I Know What You Did Last Shift: A New Study Examines Why Employees Don't Report Security Concerns about Coworkers and What Management Can Do
Wood, Suzanne, Security Management
While most U.S. government employees are careful in guarding the nation's secrets, some who have failed to do so have done great harm to national security. Dealing with this risk is the primary goal of the federal government's personnel security program. To help manage this risk, government security experts recently conducted research that produced information on how the risk may be reduced through better reporting by coworkers who observe risky behavior by an individual with a security clearance.
This analysis was reported in Improving Supervisor and Coworker Reporting of Information of Security Concern. The study was conducted by the Defense Personnel Security Research Center (PERSEREC) and has led to the center's development of a new reporting tool, Counterintelligence Reporting Essentials (CORE).
The study consisted of four interrelated steps. The first was to review policies and research related to supervisor and coworker reporting of security-relevant behavior; the second was to conduct an extensive literature review to learn about the willingness of people in general to report on colleagues; the third was to interview 45 security managers and management personnel at 20 DOD and non-DOD federal agencies to determine the frequency of reporting and to gather recommendations for improving reporting policy and its implementation; and the final step was to conduct six focus groups, three with supervisors and three with coworkers, at two military installations and one intelligence community agency. Participants in the focus groups described their reporting responsibilities, discussed their feelings about reporting, and offered recommendations to improve relevant policies and operations.
The study focused on the reporting of security-relevant behaviors. These behaviors fall into three categories: national security and counterintelligence issues, security rules, and behavioral problems. The first behaviors occur relatively rarely, involve evidence of contact with a foreign intelligence agency, and are clearly of security concern. The second involve violations of procedures that govern the protection of national secrets; these are serious but they may not always be criminal, given that they are sometimes caused by ignorance or carelessness. Last are suitability and reliability problems, such as excessive drinking or severe financial problems, that are rarely reported by coworkers or supervisors because they are so personal.
The following discussion of why people will or will not report on their colleagues is drawn from this PERSEREC study.
Failure to report. The study found many reasons why people are unwilling to report their colleagues. The major reason is that employees do not want to violate deeply entrenched cultural prohibitions against informing on colleagues and friends. Most Americans are brought up not to snitch or tattle. Also, before reporting, most employees in the workplace want to see a substantial connection between the behavior and national security. It is never quite clear to them, for example, why someone having a drinking problem is a security risk at work. In contrast, the study participants said that reporting security violations such as a colleague taking home classified material would not be a problem.
Participants felt that it would certainly be a breach of normal social rules to inform on colleagues' personal habits, such as gambling, drinking, or sexual promiscuity, actions that on the surface appear to them only loosely related to national security. These suitability and reliability problems, which a study participant called "the more private things," are almost never reported.
But the PERSEREC study found that social taboos about snitching and invading the privacy of coworkers were not the only barriers to reporting. Supervisors and coworkers also said they feared that if they reported people to security, they would lose control of the situation--that the security system would step in and end any hope of a manager being able to help the person directly. …