Scenario 3 - Insider threats and research theft

Disclaimer: This scenario does not cover all risks and best practices. This case study represents a certain scenario for general application of research security principles and can be used as a resource for training, exercises, presentations, etc. The names, events and other details of this scenario are created for educational purposes and do not represent any particular event.

Fictional scenario

  • Dipna, a Canadian researcher, is mandated to sponsor three PhD students at her Canadian post-secondary institution.
  • In order to facilitate the work schedule of the students, she grants them 24/7 access to the research building and the lab. In order to keep track of the work done and manage information, Dipna implemented a sign-in system for the lab.
  • Dipna returned to work late one evening and noticed a student in the lab using a lab computer to access research data and notes that were not relevant to the work they were involved in. The information had been left unsecured by another team member. Dipna did not directly engage the student in the moment, believing they may have had a legitimate reason to access the files, and not desiring an unnecessary confrontation.
  • Dipna later decided to report the activity, but when checking the lab computer and sign-in sheet, she could not find any evidence of access at that time other than what she saw.

Risks in this scenario

Risky practice: Allowing unrestricted access to a research building and sensitive data

Possible consequences:
  • Unlimited access to a lab or research building opens a research project to unnecessary risks, particularly at night or other odd times of the day when a lab may be unmonitored.
  • The installation of unauthorized/back-end software or the installation of physical data-stealing devices could compromise the integrity of a lab and research institution.
  • Possible forfeiture of economic, personal or commercial gains achieved by a research project through data theft.
  • If confidential information from a third party was involved, the entire collaboration or funding agreement could be in jeopardy.
  • If the data was supplied by an industry partner under an agreement, then the theft of important data may result in consequences per the agreement.

Risky practice: Not challenging someone breaching security processes or restricting security after unauthorized access or suspicious activity

Possible consequences:
  • The student may be operating in good faith and consulting documents for legitimate purposes but should be informed of the appropriate processes for accessing data outside of their area of research.
  • If it becomes public knowledge that sensitive information was misappropriated by the student, the institution could face a crisis of confidence with its stakeholders, including private sector firms and other collaborators.
  • If information that was classified or related to controlled goods was compromised, the institution could face compliance measures by the Government of Canada.
  • The student could be an insider motivated to gain data or knowledge for other purposes, including for personal or commercial benefit, or for the benefit of a foreign government, military or state actor that could pose a risk to national security. By going unchallenged, the individual may become emboldened to continue their activities.
  • Without being confronted when they are discovered, an insider may be able to cover their activities and make it much more difficult to officially suspect them of any wrongdoing or investigate their activities.
  • Theft of research or data could lead to it being reproduced and prevent the researcher from publishing or benefitting from their work. It may also violate funding agreements or requirements.

Risk mitigation

Best practices checklist – Researchers

When recruiting students or staff to a research project:

  • DO thoroughly assess the background of potential additions to your research team, including a review of their current affiliations.
  • DO create and maintain a record keeping system for access to your lab or research building such as a sign-in log.
  • DO inform the research team of the typical hours of operation and ask members to inform others if they plan to work outside of these hours. Team members should be briefed on all restrictions and requirements related to the research project and their related work products. An oversight framework, including a process for the identification of potential breaches, is recommended.
  • DO record the time and involved parties in any suspicious activity. Hold open conversations and deal with issues as soon as possible. If it is a serious concern, alert the relevant institution officials.
  • DON’T allow unrestricted access to research spaces, sensitive data and equipment.
  • DON’T leave sensitive information or materials out where they can be accessed by anyone with access to the space. Digital files should be encrypted, password-protected and accessible only to those with clearance. Physical items should be kept in a secure storage medium such as a locked cabinet or sample freezer, or even a secure office.
  • DON’T escalate a situation or accuse someone suspected of suspicious activity. The research team member may be operating in good faith and consulting documents of a colleague to legitimately inform the team's research when the other individual was unreachable. The member may also be an agent of a foreign state under duress to comply or otherwise be coerced. If suspicious activity is noted, remove clearance and access of the person from the lab and notify the relevant security services.

Best practices checklist – Post-secondary institutions

  • DO provide guidance and resources on physical security for researchers. Keep campus security services updated on trends or buildings that are at a higher risk of security breaches.
  • DO assess and proactively deal with possible security breaches or information theft. Quickly responding to possible breaches provides the best opportunity to find evidence and conduct an investigation.

Additional resources