We have built a massive machine to stop data theft.
If an employee tries to download 5,000 sensitive files to a USB drive, we catch them (increasingly). We have User and Entity Behaviour Analytics (UEBA), Data Loss Prevention (DLP) agents, protocols, and budgets dedicated to this single problem. It is a success story.
But this success has created a dangerous strategic blind spot.
By becoming experts at detecting Information Theft, we have inadvertently convinced ourselves that we are managing all insider risk. We aren’t. We are aggressively managing the one domain that generates the most logs, while the other seven remain largely unmonitored.
The Insider Risk Blind Spot (Curwell, 2026)
Here is why our focus is skewed, and why the risks of the next decade require a completely different approach.
The Taxonomy of Neglect
Practitioners generally recognise 8 distinct insider risks. Look at this list and ask yourself where your budget goes:
I suspect 90% of your resources are dedicated to #1 (and maybe a bit to #8), leaving the other seven exposed.
The Evidence of the Gap
These “neglected” domains are no longer theoretical anomalies. For example:
#6 Foreign Interference (The “Imposter”) Increasingly, the most pervasive threat isn’t a spy stealing blueprints; it’s foreign interference like the 2024-2025 “North Korean IT Worker” fraud scheme.
The Blind Spot: These trusted insiders don’t trigger DLP alerts because they aren’t trying to steal data—they are trying to keep their jobs.
The Risk: They represent a pre-positioned sabotage force with “commit access.”
#2 Sabotage (The Kinetic Insider) In 2022, saboteurs cut the fiber-optic cables for the German Rail network in two separate locations.
The Blind Spot: The precision of the cuts implied “insider knowledge.” No firewall or UEBA could stop the physical attack enabled by inside info.
The High Cost of “Silent” Risks
We focus on Information Theft because it is “Noisy” (spikes in logs). But the “Silent”, Low Probability High Impact (LPHI) risks often cost more.
Consider Société Générale. The rogue trader (Jérôme Kerviel) didn’t steal money directly; he compromised Internal Controls (Domain 8).
The Fine: €4 MILLION (Poor compliance).
The Loss: €4.9 BILLION (Control failure).
We spend millions optimising for the fine, while ignoring the bankruptcy-level risk.
3 Steps to Monitor the Other Seven Domains
We don’t need to throw away DLP, but we must pivot:
1. Re-tune UEBA for Context: Ingest Physical Access (PACS), HR, and OT data. A threat isn’t just “downloading files”—it’s an angry employee entering the facility at 3 AM.
2. Validate Identity, Not Just Activity: To catch the “Imposter,” move beyond background checks to biometric validation.
3. Monitor “Integrity,” Not Just “Confidentiality”: Detect changes to business logic (e.g., “Why was this sensor threshold changed?”), not just the movement of files.
The Takeaway
We have solved the “easy” problem of data leakage.
The “hard” problems—sabotage, fraud, and foreign interference—are still waiting for us.
It’s time to turn the lights on in the other seven rooms of the house.
DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
In Australia, a cyber incident hits a small business every six minutes, with an average cost of around AUD $49,600 (ACSC, 2024). Some analysts estimate that 50–60% of SMBs never fully recover after a serious breach — a stark reminder that security, including Microsoft Insider Risk Management, is a matter of business survival.
Insider threats remain an underappreciated risk for many SMBs.
The good news: if you already have Microsoft 365 E5, you own tools like Purview IRM, Sentinel, and Defender to protect your trade secrets and IP. Microsoft’s 2025 updates strengthen insider risk detection — but remember, technology alone won’t replace a complete insider risk management program.
Managing insider risk protects your business and your investors
According to the Australian Cyber Security Centre (ACSC, 2024), a cyber incident hits a small business roughly every six minutes, with an average cost of AUD $49,600 per incident. Even worse, some commentators suggest that 50–60% of SMBs never fully recover after a serious cyber attack. That’s not just IT drama — that’s business survival at stake.
If your business is R&D-intensive — biotech, advanced manufacturing, materials science — then your currency is intellectual property. You breathe it, you sweat it, and let’s be honest, you probably worry constantly that someone will steal it. And the reality? That threat isn’t always knocking from outside your firewall. Often, the biggest risk comes from inside your own walls: departing scientists, disgruntled engineers, or even well-meaning employees who don’t realize that “just sharing” can leak your crown jewels.
When it comes to insider threats, most large companies, let alone SMBs, are still playing catch-up. In this article I will explain how the tools you’re probably already paying for through your Microsoft licensing can help. But first, a short case study:
Case Study: The GSK Scientist
In a high-profile U.S. DOJ case, a GlaxoSmithKline scientist emailed proprietary drug formulas to a company in China, causing over $500 million in lost R&D and IP value.
Now imagine this scenario under Microsoft Purview + Sentinel in 2025:
The formulas live in SharePoint, Teams, or OneDrive and are labeled with sensitivity (e.g., “Confidential – R&D”).
Purview ties labels to protection rules: “cannot be emailed externally — or must require justification.”
Attempting to email it externally triggers an Insider Risk Management (IRM) alert, or the DLP policy blocks the send outright, depending on how the rule is configured.
Sentinel’s UEBA detects abnormal behavior — unusually large downloads, off-hours activity, or new endpoints.
Alerts are combined across Purview, Defender XDR, and Sentinel, giving analysts a clear, high-priority case.
Purview’s data risk graph visualises 30 days of activity, helping triage faster.
With early detection and response by configuring tools you already have, this sort of damage to IP, commercialisation timelines, and investor confidence could be significantly reduced — maybe even avoided entirely.
If you already have Microsoft 365 E5, you own more of the solution than you think. And now, the latest 2025 updates to Purview and Sentinel have added serious muscle to detect and prevent insider threats — but only if you integrate them into a proper insider risk program and fill in the process gaps.
How Purview + Sentinel Fit Into Your Insider Risk Program
Here’s how Purview + Sentinel support the implementation of your Insider Risk Program:
For each program component, the rows below give what Purview / Sentinel provide (2025), what program managers must do, and the gaps or limitations.
Asset Identification & Classification
  Tools provide: Sensitivity labeling and Unified Data Catalogue classify documents, Teams content, and metadata.
  You must: Maintain your IP inventory, map critical projects, and align labels to business value.
  Gaps: Doesn’t cover physical lab notebooks, test rigs, or bespoke machinery metadata.
Policy Definition & Risk Indicators
  Tools provide: Configure policies in Purview IRM (e.g., “sharing of Confidential documents”) and integrate generative AI risk indicators.
  You must: Decide which policies matter, define thresholds, and engage legal/HR.
  Gaps: Microsoft provides generic templates, not biotech-specific models like gene sequences.
Behavioral Analytics & Detection
  Tools provide: Sentinel UEBA builds baselines, flags deviations, and correlates with IRM alerts.
  You must: Tune models regularly, review false positives, and interpret alerts in domain context (e.g., why a scientist downloaded 10 GB after hours).
  Gaps: Entity profiles may miss domain nuances like lab equipment logs or custom LIMS.
Continuous Monitoring & Log Retention
  Tools provide: Sentinel Data Lake allows long-term retention and unified analytics; Purview data risk graphs visualize user activity over time.
  You must: Decide which logs to ingest (QMS, LIMS, endpoints) and maintain connectors.
  Gaps: Doesn’t automatically capture lab instrument logs or IoT devices without custom integration.
Access Control & Offboarding
  Tools provide: IRM ties into DLP and Entra conditional access; alerts feed into Defender XDR & Sentinel for unified incident management.
  You must: Enforce least privilege, automate offboarding, and review permissions periodically.
  Gaps: No direct control over physical access systems or lab network zones outside the Microsoft domain.
Training & Culture
  Tools provide: Insights highlight risky behavior trends and feed training content.
  You must: Run tailored awareness programs, embed a reporting culture, and address willful breaches.
  Gaps: Tools don’t provide morale incentives or human trust programs; that’s still on you.
Incident Response & Investigation
  Tools provide: Alerts integrate across IRM and UEBA; workflows allow escalation.
  You must: Define incident playbooks, coordinate with HR/legal, and conduct root cause analyses.
  Gaps: Doesn’t integrate into lab SOPs, physical forensics, or external partner investigations.
The takeaway? The tools assist, but they don’t replace your program. Success comes from aligning process, domain knowledge, and tool tuning.
Benefits and Limitations of the Latest Update
If your SMB has Microsoft 365 E5, as of 2025 it already includes:
Microsoft Purview Insider Risk Management & Information Protection – label sensitive data, prevent unauthorized sharing, and configure insider risk policies.
Microsoft Sentinel – aggregate alerts, correlate user/device/system events, and analyze anomalous behavior with UEBA.
Defender for Cloud Apps – monitor shadow IT, risky data exfiltration, and suspicious external sharing.
These tools are powerful — but they work best when embedded in a full insider risk program that combines technology, policies, monitoring, and response.
The benefits of UEBA illustrated with a simple example. Meet Dr. Lee, your molecular biologist. Normally, Dr. Lee downloads 2 GB from SharePoint each evening, and UEBA quietly learns that pattern.
One night, Dr. Lee downloads 20 GB and tries to email a zip labeled “Confidential – Patent2027” externally. Purview IRM immediately flags it. UEBA notices the 10× spike and the unusual context (after hours, from a new endpoint), correlates it with the IRM alert, and surfaces a high-priority anomaly. Analysts see it in Sentinel, triage the alert, and kick off the response.
The key point here is that UEBA doesn’t monitor every email or attachment; that’s IRM/DLP territory. Instead, UEBA focuses on patterns, deviations, and context, giving you the early warning signs before any damage is done.
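The pattern behind the Dr. Lee example above, and behind the earlier “re-tune UEBA for context” step (ingesting physical access and HR data so that a 3 AM facility entry counts as a signal), is the same: learn each user’s normal from history, score a new day for deviations, and escalate only when a behavioural deviation lands next to a content-level alert. The following is an added example, not Microsoft’s code and not a model of how Sentinel UEBA scores internally. All events, user names, endpoints, thresholds and the alert record are constructed for illustration; the business-hours window, the 5× spike ratio, the two-hour correlation window and the score weights are assumptions you would tune to your own data.

```python
"""Added example: UEBA-style baselining plus cross-source correlation over constructed logs.

Not Microsoft's code and not how Sentinel UEBA scores internally. It shows the pattern
the article describes: learn per-user "normal", score a day for deviations (volume spike,
after-hours, never-seen endpoint, odd badge-in time) and raise priority when an IRM/DLP
alert lands in the same window.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

GB = 1024 ** 3
BUSINESS_HOURS = range(7, 20)          # assumption: 07:00-19:59 is normal working time
SPIKE_RATIO = 5.0                      # assumption: >= 5x the user's median day is a spike
CORRELATION_WINDOW = timedelta(hours=2)  # assumption: IRM alert within 2h of downloads


@dataclass
class Baseline:
    daily_bytes: list = field(default_factory=list)   # one download total per observed day
    endpoints: set = field(default_factory=set)       # devices the user normally uses
    badge_hours: set = field(default_factory=set)     # hours the user normally badges in


def build_baselines(history):
    """Learn per-user normal behaviour from historical download and PACS (badge) events."""
    per_day = defaultdict(int)
    baselines = defaultdict(Baseline)
    for e in history:
        b = baselines[e["user"]]
        if e["type"] == "download":
            per_day[(e["user"], e["ts"].date())] += e["bytes"]
            b.endpoints.add(e["endpoint"])
        elif e["type"] == "badge_in":
            b.badge_hours.add(e["ts"].hour)
    for (user, _day), total in per_day.items():
        baselines[user].daily_bytes.append(total)
    return baselines


def score_user_day(user, events, baseline, irm_alerts):
    """Score one user's events for one day. Returns (score, reasons); higher is worse."""
    score, reasons = 0, []
    downloads = [e for e in events if e["type"] == "download"]
    total = sum(e["bytes"] for e in downloads)
    typical = median(baseline.daily_bytes) if baseline.daily_bytes else 0
    if typical and total / typical >= SPIKE_RATIO:
        score += 3
        reasons.append(f"download volume {total / typical:.0f}x the user's median day")
    if any(e["ts"].hour not in BUSINESS_HOURS for e in downloads):
        score += 1
        reasons.append("downloads outside business hours")
    new_endpoints = {e["endpoint"] for e in downloads} - baseline.endpoints
    if new_endpoints:
        score += 2
        reasons.append(f"never-seen endpoint(s): {sorted(new_endpoints)}")
    for e in events:  # PACS context: entry at an hour this user has never badged in before
        if e["type"] == "badge_in" and e["ts"].hour not in baseline.badge_hours:
            score += 2
            reasons.append(f"facility entry at {e['ts']:%H:%M}, outside usual badge-in hours")
    # A spike alone is noise; a spike next to a blocked external send of a labelled file is a case.
    for a in irm_alerts:
        if a["user"] == user and any(abs(e["ts"] - a["ts"]) <= CORRELATION_WINDOW for e in downloads):
            score += 4
            reasons.append(f"IRM alert '{a['policy']}' within {CORRELATION_WINDOW} of downloads")
    return score, reasons


def priority(score):
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample data (not real logs): two weeks of normal behaviour for two users.
HISTORY = []
for day in range(1, 15):
    HISTORY += [
        {"type": "badge_in", "user": "dr.lee", "ts": _ts(f"2025-09-{day:02d}T08:05")},
        {"type": "download", "user": "dr.lee", "ts": _ts(f"2025-09-{day:02d}T18:10"),
         "bytes": 2 * GB, "endpoint": "LAB-WS-01"},
        {"type": "download", "user": "j.park", "ts": _ts(f"2025-09-{day:02d}T10:30"),
         "bytes": 1 * GB, "endpoint": "LAB-WS-07"},
    ]

INCIDENT_DAY = [  # constructed: Dr. Lee badges in at 03:02, then pulls 20 GB at 23:30 from a new device
    {"type": "badge_in", "user": "dr.lee", "ts": _ts("2025-09-15T03:02")},
    {"type": "download", "user": "dr.lee", "ts": _ts("2025-09-15T23:30"),
     "bytes": 20 * GB, "endpoint": "HOME-LAPTOP-77"},
    {"type": "download", "user": "j.park", "ts": _ts("2025-09-15T11:00"),
     "bytes": 1 * GB, "endpoint": "LAB-WS-07"},
]

IRM_ALERTS = [  # constructed stand-in for what Purview IRM/DLP raises on the attempted external send
    {"user": "dr.lee", "ts": _ts("2025-09-15T23:48"),
     "policy": "External email of 'Confidential - Patent2027'"},
]


def triage(history=HISTORY, day_events=INCIDENT_DAY, irm_alerts=IRM_ALERTS):
    """Run the whole pipeline and return {user: (priority, score, reasons)}."""
    baselines = build_baselines(history)
    by_user = defaultdict(list)
    for e in day_events:
        by_user[e["user"]].append(e)
    return {u: (priority(s), s, r) for u, ev in by_user.items()
            for s, r in [score_user_day(u, ev, baselines[u], irm_alerts)]}


if __name__ == "__main__":
    for user, (prio, score, reasons) in triage().items():
        print(f"{user}: {prio} (score {score})")
        for reason in reasons:
            print("   -", reason)
```

Run as-is, Dr. Lee scores high on all five signals while the control user j.park scores zero. The design point to take from it is the weighting: the content-level IRM alert carries the most weight, but on its own it is just a blocked email; it becomes a high-priority case only because the behavioural baseline and the badge context agree with it. Whatever product you use, expect to tune the thresholds per role (a data engineer’s median day is not a bench scientist’s) and to feed the PACS and HR sources in yourself, as the article notes they are not ingested by default.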
When it comes to using this practically, however, there are some limitations that you’ll need to keep in mind:
QMS/LIMS logs: These systems store formulas, protocols, and test data. Purview and Sentinel don’t automatically ingest them — you’ll need APIs, Syslog, or custom connectors to detect anomalies in your crown-jewel IP.
Physical security systems: Badge access logs (e.g., Gallagher Command Centre) are not ingested by default. They can be brought into Sentinel via REST APIs or a custom connector and correlated with digital activity in analytics rules; note that UEBA’s built-in entity profiles are only built from the data sources Microsoft supports, so custom sources such as badge logs are correlated alongside UEBA output rather than inside it.
Policy alignment: Insider Risk Management policies must coordinate IT, compliance, and R&D to cover all sensitive assets effectively.
Let’s talk dollars — because even the best plan is irrelevant if it’s financially out of reach.
Access via E5: Your Hidden Advantage
If you already have Microsoft 365 E5, many Purview insider risk features — IRM, sensitivity labeling, and analytics — are already included. You don’t need to pay more; you just need to turn them on and configure them thoughtfully.
Sentinel Pricing Model
Sentinel charges per GB of data ingested, plus extra for long-term retention.
The new Sentinel Data Lake GA reduces the cost of historic logs (1–2 years).
High-volume sources like IoT devices or lab instrument logs can push ingestion costs up, so start with high-value systems first.
Implementation & Ongoing Management Costs
Consulting to deploy, tune, and integrate Sentinel + Purview usually starts around USD ~$25,000 for modest scopes. Costs typically cover:
Policy workshops — which trade secrets need which protections
Connecting QMS/LIMS/instrument logs via custom middleware
You’ll also need a security analyst or compliance lead (or a good consultant) to monitor alerts, triage cases, and evolve the models.
So what does this mean for you? The cost of doing nothing is far higher: lost investor confidence, competitive leakage, and compromised commercialization. Even a single IP breach that trims your valuation by 5% in a funding round could outweigh all of these tool and service costs combined.
Putting It All Together: 6 Steps to Roll Out an Insider Risk Program
Here’s a practical roadmap you can follow:
1. Audit Your E5 Entitlements: Check which Purview insider risk features you already have. Chances are, you own more than you think, just waiting to be switched on.
2. Pick Your Initial Policy Domain: Keep it simple. Start with protecting R&D documents, blocking external sharing of “Confidential” files, and monitoring abnormal downloads.
3. Connect Critical Systems Gradually: Ingest data from SharePoint, Teams, QMS/LIMS, and instrument logs. Use the Insider Risk Indicators import path where possible. Start with your crown-jewel systems; you can expand later.
4. Enable UEBA in Sentinel: Turn on UEBA and let it build behavioral baselines over 30–90 days. This is where the tool learns what “normal” looks like for your team.
5. Tune, Triage, Repeat: Review alerts, adjust thresholds, suppress noise, and track metrics like alert volume, conversion rates, and response times. Insider risk management is iterative, not a set-and-forget exercise.
6. Embed Process, Training & Governance: Align IT, HR, legal, and management. Implement offboarding, access reviews, insider threat training, and domain-specific workflows. Tools alone aren’t enough; people and processes make the difference.
Call to Action: Pick a Small Use Case & Make It Real
Insider threats aren’t theoretical — they directly put your trade secrets, research, and commercialisation efforts at risk. Your Microsoft 365 E5 licence already gives you powerful tools, but only if deployed strategically within a formal insider risk program.
Start small: pick a critical system or high-value dataset, configure your policies, turn on UEBA, and watch how the alerts and patterns help you detect anomalous activity early. Over time, scale your coverage. Don’t let leaks or fraud cripple your business.
Small-medium businesses (SMBs) in innovative sectors face unique risk management challenges—IP theft, insider threats, and foreign interference aren’t just “big company problems.”
Implementing three SMB risk management frameworks—SMB1001 (Gold/Platinum), AS 8001:2021, and ASIO’s Secure Innovation guidance—gives you a best-practice program without reinventing the wheel.
For SMBs, this approach isn’t just smart risk management—it boosts investment appeal, protects your supply chain, and helps you scale with confidence.
If you’re a founder or executive at a knowledge-intensive SMB—think biotech, medtech, software, deeptech or advanced manufacturing—then I’ve got news for you: your biggest threat might not be a cyber breach. It might be someone inside your business walking out with your IP and handing it to a foreign competitor.
Yeah. Grim.
The worst part? Most SMBs don’t even realise they’re a target—until it’s too late.
In my last post, I argued for collapsing insider threat, fraud, and integrity risk programs into one integrated workforce risk model. Today, I’ll show you how to go even further—by adding cybersecurity and innovation security to the mix using three standards already built for SMBs.
Spoiler alert: you don’t need a bespoke program or a 100-page strategy deck. Just plug and play with SMB1001, AS 8001, and ASIO’s Secure Innovation guidance.
Why You Need a Whole-of-Business Risk Lens
Innovative SMBs are juicy targets.
You’ve got valuable research data, intellectual property, and commercialisation plans. You’re agile, fast-growing, and often working with overseas partners. That’s a goldmine for corporate spies, fraudsters, and even state-backed actors.
Don’t believe me? Ask the Australian startups quietly briefed by ASIO on foreign interference. Or look at the biotech company that lost its trade secrets in what started as a “friendly” joint venture.
Here’s the “triple threat” that innovation-driven SMBs face:
Cyber Security breaches that expose your R&D and IP.
Insider Threats from employees, researchers, or suppliers with too much access.
Fraud and Integrity failures that destroy trust, attract regulators, and scare off investors.
Three Standards. One Smart Strategy.
You can cover all these risks by combining three existing frameworks. Here’s how they work together:
1. SMB1001 (Gold or Platinum) – Your Cyber Backbone
Designed specifically for SMBs, SMB1001 provides cyber maturity models from Bronze to Diamond. For high-growth and innovation-focused businesses, Gold and Platinum are the sweet spot.
Gold gives you:
Cybersecurity policies for staff and contractors
Acceptable use rules (no, your intern shouldn’t be crypto mining on the R&D server)
Background checks, access reviews, incident response plans, cyber awareness training
Platinum adds:
External audits
Continuous monitoring and automated alerts
Integration with HR and procurement
Real-world testing like penetration and social engineering simulations
These controls are critical—but they don’t explicitly cover fraud, integrity, or culture.
SMB1001 produced by Dynamic Standards International
Which brings us to…
2. AS 8001:2021 – The Fraud, Corruption & Insider Threat Muscle
This standard fills the governance and integrity gap.
It requires:
A fraud and corruption control policy, code of conduct, and clear accountability
Whistleblower protections and reporting channels
Regular controls testing and board-level reporting
A leadership culture that promotes ethical behaviour
But protecting IP, innovation, and research requires one more layer…
3. ASIO’s Secure Innovation Guidance – Your National Security Overlay
This free advisory framework from ASIO (yes, the spy agency) focuses on protecting Australian innovation.
It recommends:
Security risk assessments tailored to IP, R&D, and commercialisation
Vetting foreign collaborators, investors, and suppliers
Government engagement for threat intelligence and support
Building a “secure innovation” culture, driven by leadership
Most businesses never think to ask: Could this partnership be a risk? But in today’s landscape, that’s not paranoia—it’s smart due diligence.
You’re building the future. Don’t let it get stolen, leaked, or sabotaged by someone you missed on a risk register.
You don’t need to reinvent the wheel. You need structure, culture, and clarity.
When you combine SMB1001, AS 8001, and ASIO’s Secure Innovation guidance, you’re building more than a compliance program. You’re building resilience. You’re protecting growth.
And you’re doing it with a framework that scales as you do.
So don’t wait for the “oh crap” moment. Start building your secure workforce risk program now.
Your investors, your board, and your future self will thank you.
You can’t fix insider fraud or sabotage with firewalls alone—these are people problems, not just process problems, so you need to consider perpetrator motive in your control design.
Behavioural science and criminological theory offer practical ways to design smarter, cheaper, and more effective controls.
Mapping threat types to motivations is the secret sauce to stopping expensive mistakes—before they hit your bottom line.
Why this matters to your business
If you think trade secrets theft, sabotage, or internal fraud is something that happens to “other companies,” let me burst that bubble. These threats are not random—they’re often deeply personal. And they’re expensive. The Association of Certified Fraud Examiners (ACFE) estimates that internal fraud alone costs businesses 5% of annual revenue. For a $100M business, that’s a $5M hole—every year.
And that’s just the financial side. The reputational cost? The loss of trust with investors or research partners? The delay to your product launch because someone leaked your IP to a competitor? That stuff doesn’t show up on a balance sheet… until it does.
So how do we stop it?
Let’s talk motive (yes, like in crime dramas)
We often forget security and fraud actors have different motivations. Some actors are in it for profit. Others want revenge, power, or validation. If you treat all threats the same—say, by rolling out the same boring training module to every department—you’re wasting money and creating a false sense of security.
This first table helps you step back and align your controls to the actual psychology of your adversary.
How to use this: When assessing security risks, we often fail to ask “What is the likely motive?”. If your AI model is being stolen by an employee, that’s an insider threat, not a cyber-criminal problem. The control response (culture, access rights, change monitoring) needs to reflect that nuance.
Behavioural theory helps at every risk stage
Here’s the bit I wish someone had told me 10 years ago: criminological theories don’t just help you after something goes wrong; they help you design better systems from the start. I use these theories for risk identification, to design risk treatments, and to frame executive dialogue.
Table 2: How Behavioural Theory Supercharges Risk Management (Risk Stage: How Theories Help)
Risk Identification: Reveal root causes and hidden risk signals
Control Design: Tailor controls to motivations (not just compliance)
Risk Assessment: Improve likelihood and impact estimates
Monitoring & Review: Spot early warning signs and behavioural red flags
Training & Awareness: Shift from checkbox compliance to ethical behaviour reinforcement
How to use this: When you’re building your next fraud control or insider risk program, don’t start with a control library—start with questions. What kinds of pressures might lead someone to rationalise stealing research data? Where are the opportunities? Who might feel disengaged or unfairly treated? These insights help you focus resources where they’ll have the most impact—without overengineering.
Choosing the right theory for the job
Criminological theory might sound academic, but it’s just a lens—a way to make better sense of why risks materialise. I often get asked, “Which theory should I use?”. The answer is: it depends, which is helpful-unhelpful. Here’s a guide I use in consulting to help organisations focus their resources.
Table 3: Best-Fit Theories for Common Security Risks
How to use this: Say your business is about to enter a new research partnership with a university or foreign lab. You’re worried about losing your IP or trade secrets. Start by applying MICE Theory to understand potential risks on the other side: Are their staff well-paid? Are there ideological risks? How vulnerable is your business partner or their employees to coercion or bribery? Then combine that with Crime Opportunity Theory to assess access and controls.
You don’t need to become a criminologist—but bringing these concepts into boardroom discussions will make your risk strategies more intelligent and effective.
What you should do next
Reassess your threat profiles – If your risk registers don’t account for behavioural motivations, rewrite them.
Train your teams on motive-driven threats – Stop relying on bland compliance modules. Teach managers how to spot early red flags.
Map controls to theories, not hunches – Don’t throw money at controls that don’t match the motive. Use behavioural theory to guide investment.
Get smarter about culture – Your culture is your first control. Build fairness, transparency, and connection before a bad day turns into a $10M incident.
One final (uncomfortable) truth
You can’t patch human vulnerability like you patch software. Your best firewall is a culture that understands why people do the wrong thing—and a strategy that uses that insight to get ahead of the next crisis.
So, if you’re ready to move beyond checkbox security and build a behavioural-led risk strategy, let’s talk. I’ve got frameworks, models, and a whole lot of lessons learned the hard way.
In 2022, Australia’s 2018 Security of Critical Infrastructure Act (SOCI Act or SOCI) was amended to strengthen the security and resilience of critical infrastructure. The number of industry sectors and asset classes deemed critical was expanded to eleven, and new legislative obligations were introduced for all Responsible Entities under SOCI.
Responsible Entities for a critical infrastructure asset are the bodies with ultimate operational responsibility for an asset.
A CIRMP is a Critical Infrastructure Risk Management Plan, as set out in the CIRMP Rules.
SOCI is a large, complex piece of legislation comprising the Act plus 5 Legislative Instruments (Rules). The CIRMP Rules, which became law on 17 February 2023, also require compliance with one of 5 accepted information security frameworks (although further time has been granted for organisations to complete these cybersecurity uplifts). To comply, Responsible Entities have 6 months to develop a CIRMP (i.e., by 18 August 2023).
In my opinion the focus of SOCI on uplifting national resilience is much needed in Australia and should be applauded, although it is noted that interpreting SOCI requires careful reading and research. Implementation is complicated by changes to legislation during the parliamentary processes which affects relevance of the guidance material.
The term ‘Critical Worker’ means an individual, where the following conditions are satisfied:
(a) the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies (i.e., the asset is subject to a CIRMP);
(b) the absence or compromise of the individual:
(i) would prevent the proper function of the asset; or
(ii) could cause significant damage to the asset; as assessed by the responsible entity for the asset;
(c) the individual has access to, or control and management of, a critical component of the asset
Meeting all elements of the above test is required to be deemed a ‘Critical Worker’. Note that Element (b) applies both an insider threat and business continuity lens to identify those who could prevent the asset’s operation or cause significant damage.
Whilst the legislation does not prescribe a method for this, the assessment of whether potential risk events could cause significant damage would ideally be made through a risk assessment based on residual risk ratings determined by the Responsible Entity.
What steps do I need to take to manage ‘Personnel Hazards’ under the Rules?
Identifying Critical Workers is only the start of the Personnel risk management process. Appropriate security measures and access controls must be implemented to ensure only Critical Workers who have passed the AusCheck (or comparable) processes gain access. Responsible Entities must also take reasonable steps to minimise or eliminate trusted insider risks (insider threats), including during the offboarding process.
Section 9 Personnel hazards
(1) For paragraph 30AH(1)(c) of the Act, for personnel hazards, a responsible entity must establish and maintain a process or system in the entity’s CIRMP:
(a) to identify the entity’s critical workers; and
(b) to permit a critical worker access to critical components of the CI asset only where the critical worker has been assessed to be suitable to have such access; and
(c) as far as it is reasonably practicable to do so—to minimise or eliminate the following material risks:
(i) arising from malicious or negligent employees or contractors; and
(ii) arising from the off-boarding process for outgoing employees and contractors.
Conceptually, getting your head around the idea that some positions in an organisation pose higher risks than others can take time. Some months ago, I wrote this primer on understanding high risk roles which may assist.
The High Risk Role concept is only one element of what SOCI calls Personnel Hazards. Whilst not mentioned in SOCI, a Personnel Security Risk Assessment is a broader activity used by the UK’s National Protective Security Authority (NPSA) which provides the level of traceability and scrutiny needed to identify, assess and mitigate Personnel Hazards.
Employers of Critical Workers need to confront the fact that some employees or contractors (or those of their suppliers) may not pass the AusCheck process. Three options are likely for each individual:
Employees (or employees of a critical supplier) who meet the ‘critical worker’ test voluntarily submit to the AusCheck process, with no impacts to employee engagement or employment contracts
Employees (or employees of a critical supplier) with existing employment contracts object to participating in AusCheck along the grounds of ‘conscientious objections’ or the suspicion they may fail
Employees (or employees of a critical supplier) fail the AusCheck process
Conceivably, managing the legal, financial and workplace relations implications of people who object to, or fail, the AusCheck process could be onerous, especially for industries which have not historically employed rigorous workforce screening.
Real dilemmas are likely to be encountered by smaller Responsible Entities whose operations are not big enough to separate their critical and non-critical operations. This may mean those employers cannot move employees who fail or object to AusCheck into non-critical worker roles, as there may not be any available. One thing is clear: employers need to be proactive and focus on what this could mean for their workforce as early as possible. Every new employment contract issued before August that does not adequately address this issue may need future remediation.
Department of Home Affairs (2023). Critical Infrastructure in Legislative Information and Reforms, www.homeaffairs.gov.au
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
Insider Threats are often overlooked when it comes to your supply chain, but suppliers are a key source of trusted insider risks. These risks need to be identified and incorporated into procurement decisions and sourcing contracts, inclusive of contractual obligations by suppliers to conform to your requirements. This may well incur additional costs, making it important for buyers to work collaboratively with their suppliers to agree an approach that is workable for all parties. This may mean buyers need to change their processes to mitigate a risk rather than transferring the management of this risk to a supplier.
Workforce Screening is a foundational element that should be included in any supplier agreement, but its application needs to be targeted towards the buyer’s material risks. This article explores this challenge, provides suggestions on good practice, and discusses the role of supplier assurance in relation to Workforce Screening Programs.
We need to recognise that suppliers also pose trusted insider risks
Suppliers and Third Parties are a core part of the ecosystem for every business enterprise. By the nature of their roles and functions, many suppliers and other third parties have privileged access to their client’s (i.e. your organisation) information, systems and critical assets. Examples of trusted insider access by suppliers include:
Service providers with remote access to critical systems or networks, such as Programmable Logic Controllers (PLCs) or Operational Technology (OT) systems
Outsourced IT managed services
Managed data centres
Contract Manufacturers and Contract Research Organisations (CROs, CMOs)
Outsourced Clinical Trials Managers
Distribution Centres for order fulfilment
Repackaging and relabelling services
Recruitment, accounting, audit, consulting and law firms and insurance brokers
Corporate catering, cleaning services
Many more services can be added to this list: clearly, the breadth and scope of functions performed by suppliers today is nearly ubiquitous – this needs to be taken into account when identifying insider risks.
Existing practices often fail to properly assess supplier-insider risks
Supplier-insider risks need to be managed with a degree of foresight given that supplier contracts are often multi-year agreements with the potential for extensions. This means that failing to incorporate the necessary provisions upfront may create a vulnerability for multiple years or even a decade.
Understanding the insider risk posed by your supplier’s workforce begins with identification of your High Risk Roles – are any of those outsourced? This information informs your Personnel Security Risk Assessment which qualifies the inherent risk and determines whether internal control coverage is adequate for your risk appetite.
The gap between inherent and residual risk, where the risk actor is a member of your supplier’s workforce, is what you may need to address through the Supplier Agreement using tools such as a Workforce Screening Program. This process justifies which members of your supplier’s workforce need screening, to what extent, and why, based on their access to your organisation’s assets.
Suppliers should be contracted to implement your Workforce Screening program
Security and integrity are seen by many as business enablers, but many businesses still see them as a cost and management overhead. It is not uncommon to find suppliers with either no security or integrity program, or one that lacks the requisite level of capability maturity to manage the complex risks that may arise in their customers’ businesses.
It goes without saying that buyers need to provide guidance to their suppliers on their expectations, just like any other aspect of the sourcing process. Considerations on leading practices for supplier-insider risk management include:
Imposing contractual obligations to maintain a risk-based security and integrity program that conforms to your organisation’s standards and policies
Providing a copy of your current workforce screening standard and other continuous monitoring information to ensure your supplier knows exactly what they need to do to comply
As a buyer, performing continuous monitoring (insider threat detection) of your supplier’s interactions with your endpoints, network access and critical assets (including your most valuable information) – don’t rely on anyone else to do this
Incorporating requirements for a time-bounded escalation or notification mechanism obligating your suppliers to inform you of certain types of incidents within defined timeframes
Ensuring appropriate supplier assurance and supplier audit / investigations clauses are included in your contracts and don’t be afraid to use them
Workforce Screening should be incorporated into ongoing Supplier Assurance
Just because there is a contractual requirement to do something does not mean a counterparty will comply, or that they have the internal governance mechanisms to keep track of it. In some cases, counterparties start out with the best of intentions, but some years after contract signing business may get tough or management may change, and contract compliance could slip as a result. Supplier assurance (vendor assurance) programs are intended to regularly monitor or review key aspects of a supplier’s compliance with the contract.
Ensuring contract compliance with Workforce Screening and other Insider Risk obligations should form part of any supplier assurance program; however, this should be supplemented with insights from periodic updates to your Personnel Security Risk Assessment, Register of High Risk Roles, and revisions to your Workforce Screening Program Guideline (standard), to ensure supplier practices correspond to your inherent risks and risk appetite.
Standards Australia (2022). AS4811:2022 Workforce Screening, published 4 March 2022, www.standards.org.au
In 2017, Microsoft introduced its cloud-based Microsoft 365 solution, offering a range of personal and business applications to customers. Then, in April 2022, the Microsoft Purview platform was unveiled, combining functionality previously called Azure Purview with what was then Microsoft 365 Compliance, providing a host of new tools and functionality for corporate teams involved in protecting and managing sensitive data, including:
Microsoft Purview Insider Risk Management
Microsoft Purview Data Loss Prevention
Microsoft Purview Data Lifecycle and Records Management
Microsoft Purview eDiscovery
Various legal holds, auditing and compliance tools, and,
Microsoft Purview Information Protection
These solutions are Microsoft’s answer to a range of risk, compliance and security problems which commonly arise in businesses across many industries. They are designed largely to be implemented out of the box through configuration (as opposed to customisation); however, more advanced technical skills are required to set up features such as APIs, write PowerShell scripts, and undertake other technical tasks.
Microsoft (2022). Microsoft Purview – Solution Catalogue
Remember: technology is not the first or only step!
I’ve written numerous articles on the importance of protecting sensitive business information, Intellectual Property, and research on this blog, but irrespective of what you are protecting it all starts with a good Information Protection Program.
A well-designed Information Protection Program starts with a fit-for-purpose framework, supported by everything from policies (such as a Code of Conduct, employment and IT Acceptable Use policies) and confidential information naming conventions, to appropriate physical, cyber and personnel security programs, security culture and awareness training, and physical and ICT (virtual) monitoring and auditing.
Once your Information Protection Program is developed, Microsoft Purview Information Protection contains a range of tools to help implement and sustain that program over time. Like any software, Microsoft Purview Information Protection is not a substitute for a good Information Protection Program. Conversely, in today’s data and technology rich environment, Information Protection Programs are unlikely to be truly effective without tools like those offered by Microsoft.
Let’s cut to the chase: Microsoft Purview Information Protection is suitable to help manage a variety of information types, including:
Trade Secrets
Personally identifiable information (PII)
Confidential business information (pricing, customer lists, strategies, etc)
Research data (eg pre-patent, draft papers), and,
Government classified information
Whether Microsoft Purview Information Protection is suitable for managing your organisation’s information risk profile is subject to a few considerations, including:
Is your sensitive information stored outside of a Microsoft 365 environment?
Do your employees use offline systems, paper records, personal devices or endpoints which are not centrally managed or onboarded?
Do your suppliers create or replicate your sensitive information on their systems, out of reach of your management and control?
If you have answered yes to any of the above, you may only have partial protection from Microsoft Purview Information Protection without changes to the way your organisation operates.
What features does Microsoft Purview Information Protection offer?
In my opinion, Microsoft Purview offers a range of great tools out of the box which are suitable for many organisations, particularly those which generate and manage sensitive information within the Microsoft ecosystem. Primary data protection tools include:
Sensitivity labels – provide the tools to classify documents, files, emails and other datasets using your organisation’s information classification scheme (e.g. confidential, proprietary, commercial-in-confidence). This is one area where Microsoft Purview configuration needs to reflect the framework and policies set up in your Information Protection Program.
Sensitive information types – these are pattern-based classifiers used to find datasets containing defined data patterns, such as the format of a Medicare or Tax File Number, BSB and bank account number, etc. Microsoft Purview comes with a host of sensitive information types pre-defined out of the box, saving configuration time and effort.
Trainable classifiers – the ability to train in-built AI tools to identify and classify datasets based on their attributes. Like all AI tools, this requires a sufficient sample size to learn from, and works best for content not suited to manual (human) classification or automated pattern matching (keywords such as ‘confidential’, text strings such as credit card numbers, and file metadata).
Data classification – provides a host of tools for managers of an Information Protection Program to view and understand how the program is being implemented by users, where sensitive information resides in the organisation (e.g. by type, sensitivity label, etc.), and a host of other features. This can help inform identification of High Risk Roles and Personnel Security Risk Assessments, which in turn inform Workforce Screening Program design, as well as inform implementation of Information Protection Programs and control improvement plans.
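As an added illustration of the ‘sensitive information types’ item above (example code written for this article, not Microsoft’s implementation), the block below shows what a pattern-based classifier has to do beyond regular expressions: each format match is confirmed against the identifier’s published check digit before it is reported, so a random nine-digit order number is not flagged as a Tax File Number. The sample text, the type names and the confidence labels are constructed; only the TFN and Medicare check-digit weights are real.

```python
"""
Added example (not Microsoft's code): a minimal pattern-based classifier in the
spirit of Purview "sensitive information types". A regular expression alone
flags any plausible run of digits, so each candidate is confirmed against the
published check digit before it is reported. All sample data is constructed;
the numbers are synthetic but checksum-valid.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Published check-digit weights for Australian identifiers
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)    # weighted sum divisible by 11
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)   # weighted sum mod 10 == 9th digit


def is_valid_tfn(candidate: str) -> bool:
    """Tax File Number: 9 digits, weighted sum must be a multiple of 11."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def is_valid_medicare(candidate: str) -> bool:
    """Medicare card number: 10 digits, first digit 2-6, 9th digit is a check
    digit over the first 8; the 10th is the card issue number (not checked)."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 10 or digits[0] not in "23456":
        return False
    total = sum(int(d) * w for d, w in zip(digits[:8], MEDICARE_WEIGHTS))
    return total % 10 == int(digits[8])


@dataclass(frozen=True)
class Finding:
    info_type: str
    value: str
    confidence: str  # "high" if a check digit confirmed it, "medium" if format only


# info type -> (format pattern, optional validator). The names are our own labels.
PATTERNS: Dict[str, Tuple[re.Pattern, Optional[Callable[[str], bool]]]] = {
    "Australian TFN": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), is_valid_tfn),
    "Medicare number": (re.compile(r"\b[2-6]\d{3}[ -]?\d{5}[ -]?\d\b"), is_valid_medicare),
    # A BSB has no check digit, so format is all we can test: it never reaches "high".
    "BSB": (re.compile(r"(?<![\d-])\d{3}-\d{3}(?![\d-])"), None),
}


def classify_text(text: str) -> List[Finding]:
    """Return confirmed sensitive-information hits; a format match whose
    checksum fails is treated as a false positive and dropped."""
    findings: List[Finding] = []
    for name, (pattern, validator) in PATTERNS.items():
        for match in pattern.finditer(text):
            if validator is None:
                findings.append(Finding(name, match.group(), "medium"))
            elif validator(match.group()):
                findings.append(Finding(name, match.group(), "high"))
    return findings


# Constructed sample document; every identifier in it is synthetic.
SAMPLE = (
    "Payroll note: TFN 123 456 782 for J. Citizen, Medicare 2345 67898 1, "
    "pay to BSB 062-000 account 12345678. Ref 123456789 is an order number."
)

if __name__ == "__main__":
    for f in classify_text(SAMPLE):
        print(f"{f.info_type:16} {f.value:14} confidence={f.confidence}")
```

Running it reports the TFN and Medicare number at high confidence and the BSB at medium; the order number `123456789` matches the TFN format but fails the modulus-11 check, so it is never reported. That distinction between format-only and checksum-backed types is what keeps a DLP rule from flooding reviewers with false positives.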
I’m enthusiastic about the ability of Microsoft Purview to bring Information Protection, eDiscovery and Insider Risk Management capabilities to small and mid-sized organisations which otherwise might not be able to afford to implement and maintain different vendor solutions to achieve the same outcome.
Two questions I have are what the buyer profile is for E5 licensing in Australia (are these primarily large corporates, or can small to mid-sized organisations afford this as well?), and of the current E5 buyers, how many have actually turned this functionality on. I haven’t been able to find information on Microsoft’s market penetration in Australia, so answers to my questions will need to wait for another day! For organisations who are interested, Microsoft offers a 90-day free trial.
Perhaps most importantly, I strongly recommend you already have an Information Protection Program either operating or the framework development well underway before you procure or implement any technology solution. Pleasingly, so does Microsoft!
Not only will this inform your business requirements and business case, but it will ensure that the technology solution is implemented in a way that actually aligns with the way your organisation operates. There is nothing worse than when technology, rather than business need, dictates your operating model.
Operationalising your Information Protection Program
All too often, I see cases where organisations have purchased a software solution and expect it will address all their ills. Technology is an enabler that can enhance the effectiveness of an Information Protection Program, but it is not a substitute for implementing the program itself.
Like any technology solution, using Microsoft Purview requires regular attention and maintenance to ensure it does what was intended and is not impacting business users unnecessarily. Microsoft Purview will need periodic adjustment as your organisation changes, such as where new sensitive projects are set up that require new sensitivity labels, or in response to insider threat events.
Minimising problems for capabilities ‘in operation’ will require someone (or a team) who has an appreciation of both the Information Protection Program and Microsoft Purview, as well as change management to minimise adverse user outcomes.
Trusted Insiders – employees, contractors, suppliers and business partners – are the ideal threat vector given their legitimate access and inside knowledge, yet many businesses are immature in the way they manage these risks.
A 2007 CPNI survey found many organisations don’t employ a structured approach to personnel security, leading to the development of guidance material on Personnel Security Risk Assessments (PSRA) to change the status quo. My experience is this dial hasn’t really shifted in Australia since the survey was published. The PSRA forms the basis of a structured, risk-based approach to managing insider risk.
What is a Personnel Security Risk Assessment?
The PSRA enables business to focus its limited prevention, detection and response resources to those areas, and position numbers (roles), of highest risk. In high security organisations, this often translates to low risk staff not being exposed to intrusive background investigations and ongoing monitoring in comparison to staff in high risk roles.
The PSRA also informs the design of organisational vetting standards (i.e. what background checks are performed given the risk). This ensures employees are not subjected to intrusive checks, and the business does not incur expenses, for no real purpose.
Under the CPNI methodology, there are three types of PSRA:
Organisational PSRA – identifies enterprise level threats and risks, including the main risk types. Organisational PSRAs lack sufficient detail to identify business unit specific risks and corresponding internal controls.
Group PSRA – focused at the Business Unit level (or lower) or alternately specific functional groups (e.g. finance, engineering, ICT, senior executives).
Individual PSRA – focuses on the risk a specific individual poses, typically managed through vetting (employment screening / background investigations) and Continuous Monitoring / Continuous Evaluation (CM/CE).
The remainder of this article focuses on Organisational and Group PSRAs.
How do you complete a PSRA?
The PSRA follows the ISO31000 methodology, as follows:
Step 1 – Scoping
As with any risk assessment, scoping is probably the most important step, as poor scoping can inadvertently exclude material risks. When scoping, I ask questions such as:
What is the organisation’s strategy?
What are the critical assets (or core business activities) requiring protection?
What regulatory or ‘social licence to operate’ considerations are there?
What does the threat landscape look like (determined by the threat assessment)?
Understanding these factors allows the PSRA to be properly scoped.
Step 2 – Risk Identification
Risk Identification involves identifying sources of risk involving employees, contractors and other trusted insiders. Not every risk is applicable to every organisation, so there is an element of qualifying suggested risks whilst building the risk register.
Common categories of Personnel Security risk include:
Step 3 – Risk Analysis
Once risks are identified, analysis can begin. This involves determining the Consequence and Likelihood of each risk materialising (i.e. a ‘risk event’); combining the two gives a risk rating. It is customary to provide two risk ratings – inherent and residual – reflecting the rating without and with internal control coverage.
Adequate control coverage has the effect of reducing either the consequence or likelihood of a risk event occurring, whilst inadequate or ineffective control coverage has the opposite effect.
Step 4 – Risk Evaluation
Risk Evaluation involves determining whether the risk rating assigned to a given risk lies within the organisation’s risk tolerance (‘risk appetite’). This is a topic in itself which I will cover later, however for any risk treatment there are four options:
Accept the risk
Reject the risk (i.e. don’t do something)
Transfer the risk (e.g. to a supplier, insurer)
Treat the risk
Step 5 – Risk Treatment
Risk treatment requires evaluating the specific situation to determine how you can change a situation to reduce or modify the risk. Ways to treat personnel security risks include:
Implementing additional controls such as vetting, user activity monitoring or management oversight
Business process redesign to increase transparency or reduce the need for high level account privileges
Policy changes, including implementing and enforcing compliance via IT systems
Use of analytics for insider threat detection
Implementing and communicating internal reporting programs for staff who identify suspicious activity
Cultural change and security awareness training
Risk treatment plans should be incorporated into programs, frameworks, policies, systems or business processes to ensure they are implemented effectively.
Step 6 – Communication and Consultation
Communicating throughout any risk assessment process is critical, as is engaging with stakeholders including management and relevant business functions (e.g. HR, Legal, Security, Risk, etc.) when completing the risk assessment, evaluation and treatment process. Employee representatives are another critical stakeholder group, to ensure that employees’ privacy is respected.
Step 7 – Monitoring and Review
The last step in the PSRA process is to ensure the assessment is periodically updated, ideally through an annual or biannual refresh depending on the extent of change in your organisation. The longer personnel security risks go unrecognised, the greater the vulnerability.
Understanding the concept of High Risk Roles begins with the concept of assets. There are generally agreed to be two categories of asset – tangible (e.g. physical things) and intangible (e.g. knowledge). Examples of assets across both categories include property (facilities), information (including intellectual property and trade secrets), reputation, people (workforce), systems and infrastructure, and stock or merchandise.
Whilst loss, degradation or compromise of an asset may cause a financial loss or inconvenience, not all assets are critical to an organisation’s survival; those assets which are critical are often referred to as ‘critical assets’.
Definition: Critical Assets. A ‘Critical Asset’ is an asset on which the organisation has a high level of dependence; that is, without that critical asset the organisation may not be able to perform or function.
Paul Curwell (2022)
Critical assets typically comprise only a small fraction of all assets held by any organisation, but their loss causes a disproportionately high business impact. In security risk management, we never have enough resources to treat every risk, nor does it make sense to do so. By extension, an organisation’s critical assets are those assets on which it must spend disproportionately more resources to protect. This may range from restricting access to the asset to prevent loss or damage, through to providing multiple layers of redundancy and increasing organisational resilience in the event of unanticipated shocks or events.
High Risk Roles: What are they and why are they important?
High Risk Roles are those which confer privileged access to an organisation’s critical assets, as well as other types of access privileges, user privileges, or delegations of authority.
High and Low Risk Roles Defined
High Risk Roles – those which confer privileged access to Critical Assets (including information) or decision-making rights.
Low Risk Roles – those which confer normal (i.e. non-privileged) access to Critical Assets, information or decision-making rights.
Paul Curwell (2022)
The concept of privileged access to assets, including information, is very much situational within the organisation concerned. If an organisation has no controls to protect its critical assets from loss, damage or interference, then every role is effectively high risk.
In contrast, if some roles are subject to fewer controls or less supervision or oversight; if senior staff are easily able to bypass or compromise internal controls by virtue of their position (or coerce junior employees or subordinates into doing so); or if some roles are more readily able to access critical assets (such as in organisations where critical assets are closely guarded or ‘locked down’), then a higher degree of trust is inherently placed in those individuals. This degree of trust is reflected in their ‘privileged access’ to these assets – some organisations have historically used the term ‘positions of trust’ to refer to such roles.
What are some examples of privileged access which make a position ‘high risk’?
An organisation’s workforce must have access to its critical assets to perform its core functions. Members of the workforce with access to its critical assets may not just comprise trusted employees, but also contractors, suppliers and other third parties, making it essential to have a mechanism to track who has access to what as part of good governance, let alone risk management and assurance. Examples of positions which an employer may deem ‘high risk roles’ based on a risk assessment process include:
Positions with unchecked access to the organisation’s critical assets (i.e. the organisation’s ‘crown jewels’)
Positions conferring higher Delegations of Authority (e.g. financial delegations)
Roles conferring access to valuable stock, merchandise or assets (particularly those which are of high value and easily moved)
Roles conferring other privileged access or decision making rights
Unless defined by legislation, what constitutes a High Risk Role will differ between organisations. Some organisations use the Personnel Security Risk Assessment as a tool for identifying these roles (refer below).
As outlined in the preceding paragraphs, the purpose of defining High Risk Roles is to identify the subset of your overall workforce which has privileged access to critical assets. In most organisations, perhaps with the exception of smaller organisations such as startups, those in High Risk Roles will comprise a very small percentage of the overall workforce. There are five main steps in managing high risk roles, as follows:
1. Personnel Security Risk Assessment (PSRA)
The PSRA provides a structured approach to identifying those groups of roles, or even specific positions, in the organisation which may be defined as high risk. The PSRA helps inform the development of a number of risk treatments and internal controls, including the design of Employee Vetting and Supplier Vetting Standards (also known as Employment Screening, Workforce Screening, Employee Due Diligence, Supplier Due Diligence or Supplier Integrity standards) and Continuous Monitoring Programs.
This alignment helps ensure that vetting (background check) programs reconcile to the organisation’s inherent risks where the risk driver is a trusted insider with an adverse background, and that Continuous Monitoring Programs are risk-based and justifiable. The relationships between these high-level concepts are illustrated in the following figure:
See my article here for more detail on Personnel Security Risk Assessment process.
2. Identify your High Risk Roles
This involves an exercise to determine which position numbers (or groups / types of roles) have privileged access to your critical assets. This activity manually assigns a risk rating to each position, group or type of role in the company’s HR Position Control or HR Position Management register, extracted from the organisation’s Human Resources Information System (the same positions may also be represented somewhere such as Active Directory).
In some cases, the identification of High Risk Roles is undertaken as part of the Personnel Security Risk Assessment, whilst other organisations choose to do this as a discrete exercise.
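To make the PSRA risk-analysis step (inherent and residual ratings) and this identification step concrete, here is an added worked example of a small Group-level register; it is illustrative code written for this article, not the article’s own method or any vendor’s tooling. The 5x5 scales, the residual-score appetite threshold of 8, the ‘notches of likelihood reduction’ control model and the four sample positions are all assumptions. Note that it treats High Risk Role status as a property of the role’s access (privileged access or decision rights, per the definition above), separate from whether the residual rating is within appetite.

```python
"""
Added example (not from the article): a small Group-level PSRA register that
rates each role (inherent and residual) and derives a Register of High Risk
Roles from it. The 5x5 scales, the appetite threshold, the control model and
the sample positions are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed 5x5 scales; organisations define their own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3, "severe": 4, "catastrophic": 5}
RISK_APPETITE = 8  # assumed: residual scores above this still need treatment


@dataclass(frozen=True)
class Role:
    position_id: str
    title: str
    critical_asset_access: str   # "privileged", "normal" or "none"
    decision_rights: bool        # holds a delegation of authority
    consequence: str             # impact if the role were misused
    likelihood: str              # inherent likelihood, before controls
    control_effectiveness: int   # 0..3 notches of likelihood reduction (assumed model)


def is_high_risk_role(role: Role) -> bool:
    """Privileged access to critical assets or decision-making rights make a
    role high risk, independent of its risk score."""
    return role.critical_asset_access == "privileged" or role.decision_rights


def inherent_score(role: Role) -> int:
    return LIKELIHOOD[role.likelihood] * CONSEQUENCE[role.consequence]


def residual_score(role: Role) -> int:
    # Simplification: controls lower likelihood only; consequence is unchanged.
    reduced = max(1, LIKELIHOOD[role.likelihood] - role.control_effectiveness)
    return reduced * CONSEQUENCE[role.consequence]


def rating_band(score: int) -> str:
    """Map a score to a qualitative band (assumed cut-offs)."""
    if score >= 15:
        return "extreme"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def high_risk_roles(register: List[Role]) -> List[str]:
    """The Register of High Risk Roles derived from the PSRA register."""
    return sorted(r.position_id for r in register if is_high_risk_role(r))


def needs_treatment(register: List[Role]) -> List[str]:
    """Roles whose residual risk still exceeds appetite after control coverage."""
    return sorted(r.position_id for r in register if residual_score(r) > RISK_APPETITE)


def assess(register: List[Role]) -> List[Dict[str, object]]:
    """One assessment row per role: ratings, HRR flag and appetite check."""
    return [
        {
            "position": r.position_id,
            "title": r.title,
            "high_risk_role": is_high_risk_role(r),
            "inherent": rating_band(inherent_score(r)),
            "residual": rating_band(residual_score(r)),
            "within_appetite": residual_score(r) <= RISK_APPETITE,
        }
        for r in register
    ]


# Constructed sample register; position numbers and titles are invented.
REGISTER = [
    Role("P001", "Database administrator", "privileged", False, "severe", "possible", 1),
    Role("P002", "Finance manager", "normal", True, "major", "possible", 0),
    Role("P003", "Receptionist", "none", False, "minor", "unlikely", 0),
    Role("P004", "Outsourced OT engineer (supplier)", "privileged", False, "catastrophic", "likely", 1),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
    print("High Risk Roles:", high_risk_roles(REGISTER))
    print("Residual risk above appetite:", needs_treatment(REGISTER))
```

With these inputs the database administrator is a High Risk Role whose residual rating sits within appetite once its control is counted, while the finance manager (decision rights, no compensating control) and the supplier’s OT engineer both remain above appetite and go to risk treatment. The supplier entry is the point of the earlier supply-chain article: an outsourced role belongs in the same register as employees.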
3. Apply enhanced vetting to individuals occupying High Risk Roles
Many organisations run multiple levels of workforce screening (employment screening) for prospective and ongoing employees. Importantly, vetting looks at the employees’ overall background but does not consider their activity, behaviours or conduct within the organisation or on its networks (this is the role of Continuous Monitoring, below).
To manage cost and minimise unnecessary privacy intrusions, low risk roles will typically be subject to minimal screening processes – perhaps Identity Verification, Right to Work Entitlement (e.g. Working Visa or Citizenship), and Criminal Record Check. Vetting programs for High Risk Roles should be treatments for some of the risks identified through the Personnel Security Risk Assessment.
4. Conduct periodic ICT User Access Reviews
This should be undertaken on an ongoing basis as part of your cybersecurity hygiene, but users who have higher access privileges, administrator access, or access to critical assets should be periodically re-evaluated by line management to ensure this access is still required in the course of their work. It is common to find people who are promoted or move laterally to new roles and inherit access privileges from previous roles which may no longer be required.
Restricting Administrative Privileges is one of Australia’s Essential 8 Strategies to Mitigate Cyber Security Incidents, as published by the Australian Cyber Security Centre, which recommends revalidation at least every 12 months and that privileged user account access is automatically suspended after 45 days of inactivity.
Australian Cyber Security Centre (2022)
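Added example, not the ACSC’s or the article’s code: a privileged-account review that applies the two Essential Eight thresholds quoted above (revalidation at least every 12 months, suspension after 45 days of inactivity) to a constructed account extract, and also flags privileges that were approved for a position the user no longer holds, which is the inherited-access problem described in this step. The usernames, position ids and dates are invented, and the assumption that each privilege record carries the position it was approved against is ours.

```python
"""
Added example (not the ACSC's or the article's code): a privileged-account
review over a constructed account extract. It applies the two thresholds
quoted from the Essential Eight (revalidate at least every 12 months; suspend
after 45 days of inactivity) and flags privileges inherited from a previous
position. All records and dates are invented.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REVALIDATE_AFTER = timedelta(days=365)  # Essential Eight: revalidate at least every 12 months
SUSPEND_AFTER = timedelta(days=45)      # Essential Eight: suspend after 45 days of inactivity


@dataclass(frozen=True)
class PrivilegedAccount:
    username: str
    current_position: str           # position id from the HR position register
    approved_for_position: str      # position the privilege was approved against
    last_validated: Optional[date]  # None: never reviewed by line management
    last_logon: Optional[date]      # None: never used


def review_privileged_accounts(
    accounts: List[PrivilegedAccount], today: date
) -> Dict[str, List[str]]:
    """Return, per follow-up action, the sorted usernames that need it."""
    revalidate: List[str] = []
    suspend: List[str] = []
    inherited: List[str] = []
    for acct in accounts:
        # Privilege approved for a different position than the one now held:
        # the classic case of access inherited after a move or promotion.
        if acct.current_position != acct.approved_for_position:
            inherited.append(acct.username)
        # Never validated, or validated more than 12 months ago.
        if acct.last_validated is None or today - acct.last_validated > REVALIDATE_AFTER:
            revalidate.append(acct.username)
        # Never used, or idle for more than 45 days.
        if acct.last_logon is None or today - acct.last_logon > SUSPEND_AFTER:
            suspend.append(acct.username)
    return {
        "revalidate": sorted(revalidate),
        "suspend": sorted(suspend),
        "inherited": sorted(inherited),
    }


# Constructed extract; usernames, positions and dates are invented.
REVIEW_DATE = date(2024, 6, 30)
ACCOUNTS = [
    PrivilegedAccount("alice.adm", "P001", "P001", date(2024, 1, 15), date(2024, 6, 28)),
    PrivilegedAccount("bob.adm", "P007", "P003", date(2023, 3, 1), date(2024, 6, 20)),
    PrivilegedAccount("carol.adm", "P010", "P010", date(2024, 5, 1), date(2024, 4, 1)),
    PrivilegedAccount("svc_backup", "P000", "P000", None, date(2024, 6, 29)),
]

if __name__ == "__main__":
    for action, users in review_privileged_accounts(ACCOUNTS, REVIEW_DATE).items():
        print(f"{action:10}: {', '.join(users) or '-'}")
```

In the sample, `bob.adm` is flagged twice (privilege approved for a previous position, and not revalidated in over a year), `carol.adm` has been idle for about 90 days and is a suspension candidate, and the `svc_backup` service account has never been validated at all. In practice the extract would come from the directory and the position register rather than an inline list, but the review logic is the same.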
5. Apply continuous monitoring for users in high risk roles
Continuous Monitoring through the correlation of data points obtained through User Activity Monitoring and / or other advanced analytics or behavioural analytics-based insider risk detection solutions (such as DTEX Intercept, Microsoft Insider Risk or Exabeam) should be disproportionately focused towards those in High Risk Roles (see Albrethsen, 2017).
In summary, the identification and management of High Risk Roles should be a feature of any Insider Risk Management, Supply Chain Risk Management, or Research Security Program. Increasingly, various legislative frameworks – such as Anti-Money Laundering / Counter-Terrorist Financing (AML/CTF) regime – also consider the concept of High Risk Roles in their compliance programs as a way to manage personnel related risks. Don’t forget, given that High Risk Roles change periodically as the organisation changes, regular updates to related artefacts form part of a mature capability.
Spooner, D., Silowash, G., Costa, D., Albrethsen, M. (2018). Navigating the Insider Threat Tool Landscape: Low cost technical solutions to jump-start an Insider Threat Program, June 2018, Software Engineering Institute, Carnegie Mellon University, https://resources.sei.cmu.edu/
What is the critical-path in relation to insider risks?
The ‘critical-path method’ (critical path approach) is a decision science method developed in the 1960s for process management (Levy, Thompson, Wiest, 1963). In 2015, Shaw and Sellers applied this method to historical trusted insider cases and identified a pattern of behaviours which ‘troubled employees’ typically traverse before materialising as a malicious insider risk within their organisation.
This research paper was written after a period of heightened malicious insider activity in the USA, including the cases of Edward Snowden, Bradley (Chelsea) Manning, Robert Hanssen and Nidal Hasan. Shaw and Sellers’ research identified four key steps down the ‘critical-path’ to becoming an insider threat, as follows:
Personal Predispositions: Hostile insider acts were found to be perpetrated by people with a range of specific predispositions.
Personal, Professional and Financial Stressors: Individuals with these predispositions become more ‘at risk’ when they also experience life stressors, which can push them further along the critical path.
Presence of ‘concerning behaviours’: Individuals may then exhibit problematic behaviours, such as violating internal policies or laws, or workplace misconduct.
Problematic ‘organisational’ (employer) responses to those concerning behaviours: When the preceding events are not adequately addressed by the employer (whether a direct manager fails to act or the overall organisational response fails), concerning behaviours may progress to a hostile, destructive or malicious act.
Shaw and Sellers note that only a small percentage of employees will exhibit multiple risk factors at any given time, and that of this population, only a few will become malicious and engage in hostile or destructive acts. Shaw and Sellers also found a correlation between when an insider risk event actually transpires and periods of intense stress in that perpetrator’s life.
The ability to identify these risk factors early means managers may be able to help affected employees before they cross a red line and commit a hostile or destructive act from which there is no coming back – but only if a level of organisational trust exists and if co-workers / employees are aware of the signs. The research by Shaw and Sellers is summarised in the following figure, which has been overlaid against the typical ‘employee lifecycle’ for context:
The ‘critical path’ in relation to the employee lifecycle (Paul Curwell, 2020)
Shaw and Sellers found the likelihood of someone becoming an insider risk increases with the accumulation of individual risk factors, making early identification a priority which should help inform decisions by people managers within an organisation.
The critical path should help inform people-management decisions
Over the past decade, the focus on emotional and mental health and well-being has grown in western society (as highlighted by COVID-19). On the supply side, tight labour markets have focussed the attention of managers on maintaining employee engagement and retention. Society’s increasing openness to discussing mental health issues, including stress and anxiety, is helping provide a mechanism for earlier awareness of behavioural conditions which could trigger an employee or contractor to progress down the critical path and become a malicious insider.
Consequently, there are now various supports and interventions in the workplace and in society to help employees with personal predispositions who are experiencing life stressors. Examples of workplace assistance programs include:
Employee Assistance Programs – providing access to workplace psychological and counselling services
Financial counselling – for individuals who are over-extended in terms of credit or are struggling financially (this may include support restructuring personal debt to avoid bankruptcy)
Addiction-focused peer support and counselling – such as Gamblers Anonymous or Narcotics Anonymous
I’m sure that for some people, the increasing acceptance and willingness of society to be open to listening to colleagues who may be struggling helps to relieve the pressure somewhat, whereas historically these individuals may have been forced to suffer in silence.
The importance of these programs is that employees feel they are adequately supported, and that they are confident that if they self-report an issue they will not be vilified, disadvantaged long term, or even fired for doing so. This concept is referred to by the CDSE as ‘organisational trust’, which is a two-way street: employers and managers must be able to trust their workforce, but workers must also be able to trust that management and the organisation will do the right thing by them.
The role of continuous monitoring (insider risk detection) systems and the critical path
Preceding paragraphs discussed the three main steps in the critical path, being personal predispositions, life stressors and concerning behaviours. Some of these may be visible to colleagues, such as an employee who is visibly angry. However, other indicators, such as accessing sensitive information, office access at odd hours, or declining performance and engagement, may not be visible on the surface as ‘signs’ to co-workers.
Continuous monitoring and evaluation tools, otherwise known as Insider Risk (Threat) Detection or Workforce Intelligence systems, are advanced analytics-based solutions which integrate a variety of virtual (ICT), physical (e.g. access control badge data, shift rosters, employee performance reporting) and contextual information (e.g. the employee is in a high risk role, or the information accessed is sensitive and not required in the ordinary course of duty) in one central location.
Behavioural Analytics is typically marketed as a core component of software solutions on the market, although the way in which the behavioural analytics actually works may be a ‘black box’ with some vendors. These analytics tools are typically programmed to identify one or more indicators on the critical path, and generate ‘alerts’ or automated system notifications in response to an individual displaying the programmed indicators.
Most systems use some sort of identity masking, at least in the early stages of alert review and disposition, so that employees cannot be unnecessarily targeted or vilified – at least until there is sufficient material evidence of a problem to initiate an investigation under the employer’s workplace policies.
Continuous monitoring systems require configuring for your organisation’s context
Importantly, as with any analytics-based intelligence or detection system, the system itself is only as good as what it is programmed to detect. Shaw and Sellers (2015) have this to say in relation to the blanket application of the Critical-Path Approach to every type of insider threat:
We do not suggest that this framework is a substitute for more specific risk evaluation methods, such as scales used for assessing violence risk, IP theft risk, or other specific insider activities. We suggest that the critical-path approach be used to detect the presence of general risk and the more specific scales be used to assess specific risk scenarios.
Shaw and Sellers (2015), Application of the Critical-Path Method to Evaluate Insider Risks
This highlights the importance of ensuring your system is properly tuned to your organisation’s inherent risks, and could require multiple detection models, each of which focuses on a specific risk (e.g. sabotage, workplace violence). Models or rules used by these systems must be tuned to the organisation’s specific threats and risks, and configured in a way that reflects the organisation’s unique operating context.
The ‘garbage in, garbage out’ principle applies here: if your organisation only uses simple out-of-the-box rules or detection models provided by the software vendor, it is unlikely these will detect the really critical risks to your business. Continuous monitoring and evaluation for insider risks is an area which is developing quite rapidly, and is influenced by the convergence of cybersecurity with protective security and integrity more generally. I will discuss these continuous monitoring and evaluation concepts in more detail in future posts.
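To make the preceding points concrete, here is an added illustration of the shape such a system takes: it combines ICT, physical and HR indicators tagged by critical-path stage, runs a separate model per risk type (as Shaw and Sellers recommend), weights contextual factors such as a high risk role, and pseudonymises the subject before an alert reaches a reviewer. This is example code written for this post, not ForewarnedBlog’s code and not any vendor’s product logic; the indicator names, weights, threshold, roles and events are all constructed assumptions, and a real deployment would tune them to the organisation’s own risks.

```python
"""Illustrative critical-path alerting over constructed events.

Added example only: indicator names, model weights, the alert threshold and
all sample data are assumptions made up for this sketch.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

# Critical-path stages used to tag indicators (Shaw and Sellers, 2015).
STRESSOR = "stressor"
CONCERNING_BEHAVIOUR = "concerning_behaviour"

# One model per risk type, each with the indicators it cares about and
# an illustrative weight (hypothetical values, not tuned).
MODELS = {
    "ip_theft": {"sensitive_access_outside_role": 3, "after_hours_badge": 1,
                 "bulk_download": 3},
    "sabotage": {"after_hours_badge": 2, "privileged_change_outside_window": 3,
                 "hr_grievance": 2},
}

# Contextual data: roles the organisation has designated as high risk (constructed).
HIGH_RISK_ROLES = {"engineer-admin"}
ALERT_THRESHOLD = 4


@dataclass(frozen=True)
class Event:
    user: str
    source: str      # "ict", "physical" or "hr": where the indicator came from
    indicator: str   # indicator name as produced by the feed
    stage: str       # critical-path stage the indicator maps to


def pseudonymise(user: str, key: bytes) -> str:
    """Identity masking for alert review: a keyed hash gives reviewers a stable
    token per subject without revealing the name until investigation is opened."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:12]


def score(events, roles, key, threshold=ALERT_THRESHOLD):
    """Aggregate indicators per user and per model.

    Accumulated risk factors raise the score (matching the finding that risk
    increases as factors accumulate); seeing both a stressor and a concerning
    behaviour adds a bonus; a high risk role scales the result.
    """
    by_user = defaultdict(set)
    stages = defaultdict(set)
    for e in events:
        by_user[e.user].add(e.indicator)
        stages[e.user].add(e.stage)

    alerts = []
    for user, indicators in by_user.items():
        for model, weights in MODELS.items():
            s = sum(w for ind, w in weights.items() if ind in indicators)
            if {STRESSOR, CONCERNING_BEHAVIOUR} <= stages[user]:
                s += 2  # further along the critical path than one stage alone
            if roles.get(user) in HIGH_RISK_ROLES:
                s = int(s * 1.5)  # contextual weighting for high risk roles
            if s >= threshold:
                alerts.append({
                    "subject": pseudonymise(user, key),  # masked, not the name
                    "model": model,
                    "score": s,
                    "indicators": sorted(indicators & set(weights)),
                })
    return alerts


def sample_events():
    """Constructed feed: one user with accumulated factors, one with a single one."""
    return [
        Event("alice", "physical", "after_hours_badge", CONCERNING_BEHAVIOUR),
        Event("alice", "ict", "sensitive_access_outside_role", CONCERNING_BEHAVIOUR),
        Event("alice", "hr", "hr_grievance", STRESSOR),
        Event("bob", "physical", "after_hours_badge", CONCERNING_BEHAVIOUR),
    ]


def run_demo(key: bytes = b"review-key-placeholder"):
    roles = {"alice": "engineer-admin", "bob": "analyst"}  # constructed context
    return score(sample_events(), roles, key)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In the constructed data, the single after-hours badge event for the second user never reaches the threshold under either model, while the first user, who shows a stressor and two concerning behaviours and sits in a high risk role, raises an alert under both the IP theft and sabotage models. Reviewers see only the keyed token; the mapping back to a person is held separately and released once the workplace policy threshold for an investigation is met.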
Further Reading
Centre for Development of Security Excellence [CDSE], (2022). Maximizing Organizational Trust, Defense Personnel and Security Research Center (PERSEREC), U.S. Government
Shaw, E. and Sellers, L. (2015). Application of the Critical-Path Method to Evaluate Insider Risks, Studies in Intelligence Vol 59, No. 2 (June 2015), pp. 1-8, accessible here.