
Nuclear Security Culture As a Tool to Address Insider Threat

Dr. Igor Khripunov at The IAEA International Conference on Physical Protection, 13-17 November 2017, Vienna, Austria


  1. Nuclear Security Culture As a Tool to Address Insider Threat Dr. Igor Khripunov at The IAEA International Conference on Physical Protection, 13-17 November 2017, Vienna, Austria

  2. Overview
     • Insider threat and the role of Nuclear Security Culture (NSC)
     • IAEA NSC Model and assessment methodology
     • Selection of characteristics and culture indicators relevant to addressing insider threat
     • Conduct of NSC self-assessment focusing on insider threat
     • Conclusion: a systemic and comprehensive methodology in the context of overall organizational culture

  3. Insider Threat: Definition
     • Insider is defined as one or more individuals with authorized access to nuclear facilities or nuclear material in transport who could attempt unauthorized removal or sabotage, or who could aid an external adversary to do so.
       Source: “Nuclear Security Recommendations on the Physical Protection of Nuclear Material and Nuclear Facilities” (INFCIRC/225/Rev.5), IAEA Nuclear Security Series No. 13, 2011
     • Insider adversaries possess a unique set of attributes that give them advantages over outsiders, including:
       - Access: physical access, remote computer access, and access to or knowledge of sensitive information.
       - Authority: authority to conduct operations in the performance of their assigned duties and to direct other employees.
       - Knowledge: expert knowledge of the facility or its systems, including knowledge enabling them to bypass or defeat dedicated physical protection elements.

  4. Attitudes Toward Security Among Personnel
     • Ownership: They assume responsibility and regard security as their program
     • Participation: They are willing to cooperate and go a step beyond the requirements
     • Compliance: They follow the rules but often act like it is not their problem
     • Apathy: They don’t care one way or another about security
     • Avoidance: They regard security as inherently dangerous and harmful
     • Subversion: They willfully try to make security program break and commit malicious acts

  5. Security Culture as a Tool to Address Insider Threat
     • “…an absence of security culture, security awareness and trustworthiness programs may be favorable or conducive to insider threat attempts to perform malicious acts,” p.6
     • “Implementing a strong security awareness program for staff and contractors contributes to an ongoing security culture within the organization,” p.12
     • “…security awareness programs should be developed in a coordinated manner with safety awareness programs in order to establish effective and complementary safety and security culture,” p.13
     • “…good relations among workers and between management and workers should be given due consideration and should be part of the security culture,” p.13
     Source: “Preventive and Protective Measures Against Insider Threat: Implementing Guide,” IAEA Nuclear Security Series No. 8, 2008

  6. IAEA Nuclear Security Series and Nuclear Security Culture
     • Fundamentals
     • Recommendations
     • Implementing Guides
     • Technical Guidance
       - Draft Technical Guidance on NSC Self-Assessment to be released in 2017
       - Draft Technical Guidance on NSC Enhancement to be released in 2018-2019

  7. IAEA Model of Nuclear Security Culture
     [Diagram, top to bottom]
     • Goal: Effective Nuclear Security
     • Management systems are well developed and prioritize security
     • Behavior fosters more effective nuclear security
     • Principles for Guiding Decisions and Behavior
     • Beliefs and Attitudes

     In September 2008, the IAEA released guidance in its Nuclear Security Series (No. 7) under the title “Nuclear Security Culture: Implementing Guide.” The guidance defines the concept, model, characteristics, and indicators of nuclear security culture while also describing the roles and responsibilities of institutions and individuals.

  8. IAEA Model of Nuclear Security Culture
     GOAL: EFFECTIVE NUCLEAR SECURITY

     LEADERSHIP BEHAVIOR
       (a) Expectations
       (b) Use of authority
       (c) Decision making
       (d) Management oversight
       (e) Involvement of staff
       (f) Effective communications
       (g) Improving performance
       (h) Motivation

     PERSONNEL BEHAVIOR
       (a) Professional conduct
       (b) Personal accountability
       (c) Adherence to procedures
       (d) Teamwork and cooperation
       (e) Vigilance

     MANAGEMENT SYSTEMS
       (a) Visible security policy
       (b) Clear roles and responsibilities
       (c) Performance measurement
       (d) Work environment
       (e) Training and qualification
       (f) Work management
       (g) Information security
       (h) Operation and maintenance
       (i) Continual determination of trustworthiness
       (j) Quality assurance
       (k) Change management
       (l) Feedback process
       (m) Contingency plans and drills
       (n) Self-assessment
       (o) Interface with the regulatory
       (p) Coordination with off-site organizations
       (q) Record keeping

     • 30 observable characteristics are illustrated by culture indicators.
     • Culture indicators are listed in relevant IAEA publications on nuclear security culture.
     • Users of security culture methodology can use indicators as they are, modify them or develop their own consistent with specific security requirements.

  9. Sample of Characteristic-Indicator Package
     Characteristic: (a) Visible security policy
     Indicators:
     • Security policy is reviewed and updated regularly with participation from senior management
     • Regularly held management meetings adequately cover significant security risks
     • Staff members are familiar with the code of conduct through ongoing training and awareness sessions
     • A staff code of conduct exists, which covers the needs of nuclear security
     • Processes are in place to identify the mandatory requirements relating to security
     • Events related to the threat environment and its potential impact on nuclear security and nuclear security policy are adequately reported to all staff
     • The security function has a respected status within the organization as a whole
     • A nuclear security policy is established for the organization, is posted in facilities and offices, and is familiar to staff
     Diagram labels: A Visible Security Policy / Others / (Management Systems)

  10. Samples of Culture Indicators for Characteristics Relevant to Insider Threat Prevention and Protection

     Continuous Determination of Trustworthiness
     • The process of background checks is periodically reviewed
     • Screening processes are matched to the risks and threats associated with specific roles and responsibilities
     • Real or apparent failures of the screening process are appropriately investigated and adjudicated
     • Leaders provide support and resources for effective implementation of trustworthiness programs
     • Staff are aware of and understand the importance of trustworthiness determination

     Work Environment
     • Management shows that professional capabilities and experience are the most valuable assets
     • Managers make themselves approachable and call for effective two-way communication
     • Dissenting views, diverse perspectives and robust discussion are appreciated
     • Security is considered a respectable career-enhancing profession
     • Performance-improvement processes encourage staff to offer innovative ideas

     Adherence to Procedures
     • Personnel understand potential consequences of noncompliance
     • Instructions on security are easy to follow because they are clear, up to date, easily available and user friendly
     • Leaders lead by example and — as is expected from all staff — adhere to policies and procedures in their personal conduct
     • The organization actively and systematically monitors security performance through multiple means

  11. Samples of Culture Indicators for Characteristics Relevant to Insider Threat Prevention and Protection (cont.)

     Training and Qualifications
     • Training materials include good practices and lessons learned from security breaches
     • Training programs at the organization address security-conscious behavior as a key element of professionalism
     • Systems are in place to ensure procedures and practices learned in training are applied in practice
     • Security awareness training instructs all staff on proper workplace security as well as requirements for reporting security violations

     Vigilance
     • Personnel notice and question unusual behavior and incidents and report them to management as soon as possible using the established procedures
     • Personnel seek guidance when they are unsure of the security significance stemming from unusual events, observations or incidents
     • Personnel are aware of a potential insider threat and its consequences
     • A policy prohibiting harassment and retaliation for raising nuclear security concerns is enforced

     Personal Accountability
     • Personal accountability is clearly defined in appropriate policies and procedures
     • Personnel consider themselves responsible for security at the organization
     • Personnel understand how their specific tasks support the nuclear security system
     • Behavior that enhances security culture is reinforced by peers

  12. Steps for preventive and protective measures against potential insiders

  13. IAEA Self-Assessment Methodology: Multi-Stage Process
     START: DECISION to carry out initial or subsequent self-assessment
     • Stage 1. Establish a Self-Assessment Team and Launch an Outreach Campaign
     • Stage 2. Draft a Self-Assessment Plan and Prepare for its Implementation
     • Stage 3. Start the Data Collection Phase: Survey, Interview, Document Review, and Observation
     • Stage 4. Analyse Data and Consolidate Assessment Results
     • Stage 5. Develop the Three-Tiered Outcome Model: Red, Yellow, and Green.
     • Stage 6. Discuss Results, Submit Final Report, and Help Development of an Action Plan
