A not-for-profit entity that is evolving Canada's capabilities in insider risk management by fostering an interdisciplinary approach aimed at accelerating research, training, education and building sustained community partnerships.
Updates
Why is an interdisciplinary, academic / private / public research initiative dedicated to insider threat and the risk mitigation research necessary?
The severity of attacks to Canadian organizations and critical infrastructure is increasing.
The underlying motivations that lead to these attacks are varied, meaning that risk management solutions must increasingly adopt a holistic and balanced approach, that consider mitigations from the cyber security, human resources legal, personnel security, physical security, and privacy disciplines.
Private and public institutions have unique approaches to insider risk management, and the academic environment provides an opportunity to foster dialogue, conduct critical inquiry, and promote applied research initiatives to manage the risk.
The CInRM CoE, in cooperation with the Office of Professional Training and Development at Carleton University’s Norman Paterson School of International Affairs (NPSIA PT&D), has developed training in insider risk awareness.
Certificates provide continuing professional education (CPE) credits that are recognized by international professional security organizations such as ASIS International.
A Taskforce has been established to provide thought leadership and input on the establishment of the parameters for a secure, centralized, intake portal for anonymized incident reporting, and the sharing of aggregate details to a closed research community of academic, private, and public partners.
*Phase 1 industry consultations are complete. If your organization would like join a Phase 2 industry proof-of-concept pilot, please inquire by December 31, 2023.*
Rigorous research on insider risk mitigation based on real case studies with moderate to large sample sizes, do not generally exist--none exist in Canada.
If you are a Canadian organization that would like to receive the final results for benchmarking purposes, contact the C-InRM CoE today to learn how you may participate in the study.
***Data collection phase complete, thank-you to all organizations who supported the study--results to be published in the future***
Community of Practice
Subscribe for updates and follow us on LinkedIn.
*An Operational Information Exchange (OIE) pilot initiative is underway. This is an initiative to enhance partnerships with Canadian entities and promote the sharing of information. If your organization would like to join, please inquire for more details.*
Insights
...are based on original research with Canadian organizations
Community resources
...to create insider risk management programs
...to assess the capability and maturity of existing programs
...to respond to detected potential threats
...to apply strategic foresight based on the changing environment
A current understanding of how insider risks may be mitigated includes...
...in people focused insider risk programs...technology should be an enabler
...cultivating a positive workplace culture...
...increased employee awareness and training...
How likely are employees to report potential threats?
Our research indicates that there is confusion and uncertainty surrounding the issue of reporting concerns about a co-worker's behaviour that could identify them as an insider threat. Data from the study revealed that people are engaged about the topic and see it as important, but their comments suggest that the burden of reporting is too great within the workforce so a common choice is to do nothing as encapsulated by the quote, "the pull to do nothing would be strong".
People want to do the right thing, but not at own expense, there are more incentives to be complacent then being involved. Changing organizational culture can improve the situation.
Do organizations differentiate between risk controls required for malicious vs. unintentional insider threats?
Organizations required a clear definition in policy of insider threat
More awareness initiatives are required to mitigate the more likely unintentional threats
Technical controls have been more focused towards malicious threats
We Take Pride in Our Numbers
9
research initiatives focused on insider risk management, generating insights that can be applied to organizational policy and program enhancements
50+
graduate students instructed at Carleton University, Norman Paterson School of International Affairs (NPSIA) on insider risk, threat, and mitigation history, theory, policy, and program building...augmenting insider risk practitioners, leaders, and academic resources to meet the demands of the employment market
50+
Canadian private and public organizations supporting their employees' training on insider risk awareness in the practical certificate program offered in partnership with Carleton University, NPSIA, Professional Training and Development (PT&D)
100+
Canadian industry professionals in the private and public sectors instructed on Insider Risk Management - Foundations for Screening and Risk Factors, Investigations
∞
providing co-op and job opportunities in insider risk management for graduate students in partnership with Canadian organizations
Founding Partners¹
Federal Advisory Committee⁴
Identify the Threat and Mitigate
C-InRM CoE Steering Committee
"I look for partners in the private sector or the federal public service who have a research idea but don't have the capacity to implement it."
"Our hope and expectation with emerging collaboration is that it will grow into something bigger and broader in the coming years."
Professor Alex Wilner, Co-Chair of the CInRM CoE Steering Committee
Senior Infrastructure Protection and International Security Fellow Lina Tsakiris, Co-Chair of the CInRM CoE Steering Committee, collaborating with Prof. Wilner on a new academic partnership on insider risk that will focus on the Canadian security landscape.
<Excepts taken from Stories: Featured, Faculty of Public Affairs, Norman Paterson School of International Affairs, February 7, 2022>
C-InRM CoE Research POV
"The time is obviously right to be talking about and studying insider risk topics - everyone I've interviewed for our research, both expert and non-expert, has been engaged, passionate, and full of thoughtful ideas to consider to improve security culture in Canada."
Researcher
CInRM CoE
"I am delighted to have partnered with the Canadian Insider Risk Management Centre of Excellence for my 2021 Insider Risk for Canadian Financial Institutions Masters Capstone, and as a Researcher for a Technology Applications and Evolution for Insider Threat Detection project in 2022.
Alex, Lina and Victor’s expertise, insights and knowledge were extremely helpful in steering forward-looking and impactful insider risk research that can add significant organizational value.
I hope that my work with the C-InRM CoE is the beginning of a long partnership and I can continue to help the Centre of Excellence expand its high-quality insider risk research."
Researcher
CInRM CoE