Critical Path for Internal Risk Mitigation [The Critical Path]
Learn how the Critical Path method identifies personal predispositions, stressors, and behavioral changes that increase insider risk — and how Kymatio’s approach mitigates these human-driven threats.

We are living in a time of rapid evolution in internal risk management and prevention, yet most cybersecurity incidents are still analyzed after they have occurred. We learn from mistakes and improve security measures post-event, but vulnerability and uncertainty remain, often appearing suddenly — like a tsunami.
Eric Shaw and Laura Sellers shed light on this challenge with their research, describing the application of the Critical Path method to assess internal risks. Shaw, a psychologist specializing in insider risk profiles, identified common variables and behavioral patterns — both individual and organizational — that repeat across cases.
The Critical Path model highlights four main elements:
- Personal predisposition
- Stress factors
- Changes in behavior
- Organizational inefficiency
1. Personal Predisposition
Characteristics that increase insider risk include:
- Medical or psychiatric conditions affecting decision-making or self-control.
- Personality or social skill issues hindering adaptation to norms.
- Recurring difficulty following protocols.
- Social environments of risk (e.g., ties to competitors).
- Unusual travel patterns.
- Substance abuse, anxiety, or depression.
- History of offenses (theft, fraud, substance abuse).
Example from Kymatio’s research: Highly agreeable individuals can be more susceptible to elicitation because they trust others and are eager to help, which can lead to oversharing sensitive information. Identifying such profiles and applying tailored action plans can significantly reduce risk.
2. Stressors
Three main categories:
- Personal – life changes, family issues.
- Professional – poor performance evaluations, low morale, conflicts.
- Economic – financial hardship, a major driver in many insider incidents.
Research links professional stress directly to espionage cases. A 2010 study found that 78% of insider cases involving leaks to foreign governments had work-related stress factors.
3. Changes in Behavior
Before an insider incident, problematic behaviors are often observed:
- Non-compliance with policies.
- Declining work performance.
- Communication issues.
- Unusual work hours or distancing from the team.
4. Inefficient Organizational Response
Perhaps the most critical factor: organizations often fail to detect and act on warning signs.
- Risk assessment processes must be in place and well-communicated.
- Peer reporting mechanisms should exist for unusual behavior.
- Follow-up must be supportive, not punitive, to encourage openness and cooperation.
An inadequate response, combined with personal predispositions and stress factors, can create the perfect environment for an incident.
Key Insight
While the full Critical Path sequence doesn’t occur in every case, the accumulation of these factors over time increases the likelihood of harmful acts. However, only a small proportion of employees manifest all risk factors — most manage information responsibly and are valuable assets.
The challenge is identifying, measuring, and mitigating the risks without alienating the workforce.
Kymatio’s Approach
Standard cybersecurity programs often overlook human-generated risks, focusing on symptoms rather than causes.
Kymatio:
- Provides visibility into risk types, distribution, and evolution over time.
- Delivers personalized mitigation plans to target resources efficiently.
- Acts on stressors to reduce insider risk and turn employees into human firewalls.
If you are interested in the full research by Eric Shaw and Laura Sellers on the Critical Path, you can access it here.