People, Not Just Systems
The Security of Critical Infrastructure (SOCI) Act has reshaped the regulatory landscape, but many organisations still overlook the most human element of all: the Personnel Hazard. This article explains why people, culture and behavioural controls matter just as much as cyber and physical safeguards.
The Human Blind Spot in Australia's Critical Infrastructure Framework
Since the 2021-2022 amendments, the Security of Critical Infrastructure (SOCI) Act has reshaped the regulatory landscape, yet many organisations still overlook its most human element: the Personnel Hazard. Cyber uplift has received significant attention, but the obligation to manage insider-related risk remains the least understood and least operationalised hazard under the Rules. Yet it is the one hazard type that intersects with every other hazard class: cyber, physical, operational, supply chain and even natural hazards, where human error or negligence in the response turns an event into an outage.
Key takeaways
- Personnel hazards are broader than pre-employment vetting and background checks.
- The SOCI framework expects ongoing suitability, governance and escalation controls.
- Insider risk overlaps with cyber, physical, operational and supply chain risk.
- Culture, reporting pathways and behavioural monitoring matter as much as technology.
- Boards need visibility into personnel hazard maturity, not just policy compliance.
Understanding the SOCI Act's Human Dimension
Under Part 2A of the SOCI Act, the responsible entity for each asset to which Part 2A applies must adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP) that identifies and manages material risks from four hazard types:
- Personnel hazards
- Cyber and information security hazards
- Physical security and natural hazards
- Supply chain hazards
Most organisations gravitate to cyber controls because they are tangible and technology-driven, but the Personnel Hazard is broader and more nuanced than many initially realise. Personnel hazards include:
- Insider misuse or unauthorised access
- Negligence, complacency or human error
- Coercion, manipulation or exploitation of staff
- Compromised staff with divided loyalties or external pressures
Human behaviour can disrupt essential services as easily as a cyber-attack and, in many cases, it is the root cause of one.
The Overlooked Gap: Culture and Behaviour
Many organisations assume they can meet their personnel hazard obligations through background checks or pre-employment vetting alone. However, the CIRMP Rules (LIN 23/006), read together with the CISC guidance that accompanies them, expect much more than a point-in-time check:
- Ongoing suitability assessments for critical roles
- Mechanisms to identify and manage behavioural risks
- Governance and escalation pathways for insider threats
- Documentation of responses and decision-making
- Testing and continuous improvement
Pre-employment checks identify who you let in the door; they do not tell you what happens after they are inside. Insider risk is dynamic. People change. Circumstances shift. Financial stress, burnout, conflict, misconduct, privilege misuse and access creep typically emerge after hiring, not before. This is why a CIRMP needs to integrate culture, leadership, training, reporting pathways and behavioural monitoring, not merely a pre-employment check signed off at the point of hire.
Integrating the CPIR with CIRMP Obligations
In a previous article, we explored the Critical Pathway to Insider Risk (CPIR), a behavioural model showing how insider incidents evolve in predictable stages. Aligning the CPIR with CIRMP requirements gives organisations a practical, human-centred framework to fulfil their Personnel Hazard obligations. Below is a refined breakdown linking CPIR stages to CIRMP responses and examples.
Why This Matters: Complacency Creates Vulnerability
Critical infrastructure organisations face mounting pressure from:
- Heightened geopolitical tension
- Hybrid cyber-human threat actors
- Employee burnout and turnover
- Increased regulatory oversight
- Expanding attack surfaces through technology and outsourcing
Despite this, personnel hazard controls remain the least mature area of most CIRMPs. Common gaps include:
- No central owner for insider risk
- Siloed HR-Security-IT operations
- No behavioural escalation framework
- Minimal board-level visibility
- Lack of trusted reporting channels
- No cultural measurement or trust metrics
- Over-reliance on technology without human context
This gap is exactly where threat actors operate, whether through malicious insiders, staff who have been manipulated, or accidental harm caused by employees under pressure.
How Core Integrity Helps
Core Integrity bridges the gap between SOCI compliance and real-world behavioural risk management by helping organisations:
- Embed personnel hazard controls directly into the CIRMP
- Build cross-functional workflows between HR, Security, IT, Legal and Risk
- Train leaders to recognise behavioural indicators early
- Establish psychologically safe reporting pathways
- Implement case management and documentation frameworks aligned with CISC expectations
- Deliver board-ready reporting on personnel hazard maturity, incidents and controls
We turn regulatory requirements into practical, operational and cultural safeguards.
The Payoff: Moving Beyond Compliance to Culture
Organisations that treat personnel hazards as a cultural and behavioural issue, not just a compliance exercise, achieve:
- Stronger regulatory assurance
- Faster incident detection and more proportionate response
- Improved cross-functional visibility
- Greater workforce trust and safer reporting
- Reduced likelihood of insider misuse or data loss
- Better resilience across the entire organisation
When people feel supported, trusted and accountable, insider risk decreases and organisational integrity increases.
FAQ
What is the personnel hazard under SOCI?
The personnel hazard is the human risk category within the SOCI framework. It covers insider misuse, negligence, coercion, divided loyalties and other behaviour-related risks that can affect critical infrastructure.
Why are background checks not enough?
Background checks only show who you let in the door. They do not show what happens after someone is inside, which is why organisations also need ongoing suitability assessments, behavioural controls and escalation pathways.
How does CPIR help with CIRMP obligations?
CPIR gives organisations a practical behavioural model for understanding how insider incidents develop. When aligned with CIRMP, it helps leaders move from a narrow compliance focus to a more human-centred risk management approach.
What should a mature personnel hazard program include?
A mature program should include governance, reporting pathways, behavioural monitoring, documentation, cross-functional workflows and board-level visibility. It should also connect culture and leadership to practical controls.