to become spies. A secondary goal is to reduce the damage from information leaks following security violations. Personnel programs might be evaluated against a variety of criteria, including the number of undetected spies working in the agency and the potential damage each could do, the financial costs of the program itself, and the costs to individuals and society of careers interrupted or changed because of false positive test results. We note that, currently, postemployment polygraph screening often involves periodic testing at known intervals, a policy that is likely to be less effective than aperiodic testing at unanticipated intervals.

Policy analysis must consider some set of alternatives for dealing with the problem. One might consider three alternative programs: periodic screening that includes a polygraph test like the Test for Espionage and Sabotage (TES); no security screening or a lower cost interrogation without the polygraph; and an intense screening with replacements or supplements for the polygraph, such as more pencil-and-paper testing or more extensive background investigation of finances and activities. Any final assessment would have to define the programs precisely, including major differences that distinguish different programs.

Formal policy analysis would then predict the consequences of each alternative policy, perhaps by mathematical modeling, using parameters that represent the key factors affecting results. Different parts of the analysis might use different kinds of models. Game theory might be useful for modeling deterrent effects and the use of countermeasures, while standard statistical models might be used for estimating the number of spies caught in the next year. The analysis would set a time horizon within which effects will be counted and specify how long the programs are assumed to be in place. The effects of detecting spies would be immediate, but deterrece might have longer range effects. We first discuss three key parameters and then explain how the modeling might be performed. For simplicity, we consider only the goal of limiting the damage from espionage. (The analysis for other security violations is quite similar.)

The first parameter is p(a), the probability of a spy operating under screening policy a. If a is a tough screening policy that makes spying less attractive, p(a) would be lower than the probability given no rescreening. A second parameter is C(a), the annual costs of screening program a, which would normally be modeled as the sum of fixed costs, F(a), and a per-screen variable cost, V(a): C(a) = F(a) + N(a)V(a), with N(a) representing the number of employees screened under policy a per year. (Other, more subjective, costs are considered later as part of the evaluation of consequences.)

With tests that perfectly discriminate spies from others, the mathematics of prediction is simple and implies that one should only use the