
Insider Risk Assessment

Understanding what security risks your organisation faces is essential for developing the appropriate and proportionate security mitigation measures

Last Updated 14 December 2020


There is a range of risk assessment models available, all of which follow the same principles:

  • Identify the critical assets in your organisation
  • Identify the threat (based on the intent and capability of those who could carry it out)
  • Assess the likelihood of that threat materialising in your organisation
  • Assess the impact on your business if the threat occurred
  • Review the adequacy of existing countermeasures
  • Propose new, proportionate measures to reduce the security risks

The risks that have been identified are then used to inform the security mitigations that you implement. Carrying out a security risk assessment is crucial in helping security managers audit, and communicate to the executive Board, the security risks to which the organisation is exposed.

Personnel Security Risk Assessment

CPNI has developed a risk assessment model to help organisations focus on the insider threat. The process concentrates on employees (their job roles), their access to the organisation's critical assets, the risks that each job role poses to the organisation, and the sufficiency of the existing countermeasures.


Working through the CPNI personnel risk-assessment model will help organisations:

  • Conduct security risk assessments in a robust and transparent way
  • Prioritise the insider risk to an organisation
  • Evaluate the existing countermeasures and identify appropriate new measures to mitigate the risks
  • Allocate security resources (personnel, physical or cyber) in a way which is cost effective and proportionate to the risk posed.

TIP: If you are carrying out a security risk assessment it is important that the results are factored into your wider corporate risk register.

Personnel security measures help to reduce the risk of an insider attack but can be labour-intensive, costly or slow to the business. CPNI's guide to Personnel Security Risk Assessment explains how to assess and prioritise risks so that security measures are implemented cost-effectively, in proportion to the level of risk.

It explains:

  • the purpose of risk assessment,
  • who should be involved in conducting the risk assessment,
  • how risk assessment fits within the risk management cycle,
  • how risk is calculated by examining the likelihood and impact of threats,
  • the methodology used by CPNI, which focuses on insider risk and is simple, robust, flexible and transparent.
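As an added, illustrative example (not CPNI's published tool, scoring scale or guidance), the following Python model works through the role-by-asset assessment described above: each job role's likelihood of an insider act is multiplied by the impact of each critical asset it can access, existing countermeasures reduce that inherent figure to a residual one, and the role/asset pairs are then ranked so that resources go where the residual risk is highest. The 1-5 scales, the HIGH/MEDIUM/LOW bands and the countermeasure effectiveness figures are this example's own assumptions, and the roles, assets and numbers are constructed sample data.

```python
"""Illustrative personnel risk assessment: job roles x critical assets.

Assumptions (this example's, not CPNI's): likelihood and impact are scored
1 (very low) to 5 (very high); each countermeasure is given an assumed
effectiveness between 0.0 and 1.0 that scales the remaining risk.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE = range(1, 6)  # assumed 1-5 scale for likelihood and impact


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int  # business impact if the asset is compromised, 1-5


@dataclass
class Role:
    name: str
    likelihood: int  # likelihood of an insider act from this role, 1-5
    assets: Tuple[str, ...]  # critical assets the role can access
    # measure name -> assumed effectiveness (0.0 = none, 1.0 = total)
    countermeasures: Dict[str, float] = field(default_factory=dict)


def validate(role: Role, assets: Dict[str, Asset]) -> List[str]:
    """Return a list of problems with the role's scores; empty if it is usable."""
    problems = []
    if role.likelihood not in SCALE:
        problems.append(f"{role.name}: likelihood {role.likelihood} is outside 1-5")
    for name in role.assets:
        if name not in assets:
            problems.append(f"{role.name}: unknown asset {name!r}")
    for measure, eff in role.countermeasures.items():
        if not 0.0 <= eff <= 1.0:
            problems.append(f"{role.name}: {measure} effectiveness {eff} is outside 0.0-1.0")
    return problems


def inherent_risk(role: Role, asset: Asset) -> int:
    """Risk before countermeasures: likelihood x impact, 1-25."""
    return role.likelihood * asset.impact


def residual_risk(role: Role, asset: Asset) -> float:
    """Inherent risk scaled by the part each existing measure leaves behind."""
    remaining = 1.0
    for eff in role.countermeasures.values():
        remaining *= 1.0 - eff
    return round(inherent_risk(role, asset) * remaining, 1)


def rating(score: float) -> str:
    """Assumed bands on the 1-25 scale."""
    if score >= 15:
        return "HIGH"
    if score >= 6:
        return "MEDIUM"
    return "LOW"


def prioritise(roles: List[Role], assets: Dict[str, Asset]) -> List[dict]:
    """Score every role/asset pair and rank by residual risk (highest first)."""
    problems = [p for role in roles for p in validate(role, assets)]
    if problems:
        raise ValueError("; ".join(problems))
    rows = []
    for role in roles:
        for name in role.assets:
            asset = assets[name]
            res = residual_risk(role, asset)
            rows.append({"role": role.name, "asset": name,
                         "inherent": inherent_risk(role, asset),
                         "residual": res, "rating": rating(res)})
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"], r["role"], r["asset"]))
    return rows


# Constructed sample data for illustration only.
ASSETS = {a.name: a for a in (
    Asset("Customer database", impact=5),
    Asset("HR records", impact=4),
    Asset("Building management system", impact=3),
)}
ROLES = [
    Role("Database administrator", 3, ("Customer database", "HR records"),
         {"pre-employment screening": 0.2, "privileged access monitoring": 0.4}),
    Role("HR officer", 2, ("HR records",), {"pre-employment screening": 0.2}),
    Role("Contract cleaner", 2, ("Building management system",)),  # no measures in place
]


def assessment() -> List[dict]:
    return prioritise(ROLES, ASSETS)


if __name__ == "__main__":
    for r in assessment():
        print(f"{r['rating']:6} residual={r['residual']:<5} inherent={r['inherent']:<3} "
              f"{r['role']} -> {r['asset']}")
```

Note that the ranking is by residual rather than inherent risk: in the sample data the contract cleaner, with a low inherent score but no countermeasures at all, ranks above the database administrator's access to HR records, where existing measures have already brought the figure down. Scores outside the assumed scales are rejected before any ranking is produced, so a mistyped score cannot silently distort the priorities.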

CPNI has also developed a quick 10 step guide to effective insider risk management.
