Addressing the Human Factor: Insider Threats and Security Culture
Addressing the human factor is vital to strong nuclear security implementation. All known cases of fissile material theft have involved individuals with authorized access. Failing to control the human factor weakens all other security measures. Physical protection measures, control and accounting, and cybersecurity measures will be ineffective if an insider can bypass systems to steal material or sabotage a facility, or assist someone else in doing so. Similarly, alarm systems that reveal a breach of a facility will be ineffective if the security culture is weak and guards fail to take those alarms seriously. Yet the human factor is one of the most difficult factors to control.
Insider Threat Prevention Remains Weak
Addressing insider threats requires regular personnel vetting, requirements to report suspicious behavior, and programs that build awareness among all personnel of the risks posed by insiders so that personnel can identify threats. Insider threat prevention continues to be one of the weakest areas in the Security and Control Measures category: only 31% of countries with nuclear materials and/or nuclear facilities receive a high score for the indicator, 31% receive a medium score, and 39% receive a low score.
Addition of Security Culture to the NTI Index
Security culture was first introduced into the NTI Index framework in 2020. Security culture requires security to be prioritized at all levels, from the regulator to the CEO of a nuclear energy company, from the staff at a facility to its security guards. This is a difficult concept to measure in an index. The new Security Culture indicator includes two new questions, as well as a third existing question that was moved from elsewhere in the Index.
- The first question asks whether the regulator mentions the phrase “security culture” in regulations or annual reports. Given the importance of security culture, the NTI Index took a strict approach for this question, only giving credit when security culture is referenced as a concept that is separate and distinct from safety culture. The Index does not give credit if a regulation merely states that references to safety culture include security culture. This is because failure of regulators to prioritize security culture sends a message to facilities that it is not a priority.
- The second question asks whether licensees or operators are required to conduct security culture self-assessments. Because security culture depends on what is happening at each facility, facilities also need to continuously assess the strength of their own security culture and take action to address weaknesses.
- The third question asks whether defined individuals are responsible for at least one aspect of security at a facility and whether they undergo additional training for that role. This question was included in previous editions of the Index, but was moved to the new Security Culture indicator.
The scores for this new indicator show that significant efforts are needed to strengthen recognition of the importance of security culture around the world: Only two countries receive a full score for the new Security Culture indicator (Finland and Ukraine), while 20% of countries receive a high score, 29% receive a medium score, 51% receive a low score, and 14% receive a zero.