There is a range of risk assessment models available, all of which follow the same principles:
- Identify the critical assets in your organisation
- Identify the threat (based on the intent and capability of those who could carry out the threat)
- Assess the likelihood of that threat happening in your organisation
- Assess the impact to your business if the threat occurred
- Review the adequacy of existing countermeasures
- Propose new proportionate measures to reduce security risks
The risks that have been identified are then used to inform the security mitigations that you implement. Carrying out a security risk assessment is crucial in helping security managers audit, and communicate to the executive Board, the security risks to which the organisation is exposed.
Personnel Security Risk Assessment
CPNI has developed a risk assessment model to help organisations focus on the insider threat. The process focuses on employees (their job roles), their access to their organisation’s critical assets, the risks that the job role poses to the organisation, and the sufficiency of the existing countermeasures.
Working through the CPNI personnel risk-assessment model will help organisations:
- Conduct security risk assessments in a robust and transparent way
- Prioritise the insider risk to an organisation
- Evaluate the existing countermeasures and identify appropriate new measures to mitigate the risks
- Allocate security resources (personnel, physical or cyber) in a way which is cost-effective and proportionate to the risk posed
TIP: If you are carrying out a security risk assessment it is important that the results are factored into your wider corporate risk register.
Personnel security measures help to reduce the risk of an insider attack but can be labour-intensive, costly or delay business. CPNI’s guide to Personnel Security Risk Assessment explains how to assess and prioritise risks so that security measures are implemented cost-effectively, in proportion to the level of risk.
The guide covers:
- the purpose of risk assessment,
- who should be involved in conducting the risk assessment,
- how risk assessment fits within the risk management cycle,
- how risk is calculated by examining the likelihood and impact of threats,
- the methodology used by CPNI, which focuses on insider risk and is simple, robust, flexible and transparent.