Models and metrics

This chapter considers ways of assessing or measuring insider risk and personnel security. It considers how models and metrics can help to capture, assess, and communicate the severity of an organisation’s insider risk and the effectiveness of its personnel security defences. Personnel security systems can be assessed against models such as the simple threefold model described in Chapter 6 and the Personnel Security Maturity Model produced by UK government authorities. Most cyber security models pay scant attention to the human element and are not good tools for assessing personnel security. The complexity of insider risk makes it hard to measure with valid and reliable quantitative metrics. Various metrics are described that can be used to make meaningful assessments of the effectiveness, performance, and value of personnel security, the severity of insider risk, and the trustworthiness of individuals and organisations.