1

A version of this article appeared in Homeland Security Today 11(4), 39-41 (June/July 2014),
http://www.nxtbook.com/nxtbooks/kmd/hst_20140607/#/40.


"#$ %&'()*+ ,-./ )0 1'2 34( 5&67()8$

Rogei u. }ohnston, Ph.B., CPP, Chiistophei N. Folk*, anu }on S. Wainei, Ph.B.
vulneiability Assessment Team
Aigonne National Laboiatoiy

9*8(42768)4*

Secuiity manageis, secuiity piactitioneis, anu oiganizations involveu in ciitical secuiity
applications often seem to have an iiiational feai of Non-0bjective, Non-Repiouucible, anu
Non-Quantitative (N0RQ) appioaches to analyzing secuiity. These N0RQ appioaches aie
subjective; uon't always piouuce consistent, pieuictable, oi iuentical iesults; anu can be
uifficult to measuie with metiics. While we woulu nevei aigue that 0RQ appioaches
(0bjective, Repiouucible, Quantitative) shoulu be abanuoneu, they simply aien't sufficient
alone foi pioviuing goou secuiity. Cieative, imaginative, pioactive analysis is also neeueu.

0RQ appioaches incluue such techniques as secuiity suiveys, secuiity auuits, thieat
assessments, the CARvER Nethou, the Belphi Nethou, anu EventFault Tiees. While these
piimaiily 0RQ techniques have meiit, they aie simply inauequate. They uo not usually
uncovei new secuiity vulneiabilities oi suggest counteimeasuies; get insiue the heaus of
the auveisaiies oi pieuict theii behavioi; oi ueal effectively with insiuei thieats, secuiity
cultuie, oiganizational behavioi, anu othei human factois that aie the key to effective
secuiity. In piactice, some of these techniques often confuse safety with secuiity, thieat
assessments with vulneiability assessments, compliance with secuiity, anu contiol with
secuiity. They often leau to ignoiing oi unuei-piotecting ceitain assets anu oiganizational
attiibutes. Ceitainly the supposeu iigoi, piecision, anu completeness often claimeu oi
implieu foi these 0RQ techniques aie illusionaiy. All this leaus to uefective secuiity.

The common iuea among secuiity manageis, engineeis, anu buieauciats that iisk
management foi secuiity can iely entiiely on 0RQ analysis is wiong. Effective iisk
management in any context has always iequiieu some uegiee of expeiience, subjective
juugment, synthesis, pieuiction, anu imagination.


:&38 ;0< .)+#8 1(')*

Scientific ieseaich has inuicateu that theie is a !"#$"#%& foi ceitain cognitive biain
functions to be suppoiteu moie stiongly on one hemispheie of the biain than the othei.
This is calleu biain lateialization. Typically (though theie is much vaiiability), the left
hemispheie is thought to be the majoi playei in language piocessing, mathematics,
_________________
* Cuiient auuiess: Bepaitment of Psychology, 0niveisity of Texas at Ailington

2
objective analysis, iule-following, anu logical ieasoning. The iight hemispheie is often
stiongei in attention, sounu piocessing, spatial manipulation, facial peiception, aitistic
ability, cieativity, intuition, piocessing of emotions, anu synthesis of iueas. In piactice, both
hemispheies aie heavily involveu in all majoi mental activity.

While populai psychology has gieatly exaggeiateu biain lateialization to the point of
uiscieuiting it, the concept still has some scientific valiuity if not oveistateu. Noie
impoitantly, it is useful metaphoi foi uiffeientiating between (so-calleu "left-biain
uominateu") thinking that is lineai, logical, objective, quantitative, anu ieuuctionist, anu
("iight biain uominateu") thinking that is imaginative, intuitive, anu holistic, anu also goou
at exploiting metaphoisanalogies, iuentifying connections between iueas, anu seeing "the
big pictuie".

In this aiticle, we ioughly equate N0RQ analysis with "iight biain uominateu" thinking,
anu 0RQ with "left biain uominateu" thinking.

In his 2uuS book, "A Whole New Ninu: Why Right-Biaineis Will Rule the Futuie", Baniel
B. Pink notes the ieluctance that many oiganizations anu "left biain uominateu" thinkeis
(foi example, engineeis) have in accepting iight-biain type thinking. (In oui expeiience
with many oiganizations anu secuiity piofessionals, "iiiational feai" might be a moie
accuiate teim than "ieluctance".) We ceitainly see a gieat ueal of iesistance to cieative
N0RQ analysis in physical secuiity anu nucleai safeguaius, especially foi ciitical
applications.

We believe one of the ieasons that vulneiability assessments (vAs), paiticulaily foi
physical secuiity anu nucleai safeguaius, aie often ignoieu oi glosseu ovei by secuiity
piofessionals, oiganizations, anu secuiity textbooks is that tiue vAs aie basically cieative
N0RQ exeicises in thinking like the bau guys. Wheieas assessing thieats (who might attack
with what iesouices), choosing what assets to piotect, anu ueciuing the secuiity iesouices
that will be fielueu can be hanuleuat least with some effectivenessusing 0RQ methous,
this is not tiue foi vAs

The common flaweu objections iaiseu about N0RQ secuiity appioaches typically fall into
these S categoiies:

Nyth 1: Ciitical secuiity applications aie too impoitant to be left to "flaky" cieative
analysis. Reality: Ciitical secuiity applications aie too impoitant #'! to utilize all the tools
available to us, especially poweiful (though aumitteuly unpieuictable) tools like N0RQ
analysis.

Nyth 2: Right biain thinking won't yielu the "iight" answei. Reality: Theie usually is no
one "iight" answei. Secuiity is a veiy uifficult optimization pioblem involving many
complex tiaue-offs anu value juugments, anu it usually has pioblematic metiics. Even if
theie weie one "iight" answei foi secuiity, theie is usually no way to piove it is the "iight"
answei. We neeu insteau to focus on getting a goou answei. N0RQ analysis can help us
with that.

S

Nyth S: Right biain thinking will leau to uisagieements anu contioveisies. Reality: That
is one of the stiengths of N0RQ secuiity analysis, not a weakness! Anything as impoitant
anu uifficult as secuiity, with all its complex tiaue-offs, human factois, anu value
juugments, ought to be contioveisial. Bisagieements help to claiify thinking. As ueneial
ueoige S. Patton saiu, "If eveiybouy is thinking alike, then nobouy is thinking."

Nyth 4: If I can't iepiouuce the iesults of oui secuiity analysis, they aie of no use.
Reality: Peihaps someuay we will unueistanu secuiity anu cieative analysis well enough
to be able to pioviue both effective (#$ iepiouucible iesults. In the meantime, it is
iiiesponsible not to take auvantage of N0RQ analysis (in conjunction with 0RQ analysis) to
help us impiove secuiity, even if N0RQ analysis is somewhat uneven anu unpieuictable.

Nyth S: All the vulneiabilities won't be founu with N0RQ analysis. Reality: 0RQ
techniques won't finu all the vulneiabilities, eithei, anu aie usually woise at it than N0RQ
methous. Noie to the point, it is not even possible to finu all the vulneiabilities foi a non-
tiivial secuiity uevice, system, oi piogiam, no mattei what techniques we use. Even if we
coulu somehow finu them all, it isn't geneially possible to piove that we have uone so.


=7((&*8 ,-./ >(4?@&A0

These myths often pievent N0RQ appioaches fiom being tiieu in the fiist place. When
N0RQ secuiity measuies ()" ueployeu, they aie often misleauingly uiesseu up to look like
0RQ techniques. They aie uone unuei the covei of semi-quantitative, pseuuo-scientific
nonsenselacking a soliu scientific basis, meaningful inuepenuent ieview, iigoious
analysis, anu effective metiics. The polygiaph is a classic example: a pseuuo-scientific,
semi-quantitative, sham-iigoi technique that a 2uu2 National Acauemy of Sciences stuuy
calleu a thieat to national secuiity. (See http:www.nap.euubooksuSu9u84S69html.)
Numeious spies, insiuei attackeis, anu muiueieis have successfully passeu polygiaphs,
often multiple times. Belief in the polygiaph as a measuie of *+!+)" behavioi is paiticulaily
uubious.

Anothei example of a questionable oi bauly executeu N0RQ technique baseu at least
paitially on sham-iigoi is behavioial scieening uone by Tianspoitation Secuiity
Auministiation (TSA) officials. Aftei spenuing ovei $1 billion to implement such
techniques at aiipoits, both the BBS Inspectoi ueneial anu the ueneial Accounting 0ffice
(uA0)in S sepaiate iepoitsslammeu behavioial scieening foi having no significant
scientific basis, failing to uetect a single teiioiist, anu lacking auequate tiaining, ciitical
analysis, anu meaningful metiics. Bespite these ciiticisms, the TSA has expanueu the
piogiam.

0ne of us (}ohnston) has attenueu multiple piesentations on behavioial obseivation
"case stuuies" at national anu inteinational secuiity confeiences. The piesentations
typically tuin out to be anecuotes anu "wai stoiies", not uiscussions about iigoious case
stuuies, analyses, oi metiics. The aigument that such iesults woulu be too sensitive to

4
uiscuss publicly, even if they existeu, is uisingenuous. The aigument that cops on the beat,
Isiaeli secuiity officials, anu otheis have long useu behavioial analysis (while tiue) is not a
justification foi implementing it in a haphazaiu, wasteful, amateuiish, pseuuo-scientific
mannei.

A thiiu example of a N0RQ technique with seiious pioblems is backgiounuintegiity
scieening of peisonnel. While secuiity cleaiances anu backgiounu checks have aiguably
offeieu impoitant secuiity benefits, they have consistently faileu to uetect spies anu insiuei
attackeis, incluuing Snowuen, Nanning, anu Ames. In a 2u1u papei in ,#*')-(!.'#
0')"#1.%1 (#$ 2"%+).!&, Pfleegei, et al. concluueu that "stuuies of espionage anu white collai
ciime have faileu to exhibit a coiielation between peisonal attiibutes anu malicious intent
to uo haim". Backgiounu checks aie often uiscusseu as if they weie a thoiough, foimalistic,
iigoious piocess, but in ieality they aie highly subjectiveanu coulu haiuly be otheiwise.

The common obsession with mental health in backgiounu checks seems especially
questionable, given that the vast majoiity of spies anu (non-violent) insiuei attackeis aie
not mentally ill. Nental health is moie appiopiiately a concein when pieventing
woikplace violence is the piimaiy concein.


=4*6@70)4*

Bottom line: We neeu to make moie use of N0RQ techniques foi planning anu analyzing
secuiity. We neeu to stop feaiing them. But when we uo ueploy N0RQ secuiity measuies,
they shoulu be caiefully stuuieu befoie ielying on them, oi spenuing massive sums of
money in ueploying them to the fielu. We also uon't neeu to pietenu that secuiity
measuies anu techniques that aie funuamentally N0RQ in natuie aie 0RQ.

Bespite theii iight-biain natuie, N0RQ secuiity measuies must still be implementeu in a
thoughtful, logical, iigoious, ieseaich-baseu mannei with plenty of inuepenuent, ciitical
ieviews anu meaningful evaluative metiics. "N0RQ" shoulu not mean the same thing as
"non-iigoious" oi "Secuiity Theatei".


B6C*4D@&2+A&*80

The views expiesseu in this aiticle aie those of the authois anu shoulu not necessaiily be
asciibeu to Aigonne National Laboiatoiy oi the 0niteu States Bepaitment of Eneigy.