
Why is an interdisciplinary academic / private / public research initiative dedicated to insider threat and risk mitigation research necessary?
The severity of attacks on Canadian organizations and critical infrastructure is increasing.
The underlying motivations that lead to these attacks are varied, meaning that risk management solutions must increasingly adopt a holistic and balanced approach that considers mitigations from the cyber security, human resources, legal, personnel security, physical security, and privacy disciplines.
Private and public institutions have unique approaches to insider risk management, and the academic environment provides an opportunity to foster dialogue, conduct critical inquiry, and promote applied research initiatives to manage the risk.
The CInRM CoE, in cooperation with the Office of Professional Training and Development at Carleton University’s Norman Paterson School of International Affairs (NPSIA PT&D), has developed training in insider risk management.
Certificates provide continuing professional education (CPE) credits that are recognized by international professional security organizations such as ASIS International.
The objective of this seminar is to introduce students to the concept of malicious insider threats, defined as “a current or former employee, contractor, or business partner…negatively affecting the confidentiality, integrity, availability” of an organization’s assets including its workforce, along with risk management theory and industry standards to control for—and mitigate—threats.
Insider risk management practitioners are not the only employees in the workplace who need to understand insider threats: mitigation is a shared responsibility.
Our workforce training initiatives are designed to assist organizations with activities, communications, and annual compliance initiatives related to the broad socialization of insider risk management.
Practitioners who have completed a minimum of three practical certificates in insider risk management can now take an examination to receive the Canadian Insider Risk Management Professional Certificate.
Following the completion of the online examination, practitioners will receive a digital CINRM | GRINC professional certificate and the option to register in a publicly accessible CINRM | GRINC online directory that will be hosted on the CInRM CoE's website.
For more information please register.
Subscribe for updates and follow us on LinkedIn.
The Operational Information Exchange (OIE) initiative is underway. This is an initiative to enhance partnerships with Canadian entities and promote the sharing of information. If your organization would like to join, please inquire for more details.
A Taskforce has been established to provide thought leadership and input on the establishment of the parameters for a secure, centralized, intake portal for anonymized incident reporting, and the sharing of aggregate details to a closed research community of academic, private, and public partners.
*Phase 1 industry consultations are complete. If your organization would like to join a Phase 2 industry proof-of-concept pilot, please inquire.*
Rigorous research on insider risk mitigation based on real case studies with moderate to large sample sizes does not generally exist; none exists in Canada.
If you are a Canadian organization that would like to receive the final results for benchmarking purposes, contact the C-InRM CoE today to learn how you may participate in the study.
***Data collection phase complete. Thank you to all organizations who supported the study. Results to be published in the future.***

Insights
...are based on original research with Canadian organizations
Community resources
...to create insider risk management programs
...to assess the capability and maturity of existing programs
...to respond to detected potential threats
...to apply strategic foresight based on the changing environment
A current understanding of how insider risks may be mitigated includes...
...in people focused insider risk programs...technology should be an enabler
...cultivating a positive workplace culture...
...increased employee awareness and training...
How likely are employees to report potential threats?
Our research indicates that there is confusion and uncertainty surrounding the issue of reporting concerns about a co-worker's behaviour that could identify them as an insider threat. Data from the study revealed that people are engaged with the topic and see it as important, but their comments suggest that the burden of reporting is too great within the workforce, so a common choice is to do nothing, as encapsulated by the quote, "the pull to do nothing would be strong".
People want to do the right thing, but not at their own expense; there are more incentives to be complacent than to be involved. Changing organizational culture can improve the situation.
Do organizations differentiate between risk controls required for malicious vs. unintentional insider threats?
Organizations required a clear definition in policy of insider threat
More awareness initiatives are required to mitigate the more likely unintentional threats
Technical controls have been more focused towards malicious threats






