Security Magazine

Security Services: Plugging Hiring Holes

By Shelley A. Kirkpatrick Ph.D.
March 16, 2006
Treat a resume as an initial access control device. Certain U.S. industries have already been warned that “sleepers” could want jobs as they plan terrorist attacks.


You’ve protected your computer systems against hackers. You’ve improved the physical security of the perimeter of your building. You control entry into your building. But one point of access for intruders and terrorists still remains - the hiring process.

Insider threat is a recognized vulnerability that can negatively impact an organization’s people, physical assets, computer systems and proprietary information, thus threatening economic security, according to PricewaterhouseCoopers’ Economic Crime Survey and Trends in Proprietary Information Loss. Insiders include anyone with legitimate access to physical or computer facilities, such as current and former employees, on-site contractors, vendors and temporary employees.

The threat of terrorism is usually perceived as a homeland security issue, although it also can affect a company’s economic security. “Ensuring security while protecting applicants’ and employees’ Constitutional rights constitutes a paradox for both human resources (HR) and security staff,” according to James Outtz, president of Outtz and Associates, a Washington, DC-based selection consulting firm.

One vulnerability has received little attention but relates to both insider threat and homeland security: the vulnerability of the hiring process to terrorists. Although insiders have carried out no major terrorist incident, several attempts have been made.

Key U.S. facilities were warned by the government in early 2003 to check for possible infiltrators among employees. Critical industries and key infrastructure and installations were warned to take steps to guard against potential terrorist attacks. Planning may begin months or years before an actual attack, according to the warning.



Employees, even those qualified for the job, can gain knowledge of facility layouts as well as ways to gain access or destroy sensitive enterprise data.

Hiring requirements

Employment laws focus on ensuring fair hiring practices rather than security. Typical current hiring requirements include the Federal I-9 employment eligibility form. Organizations often do not conduct background checks on lower level employees, although they have access to facilities and may have access to sensitive data.

Even with the increased scrutiny to obtain legal identification, such as driver’s licenses, passports or Social Security cards, it is still fairly easy to obtain fraudulent documents or to falsify job applications. In New Jersey, 40 felons were arrested for falsifying applications for security guard jobs, according to mid-2005 media reports.

Further, human resources, unlike security, typically doesn’t realize the security issues related to hiring. According to Amotz Brandes of Chameleon Associates, a security consulting firm, “Every HR manager should wear the hat of the aggressor for a few hours and simulate penetration into the organization in order to realize the magnitude of this problem.” This exercise will give HR managers insight into the aggressor’s perspective. However, personnel with expertise on specific aggressors, such as security staff, should perform vulnerability assessments.



Warning signs

Possible indicators that may pinpoint an area for further investigation include:
  • The job applicant provides written recommendation letters and states that telephone contact cannot be made with his/her references. Providing the names of companies that are no longer in business – such as Compaq, PanAm or TowerAir – is a suspicion indicator, according to Brandes.
  • The job applicant has lived at his/her present address for a short time period.
  • Work history and education do not fit with the proposed job. Although it is common for foreign nationals to apply for U.S. jobs for which they are overqualified, the applicant should be asked to explain any incompatibility between qualifications and prospective job.
  • The applicant does not seem to care about the pay or the position and only seems interested in the accesses or work location, says Brandes.

Once hired, warning indicators may consist of requesting assignments where the employee can spend time alone (e.g., night shift), requesting frequent schedule changes, or serving as the sole reference for his/her friends who apply for jobs with the company.

Enterprises and the security and HR team need to put considerably more thought into their overall hiring approach. They may need to re-evaluate the hiring structure, according to Outtz. Companies select employees based on job-related factors that affect performance. But in today’s environment, additional factors, such as honesty and integrity, may have risen in importance from secondary to primary factors for certain positions.

Further, companies must revise their policies for how suspiciousness indicators are identified and dealt with. “The organization has an obligation to lay a foundation,” Outtz stated, “for ensuring that employees’ rights are not violated.” Brandes concurs, noting that “government/private cooperation in the field of screening is important.”

The focus should be on identifying suspicious behaviors, and then investigating them until they have been reasonably explained. Brandes stated that a predictive profiling approach has been used successfully to identify suspicion indicators based on known terrorist attack methods and observable behaviors. Then, the suspiciousness indicator is investigated until it is determined that it is not a threat. Any indicators that cannot be ruled out must be considered to be a threat. This approach, according to Brandes, will not violate Constitutional rights because it focuses on correlating observable behavior with known terrorist methods; it does not identify based on race, gender, or religious affiliation.



Sidebar: The Dangerous Insider

Rather than plan an attack from the outside, placing members on the inside of a company has many advantages:
  • Learn the physical layout. An insider can conduct surveillance from the inside of a physical facility, noting the layout and location of entrances, emergency exits, non-public areas, and building infrastructure. From a terrorist’s perspective, it is safer to photograph, videotape, or sketch layouts and structural designs as an insider.
  • Observe security procedures. Security procedures and routines also can be more easily observed, such as identification requirements for the public versus company employees, daily variations in crowds or security routines, and special event arrangements.
  • Prepare for and conduct an attack. An insider can assist in perpetrating a terrorist operation, including carrying explosives or other weapons (or their components) into a building, providing vehicle access, or providing distractions. Depending on the structure of the terrorist cell, the terrorist insider could provide information to an attack team or could wear both a planning and operations hat.


Sidebar: Genetic Testing Next Hiring Step?

Not for some enterprises. But some other organizations, which see ever-rising healthcare costs, already are insisting that employees not smoke and are randomly testing for it.

The opportunity to improve life through genomics-driven personalized medicine and preventive care will only be realized fully if individual genetic privacy is protected, according to Harriet Pearson, vice president and chief privacy officer at IBM. That firm has expanded its human resources policies to become the first major corporation in the world to commit not to use or require genetic testing in making employment decisions. IBM has been a pioneer in ensuring that other human attributes such as race, gender, age, disability or sexual orientation are not used in employment decisions.

Privacy issues are a legitimate sensitivity when it comes to hiring practices, according to IBM’s Harriet Pearson.


Dr. Shelley A. Kirkpatrick is a principal analyst at the Homeland Security Institute (HSI). The views expressed in this article are her own and do not necessarily reflect HSI opinion or policy. Her main area of interest is indirect or remote assessment of behavior; she has developed and used methods for assessing behavior, the environment in which the behavior occurs and personal characteristics of adversaries. Dr. Kirkpatrick has recently joined Management Concepts in Vienna, Virginia, where she is the Director of Assessment Services.

Copyright ©2025. All Rights Reserved BNP Media.
