The insider threat is recognised as one of the most challenging security threats to counter in any industry or organisation, including the civil nuclear industry. All industries suffer from this threat: the financial industry with insider trading, retail with ‘shrinkage’, aviation with ‘gun running’ and ‘drugs shipping’, and there are a myriad of other examples.
It is important for the nuclear industry to address this threat, as there can be multiple consequences: unacceptable radiological consequences from sabotage, materials out of regulatory control through theft, proliferation challenges through the loss of information and technology, lost revenue through disruption of operations, and loss of public confidence and reputational damage through leaking of information.
The Insider may be given unique opportunities through authorised access to facilities, vital or sensitive areas or assets, and through their given roles and responsibilities, allowing them to widen their sphere of influence and increase the opportunity for success.
This paper looks at what an insider is, their potential motivations (through consideration of the Counterproductive Workplace Behaviour Model), their access and opportunity, and the potential consequences of a successful attack. Case studies of insider incidents from the nuclear industry, government, other industries and the military will be used to identify common criteria that can be addressed by nuclear operators. It will conclude by looking at Mitigation in Practice.
Some high-profile case studies of theft and sabotage will be assessed to determine common failures that can be addressed by operators.
The APEASE (Affordability, Practicability, Effectiveness and Cost-effectiveness, Acceptability, Side-effects/Safety, and Equity Considerations) criteria will be discussed as a business process for assessing the adequacy of proposed enhancement mitigation measures.
The paper will then look at how Dutyholders can implement Mitigation in Practice by presenting a schematic representation of protective measures (based on an approach modelled on the Cubic of Bautz) and a behavioural model known as COM-B (capability, opportunity, motivation and behaviour).
It concludes by detailing our major findings and recommendations to reduce the likelihood of insider threat.