Insider Risk: Defining the risk equation
Many corporations invest significant resources to improve their defenses against external threats but too often fail to adequately protect themselves from internal risks—risks created by insiders with direct access to critical corporate assets. Neutralizing internal threats is as important to strengthening overall security and reducing organizational risk as protecting against external attacks.
Today’s insider risk programs typically rely solely on mitigation as the remedy to address every insider risk. But this approach leaves out critical measures to address all components of risk. To execute a successful insider risk program, the entire organization must be engaged to accurately evaluate key factors that contribute to risk: threats, vulnerabilities, and assets.
The Risk Equation
While definitions of risk vary, for the sake of simplicity, I’ll refer to the following classic equation:
Total Risk = f(Threat × Vulnerability) × Asset Value
Total risk is a function of the threat/vulnerability pairing and the asset value. Asset valuation may be expressed in quantitative (e.g. monetary) terms, qualitative (e.g. relative importance) terms, or a hybrid employing both criteria.
This formula also serves assessment purposes: residual risk can be calculated by subtracting the control gap, or the efficacy of the applied countermeasures, from the calculated total risk.
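As an added worked example (not part of the original post), the following Python risk register applies the equation above to a few constructed assets and derives residual risk from countermeasure efficacy. It assumes f is plain multiplication, that every factor is scored on a 1-5 ordinal scale (qualitative labels are mapped onto that scale for the hybrid case), and that efficacy is the fraction of total risk the controls remove.

```python
# Added example, not from the original post: a small insider-risk register
# applying Total Risk = f(Threat x Vulnerability) x Asset Value and deriving
# residual risk by subtracting countermeasure efficacy.
# Assumptions: f is multiplication, factors are 1-5 ordinal scores (qualitative
# labels map onto that scale), efficacy is a 0-1 fraction of total risk removed.

RATING = {"low": 1, "moderate": 3, "high": 5}  # qualitative -> ordinal mapping


def score(value):
    """Accept either an ordinal 1-5 score or a qualitative rating label."""
    if isinstance(value, str):
        return RATING[value.lower()]
    if not 1 <= value <= 5:
        raise ValueError(f"score out of range: {value}")
    return value


def total_risk(threat, vulnerability, asset_value):
    """Total Risk = f(Threat x Vulnerability) x Asset Value, with f = multiply."""
    return score(threat) * score(vulnerability) * score(asset_value)


def residual_risk(total, control_efficacy):
    """Subtract the share of total risk that the applied countermeasures remove."""
    if not 0.0 <= control_efficacy <= 1.0:
        raise ValueError("efficacy must be a fraction between 0 and 1")
    return total - total * control_efficacy


def rank_register(register):
    """Return (asset, total, residual) tuples, highest residual risk first."""
    rows = []
    for asset, threat, vuln, value, efficacy in register:
        total = total_risk(threat, vuln, value)
        rows.append((asset, total, residual_risk(total, efficacy)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample register (hypothetical assets, not from the post):
# (asset, threat, vulnerability, asset value, control efficacy)
SAMPLE_REGISTER = [
    ("source code repo", "high", 4, "high", 0.6),
    ("HR records", "moderate", 2, 5, 0.8),
    ("marketing drafts", 2, "low", 1, 0.0),
]

if __name__ == "__main__":
    for asset, total, residual in rank_register(SAMPLE_REGISTER):
        print(f"{asset:18} total={total:3d} residual={residual:5.1f}")
```

Ranking by residual rather than total risk is what shows where the remaining control gap is largest after existing countermeasures are credited.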
When addressing insider challenges, the commercial enterprise should focus on managing the associated risks, taking into account the threats, related vulnerabilities, and affected assets.
There are myriad tools on the market for detecting insider threats based on indicators from structured data sources, e.g. databases, logs, and spreadsheets. The difficult part of threat detection is processing messy, unstructured data sources such as social media, emails, and metadata, which also requires non-technical means and administrative controls.
With a lack of widely adopted standards and few compliance requirements for insider risk programs outside the Federal Industrial Security realm, assessing where an organization’s insider vulnerabilities reside can be challenging.
Identifying what deserves the greatest protection is perhaps the most fundamental, yet most overlooked, aspect of an insider risk program. Tangible and intangible critical assets need to be identified, categorized, labeled, and given appropriate physical, logical, and administrative controls.
Accounting for all parts of the risk equation requires collaboration across the entire enterprise to manage its insider challenges properly. When considering the risk equation's three contributing factors, the singular means of mitigation used to address insider threats needs to be expanded into a comprehensive array of risk treatments.
Stay tuned for my upcoming four-part blog series where I will explain the eight components every organization must consider when developing a successful insider risk program.
Need Help with Your Insider Risk Program?
As the workplace becomes more complex and insider risks increase, organizations must ensure they can detect anomalies and prevent incidents before they happen. Leidos is your trusted partner to ensure the protection of your company's critical assets and help you prevent an insider incident before it occurs. Our array of insider risk solutions and team of insider risk experts are ready to assist you through all phases: assessing your current risk profile, creating and administering a comprehensive insider risk management program – including the best technology for your specific needs – and helping you respond properly to insider incidents if they do occur.