In October – November 2025, I was invited to speak to groups on matters relating to Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act). I presented to representatives of the Australian superannuation industry, the Victorian transport industry sector, a cyber security conference, a critical infrastructure sector national conference, and a Department of Premier and Cabinet. For all but one of these presentations, the request was for me to address the topic of insider threat. I often use the image above, a Pink Floyd album cover, to make a point about the ‘whole person’. One of the meanings attributed to this image is that people are often afraid to show their whole self at work for fear of getting burned. That ‘whole person’ idea is relevant to personnel security, especially to understanding the insider threat.
Having worked in the SOCI Act domain since 2022, the topic of insider threat has emerged, for me, as the most vexing risk mitigation for SOCI entities. Whilst the terms ‘insider threat’ and ‘insider threat program’ do not appear in the SOCI legislation, the requirement to manage the security-relevant behaviours and performance of people in the workplace – employees, contractors, suppliers, volunteers, consultants – means that any of these people fit the definition of insider threat and so an insider threat program is the appropriate tool for mitigation. For over 40 years, beginning in the 1980s, I worked in an array of organisations where managing insider threat was part of the day to day, was ingrained in the workforce, but managing the risk of insider threat is not the norm for the vast array of SOCI entities.
When I talk about insider threat, I am often confronted with a wall of dismay and rejection. There are cries of “are you saying our people are threats” or “the unions will never accept it” or “using the term insider threat will alienate our people”. When exploring the personnel security threats of foreign interference and espionage, activities that an insider threat program would seek to identify, a normal retort is that any approach to people based on country of origin or race would be racist and so simply unthinkable. And even if an approach was made, then it is likely the person approached would take offence, take personal leave, and sue the enterprise. I find in these discussions that many people are not able to conceive of, or willing to consider, the counterpoint – the consequences and harms that may accrue from unchecked insider threat activity.
Australia’s society and workplaces are now prone to people asserting their individual ‘rights’ – real or imagined. People are encouraged to determine their own ‘facts’, as distinct from understanding empirical facts. People seem less likely to be held to account – to take responsibility or bear consequences for their actions, instead blaming others.
We have lost sight of the growing threats, and likely consequences, that are attacking Australia today. Those threats encompass hostile foreign governments and their intelligence services, organised crime, issue-motivated groups, terrorists, self-centred individuals living their lives through the lens of victimhood. All of these are opposed to Australia’s national interest, seeking to tear down Australia’s society and economy, seeking to harm people. All the while these threat actors are chipping away at Australia, every day. Over the last few years, the Australian Security Intelligence Organisation (ASIO) and other credible sources have made clear these threats are not theoretical – they exist. Australia has seen these threats cause harm. So, if the threat is real, how realistic is Australia’s effort to protect itself by deterring, detecting, and thwarting threats to its people and national interest?
In terms of personnel security, as expressed in the mitigation of insider threat, all the cries that such a program is inimical to a person’s ‘rights’ are a canard, a deception, a ‘look over here’ distraction aimed to thwart legitimate and necessary security investigation and mitigate risk. All nation states attacking Australia will play the ‘race card’ to deflect their hostile activities knowing that Australian society, and much of its polity, is susceptible to such race-based distractions.
It is impossible to disassociate a person’s workplace behaviour from the security of the entity that employs them. It is commonplace and expected that employees and contractors are penalised, even sacked, if they have committed fraud, bullied, made unwanted sexual advances, engage in racist behaviour. So, we do act against people who engage in aberrant workplace behaviour. People’s behaviour reflects the ‘whole person’ operating in the workplace.
And so it is with security, especially with an insider threat program. We are examining the ‘whole person’ in the pre-employment screening, employment, and post-employment phases of the employment cycle. In looking at the ‘whole person’ we are identifying all their features which could be relevant to security. That examination is objective, seeking to identify the unique set of empirical facts and predispositions that the person brings. Security examination is not judgemental about issues such as race, ethnicity, sexual identity, financial circumstances, political affiliations, and so forth; however, each needs to be considered in terms of the risk these features of the ‘whole person’ could pose in the workplace.
I see the ultimate objective of personnel security as to grow and nourish a trusted workforce. The employer makes clear the behaviour that is expected and behaviour that is not acceptable. The people in that workforce will be trusted with access to the entity’s assets to undertake the tasks they were employed to do. However, this trusted access also enables people to damage, degrade, or steal those assets: to cause harm. Where is the balance between an individual’s ‘rights’ and the ‘rights’ of the employer, the rights of workplace colleagues, of customers, of stakeholders, and the Australian society which all can be harmed by a trusted insider becoming an insider threat?
For example, in the case of people of Chinese ethnicity, even if their family has lived in Australia for decades, we know that the Chinese Communist Party (CCP) is hostile to Australia, that it undertakes espionage against Australia and its allies, that it has positioned to degrade or sabotage critical infrastructure at a time of its choosing, that it conducts cyber-attacks against Australia, it undertakes foreign interference, and that Chinese law obliges Chinese companies and the global Chinese diaspora to meet the CCP’s intelligence demands and may coerce people to do so.
From a security perspective, it would be remiss not to take into account the ‘whole person’ when assessing a person of Chinese ethnicity. To say this approach is racist – defined as showing prejudice, discrimination against, or antagonism – towards the person is a deception, a canard. If the person has nothing to hide then, if they want the job, they will agree to participate in the security assessment process and not engage in faux offence. Also, by engaging a person of Chinese ethnicity, you are alerting them to the risk of coercion they may face – the insider threat program equips them to be alert to such a threat to them and gives them a path to seeking assistance if they are approached.
There are many communities in Australia that may be subject to foreign interference – to coercion from agents of an adversary state to cause harm to Australian people and entities. The Chinese community is the most obvious and prevalent, but people with heritage and cultural affiliations from other countries also need to be assessed, assisted, and protected.
When I am asked if an insider threat program is legal, invades people’s privacy, is racist, or discriminatory in any way, I offer the following response. An effective and appropriate insider threat program looks at the ‘whole person’ – every person is treated within the same framework to explore the unique features that they bring to the assessment. An insider threat program should be the most egalitarian process a person endures in the workplace setting – it is not based on subjective assessed merit, it is not influenced by DEI quotas, or set with any bias. It identifies the empirical facts, explores how the person presents these, tells their story, and indicates the ‘whole person’ they are likely to bring into the workplace. That is the person the entity must decide that it will choose to trust.
The key concept here is ‘trust but verify’. All your stakeholders are trusting that you, through an insider threat program, will come to understand a person in the workplace so that all stakeholders’ individual and collective rights are best served and the risk of harm is minimised through understanding employee and contractor behaviour.
The author of this article, Timothy Slattery, served in Australia’s army, intelligence and national security community for 37 years. Tim has operational and policy experience across defence, intelligence, law enforcement and protective security domains, including with Five Eyes partners. Tim retired from Australian federal government service in 2019, joining the consulting community in 2020 with focus on insider threat and broader personnel security issues across government, critical infrastructure and private sector clients. In 2024, Tim co-founded Pentagram Advisory to better focus his efforts to promote understanding and mitigation of insider threats.
