Article

Insider Cyber Risk Assessment (ICRA)

Cyber Risk Management | Financial, Executive and Professional Risks (FINEX)

January 10, 2020

An enterprise-wide assessment of your people-centric cyber risk profile, giving you the information and tools to reduce the likelihood, frequency and impact of people-related security incidents.

Your employees play a key role in organisational cyber security. Our research (WTW 2017 Cyber Risk Survey Report [1]) shows that over two thirds of reported cyber incidents continue to be directly attributed to the actions of people or, in other words, to the insider threat.

Like many businesses, your focus and investment is likely to be directed at protecting your technical security environment. But given that this expenditure can be undermined if the actions and attitudes of your workforce are contributing to heightened cyber risk, it may be time to revisit your priorities.

Including an assessment of your insider threat, performed alongside and in conjunction with other traditional cyber risk management activities (Figure 1, below), is key to comprehensively understanding your cyber risk profile: knowledge of your strengths, weaknesses and areas in need of attention.

What is the Insider Cyber Risk Assessment (ICRA)?

The ICRA leverages traditional employee engagement methodologies to probe employees' awareness and understanding of cyber risk, their own attitudes and behaviours, and the emphasis that their organisation places (or does not place) on addressing cyber risk. By assessing which aspects of a company's workforce are working to increase or decrease the likelihood and frequency of a cyber incident, the ICRA gives your organisation a firm understanding of your insider threat. It also provides focused recommendations to assist in mitigating and managing the associated risks, and supports positive behavioural change across all levels of the organisation.

How does the Assessment work?

Every level of your organisation is assessed within FOUR key respondent groups (Figure 2, below). How the assessment is structured and delivered is entirely flexible depending on your precise business requirements: it can be run as a web-based survey via our Cyber Risk Profile Diagnostic (CRPD) platform or through in-person, consultant-led interviews and workshops. The ICRA is designed to assess your insider cyber threat in line with our custom framework, which focuses on analysing individuals' responses to questioning within six key categories. These outputs form the basis of our targeted recommendations and support the creation of a 'fit-for-purpose' people-centric cyber strategy and insider threat management programme.

In designing the delivery methodology, we have been careful to limit any operational impact on your business and your teams while maximising the value and impact of the assessment outputs.

The Benefits?

The ICRA delivers key actionable and measurable benefits.

Each of the benefits below gives your organisation a greater understanding of your insider cyber threat profile. Used together, they provide a powerful engine for identifying and managing insider cyber risk.

  • Identifies areas of people cyber risk. Key groups or functions representing your greatest cyber risk are identified, allowing for the objective allocation and prioritisation of security budget and the delivery of high-impact fixes.
  • Highlights high-risk cyber-security attitudes and behaviours across your organisation. The traits of your risk culture are mapped and assessed against our custom framework.
  • Prioritises cyber risk improvement recommendations by benchmarking your insider threat profile against companies that are consistently strong cyber-security performers, breached companies, and industry peers.
  • Allows stakeholders to quantify cyber risk in financial and monetary terms, aiding the selection of effective risk transfer options.
  • Develops a people-centric cyber strategy to support positive behavioural change.

Figure 1: Traditional Cyber Risk Management and Assessment Activities

Figure 2: The four key respondent groups
  1. Senior Leadership / C-Suite
  2. Function – Middle Management
  3. Information Security / Technology
  4. General Workforce

Footnote
  [1] WTW, "Decode Cyber Brief: Driving a cyber-savvy culture to combat cyber threats" (July 2017). https://www.willistowerswatson.com/en-GB/insights/2017/07/decode-cyber-brief-driving-a-cyber-savvy-culture-to-combat-cyber-threats
Author

Product Director - Cyber Risk Solutions