Intro to Quantifying Insider Risk

by Mike Tierney | Jan 31, 2017

Risk is one of those subjective concepts that usually fall into vague categories like “low” and “high” – labels that have very little meaning on their own and only gain value when you tie them to actions (which we will cover later in this guide). To properly quantify the insider risk within your organization, we first want to walk you through how to begin thinking about insider risk, as it is a more fluid and shifting concept than, say, the static risk assessment of whether your systems and applications are completely up to date on their patches.

What Does It Mean To "Quantify Your Insider Risk"?

It goes beyond simply establishing “are we at risk” (like assigning your company a DEFCON value), as that has no specific actionable outcome when it comes to individual employees. Quantifying your insider risk is about understanding the positional risk each role within the organization inherently carries, based on criteria such as its access to data and systems, and then making that understanding actionable by putting controls in place to detect, and ultimately prevent, insider risk.

Quantifying insider risk is also not a one-time exercise. It is about knowing, on an ongoing basis, where your insider risk is before it impacts the organization.

Before you begin, it’s critical to understand the four fundamental “laws” of the dynamic nature of insider risk.


Every position has an inherent risk level

Risk has a lot to do with the data a given position in the organization has access to. This makes employees like privileged IT an obvious candidate. While they, too, need to be monitored, everyday users – such as a sales person with access to customer records, or a scientist at a drug company developing a new drug – can also pose a threat to the organization.


Every employee represents a potential risk

If you take the position that every employee and contractor carries some level of risk, regardless of how long they have worked at the organization, you set yourself up for success. New employees, who have not yet built up any loyalty to the organization as a whole, are always a possible risk. Those who have been employed for some period of time can become disgruntled due to changes in the organization that impact them personally. Tenured employees are also susceptible to the thought that, having put many years into the organization’s success, they are entitled to more than just their current compensation. This does not mean you cannot or should not trust your people. It does mean that you should confirm your trust through verification.


Insider risk is constantly shifting

Unlike other forms of risk that are static and can simply be addressed and eliminated by making specific changes, insider risk is a shifting threat – the risk fluctuates, causing the organization’s focus to move from one person of interest (POI) to another over time. Previously loyal employees and contractors can go through changes in their personal life (e.g. taking on additional debt, addictions, etc.) or in their career (e.g. being passed over for a promotion) that shift their loyalties from the organization to themselves.


Insider threat actions are almost always preceded by leading indicators

Insiders are people. So it should come as no surprise that threat actions don’t occur in a vacuum, but nearly always follow other events or actions. In 92% of insider threat cases, the threat actions are preceded by a negative work event (such as being passed over for a promotion).¹ These events leave digital exhaust that can be used to detect them, but they also show up in ways that can simply be observed – if you are looking for them.

As you can see, insider risk begins the day a position is filled with, well, an insider. It continues to exist all the way through (and sometimes beyond) their last day of employment or engagement. This can make the task of effectively dealing with insider risk daunting. But if you invest some time in the groundwork of quantifying who poses a risk and to what degree, you can focus efforts on those truly posing an active risk, and attain the goal of proactively identifying threat indicators or behavior – protecting both the organization and its employees.

So, what steps do you need to take to quantify and address insider risk?

To quantify your insider risk, you need to address the following steps that will be covered throughout the remainder of this guide:

  1. Involve the right people within the organization – How you define and address insider risk is something that will involve a number of positions within the organization.
  2. Adjust your hiring process to address insider risk – Preventing insider risk starts with specific actions taken on an employee’s very first day.
  3. Define risk levels – Defining the risk each position carries will serve as the basis for establishing the levels of controls necessary every day through the end of employment.
  4. Align risk levels with everyday controls – Based on positional risk scores, you will determine which controls should be in place to detect and identify insider risk.
  5. Address risk during your termination process – Whether an employee is quitting or is being terminated, specific steps need to be taken to ensure no data is inappropriately taken.