Goals for Security Education
The principal goal of this program is to make
security education information more readily available in more convenient form. Employees
can use this Guide to quickly look up whatever security information they need or want,
whenever they need or want it, in the privacy of their own office. Security
professionals can use the Guide as an aid in preparing briefings or as a
source of articles for newsletters.
The advantage of the Guide, as compared with
a conventional briefing, is that it makes more comprehensive information available at the
employees' fingertips on demand. However, information is useful only if the employees
actually look at it and use it. This places an obligation upon us, as security educators,
to: 1) Make the Guide so useful, interesting, and easy to use that employees will want to
use it; and 2) Promote the Guide so that employees will know where to find
it and remember to use it.
The Guide supplements, but does not replace, the customary face-to-face briefings. Both approaches are needed for an
effective security education program. The advantage of the face-to-face briefing is that
it offers an opportunity for personal contact and discussion. Also, one can document that
an employee has been exposed to a briefing and can, therefore, be held accountable for
compliance.
Security education programs for trusted
employees generally cover three main subject areas:
- Understanding of and compliance with security
rules and regulations.
- Understanding the magnitude and complexity of
the foreign threats that make these rules and regulations necessary.
- Understanding the nature of the insider threat
and how to mitigate it.
This Guide places greater emphasis on insider
threat issues and technical vulnerabilities than many other security education programs.
Insider betrayal and technical penetration are generally believed to be the two principal
sources of compromise of protected information. As used here, technical vulnerability
includes the interception of telecommunications, penetration and hacking of automated
information systems, and electronic eavesdropping.
All these threats have one thing in common.
They can be countered or mitigated by well-trained and motivated personnel who know how to
protect sensitive information and take appropriate precautions when they find
themselves in a higher-threat situation.
Goals for each of the three general subject
areas are identified below, along with links to the elements of this guide that contribute
to each goal.
Understanding and Compliance With Security Rules and Regulations
Improve compliance with the rules and
regulations for protection of classified or sensitive-but-unclassified information.
Improve understanding of and
compliance with requirements for personnel to report certain aspects of their own
activities.
Understanding Threats To Protected Information
Increase understanding of how
intelligence collectors work.
- Topics under the general heading of Getting Information Out of Honest People Like Me
discuss the whole gamut of approaches for obtaining information by means other than
recruitment of agents. These topics help employees recognize situations that create
vulnerabilities and provide information on countermeasures that individuals and
organizations can and should take.
Increase understanding of where the
threat is coming from.
- The diversity of the threat is summarized in
the introduction to Who's Doing What to
Whom. The Guide does not discuss specific countries conducting intelligence operations
against the United States as this is not considered appropriate for broad, unclassified
distribution.
Increase understanding of types of
information that foreign collectors are seeking.
Motivate employees to maintain better
communications security, computer security, and security from eavesdropping.
- Computer and Other Technical Vulnerabilities has modules covering communications intercept, computer
security, and bugs and mikes. Providing a basic, non-technical understanding of how these
technical operations work makes it easier for people to imagine how vulnerable they really
are.
Mitigating the Insider Threat
Deal more effectively with the
personal problems that sometimes lead to wrongdoing.
- When destructive behavior occurs in the
workplace, investigators commonly find a situation in which a troubled employee felt boxed
in. The employee acted out of a sense of desperation, or a feeling that there was no other
way out. Understanding and Helping
with Personal Problems provides information on common personal problems and encourages
the use of available counseling programs. Timely counseling can help prevent personal
problems from becoming security problems.
Discourage betrayal by deglamorizing
espionage and emphasizing the likelihood of getting caught and punished.
- How Spies Are Caught is intended to
catch the attention of anyone who might be contemplating espionage.
- The Spy Stories are intended to convey
useful lessons. For example, the Lipka
case is about a man who was arrested 22 years after he stopped spying
for the Soviets. It points out that there is no statute of limitations on espionage, which
is an important message.
Help detect wrongdoing by encouraging
employee reporting and by providing specific direction on what employees are expected to
report.
Promote a better understanding of the
factors that lead to insider betrayal.