
Espionage, nudge theory and the office fridge: Why the Netherlands understands that insider risk is all about us humans.

Chris M.

If you’ve ever taped a note to the office fridge stating, “John, please stop stealing my oat milk” (Sorry John, but we all know it’s you!), you’ve already dabbled in nudge theory, the subtle art of influencing human behaviour. 

The Dutch Approach: Proactive, Not Punitive 

In early 2025, the Netherlands brought nudge theory into the mainstream by passing the Espionage and Internal Threat Prevention Act. This law made headlines not for its punitive reach, but for its proactive posture. Instead of only criminalising insider espionage, it nudges organisations to build better internal security practices. The Act requires behavioural monitoring, internal ethics, workplace culture, and employee wellbeing as key pillars for maintaining national security. 

This legislative move reflects a growing recognition: insider threats are driven by human behaviour, and preventing them requires more than firewalls and access controls. It demands understanding why insiders (employees, contractors, and trusted personnel) deviate from norms in the first place.

Why Security Conversations Should Start with People 

Security discussions often focus on external threats: nation-state actors, ransomware groups, or phishing campaigns. However, insiders are uniquely positioned to cause harm. They have legitimate access, deep institutional knowledge, and, often, unmonitored autonomy.

Many organisations employ screening techniques to identify those unsuitable for sensitive roles. Yet even the most robust processes can be fallible. Recent history is littered with insiders who, despite passing thorough vetting, later became sources of chaos. Edward Snowden, for example, passed one of the most effective screening processes to date, yet committed one of the most impactful acts of espionage in history. His decision only materialised years after his Top-Secret clearance was granted, following a long period of loyal service. 

The key question is: does something change in an individual before they become a threat? 

The Psychology of “They Deserved It” 

Do you know colleagues who feel unfairly treated at work? Do they have access to sensitive IP or customer data? Jerald Greenberg’s (1990) research on organisational justice offers food for thought. When employees perceive a lack of fairness or transparency, trust erodes. Resentment festers. Retaliation becomes rationalised. Insider incidents often begin not with a plan, but with a feeling. 

Burnout and Accidental Risk 

Most insider threats are not malicious. They are human. They are exhausted. From Maslach & Jackson’s burnout research (1981) to Agnew’s General Strain Theory (1992), the data is clear: when people feel under sustained pressure, risk tolerance increases and decision-making suffers. Corners are cut, training is bypassed, and phishing attempts succeed, sometimes catastrophically. 

This is where “nudging” at the policy level, as the Dutch have demonstrated, can have a real-world impact by encouraging organisations to monitor not just work practices, but morale. 

The Power of Trust and Authority 

The infamous Milgram experiments of 1963 proved what many security professionals suspected: people will do the wrong thing if someone in authority tells them it’s appropriate. Levine’s 2010 study further showed that humans are poor at detecting deception. Insider risk is less about the obvious thief in the night, and more about the human environment, unmonitored and unchecked.

Spotting the Signs Before It’s Too Late 

Insider incidents rarely come out of nowhere. Shaw and Fischer’s “Ten Tales of Betrayal” (2005) laid the groundwork for understanding pre-incident behaviours: sudden financial distress, policy violations, changes in demeanour. These signals are subtle, but they are there; we just need to look. And like any good nudge, the key is noticing the behaviour before the damage is done.

How the Dutch Linked Psychologists and Office Fridges 

By understanding one inalienable truth: humans respond better to cues than commands. The Netherlands’ Espionage and Internal Threat Prevention Act is not designed to punish, but to prompt. It pushes organisations to adopt behavioural monitoring, ethical leadership, and mental health support, not because they must, but because it is clearly advantageous. Just as putting fruit at eye-level in a cafeteria nudges people to eat better, shaping the culture, environment, and systems around employees nudges them toward secure, ethical choices.

Take Action: Change Behaviour, Change Outcomes 

Insider risk is not just a technology problem or a compliance checkbox. It is a psychological puzzle. Whether you’re a government, a global enterprise, or simply someone guarding oat milk in the office fridge, the principle remains the same: change the behaviour, change the outcome. 

What can your organisation do today to nudge employees toward better security habits? Start by focusing on culture, communication, and wellbeing, because the best security starts with people. 

Ready to Build a Culture of Security?

Empower yourself and your organisation to recognise, prevent, and respond to insider risks.
Signpost Six’s Insider Risk Awareness offers interactive e-learning and expert-led workshops designed to raise awareness and foster a proactive security culture.
