Barriers to success

This final chapter looks at a range of common obstacles to understanding and managing insider risk. These barriers to success include a shortage of subject matter experts, unclear governance, inadequate understanding of insider risk, inadequate sharing of information, not treating insider risk as a distinct risk in its own right, concerns about privacy and confidentiality, lack of meaningful metrics, not learning from experience, and a cyber-centric approach to protective security. Four other obstacles are considered in more detail – namely, lack of systems thinking, cognitive biases (such as optimism bias and groupthink), shortage of empirical evidence, and unsuitable methodology (such as inappropriate risk metrics and excessive use of project and programme management methodology).