Goals for Security Education

The principal goal of this program is to make security education information more readily available in more convenient form.  Employees can use this Guide to quickly look up whatever security information they need or want, whenever they need or want it, in the privacy of their own office.  Security professionals can use the Guide as an aid in preparing briefings or as a source of articles for newsletters. 

The advantage of the Guide, as compared with a conventional briefing, is that it makes more comprehensive information available at the employees' fingertips on demand.  However, information is useful only if the employees actually look at it and use it.  This places an obligation upon us, as security educators, to: 1) Make the Guide so useful, interesting, and easy to use that employees will want to use it; and 2) Promote the Guide so that employees will know where to find it and remember to use it.

The Guide supplements, but does not replace, the customary face-to-face briefings.  Both approaches are needed for an effective security education program.  The advantage of the face-to-face briefing is that it offers an opportunity for personal contact and discussion.  Also, one can document that an employee has been exposed to a briefing and can, therefore, be held accountable for compliance.

Security education programs for trusted employees generally cover three main subject areas:

• Understanding of and compliance with security rules and regulations.

• Understanding the magnitude and complexity of the foreign threats that make these rules and regulations necessary.

• Understanding the nature of the insider threat and how to mitigate it.

This Guide places greater emphasis on insider threat issues and technical vulnerabilities than many other security education programs.  Insider betrayal and technical penetration are generally believed to be the two principal sources of compromise of protected information.  As used here, technical vulnerability includes the interception of telecommunications, penetration and hacking of automated information systems, and electronic eavesdropping.

All these threats have one thing in common.  They can be countered or mitigated by well-trained and motivated personnel who know how to protect sensitive information and take appropriate precautions when they find themselves in a higher-threat situation.

Goals for each of the three general subject areas are identified below, along with links to the elements of this guide that contribute to each goal.

Understanding and Compliance
With Security Rules and Regulations

Improve compliance with the rules and regulations for protection of classified or sensitive-but-unclassified information.

• Optimal compliance requires more than general awareness of the rules.  It requires knowledge of how to comply plus ability to quickly look up the specifics of regulations that one might not remember.  Modules on Protecting Classified Information and Protecting Sensitive Unclassified Information set out the rules.  The modules on Foreign Threats to Protected Information and Computer and Other Technical Vulnerabilities provide the justification and motivation for complying with security rules and regulations that otherwise may seem tedious, pointless, or time-consuming.

Improve understanding of and compliance with requirements for personnel to report certain aspects of their own activities.

• What Is Expected of Me? identifies the possible developments in one's own life that an employee or military service member is responsible for reporting to the security office.  It has extensive discussion of Reporting Foreign Contacts and Outside Activities, and of reporting indicators of Foreign Intelligence Activities, including Anomalies that seem to indicate foreign knowledge of U.S. classified information.

Understanding Threats
To Protected Information

Increase understanding of how intelligence collectors work.

• Topics under the general heading of Getting Information Out of Honest People Like Me discuss the whole gamut of approaches for obtaining information by means other than recruitment of agents.  These topics help employees recognize situations that create vulnerabilities and provide information on countermeasures that individuals and organizations can and should take.

• Many Americans not trained in intelligence methods do not recognize when they are being assessed for potential recruitment as agents.  How Do I know When I'm Being Targeted and Assessed? describes intelligence recruitment methodology.

• Risks During Foreign Travel discusses how to avoid becoming an intelligence, criminal, or terrorist target when traveling abroad.  Using the Internet Securely discusses how to avoid becoming a target while participating in Internet newsgroups or chat rooms.

Increase understanding of where the threat is coming from.

• The diversity of the threat is summarized in the introduction to Who's Doing What to Whom.  The Guide does not discuss specific countries conducting intelligence operations against the United States, as this is not considered appropriate for broad, unclassified distribution.

Increase understanding of types of information that foreign collectors are seeking. 

• The targets of intelligence collection are more diverse than ever before.  Any information that could be used to the detriment of your organization is a potential target.  Who's Doing What to Whom gives an overview along with specific topics on Economic and Industrial Espionage, Illegal Technology Transfer, National Security Threat List, and the Militarily Critical Technologies List.

Motivate employees to maintain better communications security, computer security, and security from eavesdropping.

• Computer and Other Technical Vulnerabilities has modules covering communications intercept, computer security, and bugs and mikes.  Providing a basic, non-technical understanding of how these technical operations work makes it easier for people to imagine how vulnerable they really are.

Mitigating the Insider Threat

Deal more effectively with the personal problems that sometimes lead to wrongdoing.

• When destructive behavior occurs in the workplace, investigators commonly find a situation in which a troubled employee felt boxed in.  The employee acted out of a sense of desperation or a feeling that there was no other way out.  Understanding and Helping with Personal Problems provides information on common personal problems and encourages the use of available counseling programs.  Timely counseling can help prevent personal problems from becoming security problems.

• Reporting Unreliable, Improper, or Suspicious Behavior encourages early identification and reporting of problematic behaviors so that they can be dealt with before rather than after they spin out of control.

Discourage betrayal by deglamorizing espionage and emphasizing the likelihood of getting caught and punished.

• How Spies Are Caught is intended to catch the attention of anyone who might be contemplating espionage.

• The Spy Stories are intended to convey useful lessons.  For example, the Lipka case is about a man who was arrested 22 years after he stopped spying for the Soviets.  It points out that there is no statute of limitations on espionage, which is an important message.

Help detect wrongdoing by encouraging employee reporting and by providing specific direction on what employees are expected to report.

• The module on Reporting Unreliable, Improper and Suspicious Behavior has sections on Counterintelligence Indicators, Counterterrorism Indicators, Security and Suitability Issues, and Preventing Violence that tell employees what should be reported. No Good Excuses for Not Reporting and People Who Made a Difference are designed to motivate increased reporting.

Promote a better understanding of the factors that lead to insider betrayal.

• This is a principal purpose of the Treason 101 module.  Exploring the Mind of the Spy discusses some psychological and character attributes often found in spies.  The Insider Threat to Information Systems identifies unique aspects of information system professionals that contribute to special risks among this group.  Espionage by the Numbers is a statistical analysis of espionage offenders.  The Insider Espionage Threat looks at the necessary conditions that must exist before espionage occurs and how these are influenced by changes in U.S. society.

IMPLEMENTATION PACKAGE HOME           EMPLOYEES GUIDE HOME