Working PIby Carlos R. Salazar, MSCJ, CFE
Why do bad actors win? Let us save the suspense and get straight to the answer of the question.
The Big Reveal Upfront
Bad actors win because they are more committed and prepared to perpetrate the bad act than the targeted stakeholder is committed to prevent it. In other words, we allow them to win.
Let that sink in.
This is not merely an uncomfortable truth, it is the fundamental operational reality across every sector tasked with safeguarding people, institutions, and assets. Whether in corporate intelligence, financial crime mitigation, law enforcement, cybersecurity, or child protection, bad actors thrive because they approach their objectives with relentless focus, strategic adaptability, patience, and an unwavering commitment to success—while their opposition is often reactive, fragmented, and bureaucratically constrained.
This is not due to a lack of intelligence or resources. It is due to a failure of mindset, strategy, and execution.
For too long, governments, corporations, and regulatory bodies have clung to outdated models of security and risk mitigation, operating under the illusion that compliance equates to protection, that deterrence is enough, or that bad actors will eventually be stopped through conventional means. They will not.
Simple questions, such as “Why do bad actors succeed?” have profound implications. Yet, suppose we refuse to acknowledge the true answer. In that case, we will continue down the well-worn path of reactive protocols, regulatory catch-up games, and passive defenses—all while bad actors innovate, pivot, and exploit vulnerabilities faster than we can close them.
The uncomfortable truth is that society has been playing defense in a game where bad actors are always on offense. If we seek to change the outcome, we must change the approach. We must outmatch their commitment, surpass their adaptability, and dismantle the very conditions that allow them to thrive. This is not just about strengthening laws, tightening controls, or deploying better technology, it is about fundamentally shifting the way we think, act, and fight back.
The question is no longer why bad actors win. The real question is: When will we finally stop letting them?
The Psychology of Bad Actors
Commitment to Success—Bad actors often exhibit a steadfast commitment to their deceptive behaviors and bad acts. Unlike their victims, who often underestimate potential threats, bad actors approach their craft with purpose, focus, and adherence to lessons learned and best practices.
• Intrinsic Motivation: Bad actors are driven by an intense internal determination, that is not merely rooted in the desire for monetary gain, but also from the exhilaration of outsmarting others. Their commitment is exponentially amplified by lacking ethical constraints, allowing them to easily bypass all social norms of morality and decency.
• The Dark Triad Traits: Psychological traits such as narcissism, Machiavellianism, and psychopathy—collectively known as the Dark Triad—enable bad actors to operate with impunity, confidence, and cunning. Narcissism provides them with a sense of superiority, Machiavellianism refines their manipulative abilities, and psychopathy suppresses any feelings of remorse, allowing them to exploit their victims without reservation. (The Dark Triad—comprising narcissism, Machiavellianism, and psychopathy—was first identified by psychologists Delroy Paulhus and Kevin Williams (2002) as a framework for understanding the three manipulative and exploitative personality traits.)
Adaptability and Innovation: Bad actors are nothing if not adaptable. Their ability to pivot, innovate, learn from failures, and capitalize on “best practices” keeps them ahead of the victims they target.
• Flexibility in Tactics: Bad actors continually learn from their mistakes and evolve, whether by exploiting complacency, regulatory loopholes, adjusting to new technologies, or pouncing on evolving market conditions and prevailing sentiments. Their ability to pivot without hesitation allows them to stay ahead of defenses.
Consistency in Efforts: Bad actors are not dissuaded when their efforts are temporarily thwarted or initially unsuccessful. They will find a way to carry out the bad act and their commitment will often far outlast the commitment of their target to protect itself.
• Persistent Targeting and Exploiting Vulnerabilities: Bad actors systematically probe for weaknesses, whether in systems, processes, or human behavior. Their persistence often pays off—they are willing to invest their patience to exploit vulnerabilities.
• Learning From Failure: Bad actors approach failure not as an end, rather as a learning opportunity. They analyze unsuccessful attempts to refine their techniques, increasing their success rate over time.
(story continues)
Victim Vulnerabilities
Bad actors not only thrive due to their strengths, but also due to the weaknesses of their victims or the weaknesses of the stakeholders charged with protecting the intended victim. Complacency, ignorance, and overconfidence in prevailing defensive measures create fertile ground for the exploitation of those they target.
• Overconfidence: Many individuals and organizations believe they are immune to bad acts based on their belief that they are impervious to victimization. Moreover, many organizations also fall into a false sense of security, believing that they are protected against bad actors by merely having codified operational protocols in place.
• Complacency and Reactive Thinking: Instead of anticipating threats, many organizations only respond after an incident occurs. This reactive model ensures that bad actors remain ahead, consistently identifying new gaps prior to the implementation of preventive measures.
• Bureaucratic Inefficiencies and Resistance to Change: In many sectors, outdated protocols, slow-moving bureaucracy, and resistance to innovation create vulnerable environments where bad actors thrive. As post-incident organizational reactive debate commonly ensues, bad actors continue to move forward with speed, precision, and commitment.
Applicability Across Sectors and Ignoring the Red Flags
The psychological composition of bad actors—combined with the corresponding vulnerabilities of their targets, is not confined to any single domain. This dynamic is pervasive across the socio-economic landscape, affecting industries, institutions, and societal structures. Whether in corporate intelligence, fraud risk mitigation, criminal justice, or child abuse and exploitation, the patterns remain the same: bad actors persist, adapt, and exploit weaknesses, while those responsible for prevention often react too late or relegate red flags to innocuous occurrences.
1. Corporate Intelligence: In the realm of corporate intelligence and competitive business strategy, bad actors thrive by leveraging deception, human behavioral vulnerabilities, data manipulation, and insider threats. Organizations that fail to prioritize proactive intelligence gathering and risk assessments become susceptible to corporate espionage, intellectual property theft, and fraudulent financial schemes.
Ignoring the Red Flags:
• Overlooking suspicious insider behavior and assuming loyalty from long-term employees.
• Failing to conduct human intelligence-based comprehensive due diligence before mergers, acquisitions, or partnerships.
• Relying solely on compliance-based security, rather than dynamic, intelligence-driven countermeasures.
2. Fraud Risk Mitigation and Financial Crimes: Bad actors capitalize on gaps in oversight, trust-based systems, and regulatory loopholes. From investment fraud and identity theft to large-scale financial crimes, their success hinges on victims being either unaware or unwilling to acknowledge their vulnerabilities.
Ignoring the Red Flags:
• Underestimating the sophistication of fraud schemes, assuming bad actors only use unsophisticated tactics.
• Failing to continuously update fraud detection protocols, leaving outdated security measures in place.
• Overreliance on automated fraud prevention without human intelligence to identify evolving threats.
3. Criminal Justice and Law Enforcement: In criminal justice, bad actors—whether violent offenders, organized crime figures, or cybercriminals—exploit procedural inefficiencies, legal loopholes, and systemic blind spots to avoid detection and prosecution.
Ignoring the Red Flags:
• Law enforcement agencies often prioritize reactive responses over intelligence-led policing.
• Judicial systems may fail to recognize repeat patterns of behavior among criminals who exploit procedural delays.
• Lack of interagency cooperation often allows bad actors to move freely across jurisdictions, exploiting fragmented intelligence-sharing.
4. Child Abuse and Exploitation: Few areas illustrate the commitment, adaptability, and persistence of bad actors more than child exploitation and abuse networks. Predators operate with methodical patience, leveraging digital platforms, exploiting lax one-to-one interaction policies in youth sports, legal technicalities, and the reluctance of organizations to confront uncomfortable truths.
Ignoring the Red Flags:
• Underestimating the lengths predators will go to groom/exploit children.
• Failing to enforce strict oversight in adult/coach-to-minor interactions where exploitation often takes root.
• Institutional inaction, where organizations prioritize their reputation instead of confronting blatant grooming and abuse allegations head-on.
A Universal Lesson: Vigilance and Proactive Strategies
The common thread across these sectors is that bad actors do not succeed in isolation—they thrive as their victims underestimate them, the stakeholders charged with protecting others ignore warning signs or resist necessary changes, and the fallacy of “That will not happen to my business, organization, or child.” Breaking this cycle requires:
• Proactive Vigilance: The process whereby red flags are acknowledged and investigated immediately.
• A Shift From Passive Compliance to Proactive Intelligence: Understanding that prevention is not a static process but a constantly evolving effort.
• A Cultural Change: In risk management, where commitment to countering bad actors matches (or exceeds) their commitment to exploitation.
• Education and Awareness: Where public, private, and non-profit sectors, pursue educational campaigns that are empowered to go beyond the basics, to make an impact on potential victims, corporate and individuals alike.
• Insular Knowledge Sharing: For internal collaboration between sectors, law enforcement, and other stakeholders is key to limiting the open-source intelligence available to bad actors. By sharing closed-circuit intelligence, insights, and best practices, organizations reduce vulnerabilities and empower those they protect.
(story continues)
The Takeaway: Our Turn to Win
Until stakeholders embrace these principles across industries, bad actors will continue to win—not because they are inherently superior, but because they are simply more prepared, more persistent, and more committed than those tasked with stopping them.
That ends now.
We have the power, intelligence, and the capability to shift the tide. What has allowed bad actors to thrive is not their brilliance but our collective hesitation—our tendency to stay within the safety of outdated protocols, our reliance on reactive measures, and our failure to anticipate and adapt at the same relentless pace as those who seek to exploit us.
It is time to change the mindset. Prevention is no longer a passive function—it must be a proactive, ongoing pursuit that mirrors the same commitment, persistence, patience, and adaptability that bad actors have leveraged. From corporate boardrooms to courtrooms, from regulatory agencies to local communities, from youth sports to criminal investigations, we must forge a culture that refuses to be complacent, unprepared, or outmaneuvered.
The key to winning is not just acknowledging vulnerabilities, it is owning the responsibility to counter them with an unwavering commitment to vigilance, intelligence, and action. The battlefield is not theirs to dominate. It is ours to reclaim.
Winning requires more than acknowledging the problem—it demands action. The fight against bad actors must be waged with the same relentless adaptability, strategic foresight, and unyielding commitment that they employ. No single institution can combat these threats alone. This is a collective mission, requiring a unified front from intelligence and investigative professionals, national governing bodies, the private sector, law enforcement, and beyond.
Marching Orders for Those on the Front Lines
For the Intelligence Community and Investigative Professionals:
• Be Proactive, Not Reactive: Intelligence gathering must move beyond responding to past incidents and shift toward predictive analysis and preemptive action.
• Disrupt the Playbook: Study how bad actors innovate and get ahead of their adaptation cycles before they exploit new gaps.
• Cross-Industry Collaboration: Intelligence–based strategic alliances between the public and private sectors can expose vulnerabilities before they are exploited.
• Leverage Human Intelligence (HUMINT): While digital forensics and OSINT (Open-Source Intelligence) are powerful tools, the human factor—source networks, behavioral analysis, and proactive insider threat mitigation remains a critical yet underutilized asset.
For National Governing Bodies and Regulatory Agencies:
• Close the Gaps Before They Are Exploited: Regulations must evolve at the same pace as threats. This means real-time intelligence sharing and a commitment to reducing bureaucratic inertia that slows policy changes.
• Legislation That Empowers, Not Hinders: Laws should not simply penalize crime after the fact—they should incentivize proactive risk mitigation and enhance private sector collaboration in intelligence sharing efforts.
• International Cooperation is Non-Negotiable: The fight against financial crime, cybercrime, and transnational threats cannot be won in isolation. Geopolitical intelligence alliances must be fortified to disrupt cross-border criminal enterprises.
For the Private Sector:
• Security is a Business Imperative: Too many companies treat risk mitigation as an afterthought until they become victims. Risk intelligence and fraud mitigation must be built into corporate DNA.
• Combat Complacency at the Leadership Level: Executives must stop assuming “it won’t happen to us” and invest in forensic due diligence, internal threat assessments, and real-time intelligence feeds.
• Zero Trust Beyond Cybersecurity: The principles of Zero Trust—assuming that every access point, insider, and external vendor could be compromised—should be applied to all levels of business operations.
For Law Enforcement and Criminal Justice Systems:
• Break the Cycle of Reactive Policing: Intelligence-led policing must take precedence over traditional, case-by-case response models.
• Dismantle Criminal Networks, Not Just Isolate Incidents: Criminals operate in ecosystems. Addressing only the immediate crime without dismantling the infrastructure that enables it, is a losing strategy.
• Enhanced Interagency Communication: Fragmented intelligence is a gift to bad actors. Federal, state, and local agencies must share actionable intelligence seamlessly and in real time.
A Unified Call to Action
The solution to winning is not in isolated efforts, but in a collective, innovative, proactive, and committed approach across all sectors.
• Cease Underestimating Bad Actors: They are more organized, more persistent, and often more innovative than we give them credit for.
• Challenge Institutional Complacency: The illusion of security is more dangerous than the acknowledgment of vulnerability.
• Committing to Adaptability: Risk landscapes evolve daily—our response must be just as dynamic.
The battlefield is not theirs to dominate, but ours to reclaim. The time for passive defense is over. It is our turn to win.
About the Author
Carlos is an Executive Corporate Intelligence Leader, Certified Fraud Examiner, multi-industry contributor, and public speaker with 35 years of combined experience in law enforcement, major crimes, and private-sector corporate consulting. He is well known for leading high-stakes engagements across multiple industries domestically and internationally. He is also a Multi-Sector Entrepreneur and Founder / Advisory Board Chair of C. R. Salazar Intelligence Group. Connect with Carlos on LinkedIn at: Linkedin.com/in/carlos-r-s-a2a75b117
We’re always listening. Send your story submission/idea to the Editor: kendra@orep.org.
