Corporate Knowledge for Government Decisionmakers

Insights on Screening, Vetting, and Monitoring Processes

by Ryan Andrew Brown, Douglas Yeung, Diana Gehlhaus, Kathryn O'Connor

Download

Download eBook for Free

FormatFile SizeNotes
PDF file 1 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Purchase

Purchase Print Copy

 FormatList Price Price
Add to Cart Paperback76 pages $19.00 $15.20 20% Web Discount

Research Questions

  1. What challenges in vetting and monitoring personnel do corporations in the technology, pharmaceuticals, finance, and gaming industries face? What types of personnel present the highest risk of insider threat, and why? What motivates employee behaviors that put corporations at risk? What corporate strategies are used to mitigate risk?
  2. What corporate vetting and monitoring processes could be adapted to improve the efficiency and effectiveness of U.S. government vetting and monitoring? How do newer technology-based approaches (e.g., machine learning) factor into these processes?

The U.S. government's screening and vetting process seeks to ensure that those with access to classified or otherwise sensitive information, material, people, or property can be trusted. The authors of this report leverage interviews with human resources and security personnel in several corporate sectors (technology, pharmaceuticals, finance, and gaming) to derive insights for the U.S. government regarding potentially effective ways to screen and vet personnel and monitor personnel over time to decrease risk to U.S. national security and public trust.

Corporations in the sample exhibited considerable diversity in screening, vetting, and monitoring practices, much of which was industry-specific and some of which was related to corporate size and stage of growth. For example, smaller and newer corporations preferred less-structured, more-flexible and informal screening and vetting processes, with any malfeasance handled on a case-by-case basis. Larger organizations in established, highly regulated industries, such as finance and pharmaceuticals, tended to have more-structured processes, owing to the constant need to follow federal and state regulations. Overall, few corporations in the sample used artificial intelligence and machine learning automated-analysis approaches for prehire screening, vetting, or employee monitoring, and those that did indicated that extensive human management of these systems was necessary. Creative solutions to employee monitoring included the development of human intelligence networks and intelligence fusion capabilities.

Key Findings

  • Proper triage of potential insider threats is challenging but critical. This triage involves sorting personnel and behaviors into those that require punitive action or removal versus those that can be addressed via support and counseling.
  • To improve early threat detection, intelligence must be shared inside and outside the organization. Such intelligence sharing requires building relationships and trust across corporate functions and with outside agencies.
  • A human in the loop is essential. Current approaches for threat detection involving artificial intelligence and machine learning require significant human involvement in calibrating and monitoring these systems.
  • Taking a "whole of community" approach to identifying and mitigating threats helps share labor burden and improves effectiveness. The U.S. government may benefit from setting screening and vetting standards and relying on corporate capabilities to execute these standards.

Table of Contents

  • Chapter One

    Introduction

  • Chapter Two

    Overview of U.S. Government and Corporate Screening and Vetting Procedures

  • Chapter Three

    Corporate Sample and Methods

  • Chapter Four

    Findings from Corporate Interviews

  • Chapter Five

    Conclusions and Insights

  • Appendix A

    Interview Codes

This research was sponsored by the Security, Suitability, and Credentialing Performance Accountability Council Program Management Office and conducted within the Cyber and Intelligence Policy Center of the RAND National Security Research Division (NSRD), which operates the National Defense Research Institute (NDRI).

This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.