Why Traditional “Risk” Models Miss the Mark
Insider risk management, or “insider threat management,” is often the elephant in the room. The topic is so taboo in some organizations that the terms are softened to descriptions such as “insider trust,” “employee enablement,” and “employee loyalty.” There is nothing wrong with these labels (what matters is not what the program is called but the substance that underlies it), but such euphemisms tend to distract and detract from the true objective: risk management.
Threats from insiders (employees, contractors, partners, etc.) must be understood in the proper context. Most “experts” focus simply on the threat itself, i.e. the actions of insiders that cause harm. This is shortsighted and results in a purely reactive security posture. The proper focus is an actionable program that encompasses the impact of losing an asset, the vulnerabilities of that asset, and the threats posed to it.
Risk management is an aggregation of the assessment of harm to a given asset, taking into account the likelihood that a particular threat could exploit a known vulnerability. It is a discipline applied to a wide range of domains, including financial risk management, security risk management, and cyber risk management. At its core, regardless of the domain, risk management includes information on asset impacts, vulnerabilities, and threats. Removing any one of the three elements from the equation removes the ability to conduct proper risk management. Too often the terms risk and threat are used interchangeably, which mischaracterizes the problem itself. This leads to asking the wrong questions and pointing the ship in the wrong direction. Threat is an element of risk. Threat does not equal risk, and simply conducting a threat assessment is not, in itself, managing risk. Risk comprises three elements: impact, vulnerability, and threat.
For example, conducting a traditional NIST or ISO assessment, where network and information security controls are examined and gaps are identified and scored, is best described as a “vulnerability” assessment. Likewise, conducting a review to determine the most likely threat actors and their relative capabilities to attack is a “threat” assessment. Finally, conducting a business impact assessment, or a more tailored assessment to determine the level of harm to the organization if an asset were compromised, is an “impact” assessment. The parts (impact, vulnerability, and threat) are individually valuable, but they must be combined to represent and capture true risk.
Why Most “Risk” Models Miss the Mark
- Wrong Focus
Traditional security models largely focus on external threats and on network, software, or device vulnerabilities, yet most breaches are caused by negligent insiders or by the social engineering of insiders by outside attackers. Moreover, a significant number of breaches are intentionally facilitated by trusted insiders themselves. Focusing only on the outside hacker and on technical vulnerabilities therefore misses the mark, because insiders, through poor security practices, negligence, or intentional misconduct, are the weak link in the cyber security chain. In addition, traditional security falsely assumes that insider threats cannot be prevented. As a result, most controls and resources are dedicated to detecting network threats or patching vulnerabilities, which loses sight of the real problem: employee behavior. The cycle of compromises and breaches continues.
Solution – Focus on Insiders (i.e. those to whom access is granted)
- Roughly two-thirds of all security events are caused by insiders.
- Employees are the most cited culprits of security incidents.
- The great majority of intellectual property theft is committed by insiders.
- Risk is Largely Misunderstood
Traditional security risk management views risk in several ill-defined ways. The first is that risk equals threat. The second is that risk equals vulnerability. A third position defines risk as threat plus vulnerability. The problem with these views is that they fail to properly combine the three essential components of risk – impact, threat, and vulnerability.
Solution – Properly Define Risk
True risk is the likelihood that an identified threat compromises a given asset by exploiting a current vulnerability, weighted by the impact of that compromise. The asset is the key component of risk, since it is the particular asset whose compromise could have deleterious effects on your business. Stated another way, without a defined impact to an asset, there is no risk. Similarly, if there is no threat or no vulnerability, there is also no risk to the asset. It is, therefore, the combination of all three that defines and captures the true risk posed to an asset.
- Wrong Questions
Traditionally, security managers have relied on NIST, COBIT, and ISO frameworks for measuring “risk.” These frameworks, however, only provide a way to assess network-centric organizational risk, not insider risk. They are mostly vulnerability models and do little to inform an organization about the risk to specific assets. Thus, a security manager seeking to protect critical assets will be left with many unanswered questions.
Solution – Apply an Asset-Focused Insider Risk Model
Effective security requires a security risk model that assesses and manages risk by focusing on insiders’ interaction with critical assets. Not all threats are equal, nor are all vulnerabilities and assets, so effective risk management requires risk prioritization. First, assets must be properly identified and their impacts determined. Second, the specific threats and vulnerabilities related to each asset must be identified. Third, the risk to each asset must be properly measured. Lastly, mitigation strategies must be developed. Through this method, an organization can apply security measures in the most efficient and cost-effective manner, leading to an enhanced security risk posture.
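The four steps above can be made concrete with a small asset risk register. The following Python is an added illustration, not code from the original article or from ITMG; it assumes a hypothetical 0..5 scale for each factor and a constructed sample register. It shows the point made throughout the page: ranking assets by threat alone puts the wrong asset at the top, while the combined model gives zero risk to any asset missing an impact, a vulnerability, or a threat, and shows how much a vulnerability-reducing mitigation actually buys.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical scale: 0 = factor absent, 1..5 = low..high (an assumption of this example).
SCALE = range(0, 6)


@dataclass(frozen=True)
class AssetRisk:
    """One row of an asset-focused insider risk register."""
    asset: str
    impact: int          # harm to the business if this asset is compromised
    vulnerability: int   # how easily an insider with access can misuse it today
    threat: int          # capability and intent of the insider population with access

    def __post_init__(self) -> None:
        # A register row that omits a factor cannot be scored; reject it early.
        for name in ("impact", "vulnerability", "threat"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{self.asset}: {name}={value} outside {list(SCALE)}")

    def risk(self) -> int:
        # Risk combines all three factors. Multiplying makes the article's
        # point explicit: if any factor is 0, risk is 0 however large the others are.
        return self.impact * self.vulnerability * self.threat


def rank_by_threat(register: List[AssetRisk]) -> List[str]:
    """Ordering a pure 'threat assessment' would produce (highest threat first)."""
    return [a.asset for a in sorted(register, key=lambda a: a.threat, reverse=True)]


def rank_by_risk(register: List[AssetRisk]) -> List[Tuple[str, int]]:
    """Ordering the combined impact x vulnerability x threat model produces."""
    return [(a.asset, a.risk())
            for a in sorted(register, key=lambda a: a.risk(), reverse=True)]


def vulnerability_reduction_gain(a: AssetRisk, new_vulnerability: int) -> int:
    """Risk points removed by a mitigation that lowers only the vulnerability factor
    (impact and the threat population are usually outside the security team's control)."""
    mitigated = AssetRisk(a.asset, a.impact, new_vulnerability, a.threat)
    return a.risk() - mitigated.risk()


# Constructed sample register: illustrative values only, not real data.
REGISTER = [
    AssetRisk("cafeteria menu share",   impact=0, vulnerability=5, threat=5),
    AssetRisk("source code repository", impact=4, vulnerability=4, threat=5),
    AssetRisk("customer PII database",  impact=5, vulnerability=3, threat=4),
    AssetRisk("payroll system",         impact=5, vulnerability=1, threat=2),
]

if __name__ == "__main__":
    print("threat-only ranking:", rank_by_threat(REGISTER))
    print("risk ranking:       ", rank_by_risk(REGISTER))
    for a in REGISTER:
        lower = max(a.vulnerability - 1, 0)
        print(f"{a.asset}: lowering vulnerability to {lower} removes "
              f"{vulnerability_reduction_gain(a, lower)} risk points")
```

With the constructed register, the threat-only view ranks the cafeteria menu share first (threat 5) even though its compromise has no business impact, while the combined model ranks the source code repository (80) and the customer PII database (60) ahead of it and scores it at zero. The gain function supports the last step: a one-point vulnerability reduction on the repository or the PII database removes 20 risk points each, whereas the same effort on payroll removes 10, which is where the prioritization the article calls for comes from.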
Contact ITMG to Help Your Company Assess and Mitigate True Insider Risk
ITMG leverages a proprietary assessment methodology that is structured to deliver tailored solutions to meet the needs of any organization. It combines real-world, intelligence-grade risk assessment approaches with the best practices of traditional assessment methods such as NIST, ISO, and COBIT. Our team of bona fide experts has the real-world experience necessary to properly assess your organization’s insider risk posture. Contact ITMG today to learn more about how we can help! You can also visit our Facebook, Twitter, and LinkedIn pages for more updates and insights into the world of insider risk management.