
Risks of Traditional Security “Risk” Models

Imagine “securing” your company only to discover an employee took your crown jewels to a competitor. Millions of dollars in R&D lost, your reputation tarnished, and business goodwill suffers. Unfortunately, this is not an uncommon occurrence and one that occurs despite the billions of dollars spent on traditional security.

So why do these types of compromises continue to occur?

Misplaced Threat Focus & False Assumption

Traditional security focuses on external threats, yet many breaches succeed simply by exploiting basic security lapses (unpatched software, factory-default server passwords, etc.) and by social engineering of insiders. Moreover, a significant number of breaches are intentionally facilitated by trusted insiders themselves. Focusing only on the outside hacker therefore misses the mark, because insiders, through poor security practices, negligence, or intentional misconduct, are the weak link in the cyber security chain. In addition, traditional security falsely assumes insider threats cannot be prevented. Most controls and resources are dedicated to detecting network threats only, which loses sight of the real problem – insider threats. As a result, the cycle of compromises and breaches continues.

Focus on Insider Threats

    • More than 2/3 of all security events are caused by insiders. Verizon DBIR (2016)
    • Employees are the most cited culprits of security incidents. PWC Global State of Information Security Survey (2015)
    • The great majority of intellectual property theft is committed by insiders. United States IP Comm. Report on Theft of American IP (2013)

Risk is Largely Misunderstood

Traditional security risk management views risk in several ill-defined ways. The first is that risk equals threat. The second is that risk equals vulnerability. A third position defines risk as threat plus vulnerability. The problem with all three is they fail to properly combine the three essential components of risk – impact, threat, and vulnerability.


Properly Define Risk

True risk is the likelihood that a given asset can be compromised by an identified threat via a current vulnerability. The asset is the key component of risk, since it is the particular asset whose compromise could have deleterious effects on your business. Stated another way, without a defined impact to an asset, there is no risk. Similarly, if there is no threat or no vulnerability, there is also no risk to the asset. It is the combination of all three that defines and captures the true risk posed to an asset.

Traditional Assessments – Wrong Questions & Wrong Problem

Traditionally, security managers have relied on NIST, COBIT, and ISO frameworks for measuring “risk.” However, these frameworks only provide a way to assess network-centric organizational risk, not insider risk. They are vulnerability models and do little to inform an organization about specific asset risks. Thus, a security manager seeking to protect critical assets will be left with many unanswered questions.

Apply an Asset-Focused Insider Risk Model

Effective security requires a security risk model that assesses and manages risk by focusing on insiders’ interaction with critical assets. Not all threats are equal, nor are all vulnerabilities and assets. Effective risk management requires risk prioritization. First, assets must be properly identified and impacts determined. Second, specific threats and vulnerabilities related to each asset must be identified. Third, risks to each asset must be properly measured (Risk = Impact × [Threat × Vulnerability]). Lastly, mitigation strategies are developed. Through this method, an organization can apply security measures in the most efficient and cost-effective manner, leading to an enhanced security risk posture.
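The scoring step of the model above, worked through as an added example (not the author's tool or a published Edwards artifact): each register entry pairs an asset with an insider threat scenario and is scored as Impact × (Threat × Vulnerability), and the same register is also ranked with the additive "threat plus vulnerability" model the text argues against, to show how that model mis-prioritizes an asset with no business impact. The assets, scenarios and 0–5 ratings are constructed sample values.

```python
"""Asset-focused insider risk scoring: Risk = Impact * (Threat * Vulnerability)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    asset: str           # the asset whose compromise would hurt the business
    scenario: str        # the insider threat scenario being assessed
    impact: int          # business impact if the asset is compromised, 0-5
    threat: int          # likelihood the insider threat materialises, 0-5
    vulnerability: int   # weakness of current controls around the asset, 0-5


def risk_score(item: RiskItem) -> int:
    """Multiplicative model: any zero term (no impact, no threat, or no
    vulnerability) yields zero risk, matching the definition in the text."""
    return item.impact * (item.threat * item.vulnerability)


def additive_score(item: RiskItem) -> int:
    """The 'risk = threat + vulnerability' view: ignores the asset's impact
    entirely, so a worthless asset can outrank the crown jewels."""
    return item.threat + item.vulnerability


def prioritize(register, scorer=risk_score):
    """Return the register ordered from highest to lowest score."""
    return sorted(register, key=scorer, reverse=True)


# Constructed sample register (hypothetical assets and ratings).
REGISTER = [
    RiskItem("R&D source code", "engineer leaving for a competitor", impact=5, threat=3, vulnerability=4),
    RiskItem("Cafeteria menu page", "disgruntled staffer defaces it", impact=0, threat=5, vulnerability=5),
    RiskItem("Customer PII database", "admin with excessive privileges", impact=4, threat=2, vulnerability=2),
    RiskItem("Payroll system", "shared factory-default password", impact=3, threat=4, vulnerability=4),
]

if __name__ == "__main__":
    for label, scorer in (("asset-focused", risk_score), ("threat + vulnerability", additive_score)):
        print(f"--- ranking by {label} ---")
        for item in prioritize(REGISTER, scorer):
            print(f"{scorer(item):>3}  {item.asset}: {item.scenario}")
```

Under the multiplicative model the cafeteria page scores zero and drops to the bottom; under the additive model its high threat and vulnerability ratings put it first, ahead of the R&D source code.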

AUTHOR: SHAWN M. THOMPSON 

Shawn M. Thompson is a former contributor to Edwards and an expert in insider-threat strategy and security risk modeling. His work focuses on helping organizations understand how human behavior, asset value, and real-world vulnerabilities intersect to create risk and how modern, asset-focused approaches can strengthen overall security posture.

Discover Edwards Performance Solutions

Tailored Expertise. Comprehensive Support.

At Edwards, we bring together Performance Management, Organizational Resilience, Training and Development, and Cybersecurity Compliance to help teams work smarter, adapt faster, and build lasting success.

If you are ready for a partner who understands both the big picture and the real challenges that come with meaningful work, let us know how we can support you.

© Edwards Performance Solutions 2026