This textbook analyses the origins and effects of insider risk, using multiple real-life case histories to illustrate the principles, and explains how to protect organisations against the risk.
Some of the most problematic risks confronting businesses and organisations of all types stem from the actions of insiders – individuals who betray trust by behaving in potentially harmful ways. Insiders cause material damage to their employers and society, and psychological harm to the colleagues and friends they betray. Even so, many organisations do not have a systematic understanding of the nature and origins of insider risk, and relatively few have a coherent and effective system of protective security measures to defend themselves against that risk. This book describes the environmental and psychological factors that predispose some individuals to become harmful insiders, and the most common pathways by which this happens. It considers how aspects of insider risk have been altered by shifts in society, including our increasing reliance on technology and changes in working patterns. The second half of the book sets out a practical systems-based approach to personnel security – the system of defensive measures used to protect against insider risk. It draws on the best available knowledge from industry and academic research, behavioural science, and practitioner experience to explain how to make personnel security effective at managing the risk while enabling the conduct of business.
This book will be essential reading for students of risk management, security, resilience, cyber security, behavioural science, HR, leadership, and business studies, and of great interest to security practitioners.
Introduction
PART ONE – UNDERSTANDING INSIDER RISK
1. What is insider risk?
2. Why does it matter?
3. Who are the insiders?
4. Why do they do it?
5. Trust, deception, and betrayal
PART TWO – PERSONNEL SECURITY
6. Personnel security principles
7. Pre-trust measures
8. In-trust measures
9. Foundations
10. Models and metrics
11. Barriers to success
Biography
Paul Martin, CBE, is Professor of Practice at Coventry University’s London-based Protective Security Lab, a Distinguished Fellow of the Royal United Services Institute for Defence and Security Studies (RUSI), an Honorary Principal Research Fellow at Imperial College London, a member of the UK Police Science Council, and an independent adviser to various UK government entities and private sector organisations. He has a PhD from the University of Cambridge and was a Harkness Fellow at Stanford University. He is a practitioner with more than 30 years of experience in the UK national security arena.
'Insider risk has become a big issue, particularly as we depend so much on digital networks. Paul Martin's clear, comprehensive and thoughtful book leads us through the subject with telling, real-world examples.'
Jonathan Evans, former Director General of MI5
'Few people understand the world of Insider Risk as well as Paul Martin. This deceptively simple book is rooted in serious professional expertise and his own academic study of behaviour and risk. It clearly explains the problem, and suggests effective approaches. There are home truths about lack of investment in personnel security at the expense of other types of risk, and, because this is about human behaviour, it encourages better understanding of what motivates people to become insiders. Each chapter ends with discussion points which enable deeper reflection and would be useful for any organisation to consider.'
Suzanne Raine, Visiting Professor, King’s College London, UK
'The book cleverly uses case studies as a way of reinforcing important points. The content is fully up to date and incorporates the most recent developments in this field. It challenges perception on insider motivations and the impact of different factors, and I found that some of its content has challenged my own thoughts on the matter. There are interesting insights into the psychology and personality traits behind insiders, and the author importantly provides potential solutions to the problem, as well as highlighting what the problem is itself. Trust and its relationship to Insider Risk makes interesting reading within the book. In Part 2, the author looks at potential solutions or mitigation responses to insider risk and the importance of adopting a systems approach. He also locates personnel security within a wider integrated approach to security, incorporating physical and cyber security. I particularly like the proactive approach he adopts when discussing how to address insider risk - 'Prevention is better than cure', rather than waiting for some form of insider activity to occur before responding to it. Importantly for Insider Risk practitioners, there is also a detailed chapter regarding detection and mitigation methods which can be applied, and models and metrics which can be used to assess insider risk. I found the book highly informative and extremely well researched. I would describe the author as a 'Simplifier', not a 'Complicator', as he has written the book in an easy to read and uncomplicated style, that makes it equally relevant for someone just coming into the field of Personnel Security and Insider Risk, as much as for the expert who has spent years working in this field of work.'
David BaMaung, Chair Special Interest Group Insider Risk, The Security Institute
'Insider Risk and Personnel Security by Paul Martin is excellent. It provides rigor and insights about the complexities involved in human nature, and will be useful as an antidote to war-story telling individuals who suggest that risk-related behavior and motivations fit neatly into well-bounded management tactics.'
Eric L. Lang, psychological, scientist and insider threat expert
'Paul Martin dives deep into ‘insider risk’, an often neglected area of security risk management, despite its prevalence as a critical key factor in many a case of espionage, cyber attack, fraud or thefts. At a time of rapid and unsettling changing, with war in Europe, ramping-up of geopolitical tensions, ever more sophisticated criminal acts and daily news of cyber attacks, I am sure we’ll keep seeing creative attempts to exploit human vulnerabilities at the heart of our organisations, systems and networks. [He/the author/Paul] neatly takes us on an ‘insiders’ journey, explaining who those people are (not just employees!), their behavioural traits and work/life contexts, what makes them tick, concepts of trust and betrayal, effective security responses, and everything you might trip over on the way. If ever there was a book that illustrates that security is a truly human challenge that needs more than technical solutions, this is it. The author brings a unique mix of academic rigour and practitioner realism to his writing, which is direct, clear and illustrated with frequent case studies. This book is an excellent source of insight and an easy, enjoyable read for leaders, practitioners, students and researchers alike. As a non-executive director on several boards, I recommend it to executive and non-executive Board colleagues. We need '‘insider risk'’ up there with cyber-risks in that reddest corner of the risk matrix!'
Fiona Strens, Professor of Practice, Security & Resilience, University of Strathclyde, UK
