Faced with possible threats — whether from disgruntled insiders with access to hazardous agents or from outsiders such as computer hackers or animal rights extremists — research institutions must develop security measures that do not compromise the creativity and risk-taking that is at the heart of a research environment.
That is the message of a new report on personnel security programs from AAAS, the FBI, the Association of American Universities, and the Association of Public Land-grant Universities.
"The key is to develop programs that focus on minimizing and effectively mitigating the threat without limiting creativity and unconventional thinking, or creating a risk-averse environment that might be detrimental to scientific advancement," the report says.
It highlights sound personnel security practices currently being used by institutions, discusses some gaps in existing programs, and lists 19 case studies describing real personnel security situations, including a Minnesota lab technician who gave co-workers pastries laced with Shigella bacteria and a New Hampshire radiology technician who intentionally infected more than 40 surgical patients with Hepatitis C. Both technicians received long prison terms.
The report grew out of a meeting last August at AAAS for research, policy, and security specialists, one of a series of such meetings sponsored by the FBI's Weapons of Mass Destruction Directorate. The meetings focus in particular on identifying and reducing security challenges involving biological research.
Each institution must carefully craft its security approaches to fit its own facilities and potential threats, the report says, and the concerns will vary in the defense sector, academia, and the corporate world. Institutions that conduct research with animals have been targeted by groups such as the Animal Liberation Front, for example, and institutions that do defense-related studies may need to increase staff awareness of those who might seek access to restricted materials or information.
Since the anthrax mailings in 2001, which killed five people, there has been considerable attention to beefing up biosecurity in both public and private sector institutions. In 2009, the National Science Advisory Board for Biosecurity (NSABB) published its recommendations on personnel reliability after more than two years of consultation with security experts. It concluded that strong institutional and laboratory management is essential for the development of a "culture of responsibility, integrity, trust, and effective biosecurity."
The 2012 revision of the U.S. Select Agents and Toxins Regulations required institutions to have personnel security programs for vetting and continuously monitoring personnel having or seeking access to thirteen pathogens and toxins classified as significant public safety and security risks.
Criminal background checks, fingerprinting, behavioral and psychological assessments, access restrictions to prevent inadvertent sharing of information or materials, and monitoring for alcohol or substance abuse are among the measures institutions can use to help evaluate whether new or existing employees should have access to potentially harmful biological materials or sensitive information.
Security procedures can vary according to the specific needs of an institution and existing legal boundaries, the new report says, but it adds: "In general, programs include suitability based on educational and work verification, competency, criminal background check, and medical evaluation. The medical evaluation may include a psychological assessment to determine whether the person might have criminal or otherwise harmful behavioral tendencies."
It also notes that "the incorporation of scientific responsibility — scientists who are ethically sound and conduct themselves in socially conscious manner — is arguably an important component of personnel suitability or reliability programs."
For example, it says scientists who accept money to republish scientific articles with joint affiliations or overstate their results to attract funding might be susceptible to individuals or groups who pay for information or laboratory materials. Also, though not a violation of integrity, "not informing relevant institutional officials about foreign collaborators might increase the risk that information, materials, or technologies could be inappropriately taken," according to the report.
A focus on scientific responsibility "has long been a part of personnel security programs in the defense sector," the report says, as has the use of behavioral and psychological evaluations. The report cautions that use of psychological assessments can be problematic, however. "Specific psychological disorders, with the exception of certain personality disorders, have not been definitively correlated with increased risk of a specific type of threat," it says. "With no scientific evidence, the characteristics with which to screen individuals are not known."
In the end, it says, "Personnel security programs need to reinforce mutual responsibility and a 'culture of caring' that promote a positive research environment." And the government must be willing to provide the resources needed to properly evaluate personnel and raise awareness about the potential consequences of security breaches.
"Without these resources, administrators and responsible officials struggle to identify the most relevant information on which to base their evaluations," the report says. "If not developed carefully, these programs could inadvertently cause a decrease in qualified and capable staff who can conduct research involving sensitive materials or research animals, or drive scientists to become security risks themselves."