Step 3 of 5 to Quantifying Insider Risk

by Mike Tierney | Feb 08, 2017

Define Risk Levels

In order to establish controls that allow the organization to properly detect insider risk, you must first know where you should be looking. Each position within your company has a relative level of risk associated with it. For example, a position that has access to and works directly with intellectual property puts the organization at a much higher level of risk than one with limited access to customer contact data. A measured response is needed for each position, relative to its level of risk. Put too little emphasis on monitoring risky users and your organization will become the victim of an insider attack. Put too much emphasis on "eyes on glass" monitoring of users that pose no real risk to the organization, and you will have wasted time, budget, and energy.

How Should You Assign Risk?

So, you can see that it is important to first assign risk levels and then, based on the risk assessment, make decisions on the controls that should be in place. There are a few levels at which you can assess and assign risk:

  1. Based on Position – Risk can most easily and accurately be assigned by looking at a given role or position within the organization. While the person occupying a position may change over time, the position itself will have similar access, working locations, employee autonomy, etc.
  2. Based on Department – In some cases, an entire department – regardless of specific role – presents a similar risk to the organization based on their access to confidential information, an ability to transmit/export data, etc. A good example is the Sales department.
  3. Based on an Individual – In extreme cases, an individual may have extensive access to company data regardless of title, position, or functional role, such as the founder of a company.

The goal is to quantify a degree of risk using some method of scoring (it can be a 1-10 scale, A-F grading, or even a set of Y/N questions where you add up all the Y answers). The calculation method matters less than working through the risk-assignment process and doing it consistently. The scores should be determined using a mix of objective and subjective criteria (the subjective ones inject the organization’s own view of the risk a position, department, or individual poses), such as:

  • Access to confidential information
  • Ability to export data
  • Ability to freely transmit data over unsecured channels
  • Amount of supervision
  • Whether they work locally or remotely
  • How much damage a given employee (by department, position, or as an individual) could do if they decided to steal information

The list above is by no means comprehensive, but does provide direction around the types of criteria you should use to start developing a scoring system. The focus should be on the ways any employee can pose a risk to your organization, and how detrimental the repercussions of malicious actions would be if they were to be taken by a given employee.

Once you have decided upon and finalized the questions used on your risk scoring worksheet, along with the associated scoring method, you will work through each of the positions, departments, and individuals, and have a number of scores.

See Guide Essentials: Quantifying Positional Risk Worksheet – use this worksheet to see examples of how you might assign risk scores.

It’s important that the criteria be applied consistently across every single position, department, and individual. Why? Because when you run your very first assessment of risk and, based on your model, come up with a risk score of, say, 7, what does that even mean? Right. Initially, nothing.

It’s only once you look at various positions, individuals, and departments, see the similarities and differences in how you scored each, and use those comparisons to group the raw scores into simpler levels – such as Low, Medium, and High (shown below) – that the scores gain meaning. Those levels then correspond to the everyday controls you will implement to detect and prevent risk (detailed in the next section).
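As an added example that is not part of the original article, the worksheet below scores a handful of constructed positions with weighted Y/N questions drawn from the criteria above, then derives Low/Medium/High levels by comparing the scores with each other rather than reading any single score in isolation. The criteria names, weights, and sample answers are assumptions for illustration.

```python
# Added example, not from the article: a minimal positional-risk worksheet.
# Criteria follow the article's list; weights and sample answers are constructed.
CRITERIA = {
    "confidential_access": 3,    # access to confidential information / IP
    "can_export_data": 2,        # ability to export data
    "unsecured_transmit": 2,     # can freely transmit over unsecured channels
    "low_supervision": 1,        # little day-to-day supervision
    "works_remotely": 1,         # works remotely rather than on site
    "high_damage_potential": 3,  # damage done if this role chose to steal data
}

def score(answers):
    """Weighted count of the questions answered yes (a missing key is 'no').
    Unknown questions are rejected so every assessment uses identical criteria."""
    unknown = set(answers) - set(CRITERIA)
    if unknown:
        raise ValueError(f"criteria not on the worksheet: {sorted(unknown)}")
    return sum(w for name, w in CRITERIA.items() if answers.get(name, False))

def assign_levels(scores):
    """Group raw scores into Low/Medium/High by comparing them with each other:
    the observed range is split into three equal bands, so a lone score of 7
    means nothing until other positions have been scored as well."""
    lo, hi = min(scores.values()), max(scores.values())
    step = (hi - lo) / 3 or 1          # avoid a zero-width band if all scores tie
    levels = {}
    for name, s in scores.items():
        if s < lo + step:
            levels[name] = "Low"
        elif s < lo + 2 * step:
            levels[name] = "Medium"
        else:
            levels[name] = "High"
    return levels

# Constructed worksheet answers: three positions and one individual (the founder).
WORKSHEET = {
    "R&D engineer": dict(confidential_access=True, can_export_data=True,
                         low_supervision=True, works_remotely=True,
                         high_damage_potential=True),
    "Sales rep": dict(can_export_data=True, unsecured_transmit=True,
                      works_remotely=True),
    "Receptionist": {},
    "Founder": dict(confidential_access=True, can_export_data=True,
                    unsecured_transmit=True, low_supervision=True,
                    works_remotely=True, high_damage_potential=True),
}

def assess(worksheet=WORKSHEET):
    """Score every entry, then derive the levels from the comparison."""
    scores = {name: score(a) for name, a in worksheet.items()}
    return scores, assign_levels(scores)
```

Re-running `assess()` after a periodic review with updated answers regenerates both the scores and the level bands, so a position's level can move even if its own answers did not change.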

Lastly, because risk will shift over time as new technologies, security policies, and IT processes are put in place, it’s important to perform a periodic review process to ensure the correct risk levels are assigned (and, therefore, risk controls are in place). This can be quarterly, semi-annually, or annually. You’ll need to decide how often to review both the questions and scoring system used.

Once a risk score has been defined for a given position, department, or individual, it should be communicated: to HR, to empower them as a source of intel around personal and personnel issues that may signify a need for elevated scrutiny by your security team, and to the security team itself, so they can align proactive measures to risk.