What is a Personnel Security Risk Assessment?

Why do a Personnel Security Risk Assessment?

Trusted Insiders – employees, contractors, suppliers and business partners – are the ideal threat vector given their legitimate access and inside knowledge, yet many businesses are immature in the way they manage these risks.

A 2007 CPNI survey found that many organisations don’t employ a structured approach to personnel security, which led to the development of guidance material on Personnel Security Risk Assessments (PSRA) to change the status quo. My experience is that this dial hasn’t really shifted in Australia since the survey was published. The PSRA forms the basis of a structured, risk-based approach to managing insider risk.

A team is only as strong as its weakest link: Personnel Security helps mitigate some risks.

What is a Personnel Security Risk Assessment?

The PSRA enables a business to focus its limited prevention, detection and response resources on the areas, and position numbers (roles), of highest risk. In high security organisations, this often means that low risk staff are not exposed to the intrusive background investigations and ongoing monitoring applied to staff in high risk roles.

The PSRA also informs the design of an organisation’s vetting standards (i.e. which background checks are performed given the risk). This ensures employees are not subjected to intrusive checks, and the business does not incur expenses, for no real purpose.

Under the CPNI methodology, there are three types of PSRA:

  • Organisational PSRA – identifies enterprise level threats and risks, including the main risk types. Organisational PSRAs lack sufficient detail to identify business unit specific risks and corresponding internal controls.
  • Group PSRA – focused at the Business Unit level (or lower) or alternatively on specific functional groups (e.g. finance, engineering, ICT, senior executives).
  • Individual PSRA – focuses on the risk a specific individual poses, typically managed through vetting (employment screening / background investigations) and Continuous Monitoring / Continuous Evaluation (CM/CE).

The remainder of this article focuses on Organisational and Group PSRAs.

Trusted insiders have access to valuable information and assets by virtue of their roles.

How do you complete a PSRA?

The PSRA follows the ISO31000 methodology, as follows:

Step 1 – Scoping

As with any risk assessment, scoping is probably the most important step, because poor scoping can inadvertently exclude material risks. When scoping, I ask questions such as:

  • What is the organisation’s strategy?
  • What are the critical assets (or core business activities) requiring protection?
  • What regulatory or ‘social licence to operate’ considerations are there?
  • What does the threat landscape look like (determined by the threat assessment)?
  • What are the organisation’s high risk roles?

Understanding these factors allows the PSRA to be properly scoped.

Setting the context for the PSRA - from context to treatment

Step 2 – Risk Identification

Risk Identification involves identifying sources of risk involving employees, contractors and other trusted insiders. Not every risk is applicable to every organisation, so there is an element of qualifying suggested risks whilst building the risk register.

Common categories of Personnel Security risk include:

Step 3 – Risk Analysis

Once risks are identified, risk analysis can begin. This involves determining the Consequence and Likelihood of each risk materialising (i.e. a ‘risk event’); combining the two yields a risk rating. It is customary to provide two risk ratings – inherent and residual – reflecting the rating without and with internal control coverage.

Adequate control coverage has the effect of reducing either the consequence or likelihood of a risk event occurring, whilst inadequate or ineffective control coverage has the opposite effect.

The ISO31000 Risk Assessment. Illustrating the effect of applying controls on an inherent risk as part of the risk treatment process.

Step 4 – Risk Evaluation

Risk Evaluation involves determining whether the risk rating assigned to a given risk lies within the organisation’s risk tolerance (‘risk appetite’). This is a topic in itself which I will cover later; however, for any risk there are four treatment options:

  • Accept the risk
  • Reject the risk (i.e. don’t do something)
  • Transfer the risk (e.g. to a supplier, insurer)
  • Treat the risk
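To make Steps 3 and 4 concrete, here is a small risk register model, added as an example and not part of the original article or the CPNI guidance. The 5x5 rating scale, the band thresholds, the control reductions and the register entry are all constructed assumptions; an organisation would substitute its own matrix and appetite.

```python
from dataclasses import dataclass, field

BANDS = ["Low", "Medium", "High", "Extreme"]

def band(rating: int) -> str:
    """Map a consequence x likelihood rating (1..25) to a band; thresholds are constructed."""
    return "Extreme" if rating >= 15 else "High" if rating >= 10 else "Medium" if rating >= 5 else "Low"

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # points taken off the 1..5 likelihood score
    consequence_reduction: int = 0  # points taken off the 1..5 consequence score
    effective: bool = True          # an ineffective control gives no reduction

@dataclass
class Risk:
    role: str
    event: str
    consequence: int  # 1 (insignificant) .. 5 (catastrophic)
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Rating with no control coverage."""
        return self.consequence * self.likelihood

    def residual(self) -> int:
        """Rating after effective controls reduce likelihood and/or consequence (floor of 1)."""
        active = [c for c in self.controls if c.effective]
        lr = sum(c.likelihood_reduction for c in active)
        cr = sum(c.consequence_reduction for c in active)
        return max(1, self.consequence - cr) * max(1, self.likelihood - lr)

def evaluate(risk: Risk, appetite: str) -> str:
    """Step 4: a residual rating within the appetite band is accepted; above it is flagged for treatment."""
    return "accept" if BANDS.index(band(risk.residual())) <= BANDS.index(appetite) else "treat"

# Constructed register entry for a Group PSRA of an ICT function.
DBA_EXFIL = Risk(
    role="Database administrator", event="Bulk export of customer records",
    consequence=4, likelihood=4,
    controls=[Control("Pre-employment vetting", likelihood_reduction=1),
              Control("User activity monitoring", likelihood_reduction=1),
              Control("Data masking outside production", consequence_reduction=1),
              Control("Quarterly access review", likelihood_reduction=1, effective=False)],
)
```

The constructed entry rates Extreme inherently and Medium residually; note that the ineffective access review contributes nothing, which is the point of recording control effectiveness rather than mere existence.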

Step 5 – Risk Treatment

Risk treatment requires evaluating the specific situation to determine how it can be changed to reduce or modify the risk. Ways to treat personnel security risks include:

  • Implementing additional controls such as vetting, user activity monitoring or management oversight
  • Business process redesign to increase transparency or reduce the need for high level account privileges
  • Policy changes, including implementing and enforcing compliance via IT systems
  • Use of analytics for insider threat detection
  • Implementing and communicating internal reporting programs for staff who identify suspicious activity
  • Cultural change and security awareness training

Risk treatment plans should be incorporated into programs, frameworks, policies, systems or business processes to ensure they are implemented effectively.

Step 6 – Communication and Consultation

Communicating throughout any risk assessment process is critical, as is engaging with stakeholders including management and relevant business functions (e.g. HR, Legal, Security, Risk, etc.) when completing the risk assessment, evaluation and treatment process. Employee representatives are another critical stakeholder group, to ensure employees’ privacy is respected.

Step 7 – Monitoring and Review

The last step in the PSRA process is to ensure the assessment is periodically updated, ideally through an annual or biannual refresh depending on the extent of change in your organisation. The longer personnel security risks go unrecognised, the greater the vulnerability.

Further Reading
