CYBER INSIDER RISK MITIGATION MATURITY MATRIX


By Chris Hurran, OBE, Senior Associate Fellow of the Institute for Security and Resilience Studies, UCL

Cyber security is increasingly recognised to be a people issue as much as a technical one. Boards now understand that their own employees may be the weak link in an organisation’s cyber defences. This article provides a self-assessment matrix to help organisations understand how effectively they are mitigating cyber insider risk and thus enable them to embark on a programme of improvement.

INTRODUCTION

Cyber Insiders – a Board Issue (Cyber Security Review, Summer 2014 edition) attracted considerable interest. For many readers the distinctions between cyber insiders who could be “witting or unwitting” and “malicious or non-malicious” were novel. Many had previously been unsighted on CPNI’s excellent insider threat research [2] and the evidence that indicated the existence of nine factors at organisational level that enable insider acts to take place. Most readers accepted that the proposed “10 Steps to Cyber Insider Protection” were a valuable approach to addressing the organisational level factors which enable insider acts to take place.