The Critical Pathway to Insider Risk

A Practical Framework for Australian Organisations

Introduction

Most insider incidents don’t begin with malicious intent; they begin with pressure. Financial stress, workload fatigue, interpersonal conflict, or perceived injustice can gradually push even trusted employees toward risky decisions.

This article examines the Critical Pathway to Insider Risk (CPIR), a behavioural model developed by Shaw and Sellers (2015) for the U.S. Intelligence Community, and explains how it applies to Australian organisations across public, private, and critical infrastructure sectors. By integrating insights from the Attorney-General’s Countering the Insider Threat (2023), the Protective Security Policy Framework (PSPF), and Core Integrity’s applied experience, we demonstrate how the CPIR provides a practical blueprint for early detection, early intervention, and ethical management of people-related risks.

The aim is simple: help organisations identify, understand, and disrupt insider risk long before compliance obligations or investigations are triggered.

Understanding the Critical Pathway to Insider Risk (CPIR)

Research by Shaw & Sellers (2015) found that insider acts evolve through a predictable and observable series of stages. Insider misconduct is rarely spontaneous; it develops through a pathway of personal, social, organisational, and behavioural factors.

Key stages of the pathway

Key Insight

“The pathway to insider risk is both predictable and interruptible, provided organisations can detect and intervene early.”
Shaw & Sellers (2015)

Nearly all insider offenders display concerning behaviours within 90 days of the incident, and 78% experience at least one major workplace stressor beforehand. These are clear opportunities for organisations to act.

Why traditional controls often fall short

Many organisations rely heavily on technical controls such as data loss prevention (DLP), security information and event management (SIEM), identity and access management (IAM), and user and entity behaviour analytics (UEBA). These are essential but insufficient on their own.

Technology captures actions, not intent

According to the 2024 DTEX i³ Insider Risk Report, nearly 80% of insider incidents arise from non-malicious behaviours such as negligence, burnout, or misunderstanding policy. These human factors remain invisible unless combined with behavioural, cultural, and people analytics.

Common pitfalls

  • Treating insider risk as purely a cybersecurity issue.
  • HR, Cyber, Risk, and Integrity teams operating in silos.
  • Lack of behavioural analytics or trust indicators.
  • Deploying surveillance that is poorly explained, eroding employee trust, which is the strongest insider-risk control of all.

Building a Human-Centred Insider Risk Program

A modern Insider Risk Program (IRP) must go beyond compliance and detection. It must integrate behavioural science, governance, culture, and ethical technology to create an environment where risks are understood and people feel safe to speak up early.

Core actions for leaders

Human-centred programs don’t eliminate risk; they reduce surprise and increase the organisation’s capacity to respond safely, proportionately, and ethically.

Embedding the model in Australian compliance contexts

For critical infrastructure entities, the Security of Critical Infrastructure (SOCI) Act 2018 and the CIRMP Rules (LIN 23/006) require organisations to manage Personnel Hazards as part of their Critical Infrastructure Risk Management Program (CIRMP). The CPIR provides a behavioural map that aligns closely with this requirement.

Integration points for Australian organisations

  • Protective Security Alignment: Embed CPIR principles into physical security frameworks, ensuring personnel, physical, and information security work cohesively.
  • Enterprise Risk Integration: Position insider risk within the Enterprise Risk Management (ERM) framework, including risk appetite, reporting, and heatmaps.
  • Human & Cultural Integration: Link HR, Security, Integrity, and Risk functions through shared governance, behavioural indicators, and structured escalation pathways.

Regardless of sector, the challenge is the same: building a continuous loop between people, process, and technology to detect, deter, and respond to insider risk.

How Core Integrity supports organisations

Core Integrity helps organisations operationalise the CPIR and meet regulatory, governance, and cultural expectations through a measurable, human-centric insider risk framework.
We support clients to:
  • Implement systems to identify behavioural and human risk early, before harm occurs. 
  • Ensure responses are ethical, proportionate, and psychologically safe. 
  • Build trusted, resilient workplace cultures that reduce misconduct and improve detection. 
  • Develop metrics and reporting that give boards and regulators confidence your program is working. 

Key Insight

“Insider risk isn’t a cybersecurity issue; it’s a people issue. And people risk must be managed with integrity.”

References

  • Shaw, E. & Sellers, L. (2015). Application of the Critical-Path Method to Evaluate Insider Risks. CIA.
  • Lenzenweger, M. & Shaw, E. (2022). The Critical Pathway to Insider Risk: Brief Overview and Future Directions.
  • Attorney-General’s Department (2023). Countering the Insider Threat – A Guide for Australian Government.
  • Department of Home Affairs (2023). Security of Critical Infrastructure (CIRMP Rules) – LIN 23/006.
  • DTEX i³ (2024). Insider Risk Investigations Report.
  • Securonix (2024). Insider Threat Report.

Take the Insider Risk Health Check

Many organisations don’t know where they stand until an incident occurs. The Core Integrity Insider Risk Health Check provides a confidential, evidence-based assessment of your organisation’s readiness across governance, people, culture, and technology.

The Health Check measures:

  • Leadership and culture indicators of trust, fairness, and psychological safety.
  • Effectiveness of HR–Cyber–Risk collaboration.
  • Alignment with SOCI, PSPF, and best-practice frameworks.
  • Detection and response maturity (MTTD/MTTR).

You’ll receive a link to your tailored results detailing:

  • The current state of your insider risk program.
  • Gaps against best practice and CIRMP obligations (where applicable).
  • A prioritised roadmap to strengthen resilience and reduce exposure.

Take the Insider Risk Health Check to benchmark your current maturity and begin building a trusted, compliant, and human-centred insider risk program.
