
I’m pleased to report that my thought piece on insider risk indicator decay has been accepted for publication in the MIROR journal, published by West Point Press. Look for a link to the article here when it is published in MIROR’s Professional Commentary section in the upcoming Summer 2025 issue.
The article, titled "When an Insider Threat is No Longer an Insider Threat: A Look at Risk Decay," discusses the complexity and importance of identifying and managing insider threats. It explains that insider risk indicators have varying weights or values that help security analysts assess the likelihood of an employee becoming an insider threat. For example, signs of disgruntlement may indicate a higher potential for data theft or sabotage but not for phishing victimization. These risk values can be reduced through protective factors, such as organizational interventions to help troubled employees.

The concept of decay - such as an almost-ripe banana going black after a week out on the kitchen counter - is familiar to most people. Similarly, the impact of a potential risk indicator on a risk analyst's assessment can attenuate over time.
The article discusses the key concept of risk decay – the idea that the relevance or contribution of an insider risk indicator may diminish over time. The impact of a risk indicator may decrease due to the passage of time, or because of positive interventions by the organization. Different indicators have different decay rates: some, like technical authentication failures, decay quickly, while others, like abusive behavior, decay slowly.
The article also addresses the challenges of estimating decay rates, which can be labor-intensive. Organizations may be tempted to treat all indicators as static to avoid missing potential threats, but this approach can lead to false positives and alienate employees.
Research on the decay of risk indicators shows varying rates for different types of indicators. Personality traits tend to have low decay rates, while technical indicators have higher decay rates. However, exceptions exist, such as the introduction of malicious code, which has little decay.
In summary, the article emphasizes the importance of understanding and incorporating insider risk indicator decay in threat assessments to avoid costly mistakes and improve the accuracy of identifying insider threats. Further research is needed to refine decay parameters and explore factors that diminish the impact of risk indicators.
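To make the difference between static and decayed scoring concrete, here is an added example that is not taken from the article. It assumes an exponential half-life model, and the indicator names, weights, half-lives, mitigation factor and alert threshold are all constructed values chosen only to match the qualitative ordering described above.

```python
from dataclasses import dataclass
from datetime import date

# Constructed catalogue: (weight, half-life in days). Values are assumptions
# that only mirror the ordering above: fast, slow, and little or no decay.
CATALOGUE = {
    "auth_failure":     (2.0, 7.0),    # technical indicator, decays quickly
    "abusive_behavior": (5.0, 365.0),  # behavioral indicator, decays slowly
    "malicious_code":   (9.0, None),   # modeled here as not decaying at all
}
ALERT_THRESHOLD = 6.0  # constructed

@dataclass
class Observation:
    indicator: str
    seen: date
    mitigation: float = 0.0  # 0..1 share of weight removed by an intervention

def contribution(obs, today, decay=True):
    """Weight of one observation as of `today`."""
    weight, half_life = CATALOGUE[obs.indicator]
    age_days = (today - obs.seen).days
    if age_days < 0:
        raise ValueError("observation is dated in the future")
    weight *= 1.0 - obs.mitigation          # protective factor
    if decay and half_life is not None:
        weight *= 0.5 ** (age_days / half_life)  # assumed exponential decay
    return weight

def risk_score(observations, today, decay=True):
    return sum(contribution(o, today, decay) for o in observations)

def compare(observations, today):
    """Score the same history with and without decay."""
    static = risk_score(observations, today, decay=False)
    decayed = risk_score(observations, today, decay=True)
    return {"static": static, "decayed": decayed,
            "static_alert": static >= ALERT_THRESHOLD,
            "decayed_alert": decayed >= ALERT_THRESHOLD}

if __name__ == "__main__":
    today = date(2025, 6, 1)
    history = [  # constructed sample history for one employee
        Observation("auth_failure", date(2025, 5, 4)),
        Observation("auth_failure", date(2025, 5, 11)),
        Observation("abusive_behavior", date(2024, 6, 1), mitigation=0.5),
    ]
    print(compare(history, today))
```

With this history the static score crosses the threshold while the decayed score does not, which is the false-positive case the article warns about; a `malicious_code` observation keeps its full weight regardless of age.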