Florin BUȘTIUC
Abstract
An individual may be authorised to have access to classified information taking into account
characteristics such as loyalty, trustworthiness and reliability. There are therefore criteria for assessing eligibility for a
personnel security clearance, which are introduced (mainly) as incompatibility elements in Government
Decision no. 585/2002 - The National Standards on the Protection of Classified Information in Romania, but
these are formulated in a way that suggests a synthetic approach, and there are no detailed and/or explained correlations
with those characteristics and with factors such as vulnerabilities, threats and risks. Thus, it is appropriate to study
the international acts and US experience in the field, in order to build a comprehensive vision of human behavior
from a security perspective.
Keywords: vulnerabilities, threats, risks, personnel security, eligibility, elements of incompatibility
[Figure: diagram with the labels INTEGRITY, loyalty, reliability, trustworthiness, honesty, correctness, discretion]
continued access to classified information without constituting an unacceptable risk to security
(C-M(2002)49, art.11)” [4];
- “The following paragraphs contain the principal criteria for assessing the loyalty,
trustworthiness and reliability of an individual in order for him to be granted and to retain a PSC.
These paragraphs consider aspects of character and circumstances which may give rise to potential
security concerns (Directive AC/35-D/2000-REV7 / 2013, art.7)”;
- “Personnel security clearance procedures shall be designed to determine whether an
individual, taking into account his loyalty, trustworthiness and reliability, may be authorised to
access EUCI (EU, art.7)”.
Moreover, a definition of security clearance emerges from the NATO approach: it is a
process by means of which loyalty, trustworthiness and reliability are identified and evaluated as
relevant behavioral/character indicators for the protection of information. By means of these traits
another condition was introduced, namely that the person may present an acceptable security risk
(the US practice reasons that it is reasonable to assume that there is no „perfect individual” from
the point of view of security requirements).
At this point, we consider it appropriate to clarify (and connect) the terms
vulnerability, threat and risk; we therefore selected the following definitions:
- vulnerability - “a weakness, an attribute, or lack of control that would allow or facilitate a
threat actuation against classified information or supporting services and resources”
(C-M(2002)49);
- threat - “The potential for compromise, loss or theft of classified information or supporting
services and resources. A threat may be defined by its source, motivation or result, it may be
deliberate or accidental, violent or surreptitious, external or internal” (C-M(2002)49); “The
intention and capability of an adversary to undertake actions that would be detrimental to the
interests of the U.S.” (https://fas.org/irp/dni/icd/ics-700-1.pdf);
- risk - “the likelihood of a vulnerability being successfully exploited by a threat, leading to a
compromise of confidentiality, integrity and/or availability and damage being sustained”
(C-M(2002)49); “The probability of loss from an attack, or adverse incident. It is a function of threat
(adversaries' capabilities, intentions and opportunities) and vulnerability... Risk may be quantified
and expressed in terms such as cost in loss of life, dollars, resources, programmatic impact, etc”
(ICS 700-1/2008).
Thus, starting from these core meanings, in relation to the field of protection of
personnel we propose the following conceptualisations:
Vulnerabilities – these are negative subjective psychological and behavioral characteristics, on
the basis of which a person was/is/can be induced to get involved in
unauthorized/illegal/illegitimate acts of collecting, transmitting, destroying or altering information,
or can intentionally or unintentionally compromise information from the point of view of
confidentiality, integrity and/or availability [5].
“…Vulnerabilities are a concern because of the threat which is constantly posed to national
security by foreign nations and by dishonest citizens” (Department of Defense, 2000, p. 24).
[4] The idea that a person can be a security risk was also found in C-M(55)15(Final), where art. 14 stated: „Persons
who are considered to be security risks or those about whose loyalty or trustworthiness there is reasonable doubt, should be excluded
or removed from positions where they might endanger security”.
[5] According to Government Decision No. 585/2002, confidentiality means “to ensure access to classified information only based on
the security clearance, in compliance with the secrecy level of the information accessed and the permission resulted from the
enforcement of the need-to-know principle”; integrity derives from “interdiction to change - by deleting or adding - or to destroy
classified information without authorization”; availability is characterized by: “to ensure the conditions necessary to find and easily
use classified information, whenever necessary, with the strict observance of its confidentiality conditions and integrity”
Areas of potential vulnerability are: allegiance to the state, foreign influence, foreign
preference, sexual behavior, personal conduct, financial considerations, alcohol consumption, drug
involvement, psychological conditions, criminal conduct, handling protected information, outside
activities.
Threats – these are persons or entities (intelligence structures, organized crime groups,
terrorist groups etc.) which, through their intentions and capabilities (both current and future), reveal
the purpose of unauthorized/illegal/illegitimate access to classified information, and/or persons
who support such activities through actions/lack of actions, directly/indirectly,
intentionally/unintentionally. With regard to the person, threats appear in their relational
environment, situations and circumstances.
Risk – considering the idea that „the person is to represent an acceptable
security risk”, we define risk as the probability / potential consequence that, given
the existence of certain vulnerabilities and/or threats, the person may be involved in unauthorized /
illegal / illegitimate acts [6] of collecting, transmitting, destroying or altering information, or that the
person may compromise classified information through actions/lack of actions, directly / indirectly,
intentionally / unintentionally, thus causing damage to national security and defense
(implicitly to the institution in question). Risk relates to the following principle which governs
security clearance – „May one reasonably assume that vulnerabilities and current / previous threats
and the conditions through which they manifest / manifested will negatively influence the protection of
classified information?”
At this point we might say that vulnerabilities and threats relevant for security are integrated
in elements of incompatibility / evaluation criteria of eligibility, which in fact represent concrete
situations for judging whether a person is „an acceptable security risk” (Figure No. 2).
In our view, the act of evaluation does not involve a separate analysis to
establish whether there is integrity, vulnerabilities, threats, risks, elements of incompatibility.
The elements include vulnerabilities and / or threats which explain „the absence of integrity”, and the
fact that the evaluation concludes that there are elements of incompatibility implicitly means
that there are security risks involved. Evaluation is therefore ultimately reduced to establishing whether
the elements apply or do not apply, the use of all these concepts having in fact the purpose of
defining a general theoretical/conceptual framework of personnel security.
[6] As characteristics of specific activities such as espionage, fraud, theft, sabotage, facilitation of third party access, unauthorised
disclosure of sensitive information
[Figure: diagram with the labels ACCESS, INTEGRITY, vulnerabilities, threats, elements of incompatibility, acceptable security risk]
Conclusion
For personnel security, it is necessary to describe concepts such as vulnerability, threat and
risk, so that theoretical and practical tools characterized by an integrative vision are available to
specialists, with positive effects on understanding, interpreting and evaluating human acts and
behaviors from a security perspective. The incompatibility elements thus involve vulnerabilities,
threats and risks, and are logically developed from the primary requirements of security, namely the
existence of traits such as loyalty, trustworthiness and reliability (integrity); for this
reason we can consider them „the personality’s hard core” from the point of view of security.
Moreover, by referring to these, a logical possibility (as a „back-up” plan) can be
created: when in daily practice a new situation appears which is not described at all
by the incompatibility elements, one is able to take the pragmatic decision not to grant access to
classified information in order to protect (national) security.
Bibliography
6. William H. Henderson (2011). Security Clearance Manual. How to reduce the time it
takes to get your government clearance, California, Last Post Publishing
7. Department of Defense-USA (2000). Personnel Security Program. Lessons (material
owned by the author)
8. LAW no. 182 of 12th April 2002 on the protection of classified information,
http://www.orniss.ro/ro/legislatie_1.html, accessed: July 2016
9. GOVERNMENT DECISION no. 353/2002 on Norms on the Protection of NATO Classified
Information in Romania, available at http://www.orniss.ro/ro/legislatie_1.html,
accessed: July 2016
10. GOVERNMENT DECISION no. 585/2002 - The National Standards on the Protection of Classified
Information in Romania, available at http://www.orniss.ro/ro/legislatie_1.html,
accessed: July 2016
11. Official Journal of the European Union L 274/1 of 15.10.2013 - DECISIONS COUNCIL
DECISION of 23 September 2013 on the security rules for protecting EU classified
information (2013/488/EU),
http://www.consilium.europa.eu/en/general-secretariat/corporate-policies/classified-information/,
accessed: August 2016
12. C-M(55)15(Final) - SECURITY WITHIN THE NORTH ATLANTIC TREATY ORGANIZATION
(NATO), 1955,
https://www.utanrikisraduneyti.is/media/Varnarmal/Security_Regulations_-_C-M_55_15_Final.pdf.pdf,
accessed: May 2016
13. DOCUMENT C-M(2002)49 SECURITY WITHIN THE NORTH ATLANTIC TREATY
ORGANIZATION (NATO), 2002, http://cryptome.org/nato-cm2002-49.htm, accessed:
April 2016
14. AC/35-D/2000-REV7-DIRECTIVE on PERSONNEL SECURITY (7 January 2013),
http://www.jftc.nato.int/images/stories/PDFs/AC-35-D-2000-REV7%20Directive%20on%20Personal%20Security.pdf,
accessed: April 2016
15. AAP-6 NATO Glossary of Terms and Definitions,
https://nso.nato.int/nso/zPublic/ap/aap6/AAP-6.pdf, accessed: April 2016
16. USA-Intelligence Community Policy Guidance Number 704.2, October 2008 - Personnel
Security Adjudicative Guidelines for Determining Eligibility for Access to Sensitive
Compartmented Information and Other Controlled Access Program Information,
https://fas.org/irp/dni/icd/icpg704-2.pdf, accessed: April 2016
17. USA-Intelligence Community Standard number 700-1/2008. Glossary of Security
Terms, Definitions, and Acronyms, https://fas.org/irp/dni/icd/ics-700-1.pdf, accessed:
July 2016
18. Adjudicative Desk Reference (editions 1999, 2014),
http://www.dhra.mil/perserec/products.html, accessed: July 2016
19. http://www.oxforddictionaries.com/definition/english/integrity, accessed: July 2016