Nuclear Security Culture As A Tool To Address Insider Threat

Transcription

Nuclear Security Culture As a Tool to Address Insider Threat
Dr. Igor Khripunov
At the IAEA International Conference on Physical Protection, 13-17 November 2017, Vienna, Austria

Overview
- Insider threat and the role of Nuclear Security Culture (NSC)
- IAEA NSC Model and assessment methodology
- Selection of characteristics and culture indicators relevant to addressing insider threat
- Conduct of NSC self-assessment focusing on insider threat
- Conclusion: a systemic and comprehensive methodology in the context of overall organizational culture

Insider Threat: Definition
An insider is defined as one or more individuals with authorized access to nuclear facilities or nuclear material in transport who could attempt unauthorized removal or sabotage, or who could aid an external adversary to do so.
Source: "Nuclear Security Recommendations on the Physical Protection of Nuclear Material and Nuclear Facilities" (INFCIRC/225/Rev.5), IAEA Nuclear Security Series No. 13, 2011
Insider adversaries possess a unique set of attributes that give them advantages over outsiders, including:
- Access: physical access, remote computer access, and access to or knowledge of sensitive information.
- Authority: authority to conduct operations in the performance of their assigned duties and to direct other employees.
- Knowledge: expert knowledge of the facility or its systems, including knowledge enabling them to bypass or defeat dedicated physical protection elements.

Attitudes Toward Security
- They assume responsibility and regard security as their program
- They are willing to cooperate and go a step beyond the requirements
- They follow the rules but often act like it is not their problem
- They don't care one way or another about security
- Avoidance: they regard security as inherently dangerous and harmful
- Subversion: they willfully try to make the security program break and commit malicious acts

Security Culture as a Tool to Address Insider Threat
- "an absence of security culture, security awareness and trustworthiness programs may be favorable or conducive to insider threat attempts to perform malicious acts," p. 6
- "Implementing a strong security awareness program for staff and contractors contributes to an ongoing security culture within the organization," p. 12
- "security awareness programs should be developed in a coordinated manner with safety awareness programs in order to establish effective and complementary safety and security culture," p. 13
- "good relations among workers and between management and workers should be given due consideration and should be part of the security culture," p. 13
Source: "Preventive and Protective Measures Against Insider Threat: Implementing Guide," IAEA Nuclear Security Series No. 8, 2008

IAEA Nuclear Security Series and Nuclear Security Culture
- Fundamentals
- Recommendations
- Implementing Guides
- Technical Guidance
Draft Technical Guidance on NSC Self-Assessment to be released in 2017
Draft Technical Guidance on NSC Enhancement to be released in 2018-2019

IAEA Model of Nuclear Security Culture
Goal: Effective Nuclear Security
- Management systems are well developed and prioritize security
- Behavior fosters more effective nuclear security
- Principles for Guiding Decisions and Behavior
- Beliefs and Attitudes
In September 2008, the IAEA released guidance in its Nuclear Security Series (No. 7) under the title "Nuclear Security Culture: Implementing Guide." The guidance defines the concept, model, characteristics, and indicators of nuclear security culture while also describing the roles and responsibilities of institutions and individuals.

IAEA Model of Nuclear Security Culture
GOAL: EFFECTIVE NUCLEAR SECURITY
MANAGEMENT SYSTEMS
- Visible security policy
- Clear roles and responsibilities
- Performance measurement
- Work environment
- Training and qualification
- Work management
- Information security
- Operation and maintenance
- Continual determination of trustworthiness
- Quality assurance
- Change management
- Feedback process
- Contingency plans and drills
- Self-assessment
- Interface with the regulator
- Coordination with off-site organizations
- Record keeping
LEADERSHIP BEHAVIOR
- Expectations
- Use of authority
- Decision making
- Management oversight
- Involvement of staff
- Effective communications
- Improving performance
- Motivation
PERSONNEL BEHAVIOR
- Professional conduct
- Personal accountability
- Adherence to procedures
- Teamwork and cooperation
- Vigilance
30 observable characteristics are illustrated by culture indicators. Culture indicators are listed in relevant IAEA publications on nuclear security culture. Users of security culture methodology can use indicators as they are, modify them or develop their own consistent with specific security

Sample of Characteristic-Indicator Package
(a) Visible security policy (Management Systems)
- A staff code of conduct exists, which covers the needs of nuclear security
- Staff members are familiar with the code of conduct through ongoing training and awareness sessions
- Security policy is reviewed and updated regularly with participation from senior management
- Processes are in place to identify the mandatory requirements relating to security
- Events related to the threat environment and its potential impact on nuclear security and nuclear security policy are adequately reported to all staff
- The security function has a respected status within the organization as a whole
- A nuclear security policy is established for the organization, is posted in facilities and offices, and is familiar to staff
- Regularly held management meetings adequately cover significant security risks
- Others

Samples of Culture Indicators for Characteristics Relevant to Insider Threat Prevention and Protection
Continuous Determination of Trustworthiness
- The process of background checks is periodically reviewed
- Screening processes are matched to the risks and threats associated with specific roles and responsibilities
- Real or apparent failures of the screening process are appropriately investigated and adjudicated
- Leaders provide support and resources for effective implementation of trustworthiness programs
- Staff are aware of and understand the importance of trustworthiness determination
Work Environment
- Management shows that professional capabilities and experience are the most valuable assets
- Managers make themselves approachable and call for effective two-way communication
- Dissenting views, diverse perspectives and robust discussion are appreciated
- Security is considered a respectable, career-enhancing profession
- Performance-improvement processes encourage staff to offer innovative ideas
Adherence to Procedures
- Personnel understand potential consequences of noncompliance
- Instructions on security are easy to follow because they are clear, up to date, easily available and user-friendly
- Leaders lead by example and, as is expected from all staff, adhere to policies and procedures in their personal conduct
- The organization actively and systematically monitors security performance through multiple means

Samples of Culture Indicators for Characteristics Relevant to Insider Threat Prevention and Protection (cont.)
Training and Qualifications
- Training materials include good practices and lessons learned from security breaches
- Training programs at the organization address security-conscious behavior as a key element of professionalism
- Systems are in place to ensure procedures and practices learned in training are applied in practice
- Security awareness training instructs all staff on proper workplace security as well as requirements for reporting security violations
Vigilance
- Personnel notice and question unusual behavior and incidents and report them to management as soon as possible using the established procedures
- Personnel seek guidance when they are unsure of the security significance stemming from unusual events, observations or incidents
- Personnel are aware of a potential insider threat and its consequences
- A policy prohibiting harassment and retaliation for raising nuclear security concerns is enforced
Personal Accountability
- Personal accountability is clearly defined in appropriate policies and procedures
- Personnel consider themselves responsible for security at the organization
- Personnel understand how their specific tasks support the nuclear security system
- Behavior that enhances security culture is reinforced by peers

Steps for preventive and protective measures against potential insiders

IAEA Self-Assessment Methodology: Multi-Stage Process
START: DECISION to carry out initial or subsequent self-assessment
Stage 1. Establish a Self-Assessment Team and Launch an Outreach Campaign
Stage 2. Draft a Self-Assessment Plan and Prepare for its Implementation
Stage 3. Start the Data Collection Phase: Survey, Interview, Document Review, and Observation
Stage 4. Analyse Data and Consolidate Assessment Results
Stage 5. Develop the Three-Tiered Outcome Model: Red, Yellow, and Green
Stage 6. Discuss Results, Submit Final Report, and Help Development of an Action Plan

Conclusion
- The value of security culture self-assessment as a tool to address insider threat is in its systemic and comprehensive nature in the context of overall organizational culture
- A wide campaign to promote security culture and its assessment is applicable to the entire workforce and can potentially deter malicious acts:
  - Relevant information and skills regarding threats and increased visibility of security (briefings, training, general meetings, social media, special events, others)
  - Leadership involvement and personnel commitments
  - Regularly held self-assessments and discussion of final reports
  - Enhancement plans as an integral part of overall management policy
  - Effective supplement to conventional classroom training
- Like other methods, this approach is far from being perfect, but it is multifunctional and can effectively support other currently applied methods and compensate for their possible limitations.

Thank you for your attention! Questions?
