The insider threat in cybersecurity, perceived risk vs. real risk.

Figure: perceived risk vs. real risk (Kymatio).

Cybersecurity experts have been pointing out for some time that one of the main risks for companies, and probably the biggest threat to their security, is not external attackers or major system vulnerabilities but the employees themselves, the insiders. An insider is any person who, by the nature of their work, has access to systems, files and ultimately to information, whether it is confidential, restricted or outright secret.

Multiple studies point to careless employees, negligence and overload, in other words the accidental internal threat, as the most common cause of incidents. This is in line with the independent data published by the Ponemon Institute in April 2018, which attributes 64% of all insider threat incidents in the preceding 12 months to negligence.

Insiders are at the origin of most cybersecurity incidents (60% of cases involve an insider, according to IBM). According to Accenture data, 70% of companies report that their organization has experienced an internal incident of insider origin in the last 12 months.

A truly holistic approach to cybersecurity treats attention to the insider threat as a fundamental part of the whole. Two things are key here: improving prediction through better knowledge of the risk, and launching preventive actions and sustaining them over time. Both are essential to start reducing insider risk.

Without dismissing the value of organization-wide measures, the low effectiveness of generic awareness campaigns and other training or hardening actions shows the importance of specific, personalized actions for each employee, always bearing in mind that circumstances change from one moment to the next. What is needed is an approach that helps organizations identify, prioritize and execute plans according to each person's situation, as well as the risk and impact criteria associated with their position.

Perceived risk vs Real risk.

In his article “Perceived and actual risk“, Jon Danielsson, Director of the Systemic Risk Centre at the London School of Economics, shows that perceived risk (the risk predicted by the models) and real risk (the fundamental underlying risk) are negatively correlated. Two variables are negatively correlated when their relationship is opposite (or inverse): when one variable increases, the other decreases.

Once we accept that perceived risk does not adequately represent real risk, it becomes absolutely essential to adopt a proactive stance, and we are alerted to the underestimation of insider risk that is the prelude to the materialization of an internal incident. Going deeper into the “perceived vs. real risk” argument, Danielsson points out that risk forecasting models underestimate risk before a crisis and overestimate it afterwards, so as a corollary we can conclude that the models are systematically wrong.

What do we face by underestimating the insider risk?

The most valuable assets are exposed: data, infrastructure, operations and the results of R&D&I activity. Leaving aside the potential loss of confidence of investors, customers or employees, and the reputational damage, consider the reports on the cost of these incidents.

Studies by the Ponemon Institute put the average cost of a security breach caused by insiders at a not insignificant 5 million dollars. The SANS Institute, for its part, puts the cost of investigating and remediating each individual incident at approximately $400K.

Companies must show that they are diligent in preventing human risk. All available information shows that this risk is becoming increasingly critical, and yet few measures beyond general training are actually implemented.

How to deal with the insider threat?

Among the measures with the broadest consensus for addressing the insider problem is the creation of an internal threat department or, if the resources for one are not available, the virtual implementation of this function supported by existing departments.

Relying on a cybersecurity partner to create the insider threat program can be the beginning of the road towards a highly diligent position on prevention.

It is especially important to share with employees the goal of providing non-monetary (“emotional”) compensation, as a measure for achieving a peaceful working environment, and this should form part of the company's employer branding.

6 Recommendations for insider risk prevention

Given the above, some recommendations that should be part of the solution to the insider problem are:

Employee-facing measures:

  • Involve workers in the insider problem (cybersecurity posture).
  • Raise their awareness and make them an involved party in the measures to be adopted.
  • Know their needs and the actual situation of their position in order to launch active support measures.

Organizational measures:

  • Create a specific department or develop an internal threat program.
  • Seek support from specialized partners.
  • Work on significantly increasing the effectiveness of awareness and hardening plans, properly selecting the set of measures to apply to each person.

A decisive commitment to data-driven prevention is needed, supported by prediction and focused on supporting the employee, in order to obtain the required reduction in risk and advanced prevention of potential insider threats.
