Insider Risk Assessment
Understanding what security risks your organisation faces is essential for developing the appropriate and proportionate security mitigation measures.
A range of risk assessment models is available, all of which follow the same principles:
- Identify the critical assets in your organisation
- Identify the threat (based on the intent and capability of those who could carry out the threat)
- Assess the likelihood of that threat happening in your organisation
- Assess the impact to your business if the threat occurred
- Review the adequacy of existing countermeasures
- Propose new proportionate measures to reduce security risks
The risks that have been identified are then used to inform the security mitigations that you implement. Carrying out a security risk assessment is crucial in helping security managers audit, and communicate to the executive Board, the security risks to which the organisation is exposed.
CPNI has developed a risk assessment model to help organisations centre on the insider threat. The process focuses on employees (their job roles), their access to the organisation’s critical assets, the risks that each job role poses to the organisation and the sufficiency of the existing countermeasures.
Working through the CPNI personnel risk-assessment model will help organisations:
- Conduct security risk assessments in a robust and transparent way
- Prioritise the insider risk to an organisation
- Evaluate the existing countermeasures and identify appropriate new measures to mitigate the risks
- Allocate security resources (personnel, physical or cyber) in a way which is cost effective and proportionate to the risk posed.
TIP: If you are carrying out a security risk assessment, it is important that the results are factored into your wider corporate risk register.