Assessing Continuous Evaluation Approaches for Insider Threats

How Can the Security Posture of the U.S. Departments and Agencies Be Improved?

David Luckey, David Stebbins, Rebeca Orrie, Erin Rebhan, Sunny D. Bhatt, Sina Beaghley

Research | Published Aug 5, 2019

The United States currently employs a periodic and aperiodic investigative and adjudicative security clearance process with origins in the Second World War. Information systems and data — e.g., financial, legal, travel — on individuals have improved dramatically since the creation of this process. This exploratory project examines various continuous evaluation (CE) approaches to detecting insider threats that are available to the U.S. government and assesses the relevance of these approaches to the challenges posed by such insider threats. The authors considered CE cost estimates, examined efficacy and best practices, and assessed some of the practicalities of employing CE.

This report defines CE as a vetting and adjudication process to review on an ongoing basis the background of an individual who has been determined eligible for access to classified information or to hold a sensitive position at any time during the period of eligibility. There are potential benefits from CE in effectiveness and cost over the current method of granting security clearances to personnel based on periodic reinvestigation and readjudication. While exact costs and savings depend on CE packages selected and population size, estimates revealed that savings might be realized after six years and could be substantial (in the billions of dollars) over a longer period. While the process of CE would be new, the substance is not, and, thus, if executed properly, CE would be no more invasive than current processes.

Key Findings

The current investigation and adjudication process is time-consuming

  • There is a large backlog of investigations and periodic reinvestigations. As of 2018, there were approximately 416,000 unprocessed security clearance investigations and approximately 156,000 unprocessed periodic reinvestigations.
  • The Office of Personnel Management, the organization that has had primary security clearance investigating responsibility, has faced resource reductions.

There are limitations and challenges to using CE in the federal government

  • There is no commonly shared definition of insider threat across the government.
  • Neither CE nor insider threat has been defined in statute.
  • There are limited behavioral or technical data available to develop and deploy an effective and predictive CE monitoring tool.
  • There is no centralized or authorized facility to receive anonymous reporting streams for individuals in either cleared or uncleared populations.
  • There are privacy concerns for CE programs related to sharing personal or privileged individual data.

The cost over the long term for CE might be lower than the cost over the same period using current practices

  • While exact costs and savings depend on CE packages selected and population size, estimates revealed that savings might be realized after six years and could be substantial (in the billions of dollars) over a longer period.

CE could be less invasive for the cleared population than current approaches

  • The substance of the data CE reviews is not new; only the frequency with which the data are reviewed is.

Recommendations

  • Establish a common definition of insider threat, such as "the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization or national security."
  • Establish a common definition of CE, such as "a vetting and adjudication process to review on an ongoing basis the background of an individual who has been determined eligible for access to classified information or to hold a sensitive position at any time during the period of eligibility."
  • Add negligence as a type of insider threat.
  • Conduct a thorough academic and scientific review of behavioral approaches predicting insider threat behavior before it occurs.
  • Increase the frequency of continuous monitoring efforts surrounding the period of an employee's termination in both public- and private-sector CE programs.
  • Create a real-time reporting mechanism to supplement any future security clearance approach, including one involving CE.
  • Study standards and establish authorities for access to all relevant nonfederal information that could inform the CE tool, such as local criminal records, mental health information, and significant financial activity.
  • Prioritize resources and clearance reviews that present the most urgent investigative and adjudicative issues.
  • Conduct a detailed cost-benefit analysis to determine projected programmatic costs.
  • Fully implement security clearance reciprocity and suitability/fitness reciprocity among U.S. government departments and agencies and merge the security clearance and suitability/fitness programs and processes to improve coordination and gain maximum vetting value from collected data across programs, departments, and agencies.

Document Details

  • Availability: Available
  • Year: 2019
  • Print Format: Paperback
  • Paperback Pages: 86
  • Paperback Price: $21.00
  • Paperback ISBN/EAN: 978-1-9774-0194-6
  • DOI: https://doi.org/10.7249/RR2684
  • Document Number: RR-2684-OSD

Citation

RAND Style Manual
Luckey, David, David Stebbins, Rebeca Orrie, Erin Rebhan, Sunny D. Bhatt, and Sina Beaghley, Assessing Continuous Evaluation Approaches for Insider Threats: How Can the Security Posture of the U.S. Departments and Agencies Be Improved? RAND Corporation, RR-2684-OSD, 2019. As of September 20, 2024: https://www.rand.org/pubs/research_reports/RR2684.html
Chicago Manual of Style
Luckey, David, David Stebbins, Rebeca Orrie, Erin Rebhan, Sunny D. Bhatt, and Sina Beaghley, Assessing Continuous Evaluation Approaches for Insider Threats: How Can the Security Posture of the U.S. Departments and Agencies Be Improved? Santa Monica, CA: RAND Corporation, 2019. https://www.rand.org/pubs/research_reports/RR2684.html. Also available in print form.

This research was sponsored by the Office of the Secretary of Defense and conducted within the Cyber and Intelligence Policy Center of the RAND National Defense Research Institute (NDRI), a federally funded research and development center (FFRDC) sponsored by the Office of the Secretary of Defense, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the Intelligence Community.

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.