Andy Fielder at MetaCompliance explains how to measure behavioural cyber-security risk, and how to turn those insights into action

Organisations are pouring more and more resources into their cyber-security, building increasingly sophisticated programmes that are getting greater attention from senior leaders. And yet, data breaches continue to rise. For security leaders, this is creating a frustrating contradiction.
On paper, things look like they’re improving. Alerts are being detected faster, technical systems are being better protected, and security programmes seem more mature than ever. But the picture looks very different when incidents are investigated, with leaders finding breaches are still starting in the same, familiar ways – a convincing phishing email, a reused password, or a hurried decision made under pressure.
Most security leaders already know that incidents rarely start with cutting-edge techniques. The real challenge is gaining a clear, consistent view of how people actually behave day to day – especially in those moments where technology can’t step in and take control.
Attackers have adapted. They are no longer just probing systems; they are targeting people, whether through phishing campaigns timed around busy work periods, messages that imitate internal communication styles, or social engineering aimed at employees who are likely to make quick decisions under pressure.
The key to managing that behaviour is being able to measure it. Traditional security reporting focuses on technical indicators such as security tool deployment and coverage, detection and response times, and compliance and maturity scores. None of these reveal how people behave in the moments where technology cannot fully control the outcome.
Behavioural risk reveals itself through patterns and trends, for example, repeated interaction with phishing simulations, weak or reused passwords, inconsistent use of multi-factor authentication, delays in applying security updates, or low reporting rates for suspicious emails.
Taken in isolation these indicators may seem small, but collectively, they build the profile of an individual who, in a rushed moment, could put an entire company at risk. Tracking these behavioural signals allows security leaders to identify patterns across teams, roles, or locations, and intervene before minor issues become major incidents.
The challenge isn’t a lack of data, but a lack of focus on capturing and using behavioural signals alongside technical ones.
Collecting this data is only the first step. What really matters is how it is used. When behavioural insights are brought together, they can feed into a clearer, more dynamic view of human risk across the organisation, highlighting which teams or individuals are most likely to be exploited by the phishing and social-engineering attacks described above, and which therefore need the most support.
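As an added illustration of bringing those signals together (this is example code written for this page, not MetaCompliance's product or scoring model), the script below takes a constructed list of behavioural events of the kinds listed earlier, weights them, escalates repeated phishing-simulation clicks, rewards reporting, and rolls the result up by team. The signal names, the weights and the sample events are all assumptions chosen to show the mechanics; a real programme would calibrate them against its own incident data.

```python
"""Added example: turning behavioural signals into per-person and per-team risk views."""
from collections import Counter, defaultdict

# Illustrative weights (assumption, not a published model). Negative weights
# reward the behaviour the text wants more of: reporting suspicious emails.
WEIGHTS = {
    "phish_sim_clicked": 3.0,
    "phish_sim_reported": -1.5,
    "password_reused": 2.0,
    "mfa_skipped": 2.0,
    "update_overdue": 1.0,
}
REPEAT_CAP = 3  # the n-th phishing click counts n times, capped here

# Constructed sample events (user, team, signal); not real data.
EVENTS = [
    ("alice", "finance", "phish_sim_clicked"),
    ("alice", "finance", "password_reused"),
    ("alice", "finance", "mfa_skipped"),
    ("bob", "finance", "phish_sim_reported"),
    ("bob", "finance", "phish_sim_reported"),
    ("carol", "engineering", "update_overdue"),
    ("carol", "engineering", "update_overdue"),
    ("carol", "engineering", "phish_sim_reported"),
    ("dave", "engineering", "phish_sim_clicked"),
    ("dave", "engineering", "update_overdue"),
    ("erin", "sales", "phish_sim_clicked"),
    ("erin", "sales", "phish_sim_clicked"),
    ("erin", "sales", "password_reused"),
    ("frank", "sales", "mfa_skipped"),
]


def user_scores(events):
    """Sum weighted signals per user. Repeated phishing clicks escalate
    (repeated interaction is the pattern the text singles out); good
    behaviour can offset risk but the score never goes below zero."""
    clicks = Counter()
    scores = defaultdict(float)
    for user, _team, signal in events:
        if signal not in WEIGHTS:
            raise ValueError(f"unknown signal {signal!r}")
        weight = WEIGHTS[signal]
        if signal == "phish_sim_clicked":
            clicks[user] += 1
            weight *= min(clicks[user], REPEAT_CAP)
        scores[user] += weight
    return {u: max(0.0, round(s, 2)) for u, s in scores.items()}


def team_profile(events):
    """Per team: mean member score and phishing reporting rate, i.e.
    reports / (reports + clicks), or None when the team saw no simulation."""
    scores = user_scores(events)
    members = defaultdict(set)
    reported, clicked = Counter(), Counter()
    for user, team, signal in events:
        members[team].add(user)
        if signal == "phish_sim_reported":
            reported[team] += 1
        elif signal == "phish_sim_clicked":
            clicked[team] += 1
    profile = {}
    for team, users in members.items():
        mean = sum(scores[u] for u in users) / len(users)
        seen = reported[team] + clicked[team]
        rate = round(reported[team] / seen, 2) if seen else None
        profile[team] = {"mean_score": round(mean, 2), "report_rate": rate}
    return profile


def top_users(events, n=3):
    """Highest-scoring individuals, ties broken by name for stable output."""
    scores = user_scores(events)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for team, prof in sorted(team_profile(EVENTS).items()):
        print(f"{team:12} mean={prof['mean_score']:5.2f} report_rate={prof['report_rate']}")
    print("top:", top_users(EVENTS))
```

The team view is the one that supports the "which teams need the most support" decision: a low reporting rate alongside a high mean score (sales in the sample) points to a group where timely, contextual guidance will pay off most, while a team whose members report rather than click (finance here) may need nothing beyond reinforcement.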
Using this data, the conversation shifts from reacting to incidents to asking better questions:
Armed with the right questions, and the insights needed to answer them, organisations find it much easier to act early and in the right way. That might mean reinforcing good habits at the right moment, offering simple and contextual guidance, or automatically assigning short, targeted training that helps people make better decisions in the flow of their work.
Attackers put real effort into learning where the risk sits across your workforce: who is likely to click, who is likely to respond, and who is most vulnerable under pressure.
Security leaders need that same level of visibility, but for a different purpose. By understanding behavioural risk and acting on it, they can reduce those signals before attackers get a chance to exploit them.
The goal isn’t just to make risk visible internally — it’s to quietly reduce it over time, so that from the outside, it becomes much harder to detect and even harder to exploit.
Andy Fielder is Chief Technology Officer at MetaCompliance
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543