Stephanie Jaros, Director of Research for the U.S. Department of Defense’s (DoD) counter-insider threat program, talks to Security about her journey through security and her work with insider threats. She talks about the integration of the human and behavioral sciences into DoD’s program, the Threat Lab, as well as the importance of identifying and addressing insider threats — as well as the criticality of the timeline.Security magazine: Could you tell me a bit about your journey into security and what led you to your current position in the field?
Jaros: The theme of my career I think is best summarized by, ‘I don't know where I'm going, but I always seem to get there.’ I had been studying sociology of sex and gender and I attended a career fair during graduate school for government employment. I was really interested in health and policy jobs, but we had all put our resumes into a resume bank so the people who attended the job fair could see them. One day, I got a call from a representative from U.S. Customs and Border Protection [CBP]. [The recruiter] had seen my resume, saw my research experience and invited me to interview at the career fair. You never want to turn down an opportunity to interview, to practice your skills, to meet new people, but I have to be honest: I did not know what CBP did. In fact, I mistook it for TSA, but I wasn’t about to tell her that on the phone.
I was able to begin my government career at a small research unit within CBP’s office of Internal Affairs that was dedicated to studying the pathway from an employee’s idea to their corrupt activity. At CBP, the corruption we were interested in studying and ultimately helping to prevent was misuse of position — particularly at the borders among agents or officers who would accept bribes or let in people, drugs, weapons, money, [and] things like that. Then in 2011, after Executive Order 13587 was signed, all government agencies had to have an insider threat program and CBP posted a job for an insider threat program coordinator.
I was excited to move into the insider threat space. Eventually, I moved to Northrop Grumman so I could work for the Defense Personnel and Security Research Center or PERSEREC. I started as a contractor and then moved back into government — which I had not expected to do — as a PERSEREC government civilian because I knew the job would be dedicated to the insider threat research portfolio. I had met DoD’s counter-insider threat program director, Dr. Brad Millick, and his then-Chief of Staff, Ms. Doris Gobin, and we had a fantastic discussion about their vision for DoD’s enterprise-level program: where they wanted it to go and how they wanted the social and behavioral sciences to be one of the foundations for their program. I responded to Dr. Millick’s statement [about building] this program, named it the Threat Lab, and I’ve been doing it ever since.
Security magazine: In your line of work, you specifically deal with insider threats. Could you tell me a bit about what insider threats are and how one might identify them?
Jaros: It really depends on where you sit — your type of agency, your type of organization — and how you define the phrase “insider threat.” In line with Executive Order 13587 that I mentioned, which was published in 2011 in response to the WikiLeaks case, government agencies had to create these programs to protect their classified assets. This meant that only people with eligibility for a national security clearance would be within the scope of these programs and the focus would mainly be on protecting our electronic assets from unauthorized removal and transmission. Over time, these programs — particularly in DoD and in some other agencies — [have] expanded, and the reason for that is because we have recognized the risks associated with losing our unclassified assets. We’ve also been reminded all too often of the harm that is caused by workplace violence incidents.
Today, [in 2021], we are working to create a more comprehensive counter-insider threat program that goes beyond detection to include both prevention and mitigation strategies, [while] also [fulfilling] our requirement to incorporate privacy and civil liberties protections for the workforce. This is really where our opportunity to integrate the social and behavioral sciences [comes] in, when we’re talking about prevention and mitigation, because as I mentioned when I got my job at CBP, we know that there are intervention points along a person’s pathway.
This critical pathway from idea to action, whether we’re talking about espionage, corruption, or even workplace violence — it’s not the same pathway but along the way, it could be described as such. Rather than wait for one of these high-impact, low-frequency events to occur, we want to work with people to understand their situations [and] help them return to being productive, healthy members of our workforce. That means that we want to take advantage of those intervention opportunities along the way.
Security magazine: Going back to identifying insider threats — are there levels of urgency when it comes to addressing certain threats?
Jaros: There’s certainly those situations in which there’s an immediate risk of harm to self or others — particularly in the threat of violence. Those you want to address right away, but I don’t quite think that’s what you’re asking. This idea of whether or not smaller concerns can lead to bigger problems; we’ve all seen the data about the financial cost of cybercrime and we know the cost in the private sector of stolen intellectual property. Insider threat professionals do have an opportunity to reduce these costs and mitigate these losses. Whenever I see another workplace shooting, I am reminded of just how important our work is.
We know from our research that people rarely join an organization with the intent to do harm — the cases do happen, but they are rare. Instead, individual and environmental factors contribute to their decision to carry out harm. We know that there are known or knowable behaviors that happen along the way, so [I believe] it is our responsibility to build programs, help people and organizations recognize report, and respond to the concerning behaviors that precede these events before they can turn into something that has such a high impact [or] a long recovery time. It’s important to prioritize, but it [is] also extremely important to put resources toward early mitigation and prevention.
Security magazine: What do you think makes for an effective counter-insider threat program and are there some methods — such as training employees or using technology — to help detect these threats early on?
Jaros: One of the most important things we tell our stakeholders, particularly leaders in the organizations we work with, is that absent leadership buy-in and commitment from high-level executives in and out of government will not get your program off the ground. That is the number one requirement for creating and sustaining a comprehensive counter-insider threat program. Beyond that, another way for organizations to fall short pretty quickly is to not have a reporting structure that is robust, trusted, [and] transparent.Helping people do something when they see something is incredibly important and for an insider threat program. We want to transmit [that] message to our workforces. It’s not enough to say something to your friend or colleague if you see concerning behavior. It’s not enough to create a hotline number or an email account that never gets checked, or that people don’t understand and trust that there is a human being receiving those messages.
Insider threat programs [should be] personal. They need to educate the workforce about these reporting processes. Make people know that there are, in fact, competent professionals who receive and process these reports. We don’t often think about who the best messenger is for our program. We hire analysts, investigators, [and] psychologists, but that person who is on the front lines of training, who is delivering the message to the general workforce, who is speaking with leaders — it’s incredibly important to get the right person in that role so that they can properly message [others] and represent the program.
It’s important to tell people in the workforce what they can expect when they contact the counter-insider threat program. It’s important to explain to people why and how they’ll receive updates to their report and in many cases, updates — [especially] specific updates — aren’t allowed because we want to protect individuals’ privacy. We can, however, at the very least acknowledge that the person’s report has come through, explain to the workforce about confidentiality and why we can't give them the details, and [let them know] how their report will be stored [and if] their name [will] be used. It’s not just the confidentiality of the person who’s a person of concern, but it’s also the person who reported. Giving people as much information as possible is really important to build the credibility of the program.
I always tell people, and this is more difficult during COVID, but when and if possible, make these training connections and outreach briefings in-person. Make yourself available for additional questions one-on-one after you’ve talked with large groups. When I was at U.S. Customs and Border Protection, I used to deliver what was then called the “integrity briefing” during their new employee orientation program and after every single session, I would spend some time just waiting around and it never failed. At least one or two people would come up to me and they would ask questions about concerns that they had witnessed.
Building those relationships is incredibly important because then [in] six months or a year if they see something, have a concern, or just have a question, they’ll be more comfortable calling you. So connecting with people personally and helping them navigate the reporting process — it really is a critical piece of an effective counter-insider threat program.
Listen to this episode of Security’s The Security Podcasts now:
The above transcript has been edited for clarity.