Personnel Security Needs a Makeover

Inside the house: Still from the movie 'The Insider' featuring Russell Crowe and Al Pacino. Image: United Archives GmbH / Alamy Stock


Personnel security needs a strategic purpose, much better processes, the right data and a new name if it is to succeed in protecting organisations against insider risk.

Organisations of all types and sizes face potentially serious problems from insider risk – the security risk arising from the harmful behaviour of trusted individuals. The putative solution is personnel security – the system of defensive measures by which organisations protect themselves against insider risk. However, the field of personnel security is struggling to do its job effectively, for several reasons, and needs refreshing. So, what would a reinvigorated Personnel Security 2.0 look like? There is ample scope for refreshment on many fronts, four of which are highlighted here.

A New Name: Insider Security

One reason why personnel security – the Cinderella of protective security – fails to attract the right attention among leaders and policymakers is the fusty and perplexing terminology. ‘Personnel security’ is easily confused with ‘personal security’, ‘people security’ and ‘human security’, all of which mean different things.

Personnel security is about protecting organisations from the harmful actions of trusted insiders, whereas personal security is about protecting individuals from threats to their physical and psychological well-being. There is little overlap between the two disciplines in terms of their methods. Personnel security is the province of vetting officers; personal security (also known as personal safety and security) is the province of close protection officers.

To add to the confusion, we also have ‘people security’, which can mean harnessing people to support security; for example, by enhancing workforce vigilance. Meanwhile, in the world of Human Resources (formerly known as Personnel), people security and human security mean something else again. Confused? You should be.

Then we have ‘vetting’, a tired and ambiguous term from the Cold War era. In government contexts, vetting is essentially synonymous with personnel security and encompasses the full panoply of defensive measures, both pre- and post-recruitment. More commonly, however, vetting refers only to pre-employment screening, which is just one component of personnel security. The vetting word should be retired.

A more compelling reason for ditching the name personnel security is that not all insiders are persons. Tasks that were once performed by humans are increasingly being done by intelligent machines. Consequently, organisations are facing an emerging security risk from AI insiders (as distinct from human insiders). Personnel security is obviously not the right label when dealing with non-human insiders.

A better name would be insider security. It says what it does, while avoiding the personnel/personal/people pooh-trap. More importantly, it makes sense both for human and AI insiders. Insider security should replace personnel security in the taxonomy of protective security specialisms, sitting alongside its cyber, physical, personal and technical security siblings. (Incidentally, we live in a cyber-centric world where personnel security is often mistakenly regarded as a sub-set of cyber security. It is no such thing.)

A Strategic Purpose: Building Trust

Culture eats strategy for breakfast, according to a popular dictum. Arguably, the opposite is true for personnel security, which is a discipline widely lacking in strategic thinking. The more traditional manifestations of personnel security consist of collections of policies and processes that have accumulated over time, with little by way of underpinning concepts, guiding principles or strategic goals. Security culture – the way people typically behave with regard to security – is a crucial element of any security regime. But it is hard to improve an organisation’s security culture without knowing what the security is intended to achieve – in other words, its strategic purpose.

The most obvious strategic purpose of personnel security is to stop bad things from happening by mitigating insider risk. There is, however, a more interesting option, which is to build trust.

Trust is the universal currency of insider risk. Insiders are people (or AIs) who have been trusted with access and betray that trust by behaving in potentially harmful ways, whether deliberately or unwittingly. The basic role of personnel security is to assess and maintain trustworthiness within the workforce. The right kind of personnel security would support a wider strategic goal of building high-trust organisations.

A high-trust organisation is one in which the organisation trusts its people, and vice versa, because they are judged to be trustworthy (in other words, the trust is based on more than blind faith). Building trust brings business benefits over and above reducing insider risk. High-trust organisations perform better, on average, than low-trust organisations: they are more innovative, more resilient, make faster decisions and waste less time and money on bureaucracy. They are also more agreeable places to work, making them better able to recruit and retain talent.

Personnel security can be perceived as intrusive and untrusting. Adopting a strategic purpose of building trust therefore requires careful communication. In 2023 NPSA (the UK national technical authority for physical and personnel security) changed the official definition of ‘insider’ to encompass literally everyone in the workforce. The previous definition applied the ‘insider’ label, with its negative connotations, only to the small minority of individuals who pose a heightened security risk. The new definition cannot be faulted on logic. However, using it incautiously in corporate communications might convey an unhelpful message that no one can be trusted.

Much Better Processes

The administrative processes that underpin personnel security, especially in government, have a well-deserved reputation for being slow, tortuous and off-putting. A 2023 report by the National Audit Office (NAO) was highly critical of UK Security Vetting (UKSV), the body that conducts national security vetting checks for most government departments. Clearances and renewals take months, impeding the delivery of public services. The NAO highlighted ageing IT systems and failed transformation programmes as among the root causes of UKSV’s sustained poor performance.

The easiest way to speed up such processes in any organisation would be to cut corners, thereby reducing their effectiveness. Nonetheless, any temptation to boost performance by sacrificing effectiveness should be strenuously resisted, notwithstanding the pressure to reduce backlogs. The answer lies in better processes, not diluted processes. ‘Better’ should mean more effective (better at detecting insider risk) and more efficient (faster and slicker).

A further weakness with traditional vetting processes is their reliance on snapshot assessments conducted at intervals of several years. In national security vetting, for example, Cabinet Office policy stipulates that Security Clearance need only be formally reviewed after ten years, and even the highest level (Developed Vetting) can run for seven years. In practice, backlogs often extend those timelines even further.

Clearances also rely heavily on spot-checking official records. The results are only as good as the records that are checked: an absence of evidence (no adverse traces) does not constitute proof of the individual’s past good behaviour, let alone their future trustworthiness. Moreover, the results are only valid up to the date on which the checks were made. A lot can happen in the following years.

Personnel security processes could be greatly improved by utilising better technology to run continuous evaluations of trustworthiness throughout the lifetime of each individual’s employment. This is easier said than done and remains largely aspirational. Nonetheless, continuous evaluation should be a high-priority goal for any organisation that takes insider risk seriously. Better training of people would also help.

The Right Data

The types of data that are needed to detect and monitor insider activity do not sit in one place within an organisation, and certainly not all within the personnel security function. Rather, they are typically distributed among several functions such as HR, cyber security, internal investigations, audit, legal and so on. A relatively painless way of amalgamating these different data sources, without having to re-engineer the entire organisation, is by convening a cross-functional insider risk working group with a clear mandate.

A knottier problem is identifying the right data to analyse and making sense of the results. It is relatively easy (at least in principle) to spot unequivocally transgressive behaviour on digital systems, such as a user illicitly exfiltrating sensitive data. Automated technology tools can be quite effective at detecting clear breaches of rules. However, not all insider activity takes place online. Depending on the organisation’s business, many of its people may spend little time working on digital systems, and their offline behaviour is largely invisible to the detection software.

Fortunately, other good detectors are available, in the form of people. Colleagues and managers are often the best (or only) detectors of insider risk. To perform this role, they must know what is expected of them and have trusted channels through which to report their concerns.

Finally, we need more research into the origins of insider risk and the effectiveness of personnel security measures. Some customs and practices have a remarkably thin evidence base. This is especially problematic when attempting to identify the leading risk indicators of insider risk, in line with the principle that prevention is better than cure. Catching insiders in the act of doing harm is fine, but it is better to nip the problem in the bud by detecting its early warning signs and taking pre-emptive action. Unfortunately, there is a shortage of solid evidence about which behaviours are valid leading indicators of insider risk. Some guides to personnel security present long lists of supposed behavioural risk indicators that appear to be based on little more than guesswork. Without more research, we will continue to have plenty of data, but not enough of the right data.

© RUSI, 2025.

The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.

WRITTEN BY

Dr Paul Martin CBE

Distinguished Fellow
