One of the most difficult challenges any organization faces is balancing risks: that is, having to accept risks in order to compete against external threats and adversaries — who are seeking to gain an advantage over their competitors using various tools and strategies — while trying to reduce the risk of its own assets being compromised by potential “Insider Threats.” This challenge is particularly important for national security organizations, whose ability to find this balance can literally be the difference between life and death.
Insider Threat programs are only effective to the degree that they both reduce an organization’s risk of Insider Threat and enhance its performance and competitive advantage. As the information age gives way to the network age, competitions are increasingly being defined and decided by interconnected human and technical networks. Striking this balance may require moving from an Insider Threat mentality, which is focused on finding individual “bad actors,” to a paradigm of modeling and mitigating Insider Risk (MInR), which seeks to assign quantitative risks to a range of potential insider failure modes that can result in significant costs and damage to the organization. Accordingly, ARLIS has two immediate key objectives for its MInR efforts:
Objective 1: Shifting the Paradigm
ARLIS is seeking to help the USG move — culturally, technically, and operationally — beyond current “insider threat” models towards an “insider risk” paradigm. Insider threat frames the problem as one of categorization — someone is, or is not, a threat. This binary orientation tends to focus on the person as the source of threat and often ignores the wider context, implying that solutions are mainly about “neutralizing” threats. Further, this framing may limit those solutions, since they often depend upon leveraging the very people who are themselves potentially being categorized as “threats.”
In contrast, an insider risk paradigm:
- invites nuance in terms of assigning degrees of risk, and does not fall into categorical thinking;
- is inherently dynamic, since assigning risk necessarily requires taking past behavior, current contexts, and risk forecasts into account;
- focuses on managing — versus eliminating — risk, since risk of any kind will rarely ever go to zero;
- forces one to think about the interaction of individual and contextual variables in quantitative terms, since risk exists at many levels; and
- acknowledges the need to have people be part of the solution in helping to reduce risk of any kind.
ARLIS is currently running an insider risk speaker series (IRiSS) to support shifting the paradigm.
Objective 2: Flipping the Script
To reduce risk without compromising performance and organizational competitive advantage, ARLIS is developing the concept of “Insider TRUST,” a shorthand for building and maintaining Trustworthy, Resilient and Useful Systems and Teams. Insider TRUST is focused on preventative, rather than reactive, factors and measures that can help identify and address risks and future failure modes, long before concerning behaviors or damaging events occur. Insider TRUST could help inform better risk-mitigation strategies and decisions by understanding and modeling the factors that can enhance trustworthiness and cohesion among individuals, organizations, and systems.
Trusted insiders and supportive organizational cultures can increase organizational security and resilience; the challenge is to quantify the degree to which they mitigate different kinds of Insider Risk.