In this blog, Kris discusses approaches to the suitability assessment of critical (and non-critical) workers, that is central to the Critical Infrastructure Risk Management Program, and the role suitability plays in managing insider risk.
There’s suitability, and then there’s suitability
One of the key features of the Security of Critical Infrastructure Act (SOCI) 2018 is the requirement for entities responsible for critical infrastructure assets to identify and manage the personnel risks relating to those assets.
As we know, one of the major risks to critical infrastructure entities is that posed by ‘insiders’. In essence, an insider is any current or former employee or contractor who has legitimate or indirect access to any part of your business.
In short, if you have people, you have risk.[1]
Insider risk can turn into an insider threat when an insider, or a group of insiders, either intends to (malicious), or is likely to (unintentionally) cause harm or loss to the organisation. When the insider threat is a critical worker, that is, someone whose role could cause significant damage to a critical infrastructure asset, then the harm can be disastrous.
So, an important feature of any approach to managing personnel hazards like insider risk is to reduce the likelihood that an insider will turn from a risk into a threat. One way of reducing that likelihood is ensuring that your workers are suitable to work in the organisation in the first place.
The concept of suitability is a central to the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023 (Rules). Specifically, critical workers are only permitted access to critical components of assets once they have been assessed as suitable to have such access. However, because this legislation is principles-based, suitability is not proscribed nor defined in the Rules. It is up to each individual entity to decide how best to assess and manage the personnel risks workers pose.[2]
A well-known framework for understanding insider risk is the Critical Pathway to Insider Risk (CPIR).[3] Based on a review of insider risk case studies, the CPIR sets out the ‘pathway’ that is known to have been followed by a large number of disgruntled insiders who engage in insider events. The pathway components include: Personal Predispositions, Stressors, Concerning Behaviours, Problematic Organisational Responses, and Operational Plans for betrayal. [4]
The first component of the pathway, Personal Predispositions, has practical implications for workforce screening and it is a helpful tool for guiding suitability-related considerations. Personal Predispositions are the underlying vulnerabilities that are known to be linked to insider risk. They include psychological issues that impair judgment as well as past behaviour and social connections that contain risk.
Broadly speaking, we can approach suitability in two (complementary) ways. The first is the verification and validation of the claims made by the job applicant to questions such as: Is this critical worker who they say they are? Do they actually have the qualifications and experience they told us they do? Can the background information they provided about their employment, legal, financial history and the like be verified? Do they hold the appropriate legal requirements to work in Australia? These questions tend to reflect eligibility requirements and they fall within the bounds of the minimum background check requirement for critical workers as set out in the Rules.
The second approach to suitability seeks answers to a different set of questions. It is less about verification and more about whether the person is ‘psychologically suitable’ for a particular workplace. For example, does this critical worker share the values of the organisation? Are they aligned with its mission? Are they connected to the organisation in a way that will make them want to protect it and its reputation? Or, do they have a propensity to hold, and act on, a grudge or grievance?
Both approaches are important, but they will yield different results when applied to the mitigation of insider risk.
When considering the approach that is the most appropriate for your organisation, the guidance provided by the Australian Standard on Workforce Screening AS 4811:2022 is helpful. According to this Standard, a risk management process should inform the development of the workforce screening program and the level of screening conducted on a candidate should be commensurate with the level of risk posed by the particular role.[5]
There is a wide range of screening options open to SOCI entities to assure their workforce, critical and non-critical alike. These options range from relatively straightforward background checks, through to enhanced vetting checks, and comprehensive psychological assessments (what might be considered a ‘gold standard’). Each entity will have different requirements depending on their current recruitment or screening practices, the specific requirements associated with the relevant sector, their tolerance for risk, their capacity to mitigate and manage risks on an ongoing basis and their resourcing. It may be that different approaches need to be taken for different workers. The first approach might be adequate for non-critical workers where the stakes are lower and where compromise would cause minimal damage. Its adequacy might be limited for critical workers where the stakes are considerably higher.
Once suitability is assessed decisions can be made about whether the risk is acceptable and/or whether and how it should be managed over time.
All that said, it is important to remember that the insider’s vulnerabilities are but one piece of the insider risk puzzle. Screening is important but there are many other important pieces such as the organisational culture including its security culture, its stance toward employee wellbeing and the competency of its response to workplace or security issues.
[1] National Protective Security Authority, NPSA Changes to Insider Risk Definitions, Newsletter May 2023
[2] Critical Infrastructure Risk Management Program: Managing personnel hazards handout. February 2023
[3] Shaw & Sellars (2015), Application of the Critical-path Method to Evaluate Insider Risks. Studies in Intelligence Vol 59, No. 2 (Extracts, June 2015)
[4] Eric Shaw, PhD (2023), The Psychology of Insider Risk: Detection, Investigation and Case Management. CRC Press: Boca Raton, FL
[5] Australian Standard AS 4811:2022 Workforce screening