Software Engineering Institute

Most organizations approach insider risk management with a command-and-control focus, putting pressure on employees to act in the interests of the organization. Positive deterrence reduces insider risk by complementing the command-and-control approach with better alignment of the mutual interests of the individual and the organization. Programs that embrace positive deterrence can unlock a greater potential to minimize insider risk and mitigate the negative perceptions employees often have of the command-and-control approach. In this article, we describe why and how insider risk management programs (IRMPs) can augment their command-and-control strategies with positive deterrence. We provide actionable guidance on how to combine positive deterrence with command-and-control, resulting in a balanced way to reduce insider risk. As a complement to command-and-control, positive deterrence creates a work environment that reinforces the bond between the organization and its workforce, contributing to the well-being of both.