INSA releases insider threat white paper

As the U.S. government reforms its security clearance process, it must address the use of publicly available electronic information (PAEI)—specifically social media and commercially available databases—for personnel security determinations and insider threat purposes, according to a new white paper issued by the Arlington, VA-based Intelligence and National Security Alliance (INSA) on February 7.

The Use of Publicly Available Electronic Information for Insider Threat Monitoring, developed by the INSA Insider Threat Subcommittee, recommends the Director of National Intelligence, as the government’s Security Executive Agent, work with the Defense Department, which will assume government-wide investigation and adjudication responsibilities, to take several key steps, including:

  1. Determine what sources of publicly available information are relevant to security determinations;
  2. Develop a single legal interpretation of what PAEI, including social media data, may be collected and analyzed for personnel security purposes; and
  3. Establish policies for how PAEI, including social media data, may be used for security-related personnel determinations.

To do so, the government must determine what PAEI constructively informs a risk assessment, what types are appropriate to use, and how to use such data to make both initial and ongoing assessments.

“Organizations would be irresponsible to ignore publicly available data when assessing personnel security risks, but it’s neither productive nor desirable to collect every piece of information that might exist,” said Chuck Alsup, INSA president. “The DNI should lead a government effort to determine what data is relevant, how to interpret it, and how to balance security needs with employees’ reasonable expectations of privacy.  Private companies can then build on policies and standards set by the government to develop their own practices.”

Defined as information that is available to the public on an electronic platform such as a website, social media, or database (whether for a fee or not), PAEI can provide insights into an individual’s perceptions, plans, intentions, associations, and actions.  This data can help employers determine whether an employee poses a potential threat to themselves or the organization.  Criteria for evaluating social media may be particularly difficulty to establish, both because social media postings may not clearly indicate potential security risks and because social media monitoring by an employer may be seen as overly intrusive.

“Companies are struggling to develop strategies to leverage the significant value that public data provides to insider risk mitigation, particularly as the ‘borderless work environment’ expands,” says Val LeTellier, principal author of the report and member, INSA Insider Threat Subcommittee. “The report provides a framework of the most important factors to consider when developing culturally viable and operationally effective policies. To use PAEI effectively, government agencies and private firms need a single set of parameters for what data to use and how to evaluate it.”

Download a copy of the report at www.insaonline.org.

Source: INSA