We are living in a moment of great evolution in the management and prevention of internal risk, but we still analyze most cybersecurity incidents only after they have occurred. We learn from mistakes and improve security measures after the event, but we know that vulnerability and uncertainty remain and can strike like a tsunami.
Eric Shaw and Laura Sellers shed light on this environment with their research, which describes the application of the Critical Path method to assess internal risks. Applying it to the field of cybersecurity, Shaw, a prestigious psychologist specializing in the analysis of internal risk profiles, determined that a series of common variables and patterns of behavior, both individual and organizational, are repeated throughout the cases analyzed.
In the “Critical Path” analysis, the indicators act as alarms on which it is essential to focus in order to avoid a possible attack. The model has four main elements: personal predisposition, stress factors, changes in behavior and organizational inefficiency.
Let’s get to know these four elements in depth:
a) Personal predisposition
Personal characteristics that predispose to increased risk are:
- Existence of a medical or psychiatric disorder that may affect decision making.
- Personal characteristics that denote difficulties in adaptation, such as a lack of social skills that can make it difficult to adapt to social or organizational norms. It must be assessed whether there is recurrent behaviour in terms of difficulty in following protocols.
- Assess whether there may be a social environment of risk: for example, that relationships with competitors have been established.
- Unusual trips, which may be significant indicators.
Within the personal predispositions, it is possible to add medical or psychiatric disorders that can make self-control difficult, problems perceiving reality, substance abuse, anxiety or depression, as well as personality or social skills problems, which can lead to situations of bullying, isolation, etc.
In many cases it has become clear that suffering from bullying during childhood and difficulties in integration are predictors of high risk.
Another factor is the commission of offences: recent studies show that 30% of internal risk cases involved people who already had some kind of history and could have been arrested for theft, fraud, substance abuse, etc.
Finally, one of the factors that function as a personal predictor is the social environment of risk. This is a delicate variable, as it occurs in a social context that can give rise to links with the competition. It is important to assess whether a person has contact with or belongs to a risk group before hiring, as this directly increases the risk for the organisation.
Risk groups can be very diverse and may or may not pose a threat to the organization depending on the core functions of the individuals.
Kymatio proposes an approach focused on personality traits and their biological basis. Our studies point to these traits as variables of great relevance to the impact of internal risk. For example, people with a high degree of cordiality can be easy targets for elicitation, as they tend to trust the people around them and, in their eagerness to help, may come to share sensitive information. With proper identification of your profile and a plan of action adapted to your needs, risk will be significantly reduced.