect one with mental health.[2] In other words, workers’ mental health decreases as bullying increases.

Workplace bullying can manifest itself in varied forms, which make it difficult to prosecute aggressive behavior. Behaviors of this sort can span a wide spectrum from physical assault to verbal abuse to emotional and psychological manipulation. The aggression can be non-sexual or sexual in nature and perpetrated by either sex. Both women and men can be a bully. And between the bully and the bullied is a power dynamic of one person trying to assert control over another person.

A framework has been proposed that examines all forms of aggression along a continuum, so that an investigator can evaluate relevant actions that led to the violent outburst and related consequences that followed after the incident. Berlingieri described how this framework can explain bullying in the context of organizational and social processes, changing the study of bullying from understanding why it happened to how it occurred.[3] Aggressive behavior doesn’t just erupt by chance but is a collection of interrelated issues that preceded the eruption.

The RAND Corporation has a model that evaluates whether a person has a propensity to engage in aggressive behaviors. Does the person have a preference for committing such an act? The individual “may have some degree of positive (or accepting) attitudes about the behavior and may have beliefs that rationalize or even glorify it.”[4] Such a person has a perverse idea to think, in his mind, that bullying or harassment is somehow a good thing to act out. This insight is instructive in getting to the root of the problem. Aggressive interpersonal behavior is a psychological problem.

By understanding a person’s preferences for certain types of behavior, Matthews and Farris explained how aggressive behavior can be reduced or even continued by the influence of peers and leaders. An individual’s propensity to engage in a particular act can be inhibited by disapproval of his peers or it can be stimulated by observing others in carrying out the deed.[5] Leadership and peer groups can set a good example by demonstrating positive attitudes and socially acceptable norms to combat aggressive behavior. Exhibiting the opposite by leaders and peers would perpetuate aggression.

Studying how positive interpersonal behaviors can counteract negative ones is an area of research in the literature. Lutgen-Sandvik and her team tested several hypotheses to evaluate how treating people with respect, soliciting feedback from others, and instituting virtues in an organization (the positive side) are related to bullying and bullying’s effects (the negative side) on the workforce. A key finding is that negative actions have a stronger influence over positive ones; moreover, positive outcomes would diminish as bullying continues.[6] This is not to say that positive interpersonal and organizational values contribute nothing. The study suggests that positive behaviors can strengthen mental health, which in turn can alleviate stress. Instituting positive attitudes and values brings benefits to the workforce.

Creating a positive atmosphere is a step in the right direction. But that still doesn’t address the root cause. There will be victims who would want to seek redress for a bully’s persistent acts. Are there legal remedies to help those who were violated?

Morris compared recent efforts to pass legislation in numerous states against the practice of existing tort law. Morris explained how intentional infliction of emotional distress (IIED) tort is more effective and flexible over a new law in that IIED tort can handle a wide range of cases of aggression and by contrast a statute could encourage frivolous claims and undermine protections against discrimination.[7] A growing body of IIED case law shows that a court would accept a workplace bullying case when extreme and outrageous behavior has persisted over a period of time and has demonstrated an intent to cause harm. Aggressive behavior is narrowly defined to refer to an act that is extreme and outrageous.

An act committed one time at random would not be allowed in a court of law. Only under certain circumstances where a single instance is egregious and malicious (such as in wrongful termination or a false accusation) would a single instance of bullying be allowed. The action by the perpetrator must be so bad to cause irreparable harm to the victim.

To summarize what can be done to deal with bullying in the workplace: a lawsuit may be pursued in cases where an extreme behavior has caused significant harm. Legal action, however, may be expensive and can take time to resolve. It would sustain tensions in the employer-employee relationship, ending in a permanent breakup.

Organizational policies such as zero tolerance or a complaint process may be implemented. But an internal policy has limitations. A policy prescription might not be followed if leaders don’t enforce it or employees perceive it as ineffective or a waste of time. Leadership needs to construct an anti-bullying policy that effectively addresses specific egregious behaviors and puts in place meaningful sanctions that unequivocally tell perpetrators that their abnormal acts are not acceptable.

An organization may establish a culture that reinforces virtues and certain positive values such as dignity, respect, and cooperation. Exhibiting these values throughout the organization (from the CEO down to the cleaner) provides a buttress to protect everyone against individual aggression. A bully may think twice about acting on his impulse when he knows that everyone would not accept such behavior. A positive environment might keep aggression at bay and in check.

However, a positive organizational culture by itself is not enough, as research indicates that continued bullying will diminish positivity’s effects. An organizational policy is necessary to stop aggressive behavior when it happens. Implementing a well-crafted policy coupled with positive values will cover all the bases to keep staff motivated and productive, on one hand, while preventing recurrences of abuse and violence, on the other.

Organizations have ways to deal with bullying and outrageous behavior in the workplace. It does not have to drag on for weeks or months to a point where it harms workers and affects performance. Workplace bullying can be managed. And the bully can be controlled.

Evidence for Practice

• Positive attitudes and virtues may diminish in currency in the face of incessant bullying.

• An effective anti-bullying policy must be precise in what particular types of aggressive behavior are socially unacceptable. This is dependent on organizational culture, because organizations will have differences in opinion in how aggression is interpreted in each organization.

• A civil action case may be brought to hold a bully and potentially his employer liable for damages.

Next Steps for Leaders

• Reexamine your human resources policy or personnel handbook. Do you have specific behaviors and acts identified as prohibited? What disciplinary actions do you take to handle the prohibited acts? Are supervisors trained on promptly identifying and addressing inappropriate behaviors?

• Review your grievance and complaint procedures and recent cases in the past 12 months. Were complaints resolved to the satisfaction of parties involved? Do you see any patterns or common issues arising from the complaints? Are employees aware of the procedures to know that they can submit their grievances confidentially? Your complaint procedures may need to change based on your review.

• Conduct an internal survey to ask your employees for their opinion on what they value. This will allow you to identify attitudes, values, and beliefs shared by your employees. It could further lead to identifying specific behaviors that most people would find unacceptable. Results of the internal survey will inform how you’ll define your organizational policy.

• Consider developing a code of ethics for all employees to follow. This will contribute to establishing professionalism in your organization.

Share

Open for Discussion

Have you witnessed or experienced bullying at work? How did your organization respond? When was the last time you discussed workplace culture and employee well-being in your meetings? Feel free to submit your answers in the comment section. If you’re not comfortable sharing your experiences, you can talk to a specialist at Peaceful Governance Institute (PGI) in private; click this link to call the PGI hotline support.

Leave a comment

Hotline Support

Notes

1. Jagdish Khubchandani and James H. Price, (2015) “Workplace Harassment and Morbidity Among U.S. Adults: Results from the National Health Interview Survey,” Journal of Community Health 40(3): 557, 559.

2. Pamela Lutgen-Sandvik, Jacqueline N. Hood, and Ryan P. Jacobson, (2016) “The Impact of Positive Organizational Phenomena and Workplace Bullying on Individual Outcomes,” Journal of Managerial Issues 28(1/2): 44.

3. Adriana Berlingieri, (2015) “Workplace Bullying: Exploring an Emerging Framework,” Work, Employment & Society 29(2): 346–350.

4. Miriam Matthews and Coreen Farris, (2022) “Harmful Interpersonal Behaviors in the Department of the Air Force: Informing Prevention and Response,” RAND Corporation: 5.

5. Matthews: 6.

6. Lutgen-Sandvik: 44–45.

7. Sarah E. Morris, (2016) “Tackling Workplace Bullying in Tort: Emerging Extreme and Outrageous Conduct Test Averts Need for Statutory Solution,” ABA Journal of Labor & Employment Law 31(2): 268–293.

Subscribe now