Although agencies and departments are still setting up their programs, some employees already are being urged to watch co-workers for indicators that include stress, divorce and financial problems.
When asked about the ineffectiveness of behavior profiling, Barlow said the policy does not mandate that employees report behavior indicators.
It simply educates employees about basic activities or behavior that might suggest a person is up to improper activity, he said.
These do not require special talents. If you see someone reading classified documents they should not be reading, especially if this happens multiple times and the person appears nervous that you saw him, that is activity that is suspicious and should be reported, Barlow said. The insider threat team then looks at the surrounding facts and draws the conclusions about the activity.
Departments and agencies, however, are given leeway to go beyond the White Houses basic requirements, prompting the Defense Department in its strategy to mandate that workers with clearances must recognize the potential harm caused by unauthorized disclosures and be aware of the penalties they could face. It equates unauthorized disclosures of classified information to aiding the enemies of the United States.
All departments and agencies involved in the program must closely track their employees online activities. The information gathered by monitoring, the administration documents say, could be used against them in criminal, security, or administrative proceedings. Experts who research such efforts say suspicious behaviors include accessing information that someone doesnt need or isnt authorized to see or downloading materials onto removable storage devices like thumb drives when such devices are restricted or prohibited.
If you normally print 20 documents a week, well, what happens if the next week or the following week you have to print 50 documents or 100 documents? That could be at variance from your normal activity that could be identified and might be investigated, said Randy Trzeciak, acting manager of the Computer Emergency Response Team Insider Threat Center at Carnegie Mellon Universitys Software Engineering Institute.
Weve come up with patterns that we believe organizations might be able to consider when determining when someone might be progressing down the path to harm the organization, said Trzeciak, whose organization has analyzed more than 800 cases and works with the government and private sector on cyber security.
But research and other programs that rely on profiling show it remains unproven, could make employees more resistant to reporting violations and might lead to spurious allegations.
The Pentagon, U.S. intelligence agencies and the Department of Homeland Security have spent tens of millions of dollars on an array of research projects. Yet after several decades, they still havent developed a list of behaviors they can use to definitively identify the tiny fraction of workers who might some day violate national security laws.
We are back to the needle-in-a-haystack problem, said Fienberg, the Carnegie Mellon professor.
We have not found any silver bullets, said Deanna Caputo, principal behavioral psychologist at MITRE Corp., a nonprofit company working on insider threat efforts for U.S. defense, intelligence and law enforcement agencies. We dont have actually any really good profiles or pictures of a bad guy, a good guy gone bad or even the bad guy walking in to do bad things from the very beginning.