Cyber-profiling: Benefits and Pitfalls

Mar 08, 2009 | 5 mins
Business Continuity, Data and Information Security, IT Leadership

Vetting employees via traditional background checks is a good practice for minimizing insider risk.  It prevents unknowingly hiring a convicted–or soon to be convicted–cybercriminal, like Mahalo did when they employed John Kenneth Schiefer.  However, non-traditional vetting practices are emerging, which take advantage of the increasing number of job candidates building Internet personas.  These practices are collectively called cyber-profiling or cyber-vetting.  Growing along with cyber-profiling is a change in how organizations vet employees, with both positive business and potentially negative social consequences.

What is cyber-profiling?

Today’s workers spend a great deal of time on the Internet, visiting and contributing to social networking sites.  Facebook, Twitter, MySpace, LinkedIn, and many other services allow people to communicate with others, while recording information a potential employer can use to assess character, cultural fit and other attitudes and characteristics.  Organizations use content on social network sites to understand whether a job candidate may present a risk to the business if hired.  Examples include:

  • The candidate harbors potentially inflammatory views about race, religion, or other sensitive social domains.  For example, an employer in the United Kingdom opted not to interview a man because he “…declared in his [MySpace] personal profile that he was against religion and anyone who believed in it” (Berkelaar, p. 9). 
  • The candidate participates in off-work activities which might cause embarrassment for the organization.
  • The candidate’s views on one or more topics indicate he or she would not be a good “cultural” fit for the organization or for the team supervised by the hiring manager.
  • The candidate’s participation in activist or political action groups might pose a threat because the business is involved in activities which conflict with the agendas of those groups.
  • Discussions about the candidate might cause doubt about his or her character in general.

The number of organizations using social networks for employee screening varies by country.  Research indicates 20 percent of organizations in the United Kingdom use cyber-profiling with up to 77 percent cyber-profiling in the United States (Berkelaar, p. 8).


Vetting is an important part of ensuring employees handling sensitive information or managing critical systems present as low a risk to the business as is reasonable and appropriate.  It is also important in today’s world of Internet business assessments, by both the informed and the uninformed, that each employee reflects the values of an organization, whether acting on behalf of the business or during personal time.  Further, with insiders responsible for 70 to 80 percent of all organization security incidents, an organization should do everything it can to hire only those individuals it believes trustworthy.  However, traditional background checks are often not enough.

A background check provides information about a candidate’s involvement in criminal investigations, civil action, or financial problems.  What it doesn’t report about a candidate, especially one who has a clean history, is information about his or her general character and behavior.  According to Berkelaar,

Cyber-vetting presumably enables organizations to look for red flags indicating potential incompatibility with the organization or position.  As a result, organizations ostensibly can screen applicants more comprehensively before an interview is even scheduled, saving time and money (p. 3-4).

Something as simple as a Google search can provide pages of information about individuals active on the Web or who associate with friends who are.


Trying to understand a person’s character by looking at his or her online persona is not without issues.  For example, many social networkers create digital identities which are completely different from their actual personality or belief system.  The reasons for this are many, including trying to fit in with a group or simple experimentation.  However, most employers believe there is no separation between the “real” person and the digital one.

Most employers were not convinced that prospective employees “could make a clean break between their Facebook personas and professional comportment” (Brock, 2007) suggesting employers are evaluating potential employees using a traditional Western perception of a singular, unified identity (Eisenberg, 2001) (Berkelaar, p. 4).

This means employers tend to use whatever they find on the Internet about a person, whether or not the information has been vetted, and whether or not the intent or agenda of the person posting it is known and evaluated.  Such oversights can result in passing over perfectly suitable prospects during the hiring process, and unfairly tagging a person as “unfit.”

The final word

There is a place for cyber-profiling in the hiring process.  However, I believe it is only one color in the palette when painting a picture of a candidate as an employee.  Without other colors, the resulting portrait falls far short of reflecting reality. 

Unless social network searches turn up clear issues not open to interpretation, hiring managers should use cyber-profiling to craft candidate-specific interview questions.  This approach can still save time by screening questionable prospects via telephone.  It also provides an opportunity for a candidate to explain what the manager found or to clarify that he or she is not the person associated with problematic information during the Internet search.  After all, how many John Smiths or Amy Browns are there in the United States?

Works Cited

Berkelaar, B. L. (2008-05-22). “Cyber-vetting (Potential) Employees: An Emerging Area of Study for Organizational Communication.” Paper presented at the annual meeting of the International Communication Association, TBA, Montreal, Quebec, Canada. Accessed online 2009-03-08.


Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for TechRepublic and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.