Address the Human Factor through Insider Threat Prevention Measures and Efforts to Strengthen Security Culture
Countries do not have adequate measures in place to address the human factor of nuclear security. Weaknesses in insider threat prevention and security culture undermine security measures and can create new vulnerabilities.
- Among the countries assessed, 35% require robust personnel vetting that includes drug tests, background tests, and psychological checks. Only 27% of countries require two of these checks, 18% require only one, and 20% do not require any of these tests, even though they are vital to identifying potential insider threats.
- Only 55% of countries require that personnel vetting be conducted regularly, not just at the beginning of a person’s employment. Regular vetting can detect changes in an employee’s personal circumstances that might pose new threats. Only 22% of countries require tests to occur every two years or less, a regularity that enables facilities to rapidly detect new threats.
- Only 18% of countries require an insider threat awareness program to build awareness and provide staff with the tools to help identify insider threats.
- The phrase “security culture” is referenced in regulations or annual reports as a concept separate and distinct from safety culture in only 41% of countries with nuclear materials and/or facilities. Failure to prioritize security culture at the national level means it is less likely that nuclear facility operators will prioritize it.
- Only 16% of countries require security culture assessments, which would help operators understand their own weaknesses and how to address them.
Regulatory requirements and nuclear operators should address the human factor through comprehensive measures for insider threat prevention and efforts to strengthen security culture.
- Countries should improve measures to identify and mitigate insider threats. This requires more stringent and more frequent personnel vetting, as well as enhanced surveillance of sensitive areas and mandatory reporting of suspicious behavior.
- Nuclear facilities should be required to have insider threat awareness programs to enhance the ability to detect and response to insider threats. These programs build awareness among all personnel of the risks posed by insiders so that personnel can identify threats.
- Countries should put greater emphasis on security culture as distinct from safety culture in regulations and other regulatory documents and provide guidance to facilities to improve security culture. Regulators should set an example for nuclear facilities by prioritizing nuclear security culture at the national level.
- Security culture also depends on actions taken at facilities. Understanding security culture weaknesses at the facility is vital to strengthening security culture. Countries should require nuclear operators to conduct security culture assessments so that they can take into account weaknesses or other unique characteristics at the facility as they work to strengthen nuclear security. Nuclear facility operators should also continuously assess the strength of their own security culture and take action to address weaknesses.