Insider Risk Management Litepaper

Insider risk has a long history. Sun Tzu, for example, recognised the value of insider information. Outside of espionage, however, the formalisation of an insider risk programme is a relatively recent phenomenon. Insider risk has often been connected to state actors and governmental institutions, but insiders also pose a significant threat to non-governmental organisations. Over the years, non-governmental organisations like universities and companies have recognized the threat posed by insiders. Organised crime and state actors also target their organisations looking to acquire valuable knowledge. Insider incidents can undermine national, economic, academic, commercial and broader security interests.

The Problem

Insider incidents can have a devastating impact on an organisation as research by Gurucul shows, with 54 per cent of insiders acts resulting in operational disruptions, 55 per cent resulting in the loss of critical data and 38 per cent resulting in brand damage. It is therefore alarming to see the rapid increase of insider incidents in recent years. Insider incidents have increased by 47 per cent and costs connected to these incidents have risen 31 per cent from 2016 to 2020. The 2020 survey by Gurucul shows that 68 per cent of the respondents think that insider acts have become more frequent. Another study concludes that 90 per cent of organisations feel vulnerable to an insider attack. While awareness of the issue increased due to major insider attack incidents in the past, organisations continue to underestimate or mismanage insider threats.

A 2021 report by Forrester concluded that Insider risk management is of greater concern for 74 per cent of companies now than before the COVID-19 pandemic, making better protection of sensitive data a top priority. As a result, 82% of decision-makers are focused on better protecting company data in the remainder of 2021. That same report states that 71 per cent of the respondents agree that the traditional approach to data leak prevention is not working, furthering the shift to a more holistic security program. The Forrester report further concludes that seven in ten respondents say their firms will create a dedicated insider threat capability and/or team. Three in four respondents agree that a dedicated insider risk capability will improve their overall data protection posture and maturity.

Code 42 and the Ponemon Institute state that a remote, unsupervised, collaborating, off-network workforce creates a perfect storm for data leaks from insiders. Since COVID-19, 61 per cent of IT security leaders said their remote workforce was the cause of a data breach. They also reported that since the start of the pandemic, their employees have been 85 per cent more likely to leak files than they were pre-COVID (28% pre-COVID to 52% today). (Code42 Data exposure report, Ponemon institute for Code42)

Why are insider acts on the rise?

The rise of insider acts can be attributed to four primary factors. First of all, organizations have improved perimeter security through investments in firewalls, intrusion detection systems
and access management systems, among other technologies. This causes hostile actors to increasingly rely on insiders in order to bypass increased security measures and accomplish their collection needs. This phenomenon is often referred to as the cyber security waterbed effect: If (cyber) measures to prevent external actors from penetrating your network become more successful, external threat actors will try to use insiders to gain the desired access to your sensitive information.

Secondly, organisations and individuals have expanded their reliance on digital technology to process and share sensitive information, increasing the likelihood of an insider incident. This technologization provides threat actors with numerous opportunities to gain access to sensitive information. Furthermore, emerging technologies enable insiders to cash out on their stolen assets through social media or the dark web while maintaining anonymity.

The evolution of work practices has also been attributed to the rise of insider incidents. Overall employee loyalty and engagement is decreasing due to reliance on short-term contracts and increased employee mobility, decreasing loyalty and engagement with employees.

Finally, geopolitical tensions between strong states cause some states to use more aggressive measures to obtain sensitive information. As technological and economic dominance will likely tilt power relations between nation-states, these actors will increase their efforts to obtain information through insider acts.

Who are Insiders?

Threat actors can be external or internal. The programmes of Signpost Six focusses on internal threat actors, but the two kinds of actors are strongly connected. External threat actors use internal threats actors when they fail to penetrate the organisation from the outside. The internal threat actor or insider is a current or former employee, contractor, or business partner who has or had authorised access to an organisation’s network, system, or data. There are two types of insiders who have important differences:

  • The intentional insider: This insider has intentionally gained or misused access to sensitive information in a manner that negatively affects the organization he or she works for.
    There are 3 types of intentional insiders:

    • Self-motivated: Insiders who are motivated by a personal objective and act with malicious intent.
    • Coerced: These people are tricked or threatened to conduct malicious acts without malicious intent.
    • The infiltrator: Insider who intentionally joins the organisation to do harm.
  • The unintentional insider: This insider has accidentally affected the confidentiality, integrity or availability of an organisation’s information or information systems, possibly by being tricked by an outsider’s use of social engineering

The six different insider act categories

The acts that insiders engage in are divided into six categories, as shown in the picture below.

Figure 1: insider act categories


: Sabotage is one of the three most common intentional insider acts according to Carnegie Mellon University and entails a deliberate act aimed at undermining or incapacitating an organisation through obstruction, disruption or destruction.

Data (and property) theft

: This category entails the insider’s use of access to steal or exploit data, material and intellectual property from an organisation. Common targets of data theft include source code or scientific formulas. Industrial and economic espionage often fall within this category.

Unauthorised disclosures

: Unauthorized disclosures account for the majority of insider acts and entail the communication or physical transfer of classified information to an unauthorized recipient. Although this is closely related to data and property theft we view it as a separate category with a focus on media leaks and to contrast it with whistleblowing. Whistleblowing concerns the use of certain official procedures to report wrongdoing while unauthorised disclosure is used by insiders to air a disagreement with official policy, influence political decisions or satisfy their ego without using the proper channels and procedures when disclosing the information.

Workplace violence

: This act is often addressed in programmes not directly related to insider risk. Violence can be psychological as well and includes corporate bullying, sexual harassment, and discrimination. It directly impacts the lives and health of workers and their productivity.

Fraud and corruption

: Fraud is any act of deception carried out with the purpose of unfair, underserved and unlawful gain and is also in the top three most common insider acts worldwide. Corruption distinguishes itself from fraud by going beyond direct financial objectives including impairing integrity and moral principles.

Insider trading

: This act concerns the trading of a corporation’s stock or other securities by individuals with access to non-public information about the company. The objective is to profit from the information by trading financial instruments.

Critical Pathway to Insider Risk (CPIR)

Researchers have examined hundreds of subjects convicted of a range of insider acts, as well as those who were simply removed from their organisations rather than arrested. This research has given way to a more complex path, rather than individual profiles, to insider acts, especially incorporating the person-environment interaction. Most insiders appear to follow a common pathway, becoming disgruntled towards their organisation or society resulting in an insider act, this is called the “Critical Pathway to Insider Risk” (CPIR).

The CPIR helps raise awareness around signals of risky behaviour. Behaviour often reveals itself earlier than technical indicators, which is why it is very important to link different behaviours and types of conduct. Often the indicators and information are present, but the biggest hurdle is timely action based on the ability to connect the right information; “connecting the dots.”

The pathway model has five core elements: personal predispositions, stressors, concerning behaviours, problematic organizational responses and the crime script. The crime script phase provides the most tangible evidence and the greatest opportunity for detection. It is preferable, of course, to stay far ahead of this phase and to bring the individual back to the set norm with the right organizational response. We use the CPIR to understand the process and interaction between employees and the environment, which in turn could be used to intervene or engage in preventive action.

Figure 2: the Critical Pathway to Insider Risk (Shaw and Sellers, 2015)

A problematic organizational response can cause or escalate insider incidents as shown in figure 2. The role of an organisation in detecting and responding to concerning behaviour is key in mitigating insider risks. In 97% of insider cases colleagues already noted concerning behaviour and most insiders violated lesser rules before engaging in more serious acts. Our approach enables both managers and employees to recognize and act on troubling behaviours early, thereby reducing insider risks within the organization. An insider risk programme provides organisations with the necessary awareness and organizational structure to detect and properly respond to employees who display suspicious behaviour.

The Solution

Signpost Six believes any holistic insider risk management programme should encompass a clear vision, a charter, with measurable deliverables across the whole spectrum from ‘identify’ to ‘recover’ in which lessons learned from incidents are used to improve prevention efforts. A holistic approach means proactively managing the organisation, collecting and connecting the dots from both technical and non-technical sources, and responding appropriately when concerning behaviour is identified.

We reviewed the best practices from numerous insider risk frameworks to select the most impactful countermeasures for insider risk. Three of these frameworks were especially influential. These were from the Centre for the Protection of National Infrastructure in the UK, Carnegie Mellon University’s Software Engineering Institute, and the US government’s insider risk Program Maturity Framework. Signpost Six believes just eight strong countermeasures can effectively address insider risk. A summary of these countermeasures are addressed below:

  1. An insider risk assessment identifies the highest insider risks and critical assets within the organisations. This information helps to prioritise the pilot and implementation phases of the insider risk programme.
  2. Privacy and legal considerations establish the boundaries for data collection and investigation within the programme.
  3. IT and physical infrastructure cover the insider risk technology stack with a special focus on identity and access management.
  4. Governance, leadership, and culture ensure that the programme has strong oversight capabilities and the right culture to ensure programme success.
  5. Training and education create general awareness and develop knowledge and skills for a wide variety of roles.
  6. Employee and third-party life cycles ensure that insider risk safeguards are embedded and aligned in both these critical processes throughout their life cycles.
  7. Data sources and analysis ensures the core team has correct and sufficient data to analyse red flags and plan interventions.
  8. Case management and response mechanisms define a process for formal investigations and organisational responses.

Figure 3: insider risk countermeasures

We emphasise prevention because organisations have a duty of care towards their employees, first and foremost. This means organisations should foster a healthy work environment that allows employees to thrive and raise issues safely. A holistic programme should be efficient, utilising existing processes, tools and structures as much as possible. This way, an insider risk programme can be embedded in the organisation more sustainably.

1. Insider risk assessment

The first step in controlling insider risk is conducting a risk assessment based on the eight overarching countermeasures, identifying the critical organisational assets and determining the high insider risks within the organization. This assessment helps to prioritize measures and their implementation.

An important part of the insider risk assessment is the concepts of likelihood and magnitude. The classic definition of risk is the multiplication of probability (Likelihood) and impact (Magnitude). In order to better estimate these two elements, it is necessary to divide them into several sub-elements, as outlined in the figure below. Further decompositions of these two concepts are possible and even encouraged in relation to risk assessments. Likelihood, for example, can be decomposed into the frequency of the scenario attempted and the vulnerability to the attack, which can be further decomposed into the threat actor’s capability and the organisation’s resistance to attack. When dissecting the two pillars of the risk assessment, it quickly becomes apparent that a robust information position and a general understanding of the context at hand is essential in assessing the risk; particularly concerning the various threat scenarios, the organization’s vulnerability/resilience, the threat actor, and the potential consequences of insider incidents.

Figure 4: risk and its component parts

Each model is a tool for bringing clarity to complexity. This also applies to the systematic approach to the insider risk assessment. It is important that input is sought from across the organization and that the reporting and methodology fit in as much as possible with the working methods already present within the organization; for example, by using existing risk classification scales. Making the risks and potential damage to the organization clear and visible also contributes significantly to putting the issue on the agenda at the board level.

2. Privacy and legal considerations

Unlike other types of security programmes, which typically target external, physical or information security threats, insider risk programmes focus on people, which can raise a host of ethical and privacy concerns. Such considerations are relevant throughout the entire employee lifecycle: pre-, in- and post-employment. Therefore, an effective insider risk programme should balance the protection of an organisation’s critical assets with the preservation of employee privacy. If done correctly, a good people culture and a consistent consideration of privacy can guard against unintentional (personal) data breaches, reduce the risk of intentional insider acts and protect innocent employees.

An insider risks program is established to prevent the misuse of sensitive data. Sensitive data refers to data that is critical for the performance and continuity of an organisation. This can entail personal data of personnel or clients, and it is with that type of data where ethics and privacy are most relevant. Three core principles will ensure high ethical standards and at the same time serve as a grounding for privacy compliance:

  • Proportionality: Any insider risk programme has to be designed to focus on critical assets and the assessed risk against those assets. Security measures should therefore correspond to the risk levels and remain workable for employees. Being proportionate is a sensitive matter that requires close consideration of ethical implications at every turn in the development of your insider risk management programme.
  • Consistency: Assuming that an organisation has a Code of ethics, a Code of conduct, or both, then insider risk management programmes have to be synchronised with the core values expressed in those codes. Additionally, organisations are advised to explain those values clearly, why those values are encouraged and how they can be applied in practice. If employees are clear about the values of the organisation they work for, they will be facilitated to exercise their individual judgement, which in turn positively affects the culture of ethics and eventually even decrease the risk of insider acts.
  • Transparency: Where consistency is about being clear on paper, transparency is about being clear in your communications and proactively engaging with employees who might have concerns or questions. That way the core values and the codes and policies they are described in becoming accessible. As a result, all employees will become aware of what they can reasonably expect for the organisation.

It is widely acknowledged that employers have the right to log and monitor employee digital activities and to internally share personal employee data within strict boundaries. However, the way It is collected and dealt with is very sensitive to privacy concerns. Keep in mind the principles of proportionality, consistency and transparency as you embark on insider risk management. Having a privacy friendly insider risk management programme is a complex undertaking. It requires a cross-organisation effort that combines the core principles of ethics with both organisational values and regulatory compliance.

The core principles of proportionality, consistency and transparency should guide insider risk policymaking. In and of themselves, however, those principles are not sufficient to achieve privacy compliance. To have privacy-compliant insider risk policies, organisations are advised to consider the best practices listed below:

  1. Regulation and legislation: These are the foundation of compliance, and every insider risk programme.
  2. Concise and value-led communication: Don’t be too focused on the content of regulations and the legislation itself. Communication should explain why the organisation finds specific policies so relevant by emphasising the values of privacy and ethics behind insider risk policies.
  3. Training and education: Educated employees keep data more secure and private and decrease the risk of unintentional privacy breaches by personnel. Well-trained personnel also provide the necessary checks and balances that are needed for a balanced insider risk programme.
  4. Privacy and data impact assessments: Organisations are likely to encounter personal data throughout their insider risk management programme. To prevent any non-compliance, a privacy or data privacy impact assessment should be conducted before any personal data is collected or processed.
  5. Leadership support: This is key if you want employees to trust your insider risk management programme. A lack of leadership support or commitment undermines the entire programme. Executive leadership and management are encouraged to emphasise and show their commitment to data privacy.
  6. Information security safeguards: Organisations have a responsibility to protect critical information and prevent its misuse or leakage. All scenarios have to be addressed to ensure data remains secure. Part of that effort is the preparation of insider risk incident runbooks. In times of incident response, organisations can easily forget privacy and confidentiality concerns and potentially risk aggravating the situation.

3. IT and physical infrastructure

Insider risk is fundamentally about people, but the modern working environment is filled with technology. To prevent and mitigate insider risks, security principles on IT and physical infrastructure should be applied in the organization. We have chosen the following principles of Jerome Saltzer and Michael Schroeder from MIT, whose security principles have survived the test of time:

  1. Keep security designs as simple and small as possible. Complex systems decrease understanding and increase failure rates.
  2. Default settings matter; this means denying access to data and resources by default.
  3. Check all people requesting access at all times. As adversaries will be patient and constantly looking for gaps.
  4. Forced collusion, entailing the need for two people to review or action something sensitive.
  5. Access privileges, employees should be given the least set of privileges necessary.
  6. Psychological acceptability, security procedures and tools should be easy to use.
  7. Don’t over-control, organisations should compare the cost of circumventing security with the resources of a potential attacker.
  8. Logging, keeping logs provides context to actions and an opportunity to learn
  9. Defence-in-depth, multiple layers of security controls lower the chance that a single control failure will expose sensitive assets.

The principles result in a cybersecurity framework that has five functions and is also called the security defence matrix:

  • Identify: Develop the organisational understanding to manage risk to systems, people, data, assets and capabilities
  • Protect: Outline appropriate safeguards to ensure delivery of critical infrastructure services
  • Detect: Defines the appropriate action to identify a cybersecurity event
  • Respond: Defines the appropriate action to respond to a cybersecurity event
  • Recover: Develop plans for resilience and actions to restore capabilities that were impaired

Figure 5: the security defence matrix (Yu, 2020)

Mapping countermeasures to these functions can help you understand how balanced your insider risk approach is. Are you more focused on prevention or resilience? What about the protection of people vs digital assets?

Identity and access management

An important part of insider risk management programs in relation to IT is the identity and access management of an organisation. Identity and Access Management (IAM) can mitigate insider risks as it provides organisations with several insurances regarding accessing sensitive data. It all starts with identity assurances, checking that the person who is requesting access is actually the person that they say they are. Access assurances make sure people have the access they need to do their work. Activity assurances provide reasonable certainty that people use their access correctly. IAM can be seen as an umbrella concept that consists of three domains that in turn relate to certain technologies :

  • Access Management (AM): focusing on gaining access to data by different types of identities
  • Identity governance and administration (IGA): Giving the right persons the right resources under the right conditions. It also entails a critical look at the segregation of rights, preventing an employee from carrying out an entire process alone.
  • Privileged account management (PAM): PAM is focused on getting in control of accounts with high privileges such as administrator accounts on the infrastructure and social media accounts. To properly conduct PAM an overview of all privileged accounts in the organisation and what you can do with them should be made. Now an assessment on which controls are needed to safeguard access to these privileged accounts can be made. In addition, organisations should also want to monitor how people use these accounts and intervene when necessary.

Physical security

There is a close connection between identity and access management and physical security. Issues with physical access controls make up 8 per cent of all intentional insider activity, according to the insider threat database of Carnegie Mellon University. Most insiders use subtle approaches to circumvent physical security barriers. Groups with elevated physical access but not the necessary training like janitorial staff or security staff are often targeted by outsiders, who use social engineering to make the target group share information carelessly or by applying pressure.

4. Governance, leadership and culture


Programmes and processes need governance. It provides for smoother scaling, better communication, faster execution and little in the way of politics. A model for the governance of a holistic insider risk programme is generally composed out of four different entities:

  1. Senior leader. A programme is unavoidably cross-functional but ultimately must fall under one function’s leadership whose senior leader is solely accountable for ensuring the programme operates within the scope of its mission and vision.
  2. Executive council. This entity consists of senior stakeholders across key business and functional units. It is focused on future-oriented tasks, helping keep the programme proactive, adjusting policies and keeping oversight. Research shows that separating fact-gathering bodies from decision and regulatory bodies improves decision making.
  3. Insider risk core team. A separate core team headed by the programme manager is responsible for gathering and analyzing facts. It is tasked with raising awareness about insider risk and liaising with the executive council to transfer the key changes to the threat.
  4. Support group. The expertise required to collect and interpret all signals is too broad to be contained in one group, thus the core team relies on an informal support group of subject matter experts.

Figure 6: governance model

Even without the proposed managerial structure, a critical look at how an organisation deals with insider risk can produce valuable insights. Possessing an adequate governance structure is an organization’s best tool in mitigating insider risks. Furthermore, an insider risk programme should be supported by strong oversight capabilities and the right culture to ensure its success.


Just as a professional culture depends on leadership, so does the success of an insider risk programme. Trust flows naturally from accountability. It is built first when leaders take accountability for themselves and then by holding others accountable in a positive, principled way. Leaders need to be flexible in their approach to insider risks as there is no one way to provide support to their employees. Choosing a credible leader is essential for achieving cooperation across all employees and functions of an organisation.


Culture is one of the most pervasive characteristics of an organisation and absolutely critical for good security. It is the instinctive habit that employees learn and repeat through direct guidance or informal observation. It is one of the most challenging elements to influence, and many fail to even try as a result. Still, culture can be influenced by the proper support of senior leaders, and every effort should be made to convince these leaders that culture can indeed be changed.

Seven distinct factors within an organisation influence whether people do right or wrong.

  1. Clarity on norms, values and responsibilities matter; the clearer the expectations the better people will adhere to these expectations.
  2. Role-modeling is another factor as people read norms applicable to them from others, especially their role models.
  3. Ability to achieve the desired behaviour or norms.
  4. Commitment is important, are employees motivated to invest efforts that serve the interests of the organisation?
  5. Transparency allows employees to see the effects of their behaviour.
  6. Openness for employees freely discusses opinions, dilemmas and feelings at work.
  7. Enforcement, are people within the organisation valued and rewarded for exhibiting desired behaviour and punished for undesirable behaviour?

5. Training and education

Training and education are another integral part of Signpost Six’s set of countermeasures, as they create general awareness, develop knowledge and make sure responsible personnel have the right skillset. Conducting training on several levels is essential, as, across the organisational levels, employees should be familiar with insider risk management and should know how to act upon it depending on their professional role. People often recall the red flags after incidents have materialised. Awareness training builds the right attitude towards insider risk and enables people to act upon early signals appropriately. Note that insider risk training should not exist without professional and anonymous reporting channels.

Training and educational programmes should have clear objectives enabling contribution to the right professional/security culture within an organisation. Furthermore, participants should understand the rationale for an insider risk programme and understand the full spectrum of the critical pathway. Finally, participants gain insights through training on their own vulnerabilities in relation to the Critical Pathway.

Training essentials

  • Training plans should focus on tracking, measuring, and evaluating training components to ensure that the training programs cover intentional and unintentional threats.
  • The training offerings have to be differentiated to meet the needs of specific employee groups.
  • To increase engagement, the training should rely on rewards and offer a variable programme.
  • Learning needs to be continuous, or people forget. Therefore an educational campaign has to have continual iterations.
    Consider providing general training for all employees upon hiring and bespoke training for specific employee groups or specialist roles.

Employee segments and training content

Figure 7: recommended training per role

Adjusting the training to specific employees can be done by differentiating the programme into five types of roles.

  1. All employee training should raise awareness of the organisation’s culture and security practices, explain insider threats and explain the CPIR model.
  2. Line manager training should emphasize enabling managers to recognize and respond to concerning behaviour. Managers who handle critical assets should be prioritized in the training process.
  3. Confidential data system managers are expected to participate in additional training focused on information disclosure policies, data classification and data handling requirements.
  4. The insider risk core team gets specific training on tasks related to managing insider risks.
  5. Bespoke roles include but are not limited to HR professionals, corporate investigators and legal advisors. Training for this group focuses on their duties and how they should collaborate with the insider risk team and reporting structure.

Specific attention must be paid to the fact that training programmes must be embedded in the broader insider risk management programme, so employees are equipped with the skills to act on (early) signals. Without repeated employee training, insider risk management programmes will be limited in their effectiveness.

6. Employee and third-party lifecycles

The employee and third party lifecycle serve as a framework for the necessary mitigation measures at each stage of the relationship between employers, employees and other individuals with authorized insider access. These may include suppliers, (service) providers and (research) partners. The model helps to understand how an organization can manage employee and third-party insider risks by taking advantage of a proactive, risk-based cyclical approach.

This approach helps to prevent, detect and respond to insider risk. The iterative model consists of five distinct phases, based on the understanding that insider risk consists of what people bring to the organization, their interaction with the organization, and the period during which the relationship is terminated or renewed. The model encourages consideration of insider risk at every stage of the relationship.

Figure 8: employee and third-party lifecycle

The cyclical approach to employee and third-party relations is a holistic approach that includes, but is not limited to, HR, line management, procurement, IT and integrated security. A holistic approach is essential to avoid siloed or fragmented risk management. Traditionally, the individual steps of the cycle are responsibilities assigned to different departments, meaning that measures and information flows are not aligned, and insider incident indicators can be missed because they occur in separate silos. A well-managed lifecycle will result in a productive organization that is more resilient to insider risks.

Data sources and analysis

The seventh countermeasure entails the correct use of data and analysis to allow insider risk managers to detect red flags and plan potential interventions. There are many data sources present within organisations that could be used for insider risk. Where does one begin? The Critical Pathway for insider risk is a useful starting point. The CPIR informs what to collect and a risk assessment and associated critical asset list provide guidance on where you should collect. After all, why collect data that doesn’t relate to the critical pathway or critical assets?

Figure 9: data sources along the CPIR

What types of data are available and how should they be selected? It’s impossible to visually observe all employees at all times to assess insider risk. Here is where technical tools, like data loss prevention (DLP) and user and entity behaviour analytics applications (UEBA) can help. These tools can monitor users while respecting their privacy.

Data loss or data leakage prevention (DLP), solutions protect critical data by first scanning for sensitive data at rest (i.e. in storage), in use during an operation or in motion (e.g. when

transmitted across a network). It evaluates what it finds against defined policy definitions, also known as ‘detection rules’. When well-defined, these rules are capable of identifying violations and automatically applying pre-defined remediations such as alerting users and administrators, quarantining suspicious files, encrypting data or blocking the activity of the user.

User and entity behaviour analytics (UEBA) systems are technical controls that help detect anomalous behaviour. An overview of how these systems work is provided in the figure below.

UEBA systems can profile users and detect anomalies based on a range of analytics approaches, from basic analytic rules that leverage signatures, pattern matching and simple statistics to advanced analytics that apply machine learning algorithms.

Figure 10: the UEBA process

Each UEBA system has its own qualities and characteristics, generally, the more quality data sources are ingested, the better the user profiling will be. Most UEBA solutions leverage machine learning and behaviour analytics to analyse and correlate interactions between user accounts, systems, applications, IP addresses, and data. These baselines are then used to identify and flag significant deviations in user behaviour and create informed narratives for the analyst.

The protective monitoring of employees in the workplace needs to be introduced carefully, transparently and with clear goals defining the legitimate interest of the employer. This is the case for implementing UEBA systems as well. Organisations need to conduct a data privacy impact assessment to comply with GDPR and should gain explicit approval from privacy, legal as well as any works council or labour union before implementation. An organisation should also be sure to only collect personal data in proportion to its purpose. This proportionality requirement is a feature of GDPR and other strict privacy regulations.

Although powerful, tools cannot solve the insider risk problem alone. Humans are needed to analyse, interpret and contextualise the output from tools before deciding on any interventions. The analysis and interpretation of data is a large domain in itself.

8. Case management and response mechanisms

A holistic Insider risk program incorporates a case management process along with proper response mechanisms to learn from and effectively react to insider acts. When connecting the dots between various data points in your organisation, you are bound to gain more insights into behavioural cues and (early) warning signals or red flags. In case management, one of the key objectives is to investigate context and motives to define and understand the category of insider you are dealing with. To understand how to recover from insider acts, organisations need to identify the incident impact. Incident impacts can be divided into five broader categories: Impact on operations, value, reputation, culture or liability.

Managing insider risks is challenging as it may be difficult to establish whether an incident is an insider case or undertaken by outside actors. Furthermore, insider acts are often committed by departing employees. Monitoring or investigating former employees is much more difficult, especially when it concerns a private organisation. Another issue might be the source of the alert. Anonymous alerts can leave investigators with little to work with. Other common shortcomings that organizations encounter when managing an insider case are a lack of preparation, a lack of readily available investigators and limited access to remediation advice.

When managing a case, anonymity must be maintained as long as practically possible. When employee details become known to the insider case management team they must be handled with the utmost confidentiality. Furthermore, a pre-established plan, procedure, and guidelines help to manage an active case. To ensure the integrity of the process, all activities by the insider case team are logged. The insider case management team is similar to a regular incident response team, but team members should pay extra attention to keeping the process confidential due to its sensitive nature.

The case management process

Signpost Six has identified six steps for the case management process. At the heart of this process are the individual employee and his or her critical pathway as you can see depicted in the figure. The six steps are:

  1. Collect. Collect the dots to connect the dots. Collection of alerts through technical systems, surveys or reporting tools.
  2. Review. Cases have to be reviewed by seeking extra data, looking at the employee’s position and by reviewing similar behaviour within the organisation.
  3. Analyze. Analysis by case management team relying on experts, resulting in overview for decision-makers in next phase.
  4. Decide. senior authority decides on follow-up action:
    – Accept the risk
    – Investigate
    – Directly intervene
  5. Investigate. Conducted by own professionals or third-party consultants
  6. Respond. An investigation should provide organisations with several insights into improving their insider risk management.

Figure 11: the case management process

Recovery mechanisms

When recovering from incidents, organisations should make a distinction between short-term and long-term actions. Secondly, communication is vital and each type of incident requires a different kind of consideration. Communication can help correct or prevent rumours, build confidence, deter others from acting in the same way and finally has to be conducted so any accomplices will not be tipped off. Finally, organisations should learn from insider incidents and incorporate the lessons learnt. To quickly recover from incidents, organisations should have an adequate data recovery system, implementing controlled access to the backup storage facilities.

9. Programme Implementation

To implement proposed countermeasures, a programme always starts with an insider risks assessment, including a maturity assessment of countermeasures. The risk assessment looks at threats, countermeasure deficiencies and organisational context to help develop a strategy and roadmap later on in the implementation process. The assessment also provides the first opportunity to introduce insider risk to senior leadership and to gain an understanding of who is supportive. Gaining the explicit support of one or more members of senior leadership is critical to securing necessary resources and enabling wider adoption.

Following the assessment, a small pilot will be conducted to demonstrate value and will leverage the countermeasure maturity assessment performed in the risk assessment phase. The pilot will have its own governing body and strategy. The pilot helps to develop a plan for the long-term rollout of an effective insider risk program, which will help your organisation detect, prevent, and respond to an insider act.

Figure 12: steps in implementing an insider risk capability

Each organisation is likely to have its control framework, but insider risk countermeasures will likely span several frameworks. Once the countermeasures have been assessed, threat scenarios can be plotted on a risk heat map. Based on an expert judgement for scenario likelihood and impact validation workshops with leadership, rank and plot the scenarios along the likelihood and impact dimensions of the heat map.

The risk assessment, proposed strategy and roadmap have to be discussed with senior stakeholders to inform them of the threat landscape, the current maturity of countermeasures and the residual risk presented by insiders. Once senior management support is secured, and key stakeholders have been identified, is it time to set up the insider risk programme governance structure formally.

Setting up the program is generally done by following five steps. First of all, a senior leader is designated, which establishes the insider working group, consisting of 3 to 7 executives. An insider core team is established to spearhead the program and oversee operational aspects. When this is done, an initial programme framework should be developed, which is submitted to executive management to gather feedback.

Few organisations start with full programme implementation, instead of using a pilot is common practice, as it demonstrates the value and provides early feedback on bottlenecks. Select an appropriate line of business or function for the pilot. Start small, one location (or country) with limited complexity but of critical importance. It’s essential to establish the perception of success for an insider risk management programme. This is especially true early in the establishment of the programme. Without quick wins, other attractive projects may crowd out funding for insider risk.

The previous steps provided a manageable and overseeable scope of insider risks management. These steps should now be used to rollout the broader programme. The critical steps to consider for implementing the programme on a broader basis are:

  • Evaluate the focus area pilot programme and calibrate the programme based on the results
    and lessons learned. A formal go/no go decision should be made and communicated.
  • Engage key stakeholders to serve as ambassadors for programme rollout.
  • Develop a road map for the broader implementation. Be sure to include a focus on privacy
    considerations for different geographies.
  • Execute training and communication programmes.

Once a full rollout is approved, start integrating your programme as much as practically possible into existing organisational structures. For example, ensure the insider risk is considered in the wider enterprise risk management programme.

To conclude, it must be noted that there is no one activity that will ensure you ‘solve the insider problem’. You will have to regard insider risk management holistically. In the end, an insider risk program should become part of your regular risk management processes.


Insider risk management cuts across all layers of an organization, from strategic to operational and tactical, and cross-departmental. This means you need to be able to build bridges. You need to understand how the organization is positioned to manage insider risks and what that particular organization needs. No organization is the same. No person is the same. Every insider risk journey teaches lessons for all parties involved. This keeps the subject challenging and all practitioners stay on their toes. In the end, the real focus of a programme is to protect employees and the value of an organization.

Key take-aways:

  1. There is no silver bullet. There is not one activity that will ensure you ‘solve the insider problem’. You will have to regard insider risk management holistically.
  2. Insider risk programmes help organizations detect, prevent, and respond to an insider act.
  3. Balance positive with negative incentives (both play a role in deterrence but positive incentives are more powerful, lasting and foster a good organizational culture)
  4. Focus on employee protection and organisational introspection!
  5. Make insider risk part of your regular risk management processes and integrate it in your existing structures there where you can.
  6. And finally, regard insider risk as an opportunity: This is a very new but growing field of interest. As we stated initially, the stronger the outer defences become, the more likely external threats will find their way through trusted insiders.

We emphasise prevention because organisations have a duty of care towards their employees, first and foremost. This means they should foster a healthy work environment that allows employees to thrive and to raise issues in a safe manner. A holistic programme should be efficient, utilising existing processes, tools and structures as much as possible. This way an insider risk programme can be embedded in the organisation more sustainably.

An insider risk management programme, therefore, requires a continuous effort to ensure it is fit to address the changing threat landscape. This means periodically reassessing the (insider) threat environment, processes and countermeasures to reach desired maturity levels.