Businesses, such as financial institutions and the like, place a significant emphasis on preventing security related issues. Up until recently, most of the emphasis was placed on preventing external individuals (i.e., individuals not associated with or employed by the business) from compromising or otherwise exposing the business to security risks. However, historical data has shown that the vast majority of security risks for businesses, such as financial institutions or the like, are related to inside individuals (i.e., employees or the like).
For the most part, internal security emphasis has been limited to assessing hardware. This includes assessing hardware to determine vulnerabilities, open shares, out-of-date virus signatures, absence of critical services, compliance status and the like. Such assessments identify hardware that is of a higher security risk so that preventive measures can be taken, such as further monitoring of the hardware or, in some instances, expunging the hardware from the business inventory. However, assessing employees has been shown to provide equal or even greater value in addressing security risks, such as insider threat management, forensics and other types of investigations.
While security assessments, in the form of background checks, credit checks and the like, have been used by human resources (HR) departments and the like as a means of assessing the security risk posed by prospective employees, no such system exists to assess and/or track the security risk posed by employees once they have been hired. In this regard, the assessments made during the pre-hiring stage, such as background checks, credit checks and the like, have little relevance to assessing the internal security risk once the individual becomes an employee. Moreover, the assessments made during the pre-hiring stage tend to be intrusive, time-consuming and costly.
Therefore, a need exists to develop systems, apparatus, computer program products and the like that identify, track and manage security risks posed by employees. In this regard, the desired systems should provide for quantifying the security risk posed by employees, such that those employees that pose security risks can be readily identified and further measures taken to ensure the risk does not evolve into a threat. In addition, the desired system should be highly normalized to remove redundancies and/or dependencies, thus resulting in a simple yet flexible approach to identifying and managing employees that pose a security risk. In this regard, the desired system should provide for assessing risk at any level within the business hierarchy, such as at a job title level, a business unit level or the like, so that the quantification of risk is normalized across the chosen level of the business hierarchy. Moreover, the desired system should provide for distinguishing between the level of risk that is acceptable for a specific job title, job class, department or the like, and the level of risk that exceeds the acceptable level. Additionally, the desired system should be readily adaptable to support identification and tracking of any burgeoning security risks within the business.
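One way the quantification and per-level normalization described above could be realised, as an added illustration that is not part of the original document: each employee's weighted indicator counts are reduced to a raw score, that score is then expressed relative to the peer group at the chosen hierarchy level (job title or business unit), and only scores exceeding the group's acceptable level are flagged. The employee records, indicator names and weights are constructed for this example and are assumptions, not taken from the source.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: hypothetical indicator weights and employees.
WEIGHTS = {"policy_violations": 3.0, "failed_logins": 1.0, "data_exfil_alerts": 5.0}
EMPLOYEES = [
    # (employee_id, job_title, business_unit, indicator counts)
    ("t1", "teller", "retail", {"policy_violations": 0, "failed_logins": 2, "data_exfil_alerts": 0}),
    ("t2", "teller", "retail", {"policy_violations": 0, "failed_logins": 3, "data_exfil_alerts": 0}),
    ("t3", "teller", "retail", {"policy_violations": 0, "failed_logins": 2, "data_exfil_alerts": 0}),
    ("t4", "teller", "retail", {"policy_violations": 0, "failed_logins": 3, "data_exfil_alerts": 0}),
    ("t5", "teller", "retail", {"policy_violations": 2, "failed_logins": 3, "data_exfil_alerts": 1}),
    ("m1", "branch_manager", "retail", {"policy_violations": 1, "failed_logins": 4, "data_exfil_alerts": 0}),
    ("s1", "sysadmin", "it", {"policy_violations": 0, "failed_logins": 12, "data_exfil_alerts": 0}),
    ("s2", "sysadmin", "it", {"policy_violations": 1, "failed_logins": 10, "data_exfil_alerts": 0}),
    ("s3", "sysadmin", "it", {"policy_violations": 0, "failed_logins": 13, "data_exfil_alerts": 0}),
    ("s4", "sysadmin", "it", {"policy_violations": 1, "failed_logins": 11, "data_exfil_alerts": 0}),
]
# Which tuple field defines the peer group at each hierarchy level.
LEVEL_INDEX = {"job_title": 1, "business_unit": 2}


def raw_score(indicators):
    """Weighted sum of indicator counts. Raw scores are only meaningful
    relative to peers: a sysadmin's failed logins are not a teller's."""
    return sum(WEIGHTS[name] * count for name, count in indicators.items())


def normalized_scores(employees, level):
    """Express each raw score as a z-score against the peer group at `level`.
    A group with a single member or no spread yields 0.0, because there is
    no baseline for that group to exceed."""
    idx = LEVEL_INDEX[level]
    groups = defaultdict(list)
    for emp in employees:
        groups[emp[idx]].append(raw_score(emp[3]))
    baseline = {g: (mean(s), pstdev(s)) for g, s in groups.items()}
    result = {}
    for emp in employees:
        mu, sd = baseline[emp[idx]]
        result[emp[0]] = (raw_score(emp[3]) - mu) / sd if sd > 0 else 0.0
    return result


def flag_excess(employees, level, tolerance=1.5):
    """Employees whose normalized score exceeds the acceptable level
    (mean plus `tolerance` standard deviations) for their own group."""
    z = normalized_scores(employees, level)
    return sorted(eid for eid, score in z.items() if score > tolerance)
```

In this sample t5 and s4 share the same raw score of 14, yet only t5 is flagged, because 14 is far outside the teller baseline but within the sysadmin one; the single-member branch_manager group cannot be flagged at the job title level and is only assessed against its business unit.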