52,207 research outputs found

    A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes

    Insider threats are perhaps the most serious challenges that nuclear security systems face. All of the cases of theft of nuclear materials where the circumstances of the theft are known were perpetrated either by insiders or with the help of insiders; given that the other cases involve bulk material stolen covertly without anyone being aware the material was missing, there is every reason to believe that they were perpetrated by insiders as well. Similarly, disgruntled workers from inside nuclear facilities have perpetrated many of the known incidents of nuclear sabotage. The most recent example of which we are aware is the apparent insider sabotage of a diesel generator at the San Onofre nuclear plant in the United States in 2012; the most spectacular was an incident three decades ago in which an insider placed explosives directly on the steel pressure vessel head of a nuclear reactor and then detonated them. While many such incidents, including the two just mentioned, appear to have been intended to send a message to management, not to spread radioactivity, they highlight the immense dangers that could arise from insiders with more malevolent intent. As it turns out, insiders perpetrate a large fraction of thefts from heavily guarded non-nuclear facilities as well. Yet organizations often find it difficult to understand and protect against insider threats. Why is this the case? Part of the answer is that there are deep organizational and cognitive biases that lead managers to downplay the threats insiders pose to their nuclear facilities and operations.
But another part of the answer is that those managing nuclear security often have limited information about incidents that have happened in other countries or in other industries, and the lessons that might be learned from them. The IAEA and the World Institute for Nuclear Security (WINS) produce "best practices" guides as a way of disseminating ideas and procedures that have been identified as leading to improved security. Both have produced guides on protecting against insider threats. But sometimes mistakes are even more instructive than successes. Here, we are presenting a kind of "worst practices" guide of serious mistakes made in the past regarding insider threats. While each situation is unique, and serious insider problems are relatively rare, the incidents we describe reflect issues that exist in many contexts and that every nuclear security manager should consider. Common organizational practices -- such as prioritizing production over security, failure to share information across subunits, inadequate rules or inappropriate waiving of rules, exaggerated faith in group loyalty, and excessive focus on external threats -- can be seen in many past failures to protect against insider threats.

    Emergency Management Training for Transportation Agencies

    State transportation agencies have a variety of responsibilities related to emergency management. Field personnel manage events--from day-to-day emergencies to disasters--using the Incident Command System (ICS) as their organizational basis. At the headquarters level, the Emergency Operations Center (EOC) coordinates the use of resources across the department and its districts, with other state departments and agencies, and through the federal Emergency Support Function 1. District-level EOCs coordinate with the department. In extreme events, the transportation department may only be able to deliver limited essential services in austere conditions, so a continuity of operations/continuity of government plan (COOP/COG) is essential. This research applied the principles of andragogy to deliver ICS field level training, EOC training and COOP/COG training to state transportation agency’s staff in all districts and at headquarters. The data supports the need for adult-oriented methods in emergency management training.

    FEMA's Integration of Preparedness and Development of Robust Regional Offices

    In October 2006, Congress enacted major legislation to reform the function and organization of the Federal Emergency Management Agency (FEMA) in response to the recognized failures in preparation for and response to Hurricane Katrina. The Post-Katrina Emergency Management Reform Act of 2006 (PKEMRA) focused national preparedness responsibilities within FEMA and directed additional resources and responsibilities to FEMA's ten regional offices. Directed by Congress, in October 2008 a National Academy Panel began an independent assessment of FEMA's integration of preparedness functions and progress in development of robust regional offices. Main Findings: Over the past three years, FEMA has taken significant steps in an effort to integrate preparedness and develop more robust regional offices. These efforts, undertaken by both the previous and current Administrations, are documented throughout this report and should be recognized and applauded. However, FEMA has yet to define specific goals and outcomes that would permit it, Congress or the public to determine when preparedness has been fully integrated into all aspects of FEMA's work and whether the development and ongoing operation of robust regional offices has been achieved. In the absence of well-defined, measurable outcome indicators, the National Academy Panel relied upon the assessments of FEMA leaders and staff, documentation provided by FEMA, and a review of secondary source material to inform its findings and recommendations. Based upon this evidence, the Panel has concluded that, while progress has been made: (1) preparedness is not fully integrated across FEMA, (2) FEMA's regional offices do not yet have the capacity required to ensure the nation is fully prepared, (3) stakeholders are not yet full partners with FEMA in national preparedness, and (4) FEMA has ineffective internal business practices, particularly with regard to human resource management.
The Panel made seven recommendations for FEMA: Establish a cross-organizational process, with participation from internal and external stakeholders, to develop a shared understanding of preparedness integration; Establish a robust set of outcome metrics and standards for preparedness integration, as well as a system to monitor and evaluate progress on an ongoing basis; Work to eliminate organizational barriers that are adversely impacting the full integration of preparedness across the agency; Continue to build regional office capacity and monitor implementation consistent with the Administrator's recent policy guidance; Undertake steps to improve the ongoing working relationship between headquarters and the regions in accord with Panel-identified principles; Take steps to improve stakeholder engagement and relationships at all levels in accord with Panel-identified principles; and Strengthen internal business practices, especially in the area of human capital planning.

    Improving disaster response evaluations : Supporting advances in disaster risk management through the enhancement of response evaluation usefulness

    Future disasters or crises are difficult to predict and therefore hard to prepare for. However, while a specific event might not have happened, it can be simulated in an exercise. The evaluation of performance during such an exercise can provide important information regarding the current state of preparedness, and used to improve the response to future events. For this to happen, evaluation products must be perceived as useful by the end user. Unfortunately, it appears that this is not the case. Both evaluations and their products are rarely used to their full extent or, in extreme cases, are regarded as paper-pushing exercises. The first part of this research characterises current evaluation practice, both in the scientific literature and in Dutch practice, based on a scoping study, document and content analyses, and expert judgements. The findings highlight that despite a recent increase in research attention, few studies focus on disaster management exercise evaluation. It is unclear whether current evaluations achieve their purpose, or how they contribute to disaster preparedness. Both theory and practice tend to view, and present evaluations in isolation. This limited focus creates a fragmented field that lacks coherence and depth. Furthermore, most evaluation documentation fails to justify or discuss the rationale underlying the selected methods, and their link to the overall purpose or context of the exercise. The process of collecting and analysing contextual, evidence-based data, and using it to reach conclusions and make recommendations lacks methodological transparency and rigour. Consequently, professionals lack reliable guidance when designing evaluations. Therefore, the second part of this research aimed to gain insights into what makes evaluations useful, and suggest improvements. In particular, it highlights the values associated with the methodology used to record and present evaluation outcomes to end users.
The notion of an ‘evaluation description’ is introduced to support the identification of four components that are assumed to influence the usefulness of an evaluation: its purpose, object description, analysis and conclusion. Survey experiments identified that how these elements – notably, the analysis and/or conclusions – are documented significantly influences the usefulness of the product. Furthermore, different components are more useful depending on the purpose of the report (for learning or accountability). Crisis management professionals expect the analysis to go beyond the object of the evaluation, and focus on the broader context. They expect a rigorous evaluation to provide them with evidence-based judgements that deliver actionable conclusions and support future learning. Overall, this research shows that the design and execution of evaluations should provide systematic, rigorous, evidence-based and actionable outcomes. It suggests some ways to manage both the process and the products of an evaluation to improve its usefulness. Finally, it underlines that it is not the evaluation itself that leads to improvement, but its use. Evaluation should, therefore, be seen as a means to an end.

    The Knowledge Application and Utilization Framework Applied to Defense COTS: A Research Synthesis for Outsourced Innovation

    Purpose – Militaries of developing nations face increasing budget pressures, high operations tempo, a blitzing pace of technology, and adversaries that often meet or beat government capabilities using commercial off-the-shelf (COTS) technologies. The adoption of COTS products into defense acquisitions has been offered to help meet these challenges by essentially outsourcing new product development and innovation. This research summarizes extant research to develop a framework for managing the innovative and knowledge flows. Design/Methodology/Approach – A literature review of 62 sources was conducted with the objectives of identifying antecedents (barriers and facilitators) and consequences of COTS adoption. Findings – The DoD COTS literature predominantly consists of industry case studies, and there’s a strong need for further academically rigorous study. Extant rigorous research implicates the importance of the role of knowledge management to government innovative thinking that relies heavily on commercial suppliers. Research Limitations/Implications – Extant academically rigorous studies tend to depend on measures derived from work in information systems research, relying on user satisfaction as the outcome. Our findings indicate that user satisfaction has no relationship to COTS success; technically complex governmental purchases may be too distant from users or may have socio-economic goals that supersede user satisfaction. The knowledge acquisition and utilization framework worked well to explain the innovative process in COTS. Practical Implications – Where past research in the commercial context found technological knowledge to outweigh market knowledge in terms of importance, our research found the opposite. Managers either in government or marketing to government should be aware of the importance of market knowledge for defense COTS innovation, especially for commercial companies that work as system integrators.
Originality/Value – From the literature emerged a framework of COTS product usage and a scale to measure COTS product appropriateness that should help to guide COTS product adoption decisions and to help manage COTS product implementations ex post.

    Continuous Improvement Through Knowledge-Guided Analysis in Experience Feedback

    Continuous improvement in industrial processes is increasingly a key element of competitiveness for industrial systems. The management of experience feedback in this framework is designed to build, analyze and facilitate the knowledge sharing among problem solving practitioners of an organization in order to improve processes and products achievement. During Problem Solving Processes, the intellectual investment of experts is often considerable and the opportunities for expert knowledge exploitation are numerous: decision making, problem solving under uncertainty, and expert configuration. In this paper, our contribution relates to the structuring of a cognitive experience feedback framework, which allows a flexible exploitation of expert knowledge during Problem Solving Processes and a reuse of such collected experience. To that purpose, the proposed approach uses the general principles of root cause analysis for identifying the root causes of problems or events, the conceptual graphs formalism for the semantic conceptualization of the domain vocabulary and the Transferable Belief Model for the fusion of information from different sources. The underlying formal reasoning mechanisms (logic-based semantics) in conceptual graphs enable intelligent information retrieval for the effective exploitation of lessons learned from past projects. An example will illustrate the application of the proposed approach of experience feedback processes formalization in the transport industry sector.

    Maturing Defense Support of Civil Authorities and the Dual Status Commander Arrangement through the Lens of Process Improvement

    The authors advocate the integration of process improvement methods into future Defense Support of Civil Authorities (DSCA) operations. They briefly discuss alternative process improvement strategies and their current state of employment in a variety of DoD programs. Methods discussed include Lean Six Sigma, Total Quality Management, and Capability Maturity Models; the utility of such methods is demonstrated, and the value in applying process improvement methods to DSCA operations is articulated. Three recommendations are given to demonstrate how a usable process maturity model can be built and employed for future operations. The monograph concludes by reaffirming the inherent utility of, and advocating for, process improvement techniques as a way to mature future DSCA operations using the dual status commander arrangement.

    LEAN FIRE MANAGEMENT: A FOCUSED ANALYSIS OF THE INCIDENT COMMAND SYSTEM BASED ON TOYOTA PRODUCTION SYSTEM PRINCIPLES

    A primary role of the Incident Command System is to learn from past incidents, as illustrated by its origins in the wildland firefighting community. Successful emergency response operations under the Incident Command System have prompted its nationwide spread; this promulgation critically relies on the system’s capability to stabilize and continuously improve various aspects of emergency response through effective organizational learning. The objective of this study is to evaluate the potential to apply fundamental principles of the Toyota Production System (Lean manufacturing) to improve learning effectiveness within the Incident Command System. An in-depth review of literature and training documents regarding both systems revealed common goals and functional similarities, including the importance of continuous improvement. While these similarities point to the validity of applying Lean principles to the Incident Command System, a focus on the systematic learning function of the Incident Command System culminated in the discovery of gaps in approaches proposed by the Incident Command System framework. As a result, recommendations are made for adjustments in systematic problem solving to adapt Lean principles of root cause analysis and emphasis on standardization of successful countermeasures to benefit the system. Future recommendations are also proposed based on the author’s understanding of the system.

    Mission Assurance: A Review of Continuity of Operations Guidance for Application to Cyber Incident Mission Impact Assessment (CIMIA)

    Military organizations have embedded information technology (IT) into their core mission processes as a means to increase operational efficiency, improve decision-making quality, and shorten the sensor-to-shooter cycle. This IT-to-mission dependence can place the organizational mission at risk when an information incident (e.g., the loss or manipulation of a critical information resource) occurs. Non-military organizations typically address this type of IT risk through an introspective, enterprise-wide focused risk management program that continuously identifies, prioritizes, and documents risks so an economical set of control measures (e.g., people, processes, technology) can be selected to mitigate the risks to an acceptable level. The explicit valuation of information resources in terms of their ability to support the organizational mission objectives provides transparency and enables the creation of a continuity of operations plan and an incident recovery plan. While this type of planning has proven successful in static environments, military missions often involve dynamically changing, time-sensitive, complex, coordinated operations involving multiple organizational entities. As a consequence, risk mitigation efforts tend to be localized to each organizational entity, making the enterprise-wide risk management approach to mission assurance infeasible. This thesis investigates the concept of mission assurance and presents a content analysis of existing continuity of operations elements within military and non-military guidance to assess the current policy landscape to highlight best practices and identify policy gaps in an effort to further enhance mission assurance by improving the timeliness and relevance of notification following an information incident.