Assessing Continuous Evaluation Approaches for Insider Threats

How Can the Security Posture of the U.S. Departments and Agencies Be Improved?

by David Luckey, David Stebbins, Rebeca Orrie, Erin Rebhan, Sunny D. Bhatt, Sina Beaghley


Research Questions

  1. What capabilities exist to combat insider threats in government, industry, and academia?
  2. What aspects of CE are being implemented in these sectors to address insider threats?
  3. What are the costs and benefits of CE?
  4. What aspects of CE could be implemented in the federal government in the future?
  5. What are the potential cost savings stemming from implementing CE in the federal government?

The United States currently employs a periodic and aperiodic investigative and adjudicative security clearance process with origins in the Second World War. Information systems and data — e.g., financial, legal, travel — on individuals have improved dramatically since the creation of this process. This exploratory project examines various continuous evaluation (CE) approaches to detecting insider threats that are available to the U.S. government and assesses the relevance of these approaches to the challenges posed by such insider threats. The authors considered CE cost estimates, examined efficacy and best practices, and assessed some of the practicalities of employing CE.

This report defines CE as a vetting and adjudication process to review on an ongoing basis the background of an individual who has been determined eligible for access to classified information or to hold a sensitive position at any time during the period of eligibility. There are potential benefits from CE in effectiveness and cost over the current method of granting security clearances to personnel based on periodic reinvestigation and readjudication. While exact costs and savings depend on CE packages selected and population size, estimates revealed that savings might be realized after six years and could be substantial (in the billions of dollars) over a longer period. While the process of CE would be new, the substance is not, and, thus, if executed properly, CE would be no more invasive than current processes.

Key Findings

The current investigation and adjudication process is time-consuming

  • There is a large backlog of investigations and periodic reinvestigations. As of 2018, there were approximately 416,000 unprocessed security clearance investigations and approximately 156,000 unprocessed periodic reinvestigations.
  • The Office of Personnel Management, the organization that has had primary security clearance investigating responsibility, has faced resource reductions.

There are limitations and challenges to using CE in the federal government

  • There is no commonly shared definition of insider threat across the government.
  • Neither CE nor insider threat has been defined in statute.
  • There are limited behavioral or technical data available to develop and deploy an effective and predictive CE monitoring tool.
  • There is no centralized or authorized facility to receive anonymous reporting streams for individuals in either cleared or uncleared populations.
  • There are privacy concerns for CE programs related to sharing personal or privileged individual data.

The cost over the long term for CE might be lower than the cost over the same period using current practices

  • While exact costs and savings depend on CE packages selected and population size, estimates revealed that savings might be realized after six years and could be substantial (in the billions of dollars) over a longer period.

CE could be less invasive for the cleared population than current approaches

  • The substance of the data CE reviews is not new; only the frequency with which the data are reviewed is new.

Recommendations

  • Establish a common definition of insider threat, such as "the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization or national security."
  • Establish a common definition of CE, such as "a vetting and adjudication process to review on an ongoing basis the background of an individual who has been determined eligible for access to classified information or to hold a sensitive position at any time during the period of eligibility."
  • Add negligence as a type of insider threat.
  • Conduct a thorough academic and scientific review of behavioral approaches predicting insider threat behavior before it occurs.
  • Increase the frequency of continuous monitoring efforts surrounding the period of an employee's termination in both public- and private-sector CE programs.
  • Create a real-time reporting mechanism to supplement any future security clearance approach, including one involving CE.
  • Study standards and establish authorities for access to all relevant nonfederal information that could inform the CE tool, such as local criminal records, mental health information, and significant financial activity.
  • Prioritize resources and clearance reviews that present the most urgent investigative and adjudicative issues.
  • Conduct a detailed cost-benefit analysis to determine projected programmatic costs.
  • Fully implement security clearance reciprocity and suitability/fitness reciprocity among U.S. government departments and agencies and merge the security clearance and suitability/fitness programs and processes to improve coordination and gain maximum vetting value from collected data across programs, departments, and agencies.

Table of Contents

  • Chapter One: Introduction
  • Chapter Two: Insider Threat and Continuous Evaluation Defined
  • Chapter Three: Background: Addressing Insider Threats
  • Chapter Four: What Capabilities Exist to Combat Insider Threats?
  • Chapter Five: How Is Continuous Evaluation Implemented Today?
  • Chapter Six: Conclusion

This research was sponsored by the Office of the Secretary of Defense and conducted within the Cyber and Intelligence Policy Center of the RAND National Defense Research Institute (NDRI), a federally funded research and development center (FFRDC) sponsored by the Office of the Secretary of Defense, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the Intelligence Community.

This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.