- What challenges in vetting and monitoring personnel do corporations in the technology, pharmaceuticals, finance, and gaming industries face? What types of personnel present the highest risk of insider threat, and why? What motivates employee behaviors that put corporations at risk? What corporate strategies are used to mitigate risk?
- What corporate vetting and monitoring processes could be adapted to improve the efficiency and effectiveness of U.S. government vetting and monitoring? How do newer technology-based approaches (e.g., machine learning) factor into these processes?
The U.S. government's screening and vetting process seeks to ensure that those with access to classified or otherwise sensitive information, material, people, or property can be trusted. The authors of this report leverage interviews with human resources and security personnel in several corporate sectors (technology, pharmaceuticals, finance, and gaming) to derive insights for the U.S. government regarding potentially effective ways to screen and vet personnel and monitor personnel over time to decrease risk to U.S. national security and public trust.
Corporations in the sample exhibited considerable diversity in screening, vetting, and monitoring practices, much of which was industry-specific and some of which was related to corporate size and stage of growth. For example, smaller and newer corporations preferred less-structured, more-flexible and informal screening and vetting processes, with any malfeasance handled on a case-by-case basis. Larger organizations in established, highly regulated industries, such as finance and pharmaceuticals, tended to have more-structured processes, owing to the constant need to follow federal and state regulations. Overall, few corporations in the sample used artificial intelligence and machine learning automated-analysis approaches for prehire screening, vetting, or employee monitoring, and those that did indicated that extensive human management of these systems was necessary. Creative solutions to employee monitoring included the development of human intelligence networks and intelligence fusion capabilities.
- Proper triage of potential insider threats is challenging but critical. This triage involves sorting personnel and behaviors into those that require punitive action or removal versus those that can be addressed via support and counseling.
- To improve early threat detection, intelligence must be shared inside and outside the organization. Such intelligence sharing requires building relationships and trust across corporate functions and with outside agencies.
- A human in the loop is essential. Current approaches for threat detection involving artificial intelligence and machine learning require significant human involvement in calibrating and monitoring these systems.
- Taking a "whole of community" approach to identifying and mitigating threats helps share labor burden and improves effectiveness. The U.S. government may benefit from setting screening and vetting standards and relying on corporate capabilities to execute these standards.
Table of Contents
Overview of U.S. Government and Corporate Screening and Vetting Procedures
Corporate Sample and Methods
Findings from Corporate Interviews
Conclusions and Insights