patrick.net

Vetting Against the Odds
Security Weekly JUNE 23, 2016 | 08:00 GMT Print Text Size

Without proper expert interpretation and follow-up, even rigorous screening methods such as psychometric tests and polygraphs can fail to give employers an accurate picture of a prospective or current employee's character and trustworthiness. (DIMA KOROTAYEV/Epsilon/Getty Images)
By Mike Parks

For law enforcement officials and the public at large, the investigation of Omar Mateen, the gunman behind the June 12 mass shooting in Orlando, has raised as many questions as it has answered. What were his motivations? What was the state of his mental health? How did it happen that the FBI, which twice investigated Mateen, did not have him under active surveillance at the time of the attack? And why was he still employed in good standing as an armed security officer with GS4, the world's largest security services provider?

The answer to this last question, at least, has already surfaced. By GS4's own account, Mateen underwent a pre-employment screening in 2007, including criminal background checks, credit checks and, according to one report, a psychometric test. The company reinvestigated Mateen for cause in 2013, around the same time that the FBI was looking into pro-jihadist statements he had made to a co-worker. Neither investigation revealed anything of concern for the company. If Mateen could pass through a relatively rigorous screening process, how can other companies ensure that they have adequately vetted their employees?

A Brief History of Modern Security Vetting

Security vetting in its modern form is a fairly recent development. Before World War II, no formal, structured process governed vettings, which relied instead on personal recommendations and, often, blind faith. But the war, and the associated risk of espionage, spurred a series of laws and presidential orders formalizing an information classification system and establishing standards of loyalty and character for prospective government employees. As the Cold War set in, vetting became increasingly robust. Even so, the process was focused primarily on weeding out candidates who might be amenable to approach by hostile intelligence services. Character, mental stability and sound judgment were secondary concerns, considered only insofar as they might make a person vulnerable to blackmail. That determination depended on the social values and mores of the day. Sexual orientation, adultery and membership in certain organizations were all potential disqualifiers at one time.

As societal norms changed, so did vetting standards. The U.S. government now repeats screenings of its employees at least every five years — more often if they work in intelligence agencies or raise suspicions. In May, the government widened the scope of its investigations to include current or prospective employees' social media activity.

Outside the federal government, however, employers have lagged in their screening procedures. In fact, even for high-level or security positions, most employee vetting in the private sector consists of a single, pre-employment records check. Meanwhile, globalization and advances in technology have made trade secrets more vulnerable than ever to espionage, and the threat of workplace violence — such as the San Bernardino attack — has grown. That danger will become only more substantial as terrorist groups at home and abroad continue to encourage attacks on soft targets.

An Imperfect System

Regardless of their differences, security-screening procedures in the public and private sectors alike fall far short of foolproof. Both processes suffer from an overreliance on three principles that, though not entirely misguided, are also not universally true.

First fallacy: The official record is complete and reliable.

Although examining criminal and other records is essential to assessing a person's trustworthiness, it is only one part of effective security vetting. In the absence of documented evidence that a candidate has broken laws or exhibited other unacceptable behaviors, employers too often assume that he or she can be trusted. But many people flout laws and ethical standards throughout their lives without detection. For instance, skilled criminals using computers can pursue a life of crime without leaving an easily followed trail. Moreover, in many countries, official records may be incomplete, inaccurate or missing entirely, posing a special challenge to multinational companies vetting local employees. When considering candidates for initial appointment to sensitive positions, vetting must go much further and deeper than the official written record.

Second fallacy: Past history is an accurate predictor of future behavior.

Security vetting has always relied on the idea that a person who has exhibited good character traits and has never run afoul of the law will stick to the straight and narrow going forward. But people change, and so do their circumstances. Mental illness, traumatic life events, deep debt, addiction and even career disappointments can change a person's character and behavior in unpredictable ways. Besides, there's a first time for every criminal. Even if an employee passes a rigorous security screening prior to hire, he or she could become dangerous.

Third fallacy: Experienced investigators are reliable judges of character and know when someone is lying.

Too often, even experienced investigators can fall short when it comes to judging a person's character. A psychopath subject to even the most robust security protocols can fly under the radar for decades. When speaking from sincere belief or pathological delusion, people can fool interviewers and, indeed, themselves. Years ago, I sat in on a polygraph in the Middle East conducted by a widely respected U.S. government professional who was attempting to verify threat information volunteered by a walk-in informant. Although we had good reason to doubt the informant's story, the detail and specificity of the supposed threats and the importance of the alleged targets prompted the government to take the extra precaution of performing a voluntary polygraph. For more than an hour, the polygrapher took the informant through every detail of his complicated story, and at no point did the machine indicate deception. Finally, the polygrapher turned it off and explained to the informant how important it was that he reveal his source, something he had refused to do throughout the process. The informant lowered his head and paused for a long moment, then looked the polygrapher in the eye and said, "The Prophet Mohammed told me these things." When the polygrapher turned the machine back on to verify this response, it once again registered no deception.

Tools of the Trade

With few exceptions, private employers are prohibited from subjecting candidates or employees to polygraph tests. But most polygraphers agree that the most valuable part of the test happens during the initial interview, before the polygraph machine is even turned on. A face-to-face interview by a psychologist or psychiatrist who specializes in employee vetting is likely just as effective as a polygraph, if not more so. Much like polygraphs, which indicate only whether a subject is uncomfortable with a question, psychometric tests require human interpretation to be of any value. Many believe that the Minnesota Multiphasic Personality Inventory (MMPI), a test widely used in candidate vetting, is sensitive to attempts at deception. But a brief online search turns up various tutorials on how to "beat" the test. Furthermore, people with the very personality types that such tests are designed to screen against are also those most likely to try, and succeed, to game the system. Without expert interpretation and follow-up interviews, psychometric tests are insufficient for evaluating a potential employee. In Mateen's case, this was apparently overlooked: The psychologist whose name appeared on the form as Mateen's MMPI administrator has denied any involvement in his vetting process.

Security vetting for employees in sensitive positions is more than a means to provide bureaucratic cover for employment decisions; it is an important part of protective intelligence for any institution. An effective screening investigation should be comprehensive, including human sources beyond a candidate's provided references, social media activity, face-to-face interviews by a trained psychologist and routine — ideally, randomly spaced — security updates. Ultimately, however, employers must remember that the best intelligence in the world is useless unless it is acted upon.

Send us your thoughts on this report.
Share