The Risk of Applying Traditional Security “Risk” Models

By: Shawn M. Thompson, Esq.

Imagine spending millions of dollars on “securing” your company only to discover that an employee took your crown jewels to a competitor. The impacts are devastating: millions of dollars in R&D are lost, your reputation is tarnished, and your business goodwill suffers. This is, unfortunately, not an uncommon occurrence, and it happens despite the billions of dollars spent on traditional security. So why do these types of compromises continue to occur?

Misplaced Threat Focus and False Assumption

Traditional security focuses on external threats, yet many breaches succeed simply by exploiting basic security flaws (unpatched software, factory server password settings, etc.) and the social engineering of insiders. Moreover, a significant number of breaches are intentionally facilitated by trusted insiders themselves. Thus, focusing only on the outside hacker misses the mark because insiders, through poor security practices, negligence, or intentional misconduct, are the weak link in the cyber security chain. In addition, traditional security falsely assumes that insider threats cannot be prevented. As such, most controls and resources are dedicated to detecting network threats only, which loses sight of the real problem – insider threats. As a result, the cycle of compromises and breaches continues.

Solution #1 – Focus on Insider Threats

  • Over two-thirds of all security events are caused by insiders. Verizon DBIR (2017)
  • “Employees are the most cited culprits of security incidents.” PWC Global State of Information Security Survey (2016)
  • The great majority of intellectual property theft is committed by insiders. United States IP Comm. Report on Theft of American IP (2015)

Risk is Largely Misunderstood

Traditional security risk management views risk in several ill-defined ways. The first is that risk equals threat. The second is that risk equals vulnerability. A third position defines risk as threat plus vulnerability. The problem with all three is that they fail to properly combine the three essential components of risk – impact, threat, and vulnerability.

Solution #2 – Properly Define Risk

True risk is the likelihood that a given asset can be compromised by an identified threat via a current vulnerability. The asset is the key component of risk, since it is the particular asset whose compromise could have deleterious effects on your business. Stated another way, without a defined impact to an asset, there is no risk. Similarly, if there is no threat or vulnerability, there is also no risk to an asset. It is the combination of all three that defines and captures the true risk posed to an asset.

Traditional Assessments – Wrong Questions and Wrong Problem

Traditionally, security managers have relied on NIST, COBIT, and ISOO frameworks for measuring “risk.” These frameworks, however, only provide a way to assess network-centric organizational risk, not insider risk. They are vulnerability models and do little to inform an organization about specific asset risks. Thus, a security manager seeking to protect critical assets will be left with many unanswered questions.

Solution #3 – Apply an Asset-Focused Insider Risk Model

Effective security requires an effective security risk model that assesses and manages risk by focusing on insiders’ interaction with critical assets. Not all threats are equal, nor are all vulnerabilities and assets. Effective risk management therefore requires risk prioritization. First, assets must be properly identified and impacts determined. Second, specific threats and vulnerabilities related to each asset must be identified. Third, risks to each asset must be properly measured (Risk = Impact [Threat * Vulnerability]). Lastly, mitigation strategies are developed. Through this method, an organization can apply security measures in the most efficient and cost-effective manner, leading to an enhanced security risk posture.
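The identification, measurement and prioritization steps above, worked through on a small asset register as an added example (not the author's or ITMG's code). The 0-10 impact scale, the 0-1 threat and vulnerability scales, reading the bracket in the formula as multiplication, scoring an asset by its worst scenario, and every sample entry are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    asset: str
    impact: float         # business impact of compromise, 0-10 (assumed scale)
    threat: str
    threat_level: float   # likelihood the threat acts, 0-1 (assumed scale)
    vulnerability: str
    vuln_level: float     # likelihood the weakness is usable, 0-1 (assumed scale)

def risk(s):
    """Article's formula, bracket read as multiplication: Impact * (Threat * Vulnerability)."""
    return s.impact * (s.threat_level * s.vuln_level)

def threat_plus_vuln(s):
    """The 'threat plus vulnerability' definition the article rejects: no impact term."""
    return s.threat_level + s.vuln_level

def rank_assets(scenarios, score=risk):
    """Score each asset by its worst scenario and list assets highest first."""
    worst = {}
    for s in scenarios:
        if s.asset not in worst or score(s) > score(worst[s.asset]):
            worst[s.asset] = s
    ranked = sorted(worst.values(), key=score, reverse=True)
    return [(s.asset, round(score(s), 2)) for s in ranked]

# Constructed sample register; every name and number is illustrative.
REGISTER = [
    Scenario("R&D source repository", 10, "departing engineer", 0.6,
             "no monitoring of bulk downloads", 0.7),
    Scenario("R&D source repository", 10, "negligent contractor", 0.3,
             "shared service account", 0.5),
    Scenario("Cafeteria menu site", 1, "careless administrator", 0.8,
             "factory password never changed", 0.9),
    Scenario("Customer database", 8, "socially engineered employee", 0.5,
             "unpatched software (now patched)", 0.0),
]

if __name__ == "__main__":
    print("Impact * (Threat * Vulnerability):", rank_assets(REGISTER))
    print("Threat + Vulnerability:           ", rank_assets(REGISTER, threat_plus_vuln))
```

Under the additive threat-plus-vulnerability view the low-impact menu site ranks first, while the article's formula puts the R&D repository first and scores the patched customer database at zero because one of the three components is absent.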


Insider Threat Management Group, LLC | itmg.co | 410-874-3712 | shawn@itmg.co

This entry was posted on Saturday, August 12th, 2017 at 3:05 am.