(Updated 01/29/2021)
Security is often seen as a “cost center” for businesses. While it’s true that investments must be made in people, processes and technology in order to build a successful security program, it’s not true that security will never show a return on investment. In fact, done properly, security should save the business quite a bit of money. Even better, a strong security program with an insider threat component can also help drive revenue by demonstrating secure and compliant practices that allow the business to maintain their customer base and win new deals.
For this reason, security teams should develop a set of metrics that allow them to track and demonstrate ROI to leadership. This will help them secure budget and ensure the continued success of the overall security program.
Moreover, it’s in the best interest of security teams to apply the principle of continuous improvement to their work. By selecting appropriate metrics and tracking them diligently over time, teams can understand where there is room for improvement and focus their efforts on those. This ensures that the program gets better and more efficient over time, which can also help with budget justification and executive buy-in.
Today, we want to take a look at insider threat metrics specifically: Why you need to track them, and what value they can provide for the business. Then we’ll take a look at which metrics to track and how to do it.
Why You Need Insider Threat Metrics
Insider threats can be incredibly costly for businesses. In fact, according to Ponemon's Cost of Insider Threats study, the average annual cost of negligent insider threats is $3.81 million, and the cost of criminal insiders hits $2.99 million. The total average cost of insider threats each year hits $8.76 million. Few businesses can easily withstand these types of losses.
Insider threat metrics share commonalities with other types of security metrics, and there will be some overlap. However, there are some aspects of these metrics that will be unique because of the unique nature of insider threats. For example, while a security program in general might track the number of data breaches or phishing attacks, we recommend that insider threat programs focus on “incidents” more broadly, since the majority of insider threats are actually the result of accidents or negligence (64%). Additionally, insider threats are unique in that they can be dramatically impacted by internal user training, security awareness programs, and real-time user education. It’s a good idea to track how insider threats decrease over time to understand which prevention and mitigation tactics work best for your organization and thus where to focus future budget.
Which Insider Threat Metrics to Use
Now let’s get down to brass tacks. Exactly which insider threat metrics should your organization track? Below are the ones we recommend. While it may seem like a lot, most teams find that once they get into the swing of tracking these metrics, it’s a pretty natural part of their workflows. Moreover, the value added by tracking and reporting on these metrics can help teams secure the resources they need to be successful—a strong incentive. You may not need every single metric below, but many of these will be useful to the average organization:
Human Resources
- Staff:
- Number of dedicated insider threat personnel
- Number of partial insider threat personnel (half, quarter, or less time)
- Budget, based on compensation, for the above
- Training: Amount of time spent on security awareness and insider threat training (developing and executing training)
- Effectiveness of Training: Number of users who can pass a spot-check quiz about insider threats
Incidents
- Alerts: Number of alerts that corresponded to an actual incident vs. false positives (The goal should be to increase the proportion of accurate alerts.)
- Incidents: Number and type of incidents (Note that this metric is more useful than “breaches” or “attacks,” because it includes the full range of intentional and accidental insider threat incidents.)
- Number of accidental vs. intentional incidents
- You may also want to further categorize incidents, depending on your organization
- Time to Know/Time to Detect: Amount of time between incident and knowledge of it by the security team
- Cases Opened: Number and types of cases reviewed by the program
- Internal Requests for Information: Number and types of RFIs to organizational stakeholders
- Unauthorized Logins or Accesses: Number of times someone has accessed a system or file inappropriately
- Files Lost: Number of documents that left a secure environment
- Files Retrieved: Number of documents prevented from leaving a secure environment
Response
- Time to Respond: How long it takes to respond to a detected incident
- Internal Escalation and Triage: Number and types of cases escalated and triaged within the organization
- External Escalation and Triage: Number and types of referrals to external law enforcement agencies
- Risk Mitigation Actions: Number and type of risk mitigating actions
- Legal Fees: Retainers for legal counsel
Investigations
- Number of Investigations: Number and type of investigations completed
- Average Time to Complete: Track how long an investigation takes, and aim for an average reduction in investigative timelines
- Consultant Fees: If it’s necessary to bring in a third-party forensics team, there may be costs here
Costs
- Total Cost per Incident: Cost may include: discovery, investigation, and response to an incident. Also, fines and fees, data loss, customer loss, reputational damage and more.
- It can also be useful to track how much various types of incidents cost, as this can shed light on where to focus your prevention and mitigation resources going forward
- ROI: Compare the cost of insider threat program (tools, training and talent) to money saved by avoiding incidents (i.e. take a look at how much was spent on incidents prior to investments in insider threat protection and compare with how much money has been saved by avoiding incidents.)
- Customers Won: If possible, consider tracking the number of deals won that could not have been if the organization didn’t meet certain security or compliance practices (e.g. PCI, SOC 2, HIPAA, GDPR, etc.) Prospects may turn to a more mature firm if the company in question does not have an insider threat program or a mature detection and response program.
As you develop these metrics, it may be useful to benchmark yourself against industry averages where possible. The Ponemon Cost of an Insider Threat: Global study may be a useful starting point for some of the metrics above (particularly cost-focused ones.) The CA Insider Threat Report 2018 may also be useful in understanding where you stand in the maturity curve among other organizations when it comes to insider threat programs.
How to Use Insider Threat Metrics to Improve Over Time
All good teams are centered on continual improvement, and that should be true of your security program at large and your insider threat program more specifically. We recommend incorporating an iterative learning capability into the program. This can be accomplished by measuring performance over time using appropriate metrics like the ones described above. Note that this is not the same thing as simply conducting a post-mortem after an incident. The goal is to both learn from mistakes and amplify successes, using real data as the backbone. Regular measurement and reflection are the keys to success.
Two activities that are indispensable to building an iterative learning capability include:
- Reporting Metrics and Mechanisms—Design a reporting structure and determine a regular cadence. Identify a method to capture qualitative data such as: lessons learned, mistakes, successes, etc.
- Feedback Loops—Build a process for reviewing and analyzing program effectiveness. Create a process to incorporate changes to the program based on lessons learned and feedback.
Go Tell it On the Mountain: Sharing Your Insider Threat Metrics
With a strong continuous improvement process built into your insider threat program, it will be a natural next step to report to higher-ups about your successes. We recommend putting together an annual or quarterly briefing for the board of directors and/or the C-Suite. This could be a slide deck or similar presentation that reviews successes, measured against the metrics described above. The objective is to communicate to the leadership team the activities being undertaken to improve the organization’s insider threat stance, and ultimately to assure them of the ROI of the program and gain the resources you need for a continued healthy insider threat program.
What insider threat metrics does your team measure? We’d love to hear from you!