Personnel Security –

Insider Threat Awareness

DC Ric Scott GCGI GCGI MSc MSyI

Counter Terrorism Security Advisor

© Crown Copyright

Learning Outcomes

To Provide you with:

An awareness of Personnel Security.

An awareness of the Insider Threat and of how to

mitigate it.

Awareness of CPNI products to counter the Insider

Threat and where to find them.

© Crown Copyright

Personnel Security – What is it?

“Personnel security is a system of policies and

procedures which seek to mitigate the risk of workers

(insiders) exploiting their legitimate access to an

organisation’s assets for unauthorised purposes”.

- CPNI

© Crown Copyright

Why is Personnel Security important?

Reduces vulnerability to the

insider threat.

Without it, effectiveness of

physical and information security

measures can be undermined.

Advances in physical and

information security measures

can make insiders more

attractive.

© Crown Copyright

The adoption of good personnel

security practices will help

organisations reduce the risk

posed by an insider.

© Crown Copyright

So what is an ‘Insider Threat’?

© Crown Copyright

Definition of an Insider…

“An insider is a person who exploits, or has the

intention to exploit, their legitimate access to an

organisation’s assets for unauthorised purposes”.

- CPNI

© Crown Copyright

An Insider

An insider could be a full time or part-time employee, a

contractor or even a business partner.

An insider could deliberately seek to join your organisation

to conduct an insider act, or may be triggered to act at

some point during their employment.

Employees may also

inadvertently trigger security

breaches through ignorance

of rules, or deliberate non-

compliance (due to pressure

of work).

© Crown Copyright

Types of insider

Volunteer/

self initiated

insider

Recruited/

Exploited

insider

Deliberate

insider

Unwitting/

unintentional

insider

Ex-employee

© Crown Copyright

What can you protect against?

Use of insiders by:

o Terrorist organisations.

o Foreign Intelligence

services.

o Commercial competitors.

Single-issue groups.

Organised crime groups

The media.

Disaffected employees

seeking revenge.

Reputational

Damage

Financial

Damage

Operational

Damage

© Crown Copyright

Insider activities …..

Facilitation of 3rd

party access to

sites/information

Direct sabotage

(electronic or

physical)

Theft of materials

or information

Financial &

process corruption

Unauthorised

disclosure of

information

© Crown Copyright

So why might an employee engage in

insider activity?

To support a cause.

For financial gain.

Loyalty to family, friends

or country.

For emotional gain

(recognition/kudos).

To enact direct revenge

upon/demonstrate

disapproval with an

organisation.

© Crown Copyright

Case study – Edward Devenney

• Royal Navy Petty Officer.

• More than 10 years service.

• Single.

• Communications specialist

with DV clearance (giving him

access to extremely sensitive

information).

© Crown Copyright

Case study – Edward Devenney

• Devenney served as a

member of the Royal Navy’s

Submarine service.

• Arrested by British

Intelligence in 2012 in a sting

operation, trying to sell UK

National Security secrets to

the Russian security

services.

© Crown Copyright

So who are CPNI?

CPNI is the government authority for protective security

advice to the UK national infrastructure.

Their role is to protect national security by helping to reduce

the vulnerability of the national infrastructure to terrorism

and other threats.

They are accountable to the Director General of MI5.

© Crown Copyright

How can they assist with Personnel

Security?

Personnel and People Security

Effective protective security requires the integration of:

Physical.

Personnel and people.

Cyber security measures.

There is almost always a human element (direct or indirect)

at a point of security failure.

Therefore CPNI provide a range of advice and tools

focusing on the personnel and people aspect.

© Crown Copyright

CPNI approach

The CPNI approach to good personnel and people security is

focussed on three main strands of activity around the people

element of protective security:

Reducing Insider risk - this strand helps organisations to

reduce the risk of an insider by undertaking good personnel

security practices.

Optimising people in security - this strand helps

organisations understand the importance of building a good

security culture and how to undertake staff behaviour change

campaigns.

Disrupting hostile reconnaissance – this strand looks at

how to mitigate the external people threat by understanding

the mind-set and activities of those undertaking attack

planning and hostile reconnaissance.

© Crown Copyright

Some examples of CPNI products...

The CPNI PerSec maturity

model has been designed to

specifically assess an

organisation’s personnel

security maturity. This is a

key factor, in addition to

physical and cyber security

measures, in strengthening

an organisation’s resilience

to insider and wider external

security threats.

Personnel Security Maturity Model

© Crown Copyright

Some examples of CPNI products...

The model is based on

comprehensive and robust

research into insider acts,

and extensive CPNI

experience in personnel

security mitigations (research

and development

programmes and close

working with the CNI and

overseas partners to test,

refine and embed personnel

security initiatives).

Personnel Security Maturity Model

© Crown Copyright

Personnel Security Maturity Model

The benefits of using the CPNI model are:

A starting point for developing a measurable personnel

security improvement programme using the CPNI tools

and guidance which are appropriate to the organisation's

current level of PerSec maturity.

A common and consistent benchmark for personnel

security performance across the critical national

infrastructure (CNI), which will enable individual

organisations to compare themselves with the rest of their

sector.

© Crown Copyright

Personnel Security Risk Assessment

Insider Risk Assessment

Understanding what security

risks your organisation faces

is essential for developing

appropriate and proportionate

security mitigation measures.

The risks that are identified

are then used to inform the

security mitigations that you

implement.

© Crown Copyright

Personnel Security Risk Assessment

CPNI has developed a risk

assessment model to help

organisations centre on the

insider threat.

The process focuses on

employees (their job roles),

their access to their

organisation’s critical assets,

risks that the job role poses to

the organisation and

sufficiency of the existing

counter-measures.

On Going Personnel Security

CPNI’s collection of on going

personnel security guidance

and tools can be used to help

an organisation develop and

plan effective practices for

countering the insider threat

and maintaining a motivated,

engaged and productive

workforce.

On Going Personnel Security

The application of good on

going personnel security

principles adds huge value

to physical and technical

security measures in a

cost effective manner,

promoting good leadership

and management and

maximising people as part

of the security solution.

© Crown Copyright

It’s OK to Say Education Programme

CPNI research and

partnership working has

frequently highlighted the

issue of under-reporting or a

lack of intervention by

employees when counter-

productive and/or unusual

behaviours are observed in

the workplace. Such

behaviours have often been

seen to be pre-cursors to

insider activity or welfare

issues.

© Crown Copyright

It’s OK to Say Education Programme

The materials provided as part of the ‘It’s OK to Say’

education programme are intended to support

organisations with educating staff on identifying and

reporting unusual or concerning workplace behaviours,

and in setting up mechanisms to promote the

appropriate intervention.

Education on these behaviours will help to build

resilience to insider risks and a stronger security

culture for the organisation and its people.

It’s OK to Say Education Programme

© Crown Copyright

CPNI products via their website ...

www.cpni.gov.uk

© Crown Copyright

Or….

To obtain more information on Personnel Security advice

and guidance:

Contact your CPNI sector adviser.

Contact your local CTSA.

Complete a general enquires form via the CPNI website

(under the contact page.)

www.cpni.gov.uk

© Crown Copyright

Questions

© Crown Copyright

CTSA Contact Details

DC Ric Scott

scdctsainverness@scotland.pnn.police.uk

01463 720 233

Counter Terrorism Hotline – 0800 789 321

© Crown Copyright