Critical Path for Internal Risk Mitigation [The Critical Path]


We are living in a period of rapid evolution in the management and prevention of internal (insider) risk, yet most cybersecurity incidents are still analyzed only after they have occurred. We learn from mistakes and improve security measures after the event, knowing that vulnerability and uncertainty remain and that the next incident can strike without warning, like a tsunami.

Eric Shaw and Laura Sellers shed light on this environment with their research describing the application of the Critical Path method to the assessment of internal risk. Shaw, a psychologist specializing in the analysis of internal risk profiles, found, by applying the method to cybersecurity cases, that a series of common variables and behavior patterns, both individual and organizational, recur across the cases analyzed.

In the Critical Path analysis the indicators act as alarms on which it is essential to focus in order to avoid a possible attack. The model has four main elements: personal predisposition, stressors, changes in behavior and inefficient organizational response.


Let’s get to know these four elements in depth:

a)  Personal predisposition

Personal characteristics that predispose to increased risk are:

      • The existence of a medical or psychiatric disorder that may affect decision making.
      • Personal characteristics that indicate difficulties in adaptation, such as a lack of social skills that makes it hard to conform to social or organizational norms. It must be assessed whether there is a recurrent pattern of difficulty in following protocols.
      • A risky social environment: for example, relationships established with competitors.
      • Unusual travel, which can be a significant indicator.

Among personal predispositions we can also include medical or psychiatric disorders that make self-control difficult, problems perceiving reality, substance abuse, anxiety or depression, as well as personality or social-skills problems that can lead to situations of bullying, isolation, etc.

In many cases it has become clear that having suffered bullying during childhood and having difficulties integrating are predictors of high risk.

Another factor is a prior record of offences: recent studies show that in 30% of internal risk cases the person already had some kind of history, such as arrests for theft, fraud or substance abuse.

Finally, one of the factors that works as a personal predictor is a risky social environment. This is a delicate variable, since it arises in a social context that can give rise to links with competitors. It is important to assess whether a person has contact with, or belongs to, a risk group before hiring, as this directly increases the risk to the organization.

Risk groups can be very diverse, and whether or not they pose a threat to the organization depends on the core functions of the individuals involved.

Kymatio proposes an approach focused on personality traits and their biological basis. Our studies point to these variables as highly relevant to the impact of internal risk. For example, people who score high on agreeableness (cordiality) are easy targets for elicitation: they tend to trust those around them and, in their eagerness to help, may end up sharing sensitive information. With proper identification of each person's profile and an action plan adapted to their needs, the risk is significantly reduced.

b)   Stressors

Stressors can be classified as:

  • Personal
  • Professional
  • Economic

Personal stressors cause changes that in turn demand effort and energy to adapt to. All of us are stressed from time to time, but research shows that the impact is greater on those whose personal predispositions make them vulnerable to stress, and who are therefore more likely to follow the steps of the critical path.

According to the studies there appears to be a direct connection between professional stressors and cases of espionage. In 2010, a study revealed that in 78% of insider cases in which information had been leaked to foreign governments, there were stressors behind it related to poor performance evaluations, a very poor working climate or interpersonal problems with members of their team.

Economic stressors are the main motivation behind the increase in internal risk cases. They create borderline situations in which the person loses sight of the consequences and opts for the more or less immediate gain. The literature contains numerous real cases associated with this factor.
c)   Changes in behavior

It has been shown that an internal risk incident is preceded by problematic behavior observed by team members, such as failure to comply with policies or procedures, or a drop in professional performance. Other at-risk behaviors include communication problems with peers, whether in person, online, on social media or elsewhere, as well as unusual changes in day-to-day routine, such as arrival and departure times, or distancing from team members.
d)    Inefficient organizational response

The last element, and perhaps the one with the most room for improvement, is the inefficiency of the response by organizations. There is still a long way to go in detecting the elements described above and planning the corresponding action. Paying particular attention to the predisposing variables helps greatly in the prevention of internal risk. It is essential to establish risk-evaluation processes of which employees are fully aware, and to involve the people who make up the organization.

It is also worth establishing mechanisms through which team members themselves can alert the organization to unusual behavior, since colleagues are often aware of the state of mind of the people at greatest risk. Once a possible problem has been detected, it is key that the person does not feel intimidated and that any interviews are conducted from a position of help and with the aim of improvement.

On this basis, an inadequate organizational response, added to personal predispositions and stressors, creates the perfect environment for an employee to become the focus of an incident. Although the sequence described by the Critical Path is not followed in 100% of cases, it is necessary to pay attention to the variables that can serve as predictors: the probability that members of the company take part in acts harmful to the organization increases as the factors mentioned accumulate, especially if they persist over time. That said, the number of employees who exhibit all of these factors is a very small proportion of the total number of people in the organization.
At Kymatio we share this vision, bearing in mind that people can be not only the agents that produce incidents but also, in the great majority of cases, valuable assets that manage information. People have vulnerabilities and are exposed to threats. The challenge therefore lies in identifying, measuring and mitigating the risks identified. It is essential to understand the interrelationships between all of these processes and their most critical and vulnerable points in order to act on the stressors that increase risk.

Among the most common characteristics that influence the critical path of internal risk are emotional vulnerability, low self-esteem, unmet needs, lack of identity, impulsiveness and difficulty adapting to change. These variables are common to risk in general. The truth is that standard cybersecurity programs often fail to address a significant part of the risk, particularly the part generated by employees. Current tools are mostly reactive and technology-centric, focusing on the symptoms and leaving aside the causes. It is important to understand that, even if a person gathers all the variables that can lead to a security incident, an organization with the necessary mitigation and response measures can ensure that the person does not take part in an incident and instead acts as a human firewall.

At Kymatio we provide the tools needed to deal with internal risks of human origin, providing visibility into the types of risk, their distribution and their evolution over time. We mitigate risk efficiently through personalized, targeted plans that help technology to be used where and how it is needed. Contact Kymatio to find out more. If you are interested in further details of the research by Eric Shaw and Laura Sellers on the Critical Path, you can access it here.