• Insight
  • 5 min read

Human Threat Intelligence

People Change Over Time − So Does the Human Threat Risk

Life is indeed full of surprises, twists, and turns. As life and time go by, not necessarily everything goes exactly according to plan. Life is an art of improvisation and adapting to new situations. Most would probably agree with this statement. Yet, despite that, not every organization conducts recurring security vetting for those already employed. Many are satisfied with doing security vetting only once. My previous article on hybrid warfare and hybrid threat indicated that the risk taken by not having a recurring routine in place is increasing – because the insider threat is developing over a long period. In times of gray zones and hybrid attacks, the silhouettes in the dark are becoming more difficult to see.

What Is Security Vetting Anyway?

Security vetting is a method. It’s the practice of making sure that you, as an employer, truly know the people working in your organization as employees or contractors. The method of security vetting exists because the risk of having disloyal people on the inside of your protective barriers is obviously too great. It’s intolerable. It’s so intolerable that if you’re engaged in activities important to the wellbeing of society – and are therefore deemed security sensitive – legislation points at you to conduct protective security measures in three arenas: cybersecurity (information and its carriers), physical security (surroundings,) and personnel security (people). Legislation and government guidelines regarding personnel security stipulate that the method of security vetting should be in place.

Since security vetting is a method, it’s obviously systematic and follows a procedure. The method investigates three personal attributes: 1) loyalty, 2) reliability, and 3) vulnerability. One and Two are personal properties – “who you are,” while Three is more of a question of what frictions of life you carry with you and how they might be exploited against you and your employer. A professionally conducted security vetting interview explores these attributes and establishes the level of risk taken upon an individual’s engagement, from “none” to “severe.”

Read More About Security Vetting Interview

What Does “Employee Life Cycle” Imply?

Security vetting is about gauging an individual’s place in life and constantly having a level of awareness about how that place in life affects and perhaps changes the individual’s (now colleague’s) loyalty, reliability, and vulnerability. “Employee Life Cycle” implies that the employee naturally goes through several stages during their time with the organization – and that security vetting should follow these phases. You’re hired, you’re a colleague, and you leave the job. Let’s focus on the time as a colleague.

Since it’s evident that life drives change, all our circumstances change over time. For most of us, the natural changes don’t affect our baseline stance regarding our view on ethics − what’s right or wrong and where our moral boundaries are drawn. We might grow and evolve as human beings, but our core values often stay the same and aren’t easily shifted.

Some life changes are more dramatic and have a more significant individual impact than others. There’s no template for when this will occur or the effect the impact will have since we’re all unique individuals. Some changes might push colleagues past the tipping point in a mix of voluntary and involuntary drivers; the sudden and unexpected financial difficulties that arose at home when the bank interest rates went over the top (which could be a concrete problem) or the emotional turmoil that erupted after a sudden bereavement (which could momentarily cloud your judgment).

Suddenly, we might feel cornered or believe there’s a reasonable way out of a troublesome situation by crossing a line that feels justified to cross just because of the situation at hand, even if our core values haven’t changed − even if that boundary was regarded as morally impossible to cross just the other day.

Being affected by life events doesn’t mean that you’ve turned bad. It means that you’re human and are living life. It means that you, as a colleague, deserve attention and regular follow-up by your employer. We find this natural from an HR perspective. Most organizations regard yearly one-on-ones between employer and first-line manager as an obvious thing, even morally compulsory when being a good employer. We should – and must – see it as equally obvious and morally compulsory from a security perspective by putting in place a system of recurring security vetting interviews at least yearly.

Remember the dual purpose of personnel security and security vetting – creating protection for the employer and employee alike, respecting and caring for both.

Key Takeaways

  • The timeline and routine for security vetting should adapt to and follow the natural “life cycle” of employment. It should be as natural to get to know the individual at the start as it is to follow your colleagues through life events by continuous and recurring security vetting on a yearly cycle.
  • Having a routine for recurring security vetting doesn’t mean you’re overly vigilant or have problems trusting people. It means you understand the impact of life shifts on security and respect the employee’s right to feel heard, seen, and protected.