A Professional Approach to ‘Whole-Person’ Insider Risk Management


  • Insider risk management is more important than ever before
  • The demand for insider risk professionals is growing 
  • Training, now online, is a key component to the professionalisation of the function and a starting point for each organisation embarking on an insider risk journey.

Insider threats have a long history. Sun Tzu recognised the value of insider information, and the ancient Egyptians had a thoroughly developed system for the acquisition of intelligence. Today, the threat of insiders has expanded beyond nation-state espionage and impacts organisations of all sizes. Insider risk now includes data theft, workplace violence, insider trading and sabotage. Organisations often treat these threats using different processes, but there is a compelling case to place their treatment under one insider risk programme. This would allow managers and analysts to develop deep expertise into their organisation’s specific risks and the psychology behind why insiders act.

The whole-person approach

Our understanding of why insiders act has increased in the last two decades. In 2015, Eric Shaw and Laura Sellers made an important contribution to this understanding by defining a critical-path model for insider risk (CPIR) based on a review of over 1500 insider risk cases. This pathway approach, depicted in figure 1, has long demonstrated its value in other fields and represents the best available device for applying knowledge acquired from research on insider acts. Above all, it demonstrates that insider risk is primarily a human issue. While technology is needed for capturing abnormal activity in user accounts, the challenge will always remain to tie the correct actions to what is in a person’s mind.

Figure 1: The critical pathway to insider risk (CPIR). Adapted from Shaw and Sellers.

Increasing insider risks as a sign of the times

A survey by Cybersecurity Insiders revealed that 90 per cent of respondents feel that their organisations are at risk from insider acts. Despite this acknowledgement, most organisations aren’t aware of the CPIR, nor have they addressed insider risk. This is concerning for two reasons.

First, there is evidence that insider risks have been increasing. Research by the Ponemon Institute indicates that insider incidents have increased 47 per cent and their associated costs by 31 per cent, and that is only since 2018.

The second and perhaps more urgent reason is that COVID-19 has significantly increased the stress on employees. Stressors are a critical component in the CPIR, amplifying underlying personal predispositions. Many organisations survived the first wave of the virus with heavy government assistance, but the second wave has forced some organisations to reduce headcount in recognition of the new economic reality the virus has created. We expect this trend to continue, pushing at-risk individuals further down the critical path.

COVID-19 has also impaired the growing professionalisation of the field by limiting the availability of in-person training. This professionalisation trend grew in response to the rising trend in insider acts, but progress has been disrupted in a time of elevated risk. Many, if not most, in-person professional courses on insider risk have been cancelled. We know because we’ve had to cancel ours as well. Webinars have increased in response, but these fail to provide the depth required for those managing insider risk.

Insider risk professional education

To address this gap, we at Signpost Six have taken the opportunity to deliver a full insider risk education online. What does the online training contain?

  • Over 11 hours of recorded modules and interviews with leading insider risk experts from government, business and academia. 
  • A 175+ page theory book that contains the material covered in the videos plus additional appendices on topics such as job descriptions for insider risk managers and analysts and insider risk worst practices. 
  • Questions and assignments that, if passed, allow trainees to become certified insider risk programme managers. The course can also be used to fulfil CPE requirements from numerous professional associations. 
  • Monthly Q&A sessions with Signpost Six experts.
  • On request, a private session with Signpost Six experts for sensitive discussions.

Figure 2: The cycle of protection and training components

Insider risk professionals may wonder how our programme differs from others in the market. We believe our training is unique in three ways:

  1. It applies the CPIR and psychology to nearly every module, keeping the focus on human decision making. Our emphasis is on prevention, reducing heavy reliance on expensive technical solutions, but detection, response and recovery are also covered. 
  2. It re-imagines the insider risk programme governance structure and recommended countermeasures to increase comprehension and reduce the implementation burden.
  3. It contains exclusive interviews, including with Dr Eric Shaw, the creator of the CPIR. In addition, we leverage our diverse expertise to add insights into risk and reasoning processes, among other topics. You will not find this information in other offerings.

Curious to find out more? Register at https://training.signpostsix.com/ to view the introductions to each module for free. Sign up for the training before 1 January 2021 and receive a 20 per cent discount. 

Knowledge is the basis for prevention, especially during these uncertain times. Want to help your coworkers before they become derailed and help protect your organisation’s critical assets in the process? Take our training and be a part of the solution. We are eager to support you on the journey. 