RISK ASSESSMENT

FOR PERSONNEL SECURITY

A GUIDE
3RD EDITION
 Risk assessment for personnel security - a guide

Contents
Introduction 2

Overview 3

The organisation level risk assessment 8

Organisation level risk assessment case study 17

The group level risk assessment 20

Group level risk assessment case study 26

The individual level risk assessment 31

Glossary of terms 32

Annex A: List of insider threats 33

Annex B: Vulnerability scale 36

Annex C: Diagrams for use in risk workshops 40

Risk assessment for personnel security - a guide

Introduction
Centre for the Protection of National Infrastructure

The Centre for the Protection of National Infrastructure (CPNI) is the government authority that
provides advice on protecting the country’s essential services, facilities and networks from terrorism
and other threats.

The National Infrastructure

Nine different sectors form what is known as the national infrastructure. These provide the services
which support everyday life:

• Communications • Finance • Health

• Emergency Services • Food • Transport
• Energy • Government • Water

CPNI provides security guidance, training and research from a physical, information and personnel
security perspective. It aims specifically to reduce the vulnerabilities within these sectors, with
particular emphasis on the most critical elements. Loss or disruption to any of these could cause
severe economic or social consequences or even loss of life.

In addition to the nine sectors above, CPNI also provides similar advice to organisations engaged in
planning and running the London 2012 Olympics.

A CPNI survey in late 2006 showed that many CNI organisations do not adopt a structured approach
to personnel security. Very often, clear rationales for the use of particular personnel security measures
are lacking and resources are not targeted in a proportionate way. It is more common for physical and
electronic protective security measures to be applied on the basis of systematic risk assessments that
promote cost effective security.

Personnel security risk assessment focuses on employees, their access to the organisation’s assets, the
risks they could pose to the organisation and the sufficiency of countermeasures. It is the foundation of
the personnel security management process. It is also crucial in helping Security and Human Resource
managers communicate to senior managers the risks to which the organisation is exposed.

This guidance, which is illustrated using a fictional case study, aims to help Security and Human
Resource managers to:

• Conduct personnel security risk assessments in a way that balances pragmatism with
rigour
• Prioritise the insider risks to an organisation
• Identify appropriate countermeasures to mitigate against those risks
• Allocate personnel security resources in a way that is cost effective and commensurate
with the level of risk.

An electronic copy of this guidance is available on the CPNI website www.cpni.gov.uk.

2
 Risk assessment for personnel security - a guide

Overview
Personnel security

Personnel security is a system of policies and procedures, which seeks to manage the risk
of staff or contractors exploiting their legitimate access to an organisation’s assets or
premises for unauthorised purposes. Those who seek to exploit their legitimate access are
termed ‘insiders’.

For the purposes of this guidance, individuals who have legitimate access to an organisation’s assets,
but who are not staff or contractors – for example, postal delivery workers with temporary site
access – fall outside this definition of insiders.

There are many different measures that can be used in a programme of personnel security. Most of
them will fall into the following categories:

• Screening
Pre-Employment personnel o Pre-employment checks
security measures o Assessing insider potential
o National Security Vetting1

• Screening
o Pre-employment check updates
o Behavioural assessment
o National Security Vetting and National Security Vetting
Ongoing personnel aftercare
security measures • Access controls
• Promoting effective security culture
• Social Engineering
• Protective monitoring and intrusion detection
• Investigations

These measures are outlined within Personnel Security: Threats, Challenges and Measures.
Further details are also available in A Good Practice Guide on Pre-Employment Screening and
Ongoing Personnel Security: A Good Practice Guide. All of these publications can be found
online at www.cpni.gov.uk.

Risk management in personnel security

The use of appropriate personnel security measures can prevent or deter a wide variety of insider
attacks, from staff fraud through to the facilitation or conduct of a terrorist attack. However, these
measures can also be labour intensive and costly, and may result in delays to business processes
such as recruitment or staff transfers, so it is important that they are implemented in a way that
reflects the severity of the risk. Risk management provides a systematic basis for proportionate and
efficient personnel security.

1 National security vetting is significantly different to the other controls in this framework; it is a centrally provided service which applies only
to particular posts, where the need for vetting has been endorsed by the appropriate Government department.

3
Risk assessment for personnel security - a guide

Risk management is a continuous cycle of:

• Risk assessment - risks to the organisation are assessed in terms of the likelihood of an
undesirable event taking place, and the anticipated consequences

• Implementation - security measures are identified and implemented to reduce the likelihood
and impact of the undesirable event to an acceptable level

• Evaluation - the effectiveness of the countermeasures is assessed and any necessary

corrective action is identified.

The cyclical nature of the risk management process ensures that each time a risk assessment is
repeated, the implementation and evaluation phases are also reviewed. Much of the value of the risk
management process is derived from the systematic exploration of threats, opportunities and
countermeasures through engagement with the relevant parties. The discussions involved often
produce a level of insight and shared understanding that would not otherwise be achieved.

This document concentrates on risk assessment, the basis for the rest of the risk management
process. The guidance is not intended to be prescriptive. Security and human resources professionals
will naturally wish to use an approach that best meets the needs of their organisations, bearing in
mind the nature of the threat and the resources available to counter it.

The Risk Assessment process incorporates the Identify threats and Assess vulnerabilities stages
of the Risk Management Cycle.

4
 Risk assessment for personnel security - a guide

Risk assessment: an overview

In this context, risk is usually understood to be the product of two factors: the likelihood of an event
occurring, and the impact that the event would have. When each of these has been evaluated, they
are combined to provide an overall measure of risk.

Likelihood can be further broken down into three factors: intent, capability and opportunity. Intent is a
measure of the insider’s determination to carry out the attack, while capability is the degree to which
the insider possesses the skills, knowledge and resources to be successful in the attempt.
Opportunity is a combination of the access that an insider has to an organisation’s assets (by virtue of
their role or position), together with the vulnerability of the environment (for example, an environment
that is constantly supervised or monitored by CCTV cameras is less vulnerable to some insider threats
than an environment which is not subject to these controls).

Impact should be considered in terms of the value of the assets affected and any wider
consequences. For example, insider fraud can have both financial and reputational impacts.

Relative and absolute risk assessments

Some risk assessments involve quantitative measures that are absolute, while others use relative
judgements. An absolute risk assessment process evaluates an event’s likelihood in terms of
probability and its impact in terms of numerical measures such as financial cost, or a delay in service
delivery. By contrast, in relative risk assessments the likelihood and impact of the risks are simply
compared, so that the risks can be listed in rank order.

It is often impossible to produce absolute risk assessments because of the difficulties involved in
quantifying likelihood and impact. It is common to adopt semi-quantitative approaches that use scales
for likelihood and impact such as ‘Very low’ to ’Very high’. In these approaches, there is an
assumption that everyone involved with the assessment shares an understanding of terms like ’Very
high’. The assessors themselves must be able to place the events on the scales in a way that reflects
this understanding.

5
Risk assessment for personnel security - a guide

At the other end of the spectrum is an approach that makes no claims to assess the actual likelihood
or impact of an event. Relative risk assessments aspire simply to a meaningful ordering of the
likelihood, impact and hence risk of different events. This type of assessment will tell you which are the
highest risks to the organisation, which are the lowest, and the spread between. This is sufficient for
most personnel security risk assessment purposes.

Levels of risk assessment

There are three levels at which personnel security risk assessments can be conducted:

1. Organisation
2. Group
3. Individual.

The first examines and prioritises the types of insider threats that are of concern to the organisation as
a whole, the second focuses on groups of employees with differing levels of opportunity to commit
the threats, while the third deals with each employee on an individual basis.

Most practitioners will find it helpful to start with the simplest and highest level approach, the
organisation level risk assessment, which provides a useful overview of the threats facing the
organisation and an opportunity to review countermeasures in general. The group level assessment
will require a greater commitment of time and effort, but can yield significant insight into the groups of
employees that give most cause for concern and the proportionate application of countermeasures
within the organisation. The individual level assessment is the most labour intensive of all, looking at
every employee in turn to determine their combined opportunity and insider potential (i.e. threat and
susceptibility).

The levels of risk assessment that you use will depend on the threats faced by your organisation and
the nature of the workforce. It is important that you understand the way in which the three approaches
support different types of decision. For example, if the organisational risk assessment reveals that
there is a negligible threat to the organisation from an insider bringing a bomb into the building, this
may rule out the need for baggage checks on entry to the site. Alternatively, the group level
assessment could reveal that certain employees, due to their role in the organisation, have regular
access to highly confidential or sensitive information, and they may therefore require higher levels of
supervision in the office. If, at the individual level, a particular employee is considered to have high
insider potential and a high level of opportunity, then an individually tailored risk management plan
might be required.

Conducting personnel security risk assessments

Personnel security risk assessments are most effective when they are an integral part of a risk
management process. This helps to ensure that the assessment actually translates into action.

Best results are achieved when the assessment team comprises:

6
 Risk assessment for personnel security - a guide

• Staff from the human resources and security teams.

• Individuals with deep knowledge of particular employee roles (e.g. IT managers for IT
roles).
• A trusted external contact to provide an alternative perspective and challenge received
wisdom.

Some organisations have found that employees enjoy participating in discussions about the levels of
access associated with different posts and the specific actions that post-holders could carry out.
These organisations report that their assessments have benefited from this engagement in the
organisation and group level assessments.

The risk assessment process should be highly interactive, with significant use of structured group
discussions, or workshops. The value of these discussions can be enhanced significantly by a skilled
chair or facilitator and by the use of visual aids. Enlarged reproductions of the charts and tables at
Annex C, together with sticky notes or marker pens will help you to increase participation, obtain
information from participants and to capture that information effectively.

7
Risk assessment for personnel security - a guide

The organisation level risk assessment

The organisation level risk assessment identifies the range of insider threats that an organisation faces
and prioritises these in terms of their likelihood and impact. This simple relative risk assessment
delivers an agreed, shared understanding of the insider risks to an organisation. As such, it provides a
valuable foundation for the implementation of personnel security measures.

The results of the organisation level risk assessment should be recorded in a table with the following
column headings:

Insider threat Likelihood Assumptions Impact (1-5) Assumptions Risk priority Countermeasures
(1-5) (likelihood) (impact) (1-4)
Existing Sufficient? New

The table will be populated as the risk assessment progresses, step by step. At the end of the
process, the table will provide a record of the insider threats faced by your organisation.

Step one: Identify the potential insider threats

Step 1 Step 2 Step 3

Assumptions Assumptions
Insider threat Likelihood (1-5) Impact (1-5)
(likelihood) (impact)
e.g. Employee introduces a virus into the
key IT system
e.g. Employee brings an explosive device
into the building

The first step is to identify the insider threats that face your organisation, and to record them in the first
column of the table. You may find the list of insider threats at annex A helpful. Each threat should take
the form of an employee doing something that exploits their access to the organisation for
unauthorised purposes.

8
 Risk assessment for personnel security - a guide

It is essential that the threats are very carefully defined if the risk assessment is to produce useful
results. Consider the following points:

• Range

The threats that you define should include the full range of unauthorised insider activity facing the
organisation, including (but not limited to) physical attacks, abuse of intellectual property, and
unauthorised disclosure of sensitive information.

• Definition of an insider

Remember that an insider is somebody who exploits, or has the intention to exploit, their legitimate
access to an organisation’s assets for unauthorised purposes. It is easy to be distracted by thoughts
of accidental damage, or of what could be done by strangers passing your building. These issues
might warrant a separate risk assessment, but both fall outside the scope of this exercise.

• Level of detail

The threats should be defined at a level of detail that allows you to consider countermeasures for each
one. Very broad threat definitions such as ’bombs’ or ’leaks’ are insufficient, because they do not
contain enough information to make the responses meaningful. On the other hand, very narrow
definitions can result in a large, unmanageable number of insider threats from which the added
insight gained from each threat then becomes smaller.

Step two: Assess likelihood

Step 1 Step 2 Step 3

Assumptions Assumptions
Insider threat Likelihood (1-5) Impact (1-5)
(likelihood) (impact)
System
e.g. Employee introduces a virus into the administrator rights
2
key IT system required to
overcome protection
e.g. Employee brings an explosive device Device would be
1
into the building carried in a bag

Once the list of threats is complete and the definitions are clear, the next step is to consider how likely
it is that each threat will occur, and to record this under the ‘Likelihood’ heading in the table.

It is important to focus on likelihood alone - if you are familiar with risk assessment, you may be
tempted to consider other factors such as impact. In the CPNI’s experience, assessments of impact
and likelihood are most effective when they are done independently.

Rather than trying to predict probabilities with great precision, the aim of this part of the assessment is
to establish the relative likelihoods of the threats, ranging from 1 (least likely to occur) to 5 (most likely).

9
Risk assessment for personnel security - a guide

It may be helpful to take a look at the list of insider threats, make a rough assessment of which is
most likely to occur, and assign it a likelihood of 5; then identify the one that is least likely to occur,
and assign it a likelihood of 1. This will provide reference points and help with consistency when
evaluating the remaining threats on the same scale.

As you decide on a likelihood value for each new threat, the threats you have already assessed may
need to be shuffled up or down the scale, depending on whether they are more or less likely than the
new one. This reshuffling will continue until the relative likelihood of all the threats has been agreed.

In deciding the likelihood of each threat, it will be necessary to make some assumptions. For example,
if you use recruiting agencies, your assumptions about the agency’s compliance with its contractual
recruiting agencies will affect your judgments on the likelihood of an insider attack. This assumption,
and all others that influence the decision about likelihood, should be recorded in the ‘Assumptions
(likelihood)’ column of the table. This will be useful when considering countermeasures later, and it
increases the transparency of the risk assessment process.

Timescales are also important when thinking about likelihood. A threat may not occur within one year,
but could occur within three years. If any assumptions are being made with regard to timescales, they
should be applied consistently to all threats.

10
 Risk assessment for personnel security - a guide

Other points to bear in mind when considering likelihood include:

• How realistic is it that your organisation will be a target for this type of attack?
• Has your organisation been subject to this kind of attack before? This confirms the
relevance and feasibility of the threat but not necessarily the future likelihood. Equally, the
absence of a threat in the past does not mean that it will not happen in the future.
• What is the current security situation in your industry?
• Do your employees have the kind of expertise required to conduct the attack?
• How effective are your contingency plans and existing countermeasures?

Step three: Assess impact

Step 1 Step 2 Step 3

Assumptions Assumptions
Insider threat Likelihood (1-5) Impact (1-5)
(likelihood) (impact)
System
e.g. Employee introduces a virus into the administrator rights Loss of service for
2 2
key IT system required to 24 hours
overcome protection
e.g. Employee brings an explosive device Device would be
1 5 <50 deaths
into the building carried in a bag

Impact is assessed in a similar manner to likelihood, using a relative scale of 1 (lowest impact) to 5
(greatest impact).

Again, make a rough assessment of the insider threat with the lowest impact
(1) then assign 5 to the threat with the highest impact.

Although the scale is relative, it should be based on factors that are

meaningful to your organisation, such as:

• the number or importance of sites affected

• injuries or fatalities among employees or the public
• financial losses
• reputational damage
• time required for business to recover
• adequacy of contingency plans and existing countermeasures.

The assumptions that you make about these – and other – factors affecting the impact value should
be recorded in the ‘Assumptions (impact)’ column of the table.

As with likelihood, determining the impact value is an iterative process. The existing threats will need
to be reviewed and reshuffled each time a new threat is considered, until those involved agree on the
values assigned. At that point, the relative impact of each threat should be recorded under ‘Impact (1-
5)’ in the table.

11
Risk assessment for personnel security - a guide

Step four: Determine the risk priority

Step 1 Step 2 Step 3 Step 4

Assumptions Assumptions
Insider threat Likelihood (1-5) Impact (1-5) Risk priority
(likelihood) (impact)
System
administrator
e.g. Employee introduces a virus into the Loss of service
2 rights required 2 2
key IT system for 24 hours
to overcome
protection
e.g. Employee brings an explosive device Device would be
1 5 <50 deaths 4
into the building carried in a bag

The likelihood and impact values can now be used to determine the risk priority of each threat.

It may be tempting to do this by multiplying the likelihood and impact values for each threat, giving a
value that – if low – can be taken to indicate that the threat is of little concern, and – if high – as an
area where countermeasures should most urgently be directed. Unfortunately, this will produce a
similar numerical result for a threat with a low likelihood and high impact, as a threat with high
likelihood and low impact. Most organisations agree that this is not a sensible result.

The implementation of countermeasures is likely to be swayed more by either likelihood or impact,

and the degree to which this applies may even differ for individual threats. The next step is to transfer
the threats to a matrix combining the values you have assigned for likelihood and impact.

The risk matrix gives a picture of the risk assigned to each threat
as a result of the likelihood and impact assessments. This is an
important opportunity to look again at each threat and its
associated assumptions, to ensure that it appears in the right
place on the matrix, relative to the other threats.

It is easier to see in this format that a certain threat may have a

slightly greater impact than one that has been placed above it on
the matrix - or is less likely than one that appears to the left. In
these cases, the threats should be shuffled to a more realistic
position, although it would be unusual for any major alterations to
be necessary at this stage.

Note that, as the threats are repositioned in the matrix, you should record any new assumptions being
made about likelihood or impact, or alter the existing assumptions.

Once the positioning of the threats on the matrix is complete, they can be prioritised. The threats in
the top right corner of the chart, with the highest likelihood and the greatest impact, will need to be
urgently addressed (i.e. they are priority 1), while those in the bottom left corner, which have the
lowest likelihood and least impact, can be addressed as a lower priority (e.g. priority 4, on a 4 point
scale).

12
 Risk assessment for personnel security - a guide

In practice, a four point priority scale works well for most

organisations, but the scale can be designed to meet particular
needs. For instance, it might be more appropriate to use a three
point scale, if your organisation is used to a ‘traffic light’ system,
where red signifies an urgent issue, green indicates that there is
little to be worried about, and amber is between the two.

Alternatively, dividing the matrix into five or more priority areas will
provide greater precision, but may take longer to achieve and
result in too much detail for the number of threats involved. You
should always bear in mind that the assessment cannot be highly
precise; it is important that you do not seek to differentiate risks in
a way that assumes greater precision than is actually achievable.

The risk matrix gives a clear graphical representation of the

relative severity of the threats facing your organisation. Any
method for dividing the matrix is therefore valid, as long as it
provides clear priorities for action, which everyone involved in the
risk assessment can agree upon. A number of possible
prioritisation schemes are shown on the left.

Whatever scale you choose, there is usually no argument about

which sectors of the risk matrix should be identified as the highest
and lowest risk priorities. It is often much more difficult to prioritise
the other sectors. The answer depends on whether you consider
likelihood or impact to be the greater driver, and while it may
prove very difficult to decide, it is worth persevering because this
will help you to make decisions about directing your resources.

The prioritisation of threats Once agreed, the risk priority relating to each threat should be
is a flexible process inserted into the appropriate column in the risk assessment table.

13
Risk assessment for personnel security - a guide

Step five: Consider countermeasures

Note: This step is conducted in more detail during a group level risk assessment. If you intend to do a
group level assessment then you may not want to complete these steps of the organisation level
approach. However, a relatively quick consideration of countermeasures may be worth doing, even if
you subsequently increase the level of detail in a group assessment.

Step 5
Countermeasures
Existing Sufficient? New
• System can be suspended by individual
• Introduce a two person rule for
employees
Anti-virus protection suspending anti-virus protection
• Personal USB disks can be connected to
• Bar USB ports on computers
the organisation’s computers
• They are not conducted at night • Introduce random bag searches out of
Random bag searches conducted during
• Compliance with the random bag search hours
the day
system is not audited • Introduce a bag search audit process

Starting with the most urgent threat in risk priority 1, list in the ‘Existing’ column all countermeasures
currently in place that help to mitigate that threat.

As a primary check, look at each countermeasure in turn and decide whether or not it is working
sufficiently. For example, if one of your threats is that a bomb could be brought into your building, then
one of your countermeasures might be a system for X-ray screening bags at the front door. Questions
you might want to ask about this countermeasure include the following:

• Have your security staff had appropriate training to tell suspicious objects from innocent
items?
• What is the likely detection failure rate, based on your audits and tests?
• Is there a backup X-ray machine in case the main machine fails?

Use the ‘Sufficient?’ column to record any doubts and the ‘New’ column to list the steps required to
resolve them.

Finally, review all the countermeasures that you have listed in relation to the threat. Decide whether
they work well enough together to contain the risk at an acceptable level, by limiting either the
likelihood of the threat or its impact. Once again, record any doubts or gaps in the ‘Sufficient?’
column, and then use the knowledge of those involved, and the advice of experts, if necessary, to
determine what new countermeasures should be implemented. List the new countermeasures in the
‘New’ column. It is important to ensure that ownership of any new countermeasures is clarified at this
stage.

When you have reviewed the countermeasures for all threats in risk priority 1, repeat the process for
each of the lower priority threats until all of the threats and countermeasures have been evaluated and
the risk assessment is complete.

14
 Risk assessment for personnel security - a guide

Step six (optional): Creating an absolute scale for impact

For most organisations, this is an optional step, but it is useful if you need further justification or
quantification of the cost benefit of personnel security countermeasures.

Using the information recorded in the table, you will be able to review the impact values and
assumptions associated with each threat, and by reviewing the factors that have resulted in one threat
being assigned a higher or lower impact than another, extract the rules that drove the assessment of
impact.

In each case, ask what has caused the threat to be assigned an impact value of 1, 2, 3, 4 or 5? If it is
financial loss, then what exactly is the assumed loss? If it is human impact, then what loss of life or
how many casualties are involved? If the guiding factor is the damage to your organisation’s facilities,
find a way to quantify it.

If, for example, you have assigned an impact value of 5 to a threat which you assumed would incur a
loss of £500,000, and an impact value of 1 to a threat with an assumed loss of £10,000, you will be
able to use this information to derive an absolute scale for threats involving financial losses. Similarly, if
you have assumed that one threat will result in no casualties, while in assigning the impact for another
you have assumed ten fatalities, then you will have an absolute scale for threats where human life is at
risk. Note that the scales need not be linear; they can be exponential, or their values may vary
irregularly.

15
Risk assessment for personnel security - a guide

This is a difficult task, particularly if your impact assessments involve many assumptions. It may help
to start by reviewing all the threats that have a primarily financial loss, using these to create one
absolute impact scale, and then repeating the exercise for threats involving casualties or loss of life to
generate a second absolute impact scale. You can repeat this exercise as often as necessary,
generating a number of absolute scales for different types of impact, before finally placing them
alongside each other to obtain a combined scale of absolute impact. The benefit of this approach is
that it removes any requirement to attempt making judgements which equate injury and loss of life
with financial loss.

This step has an added benefit of checking the consistency of the judgments contained in your risk
assessment. As you review the reasoning behind your impact assessments, you may well decide that,
on reflection, some of them should be changed.

Next steps

Risk assessment includes the identify threats and assess vulnerabilities stages of the Risk
Management Cycle. The remaining two stages are implementation, which involves putting the new
countermeasures identified by the risk assessment into operation, and evaluation, during which the
effectiveness of the countermeasures is reviewed. The lists of assumptions made during the risk
assessment will prove particularly useful during this evaluation.

Depending on how much time has passed since the risk assessment, the evaluation stage should
also show that the threats identified have moved either further to the left of the risk matrix, indicating a
reduced likelihood, or further down the matrix, showing that the impact has been reduced as a result
of the countermeasures you have introduced. It is worth bearing in mind, however, that factors outside
your control, such as the current threat level, or economic, political and social issues, may also have
an influence. The same factors are likely to introduce new threats to be addressed in future risk
assessments.

If you are working with relative likelihood and impact scales (i.e. you do not complete Step 6), then
your ability to report reductions in risk is more limited. For instance, imagine that you introduce a new
control that reduces the likelihood of every threat in your assessment by the same amount. In this
case, none of them will move because their relative likelihoods would stay the same. This situation is
very unlikely and you will usually be able to record some movement in the relative likelihood or impact
of a risk due to your intervention. But, the use of independent scales for assessing opportunity and
impact does increase your ability to assess and communicate risk reduction in terms that are
meaningful to decision makers (for example, a reduction in anticipated absolute costs).

16
 Risk assessment for personnel security - a guide

Organisation level risk assessment case study:

Risk matrix

Threat No. Threat scenario

1 Employee brings a bomb into the building and it detonates
2 Employee passes information to a third party (facilitation of fraud)
3 Employee introduces a virus into the key IT system
Employee (acting alone) transfers a small amount of funds eg. <£10,000 to an
4
unauthorised account
Employee helps a third party gain access (obtaining commercially sensitive
5
information with a key logger device)
6 Employee attacks staff (with a knife)
7 Employee reveals the end of year results ahead of schedule (to the press)
Employee passes customer details to an individual associated with an extremist
8
organisation or organised crime
9 Employee helps a third party gain entry (brings bomb into the building)
10 Employee carries out a Denial of Service (DoS) attack on an IT system
Employee discloses security information, which leads to theft (eg. cash centre/cash in
11
transit)
12 Employee drives a bomb into the organisation’s underground car park
13 A group of employees (2+) colluding to authorise illegitimate payment

9 12

8 11

6 13, 7 5

10

17
Risk assessment for personnel security - a guide

Risk table

Threat Likelihood: Impact Risk

Threat scenario Likelihood Assumptions Impact Assumptions
No. Scale 1-5 Scale: 1-5 priority
Employee brings a bomb
- Random bag searches are
1 into the building and it 1 5 - < 50 deaths 4
conducted
detonates
- Information passed
includes credit card, bank - Facilitation of large level
account and customer fraud
Employee passes
details for multiple (> £100,000 loss)
2 information to a third party 4 3 2
customers - High impact on reputation
(facilitation of fraud)
- A large number of due to the number of
employees have the customer affected
opportunity
- Data corruption
- Virus protection - System down for 24
mechanisms in place hours
Employee introduces a
3 2 - Sys Admin rights required 2 - Operations are affected 3
virus in the key IT system
to circumvent virus - Some reputational
protection damage
- Back up systems in place
Employee (acting alone) - No counter-authorisation
transfers a small amount of requirements in place
4 4 1 - Loss of < £10,000 4
funds eg. <£10,000 to an - Many employees have the
unauthorised account opportunity
Employee helps a third
- Lack of vigilance and
party gain access
inadequate access controls
5 (obtaining commercially 3 3 - High reputational damage 2
- Significant commercial
sensitive information with a
espionage threat
‘key logger’ device)
- Historically, this threat has
only been external (i.e. not
Employee attacks fellow
6 1 from employees) 3 - Up to five people injured 4
staff with a knife
- Random bag search (not
personal search)
- Restricted personnel know
Employee reveals end of - High reputational damage
the information
7 year results ahead of 2 3 - Dent in shareholder value 3
- Limited precedent (not
schedule (to the press) but a short-lived problem
happened in years)
Employee passes - Employee unaware of the
- Revealed to press/ public
customer details to an nature of the organisation
- Customers targeted,
8 individual associated with 3 they are passing information 4 2
possibly killed
an extremist organisation to, and the severity of their
- High reputational damage
or organised crime disclosure
- Few people have the
- Same as other person
Employee helps a third expertise to construct an
borne improvised explosive
9 party gain entry (brings 1 improvised explosive device 5 4
devices (PBIEDs), i.e. < 50
bomb into the building) (IED)
dead
- No precedent
- Lack of technical
- System down for 24
knowledge
hours
- Historically an external
Employee carries out a - Reputational impact
threat
10 Denial of Service (DoS) 2 2 - Minimal loss of 3
- Technical information
attack on an IT system customers
available to enable this to be
- Loss of customer
carried out
confidence
- Back up services

18
 Risk assessment for personnel security - a guide

Threat Likelihood: Impact Risk

Threat scenario Likelihood Assumptions Impact Assumptions
No. Scale 1-5 Scale: 1-5 priority
Employee discloses
- Precedent - ≥ £1,000,000 loss
security information (which
11 4 - Clear evidence of threat 4 - Nobody injured 1
leads to theft, e.g. cash
- Easy to do - High reputational damage
centre/cash in transit)
- ≤ 200 people killed or
injured
- Access to car park
Employee drives a bomb - Major structural damage
- Random vehicle searches
12 into the organisation’s 2 5 resulting in the building 3
- Ineffective search
underground car park being out of use long term
procedures
and possible relocation of
premises

Group of employees (2+)

- > £100,000 loss
13 colluding to authorise 2 - Dual authorisation required 3 3
- High reputational damage
illegitimate payment

19
Risk assessment for personnel security - a guide

The group level risk assessment

The group level risk assessment provides a lot more insight into the management of personnel
security risks within your organisation. In particular, this assessment shows how countermeasures
should be applied to particular roles; it does not assume that measures are applied blanket-fashion
across the whole organisation.

The assessment takes as its starting point the threats identified during the organisation’s level
assessment. Consideration is then given to the groups of employees that have the greatest
opportunity to carry them out, concentrating mainly on levels of access to the organisation’s assets,
including information, materials, systems, buildings and people.

As with the organisation’s risk assessment level, the group level should be carried out by a team
comprising primarily human resources and security managers, with contributions as appropriate from
other experts.

The results of the group level risk assessment should be recorded in a table with the following column
headings:

Insider threats in Group with high Vulnerability Countermeasures

Reasons Access
priority order opportunity assessment Existing Sufficient? New

As with the organisation’s level risk assessment, the table will be populated as each step of the risk
assessment is completed, providing a record of the groups of employees in your organisation best
placed to carry out the threats, the factors that provide them with that level of opportunity, and the
countermeasures required.

20
 Risk assessment for personnel security - a guide

Step one: Identify and prioritise the insider threats

Step 1

Insider threats
in priority order

Employee reveals commercially

sensitive information

The assessment should begin by identifying and prioritising the insider threats facing the organisation,
as described in the organisation level risk assessment, and listing them in the first column of the group
level risk assessment table in risk priority order.

Step two: Perform initial identification of groups with the most opportunity

Step 1 Step 2

Insider threats
Group with high opportunity
in priority order

Senior managers
Employee reveals commercially
sensitive information
IT administrators

The purpose of this step is to identify the subset of employees on which the risk assessment should
concentrate. The assessment should be relatively quick; a more detailed assessment will follow in
subsequent stages.

The approach is to look at each threat in turn, and determine which groups of employees in your
organisation have the greatest opportunity to carry it out. You should base these judgements on:

1. The extent to which the employees, routinely or potentially, have access to the assets
under threat.
2. The vulnerability of the environment to an attack by an employee.

When deciding which groups have opportunity to carry out threats, it is likely that the groupings will to
some extent reflect job roles within the organisation. For example, if the threat under consideration
concerns the compromise of IT systems, then one group of employees with high opportunity is likely
to be the IT Systems Administrators, due to their unsupervised systems access and high level
passwords. However, some groupings will not correlate quite so directly to organisational job titles, so
it is important to think about all employees carefully, and not be constrained by job titles. Depending
on the degree of detail that you wish to pursue, you may find that this stage of the assessment
becomes a significant research and analysis exercise, involving the collation of information about the
organisation’s employees and the roles that they perform. A series of interviews with managers or
supervisors may be helpful.

21
Risk assessment for personnel security - a guide

Once you have established which groups have the greatest opportunity, you should record these in
the risk assessment table.

Recording the size of the groups

It is useful to make a note of the approximate size of the group – again, this may require some
research to establish and the involvement of Human Resources (HR) will be essential. It is reasonable
for some groups to be quite small, but if a group is very large, it may mean that there is room to be
more precise in how the opportunity of that group is defined.

• Large groups and likelihood

A very large group may affect the likelihood (decided during the organisation level risk assessment) of
the threat under consideration. For example, the likelihood that an insider will corrupt a central
database might increase if you now find that a very large group of employees has the opportunity to
do so. If this is the case, it is worth amending the risk matrix.

• Large groups and impact

A very large group may also affect the impact of a threat. For example, the theft by an employee of a
laptop computer may have a low impact on the organisation, but the cumulative effect of a large
group of employees doing the same thing may have a significantly greater impact. Once again, it is
worth reviewing the organisation level risk assessment to see if this should be reflected in the risk
matrix. Generally, it is more likely that your countermeasures will change as a result of increased
impact than as a result of increased likelihood.

Step three: Record the nature of the opportunity

Step 1 Step 2 Step 3

Insider threats
Group with high opportunity Reasons
in priority order
• Senior managers see the
greatest volumes of
Senior managers
commercially sensitive
information
Employee reveals commercially
sensitive information • IT administrators could gain
unauthorised access using
IT administrators their IT skills, although it
would be hard to achieve
undetected

In the ‘Reasons’ column, record the factors that give the groups a high level of opportunity to carry
out the threat under consideration. These reasons will have been discussed in Step 2 but it is
important to record them.

The points listed here will help drive the countermeasures that need to be considered to mitigate the
threat, so it is important to include enough detail. It would be possible for the reasons in every case to

22
 Risk assessment for personnel security - a guide

be ‘knowledge and access’, but this will not provide enough information for meaningful
countermeasures to be implemented.

Step four: Score opportunity

Step 1 Step 2 Step 3 Step 4

Insider threats Vulnerability
Group with high opportunity Reasons Access
in priority order assessment
• Senior managers see the
greatest volumes of
Senior managers H H
commercially sensitive
information
Employee reveals commercially
sensitive information • IT administrators could gain
unauthorised access using
IT administrators their IT skills, although it M M
would be hard to achieve
undetected

In this step, access and vulnerability are assessed more systematically, and scored using standardised
scales for easy comparison. The scores are then used to provide an overall measure of opportunity to
carry out a threat.

When considering the access of your employees, you will need to decide the extent to which,
routinely or potentially, employees in the organisation have access to specific assets. We suggest that
you use the simple scale that follows.

Access score (H,M,L) Definition

High Regular access that is consistent with the role
Medium Occasional access
Low Opportunistic access

For the vulnerability assessment, we recommend that you use the vulnerability assessment table at
Annex B. Please note that this table is designed to support assessments of overall vulnerability for an
organisation; not all of the vulnerability dimensions that it presents will be relevant for assessing the
vulnerability of the workplace. Consequently, you will need to decide which dimensions to consider,
before using the scales to make your assessments. We recommend that you judge the vulnerability of
the workplace on a High, Medium, Low scale.

At this stage your employee groups will have been assessed for their access and the vulnerability of
their working environments. You now need to combine these scores to produce overall measures of
opportunity. We suggest that opportunity is scored on a 1-5 scale.

23
Risk assessment for personnel security - a guide

You will need to decide how you want to translate the access and vulnerability scores into opportunity
scores. We suggest that you draw a matrix like the one below and then decide where to place the
numbers 1, 2, 3, 4, and 5 based on the combinations of access and vulnerability. The matrix below
presents one possible scoring scheme.

The opportunity score

associated with each
combination of access and
vulnerability is shown in each
cell.

The scores provide a useful summary of the assessment and help you to rank employee roles in terms
of opportunity to carry out specific threats. These scores can also be plotted on a graph against the
impact of the threats - see below. The threat-group combinations appearing in the top right hand
corner of the chart will be those posing the greatest overall risk to your organisation.

e.g. IT administrator sabotages

central database

24
 Risk assessment for personnel security - a guide

Step five: Consider countermeasures

Step 3 Step 4 Step 5

Countermeasures
Group with high
Threat
opportunity Existing Sufficient? New

• Firewall will not detect

transmission of • Upgrade the firewall to
• Confidentiality
protectively marked block transmission of
agreements
documents protectively marked
Senior managers • Protective marking
• Security staff tend to documents
Employee reveals scheme
conduct fewer bag • Audit compliance with
commercially sensitive • Numbered copies
searches for senior the bag search policy
information managers
• The computer audit • Introduce a live alert
system will record but and warning system
IT administrators Computer audit
not prevent to flag unauthorised
unauthorised access information access

As with the organisation level risk assessment, start by listing in the ‘Existing’ column all
countermeasures currently in place that help to prevent the groups from carrying out the threat under
consideration.

Then, look at each countermeasure in turn and decide whether or not it is working sufficiently. If your
threat is defined as “Insider introduces virus into primary computer system” and the group with the
most opportunity is your IT agency staff, then your existing countermeasures may include the pre-
employment screening processes you have specified in the contract between your company and the
IT recruitment agency. But without an additional process – auditing the implementation of that
screening – it is unlikely that the contract alone will be a sufficient countermeasure.

Use the ‘Sufficient?’ column to record doubts about any gaps in the countermeasures and the ‘New’
column to list the steps required to resolve them.

Finally, review all the countermeasures that you have listed in relation to the group having greatest
opportunity, and decide whether they work sufficiently well together to limit opportunity and so
maintain the risk at an acceptable level. Once again, record any doubts in the ‘Sufficient?’ column,
and then use the knowledge of the group, and the advice of relevant experts if necessary, to
determine what new countermeasures should be implemented. List these in the ‘New’ column.

When you have decided which groups have high opportunity to carry out the threats in risk priority 1,
and addressed the issue of countermeasures in each case, repeat the exercise for all remaining risk
priorities.

If the time available for the group level risk assessment is limited, you may choose to tackle only the
threats in the higher risk priorities, but it is important to remember that there may be some factors that
only becomes evident during the group level risk assessment – such as very large group size – which
affects the prioritisation of threats, and may be missed if the assessment is not completed.

25
Risk assessment for personnel security - a guide

Group level risk assessment case study:

Assessment of opportunity for selected insider risks

At the group level address the threats in your highest priority areas first. The table below looks at a
selection of threat examples from a range of priority areas.

Risk Priority Which groups have high Access Vulnerability

Insider Threat Reasons
Area opportunity? (H,M,L) (H,M,L)
- These employees are well
Security employees placed to identify security
H M
(management) [15] vulnerabilities that can be
Employee discloses exploited
security information 1
(11) - These employees are well
Security employees (operational) placed to identify security
M M
[15] vulnerabilities that can be
exploited
- Access to information; limited
Employee reveals Senior management [20] circulation; existing contacts in H M
end of year results media
3
ahead of schedule
(to the press) (7) Printing (select group) (internal/ - Access to information that is not
H H
external) [25] widely available
- IT staff have the skills and the
Employee carries
IT staff [100] opportunity.
out a Denial of
3 Ex-IT staff in the last two years - Knowledge of system M L
Service (DoS) attack
[75] - Knowledge of systems’
on an IT system (10)
vulnerabilities
- These IT staff have the skills and
the opportunity (their Sys Admin
IT staff (with appropriate access
Employee introduces rights give them the ability to
and admin rights) [30]
a virus in the key IT 3 suspend the virus protection H M
IT contractors [10]
system (3) mechanisms).
Ex IT staff in the last 2 years [75]
- Knowledge of systems’
vulnerabilities
All staff have significant
opportunity but the following
- They work out-of-hours, when
employee roles have greater
Employee brings a security checks are less frequent.
opportunity than most: M M
bomb into the - Bag searches are made on a
4 Contractors, IT engineers,
building and it random sample.
Maintenance staff, Cleaning
detonates. (1) staff [total: 300]
- Opportunity to bypass security
Security guards [30] M H
measures

26
 Risk assessment for personnel security - a guide

Assessment of countermeasures

Assessment of opportunity for selected insider risks

Threat scenario Group COUNTERMEASURES

Existing Sufficient? New
Employee discloses Security employees - Security employees are - Poor control over - Refresh training on
security information (11) (management) subject to criminal record access to sensitive ‘need to know’
check security information - Rotate personnel in key
- Some access controls security positions
- Security culture varies - Introduce security
across the organisation culture self-assessment
across the organisation
Security employees - Security employees are - Refresh training on
(operational) subject to criminal record ‘need to know’
check - Rotate personnel in key
- Some access controls security positions
- Security culture varies - Introduce security
across the organisation culture self-assessment
across the organisation
Employee brings a bomb Contractors, IT Random bag searches - Variable standards - Random bag searches
into the building and it engineers, maintenance (daytime) - Changed with alert at night
detonates. (1) staff, cleaning staff Lesser pre-employment status - Explosives screening
screening checks for - Contractor screening - Annual refresher training
contractors insufficient - Checks that are
consistent with those for
permanent staff with the
same access levels
Security guards Random bag searches - Variable standards - Introduce new audit
(daytime) - Changed with alert system for random bag
status searches to increase
- Some security guards compliance for security
can bypass friends on guards
duty without checks
Employee reveals end of Senior management - Documents are - No restrictions on - Encryption of sensitive
year results ahead of numbered and on limited printing off emails or corporate information to
schedule to the Press (7) distribution sending them to an mitigate the risk of
- Audit trail of emails. external address external communication
- Use of protective by email
marking - Limit disaffected
- Clear desk/need- employees’ access to
to-know policy sensitive corporate
information
- Promote an effective
security culture
- Prohibit cameras or
mobile phones within the
building
Printing - Confidentiality - Low compliance with - Enforce clear desk
agreement in place clear desk policy. policy
- Documents are - No restrictions on - Reinforce security
numbered and on limited printing off emails or aspects of the contract
distribution sending them to an with the printer
- Use of protective external address. - Encryption of sensitive
marking corporate information to
- Clear desk/Need-to- mitigate the risk of
know policy external communication
by email

27
Risk assessment for personnel security - a guide

Threat scenario Group COUNTERMEASURES

Existing Sufficient? New
Employee carries out a IT staff - CCTV - CCTV does not give - Introduce a rule
Denial of Service (DoS) - Supervision and natural effective coverage of whereby no employee
attack on an IT system surveillance by some key locations can be in the IT Server
(10) colleagues - No annual security room unaccompanied.
- Back up system in appraisals or whistle- - Introduce a system to
place blowing systems to flag allow employees to raise
concerns concerns about co-
workers
Ex-IT staff Automatic removal of IT Staff directory not Brief staff on the need to
privileges on return of updated immediately, extend personnel security
staff ID card increasing potential for to ex-IT personnel.
social engineering Automate the process
attacks. whereby staff details are
removed from the staff
database when they
return their staff ID badge
Employee introduces a IT staff (with appropriate - Anti-virus software - Anti-virus software may - Require counter-
virus in to the key IT access and admin rights) - Software alerts from be turned off by an authorisation before anti-
system (3) outside employee with Sys admin virus software can be
- Virus checking policies rights suspended
- CCTV - Auditing is retrospective - Restrict the use of
and does not provide communication devices
timely alerts and (e.g. USB sticks or CD
warnings ROMs)
- Live monitoring of IT
systems and warning of
irregular activity
IT contractors (with - Anti-virus software - IT contractors - Ensure that any IT
admin rights) - Software alerts from sometimes employed contractor employed
outside prior to completion of prior to completion of
- Virus checking policies pre-employment pre-employment checks
- CCTV screening checks is accompanied at all
- Anti-virus software may times.
be turned off by an - Require counter-
employee with Sys admin authorisation before anti-
rights virus software can be
- Auditing is retrospective suspended
and does not provide - Restrict the use of
timely alerts and communication devices
warnings (e.g. USB sticks or CD
ROMs)
- Live monitoring of IT
systems and warning of
irregular activity

28
 Risk assessment for personnel security - a guide

1. Security employee (operational) discloses security information

2. Security guard brings a bomb into the building

3. A member of the senior management reveals the end of year results ahead of schedule

4. A printing department employee reveals the end of year results ahead of schedule

5. A member of the IT staff carries out a Denial of Service (DoS) attack on the IT system

6. An IT contractor introduces a virus in the key IT system

29
Risk assessment for personnel security - a guide

Producing risk scores for employee roles

The group level approach starts with the insider threats to the organisation and then assesses the
opportunity that employees have to commit those acts. The relationships between job roles and
threats are therefore considered in detail. One major benefit of this is that countermeasures can be
applied to job roles in a way that takes into account the types of threat that different employees might
pose. However, the approach is very qualitative and makes no attempt to quantify the level of risk
presented by particular job roles.

It is possible to conduct a more quantitative approach, instead of, or alongside the approach
described above. This entails scoring the opportunity provided by a given job role and also the impact
that could be achieved by an employee in that role. By combining these scores you can arrive at an
overall assessment of the level of risk associated with a job role. The benefit of this approach is that
job roles can be prioritised on the basis of these scores and countermeasures can be linked to
thresholds in the scoring system. For instance, you might decide that any role scoring in the top ten
warrants a criminal record check.

Many practitioners will find the results of this approach presentationally appealing and it can provide a
relatively simple framework for decision making. However, there are two drawbacks:

1. It does not encourage detailed consideration of insider threats and the way in which the
opportunity for these threats varies between roles. The impact that could be achieved in a
given job role is usually based on an assumption as to the reasonable worst-case threat.
For instance, it might be assumed that the reasonable worst-case threat posed by a
financial controller is fraud, in which case the opportunity for the controller to facilitate, say
a physical attack, would not be considered. The allocation of countermeasures is less
precise and comprehensive using this approach.

2. In order to score opportunity and impact it is necessary to devise numerical scales that
apply to the full range of job roles and threats under consideration. This is a significant
challenge.

30
 Risk assessment for personnel security - a guide

The individual level risk assessment

At the individual level, personnel security risk assessment seeks to examine the insider potential (i.e.
malicious and susceptibility) of individual employees. Individual risk is the combination of an
assessment of insider potential and the level of opportunity which exists for that individual, based on
their role and access.

The process of carrying out an individual level risk assessment is considerably more complex than at
the organisational or group level, most notably because it is technically much more difficult to assess
intent and susceptibility and as yet there is no agreed or tried and tested method of doing this. In
addition, seeking to conduct individual risk assessments across an organisation will be substantially
more resource intensive. For these reasons, it is likely that relatively few organisations will employ this
approach, although some may use individual level assessment for the small proportion of employees
that fall in the highest risk group(s) or as a means of assessing the risk posed by an employee of
concern.

CPNI is currently working on research into the behaviours and vulnerabilities associated with insider
activity. The ultimate aim of this research is to assist with decision making with regards the insider risk
at an individual level.

31
Risk assessment for personnel security - a guide

Glossary of terms

Asset Any element, service, function or event that supports the Critical National
Infrastructure. Assets can be physical entities such as people or equipment
and non-physical entities such as networks and systems.
Critical National Those key assets of the national infrastructure, the failure or loss of which
Infrastructure (CNI) could cause severe economic or social damage and/or large scale loss of
life. The national infrastructure is the underlying framework of facilities,
systems, sites and networks necessary for the functioning of the United
Kingdom and the delivery of the essential services upon which the UK
relies.
Impact The level of negative effect upon the UK’s public health and safety, its
economy, the essential services upon which it relies, public and
commercial confidence, and the functioning of government, that can be
expected to arise directly or indirectly if an asset is damaged, destroyed or
disrupted by a terrorist attack or other malicious incident. The degree to
which there are alternatives to the asset (i.e. the resilience of the CNI) will
affect the level of impact.
Insider An employee or contractor who seeks to exploit their legitimate access to
an organisation for unauthorised purposes.
Insider opportunity The feasibility of an employee conducting an insider attack on the basis of
the access afforded by their organisational role and the vulnerability of the
working environment.
Motivation A combination of proven intent to attack and the attractiveness of the
target in meeting the aspirations and aims of the adversary.
Personnel security A system of policies and procedures, which seeks to manage the risk of
staff or contractors exploiting their legitimate access to an organisation’s
assets or premises for unauthorised purposes.
Risk The potential for loss, damage, disruption, death or injury, following an
assessment of:
• the likelihood (the combination of threat and vulnerability) that a
malicious attack will occur affecting an asset; and
• the impact of the malicious attack
Threat The assessment of a terrorist or other malicious attacker’s motivation and
capability to attack an asset. The manifestation of the threat could take the
form of one or more attacks or attempted attacks, either concurrent or
simultaneous.
Vulnerability Vulnerability is a characteristic of, or flaw in, an asset’s design, location,
protective security measures, process, or operation that renders it
susceptible to, or offers the opportunity for, disruption or destruction,
incapacitation, or exploitation by terrorists or other malicious actors. These
characteristics may be found in infrastructure on which the asset is
dependent.

32
 Risk assessment for personnel security - a guide

Annex A – List of insider threats

This list is not intended to be exhaustive, but may be useful in generating discussion of threats
relevant to the organisation.

ACCESS TO INFORMATION
Theft of information / intelligence
Disclose sensitive information
Disclose sensitive information to specific parties
Disclose sensitive information to the public
Existing data
Sabotage organisation data - falsify
Sabotage organisation data - destroy / remove
Misuse of information
Distribution to unauthorised eyes inside / outside the organisation

ACCESS TO IT SYSTEMS
Disclose IT system details
Disclose IT systems used and their capabilities to specific parties
Disclose source
Disclose the organisation’s confidential sources to specific parties
Hack IT systems
Hack in to IT systems to copy information stored for further use
Hack in to IT systems to monitor use
Sabotage existing systems / data
Sabotage of existing systems - affect systems e.g. with viruses
Sabotage of existing systems - destroy systems
Sabotage of existing data - falsify
Sabotage of existing data - destroy / remove (e.g. with USB stick)
Bug telephone systems
Bug telephone systems to monitor use
Bug telephone systems to eavesdrop
Misuse of systems
Facilitating access of a third party to an IT system [record assumed impact in impact assumptions
column]

33
Risk assessment for personnel security - a guide

Access forthcoming systems and developments

Access forthcoming systems and developments - destroy
Access forthcoming systems and developments - sabotage
Access forthcoming systems and developments - disclose to the public
Access forthcoming systems and developments - disclose to specific parties

ACCESS TO SITES, BUILDINGS, MATERIALS AND MECHANICAL SYSTEMS

Facilitate access of a third party to the building
Facilitate access of a third party to areas of the building e.g. through Fire Exits [record assumed
impact in impact assumptions column]
Forge security passes
Give security pass to others
Facilitate access of a third party to information
Facilitate access of a third party to information [record assumed impact in impact assumptions
column]
Theft of goods / materials
Theft/distribution of harmful materials (e.g. radiological material/weapons)
Theft and distribution of non-harmful materials (e.g. passports, driving licences, clean criminal records
certificates).
Sabotage of goods / materials / building
Sabotage access points - to create weak areas
Sabotage storage facilities - to disrupt working practice
Sabotage storage facilities - to allow others access
Sabotage air conditioning units - to disrupt working practice
Sabotage air conditioning units - to cause casualties
Sabotage food and drink - to cause casualties
Sabotage walkways / lifts etc - to cause casualties
Sabotage post delivery system - to disrupt working practice
Disclose information about the premises and security systems
Disclose information about the building e.g. weaknesses (to specific parties)
Disclose information about the building e.g. weaknesses (to the public)
Disclose information about the security systems and measures in place (to the public)
Disclose information about the security systems and measures in place (to specific parties)
Direct attack on the building (e.g. explosives)
Direct attack on mechanical systems

34
 Risk assessment for personnel security - a guide

Physical destruction of systems / files

Physically destroy systems (e.g. IT centre)
Physically destroy files (e.g. by fire)
Access to developed / developing technology
Access to developed / developing technology - destroy
Access to developed / developing technology - sabotage
Access to developed / developing technology - disclose to specific parties
Access to developed / developing technology - disclose to the public
Use of recording devices
Bring in and use recording devices / scanners / phreaking devices - disclosure of information

ACCESS TO PERSONNEL
Disclose sensitive information
Disclose info gathered verbally through informal discussion - to the public
Disclose info gathered verbally through informal discussion - to specific parties
Disclose information from potentially sensitive meetings - to the public
Disclose information from potentially sensitive meetings - to specific parties
Persuade others to gather / pass information (short term)
Build specific relationships with an aim to acquire specific knowledge (long term)
Force individuals to gather / pass information
Force individuals to gather / pass information under duress
Force individuals to gather / pass information through bribery
Recruitment of others – commercial espionage
Attack / threaten individuals / groups of personnel
Physically attack individuals
Physically attack groups of personnel
Conduct a mass casualty attack on employees
Violate the liberty of individuals / groups (e.g. hostage taking)
Threaten personnel

35
Risk assessment for personnel security - a guide

Annex B – Vulnerability scale

A vulnerability scale for protective security risk assessments is presented overleaf. The scale is
normally accompanied by a scoring system. However, this method provides scores of overall
vulnerability for an organisation. For personnel security, the relevance of the different dimensions of
vulnerability will vary depending on the nature of the role and the organisation. Consequently, the scale
is offered without the scoring system and we suggest that you use it qualitatively to inform your
judgements about the vulnerability of the workplace.

36
 Risk assessment for personnel security - a guide

Physical vulnerability

A B C D E F
Type of physical Nature of site & Construction of CBR – Perimeter Extent of Security &
vulnerability perimeter building (mainly vulnerability to security control over screening of
(mainly related related to ingress & systems (e.g. building – visitors, mail,
Fields A-F to vehicle vehicle threats) spread of CBR access control, public access & deliveries etc
threats) materials intruder shared
detection and occupancy
CCTV systems)
Potential • Single layer • Building • Accessible air • Systems • Multiple • Visitor
indicators of perimeter (e.g. design Intakes installed and/ entrances - reception
HIGH external skin of susceptible to • Exterior shell or operated in people and/or within body of
vulnerability building) progressive of building an ad hoc vehicles building
• Proximity to collapse or relatively manner, • Building for • Poor staff
(Indicators likely public roads lack of permeable: without clear which public awareness re
to be supported • High structural windows often concept of use access is postal threats
by little evidence vulnerability to redundancy open or poorly • Inconsistent essential • Post-room in
of strong security vehicle borne • Heritage fitting; poor application, • Multiple heart of
governance, threats (e.g. buildings – design of obvious gaps occupancy building
policy and traversable planning entrances in coverage • Many and • Mail opened at
procedures) adjoining land), restrictions • Single layer frequent desks without
uncontrolled may limit and weak visitors screening
access and possible perimeter • Un-zoned, i.e. • Ad hoc visitors
insufficient or enhancements • Proximity to unrestricted and deliveries
permeable • Significant use public ways movement accepted
physical of glass • Critical within building without
standoff • Exposed key components question
measures structural located near
• Critical elements perimeter
components
located near
perimeter (i.e.
minimal stand-
off protection)
Medium
Potential • Multi-layer • Building • Inaccessible • Robust • Building • Clear concept
indicators of perimeter design not air intakes systems controlled by of operation;
LOW • Significant susceptible to • Good HV AC providing occupying all screening
Vulnerability stand-off progressive (Heating, capability that organisation systems meet
between collapse ventilation & reflects • Unrestricted clear
(Indicators likely exterior of • Glazing and air-conditioning concept of use access limited requirements
to be supported perimeter and cladding system) • Security staff to staff and • Staff involved
by clear evidence critical systems system design, seen as key trusted in screening
of strong security components of specifically e.g. zoned, element of contractors trained and
governance, site/building designed to with overall • Visitors by well motivated
policy and • Additional withstand blast advantageous perimeter appointment • All visitors
procedures) crash-proof and minimise pressure security only; screened at
measures (e.g. fragmentation gradients, system sponsored and site perimeter;
bollards, traffic limiting spread • Multi-layered escorted by mail and
restrictions) of perimeter and staff; photo id deliveries
keeping contaminants entrance checked screened off-
unscreened • Building arrangements • Building zoned site.
vehicles at a relatively Full height to restrict • Visitors &
distance; such impermeable: robust entry movement deliveries
continuous e.g. windows barrier always
measures sealed shut expected
designed with • Good staff
a clear control awareness re
strategy postal threats

37
Risk assessment for personnel security - a guide

Personnel vulnerability

A B C D E F

Type of Personnel Pre- Security culture Monitoring and Investigation Governance of

personnel security risk employment assessment of practices and personnel
vulnerability assessment screening employees disciplinary security
and audit procedures
Fields A-F
Potential • A lack of • Pre-employment • Good • Formalised • Disciplinary • HR and
indicators of routine screening protective monitoring and procedures are Security
HIGH personnel practices are security is a assessment not departments
vulnerability security risk ad hoc. low priority for procedures are appropriate for do not
assessment - • Pre-employment management absent or ad the full range collaborate
poor screening for and staff. hoc of insider effectively and
understanding contractors and • Poor • Behavioural threats there is
of which roles overseas staff appreciation of assessment (including confusion
create the are particular the threats to either absent threats to about the
greatest weaknesses the or is not national division of their
exposure to • There is no organisation. evidence security) responsibilities
risk across the effective • Personnel based • Investigative for personnel
organisation. auditing of security is not • Procedures fail practices do security
• Personnel those pre- viewed as the to identify not enable • There are no
security employment responsibility insider threats effective legal clear lines of
measures are screening of all staff (including defence of accountability
not always checks • A lack of threats to dismissal for personnel
applied performed by effective national decisions that security
proportionately third parties. communication security) in a are taken to
• No regular • There is no mechanisms timely fashion appeal
auditing of explicit by which staff or produce an
personnel risk-based can raise unacceptable
security, justification for security number of
measures the use of concerns false positives
against role national • A lack of
requirements security vetting effective
and standards checks, which briefing on
are carried out security
in isolation not practices
as part of a
managed
personnel
security regime.
Medium
Potential • Personnel • Standards are • Protective • Computer • Investigative/ • HR and
indicators of security risk documented, security is a very audit systems, disciplinary Security
LOW assessment is understood high priority for regular (e.g. procedures are collaborate
vulnerability routine and and, where management annual) staff robust, very closely,
integrated necessary, and staff security appropriate for but with a
within a risk mandated • Security is seen appraisals, the range of clear division
management through as the whistle- potential of
process regulations responsibility of blowing insider threats, responsibility
• The assessment • Practice is all staff systems and and enshrined • There is a
considers the consistent with • Staff are vigilant behavioural in formal and clearly
opportunity of these • Staff have a assessment fully identifiable
employee standards good techniques are communicated senior
groups to across the understanding all used to policies responsible
commit threats organisation of the security detect • Arrangements owner for
and the impacts • Employees risks to the suspicious or allow the personnel
that these and organisation anomalous organisation to security
threats would contractors do • Security culture employee defend itself
have not commence is assessed behaviour robustly in
• Personnel work prior to using validated response to
security successful tools and legal appeals
practices are completion of weaknesses are from staff who
regularly all checks (or addressed are dismissed
audited for they are through targeted
compliance with escorted at all communications
requirements times)
per role

38
 Risk assessment for personnel security - a guide

Electronic vulnerability

A B C D E F

Type of Information Risk Technical Technical System System’s

Electronic Security management control policies control acquisition, physical
vulnerability management & procedures development & environment,
audit maintenance outsourcing
Fields A-F and off-shoring
Potential • Information • Information • Lack of • Lack of • Security issues • Critical
indicators of security not risks not coherent adequate are not systems
HIGH discussed at assessed, or policies or lack procedures, included in the development
vulnerability board level, assessed only of awareness with ineffective acquisition, and/or
and no within the IT of policies audit, such as: development operation are
(Indicators likely method of department such as: - Client security, and outsourced
to be supported reporting to • No - Client security, including maintenance and/or off-
by little evidence board level management including laptops, process shored with no
of strong security • No security structure for laptops, remote access • No change security issues
governance, policy management remote access - Network control in the contract
policy and • No of information - Network security, processes • Outsource/off-
procedures) management security risks security, including shore issues
system for IT • No Business including access control, not included in
generally or Continuity access control, user risk
information Management user management, assessments
security in (BCM) management, network or audits
particular • No Information network services, IDS • Critical
• Audit of IT Asset services, IDS and pen tests systems have
systems is Inventory and pen tests • Anti-virus poor physical
inadequate • Anti-virus software security
software • System
• System patching
patching
Medium
Potential • Board level • Corporate risk • Policies are • Procedures • Security issues • No critical
indicators of ownership of management coherent and are dealt with at systems are
LOW Information system integrated comprehensive all stages outsourced
vulnerability Security includes • All staff are • Effectiveness • Change • All critical
• IS policy information aware of the is audited control systems have
(Indicators likely implements security risks policies to the regularly processes good physical
to be supported board strategy and reports to extent that • Security operating security
by clear evidence within industry Board level they need to incidents are effectively
of strong security standards • Up to date be investigated
governance, • IT systems Information • Breaches of and remedial
policy and managed to Asset policy are action taken
procedures) industry Inventory investigated
standards (e.g. forms the and remedial
ITIL) basis for threat action taken
• Critical assessment
systems and BCM
certified to • Comprehensive
27001 and well
rehearsed
BCM plans

39
Risk assessment for personnel security - a guide

Annex C: Diagrams for use in risk workshops

The following diagrams and tables can be copied, enlarged and printed onto laminates for use in
brainstorm sessions.

40
Disclaimer
Reference to any specific commercial product, process or service by trade name, trademark manufacturer, or otherwise,
does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors
expressed within this document shall not be used for advertising or product endorsement purposes.

To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or
consequential and including, but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill)
incurred by any person and howsoever caused arising from or connected with any error or omission in this document or
from any person acting, omitting to act or refraining form acting upon, or otherwise using, the information contained in this
document or its references. You should make your own judgement as regards use of this document and seek independent
professional advice on your particular circumstances.

March 2009