Company insiders present tricky risk control issues

SAN ANTONIO — The two factors to think about before developing a program to protect against insider threats are your risk appetite and risk tolerance, says an expert.

What are the firm’s critical assets and “what is it you’re trying to protect?” asked Michael G. Gelles, managing director at Deloitte L.L.P. in Arlington, Virginia, speaking at a session on avoiding insider threats Tuesday at the Risk & Insurance Management Society’s annual conference in San Antonio.

Risk tolerance “is an even more difficult question,” said Mr. Gelles. “That’s where we have the biggest conversations.” There has to be a “clear balance between having too little security and too much ... If there’s too much, it can impede a business’s productivity” and have a dramatic impact on growth, “so that becomes very critical,” Mr. Gelles said.

One of the emphases in developing a program should be on prevention, said Mr. Gelles. An appropriately designed program “can really prevent a lot of the behaviors” that lead to problems caused by ignorant or complacent insiders, he said.

Another issue is vetting employees. “How are you thinking about vetting?” he asked. “How many of you do periodic vetting?”

Many individuals come into an organization and go through background investigations, “but can still be there 15 years later, and they’ll never have another background investigation,” Mr. Gelles said, referring to how people may change over the years.

Another factor to consider is mitigating the risk of departing employees, Mr. Gelles said.

People who leave an organization often take information with them with the attitude of “I wrote that, I designed that” and “it’s mine,” he said. “It’s a very interesting sort of cultural issue.”

Furthermore, he said, “what do you do to train your managers to be attentive to people?” Some organizations, he said, may have ethical hotlines, but what is done to proactively protect data so it does not get away?

Another factor to consider is information security controls.

“Everything goes back to risk appetite,” Mr. Gelles said. How many controls should be put on a workforce in terms of what they can do? Some organizations, for instance, prevent any use of personal computers for work-related business.

Also speaking at the session was Michal Gnatek, enterprise risk manager for McLean, Virginia-based Mitre Corp., who said he reports to his organization’s chief risk officer.

“The risk manager is in a unique and beneficial position” to pull all the stakeholders in a program together, he said, whether it is human resources, legal or finance. “Those groups feel more comfortable going up to the risk management level” and using a risk framework that an entire organization can adhere to, he said.

Joshua Massey, department head of strategic program protection and threat management at Mitre, said it is important that firms understand their vulnerabilities around employees, including loopholes and blind spots.

He also discussed defining who the insider is. There is no one-size-fits-all approach, he said, and you must understand the culture of an organization to determine “how expansive or restrictive you want to be” with the status of subcontractors, vendors and consultants.