Measuring the effectiveness of an insider threat programme is an important way to ensure resources are being focused in the right areas. Continuously assessing the threats and vulnerabilities to an organisation's assets, and the mitigations that have previously been put in place, can be done in a number of ways:
- Maintain reference to the organisation's risk register to ensure threats and vulnerabilities remain current and that risk mitigators remain effective and necessary. Risk assessment is a continual process.
- Protective Security Management Systems (PSeMS) can help provide a solid overall framework for integrating security into an organisation. Part of this work involves defining metrics to help measure the success of various security mitigations.
- CPNI's Personnel Security Maturity Model can help baseline an organisation's insider threat programme, providing guidance for advancing insider threat mitigation.
- CPNI's SeCuRE tool helps organisations measure their security culture.
- Each security campaign should allow for evaluation of impact to assess lessons learnt. CPNI has evaluation materials available to help with this.