In many countries some form of screening is in place as a preventive mitigation tool against the insider threat. A screening, however, provides a picture of a person at a specific moment in time, based on the information that is gathered at that moment. Even where screenings are repeated on a regular basis, some form of follow-up is still necessary for people who work with sensitive material or sensitive information: a screening gives an overview of someone's past, which we then accept as an indication of their behaviour in the future. That is an assumption, and it holds only as long as nothing about the person changes.
To take a concrete case: in Belgium, a security officer is responsible for requesting screenings and for following up the people who have been screened. It is, however, very difficult for one person to follow up everyone in a facility. There should therefore be a system in place through which signs of changing behaviour can be signalled, so that a reaction is possible.
In this setting it is important to define a baseline of behaviour; without a baseline, a change in behaviour cannot be identified. The difficulty is that every person is different, so there is no single generic baseline, and establishing one cannot really be done by someone who is not in regular contact with the person concerned. It is therefore very important to identify the specific functions or people who are in a position to know this baseline and to notice a change from it.
During the International Symposium on Insider Threat Mitigation in March 2019 we ran an exercise on this topic. In this interactive session we set out a specific profile and described its ‘baseline behaviour’. We then presented signs of changes in behaviour and challenged the group to think about when and how they would react.
During this exercise, with a sample of people working on insider threat, it became clear that deciding when to react is a difficult balance. In general, a single small difference in behaviour did not trigger any concrete reaction. Nevertheless, when we put several small pieces of information together, most participants indicated that they wanted to react. The pieces that formed this new picture came from different parts of the facility: colleagues, the HR service, the line manager, and so on. This is information that is not always brought together, which adds to the challenges of this subject. The reaction, and the way it was carried out, depended strongly on the legislative options and on the culture of the country, the company and its security culture.
For aftercare, it is a challenge to give concrete guidance, mainly because so much depends on the legal possibilities and on the culture. It is clear, however, that there needs to be some form of system for following up people who have been screened, and that this system needs to involve the different partners within the facility.
In this paper we address these challenges and look at the different roles and responsibilities for reporting within an aftercare system.