Documente Academic
Documente Profesional
Documente Cultură
Introduction
Ever since the September 11 attacks on New York, and the attacks on the USS Cole
and the Limburg tanker, international organisations such as the International
Maritime Organisation (IMO) and the European Commission (EC) have been greatly
concerned with supply chain security and issued several items of legislation to
enhance security (e.g. IMO, 2003; EC, 2005).
This paper reports on the latest initiative by the EC to increase security at European
ports even further. It will be shown how the project undertook the development of a
comprehensive model that analyses risks, evaluates the effectiveness of risk control
measures and helps provide guidance to users on how to improve port security.
Following an explanation of the core concepts of this model, a description of the
project methodology is given and a description of how the initial draft of the model
was arrived at.
The interim results are presented afterwards, showing how Risk was calculated for
different threats and presenting aspects of the model that go beyond traditional risk
modelling. A discussion of the results follows.
Background
The “Security UPgrade for PORTs” (SUPPORT; SEC-2009-3.2.1-242112) Project is
an EC-funded project which aims to raise the current level of port security across
European ports. The project intends to identify security measures that could on the
one hand satisfy evolving international regulations and standards while at the same
time efficiently supporting the complexity of the port environment by enhancing the
flow rate of goods and people through the port. In the context of the SUPPORT
project, safety and security are regarded as completely separate topics. SUPPORT
concerns itself with antagonistic threat actors, who intend to cause harm to a port‟s
assets, customers, its operations and reputation. Issues of safety (e.g. accident
management) are not considered.
The graphical representation of these factors provides audiences with a quick and
insightful understanding of a number of risks that may contribute to causing loss
events. It also highlights what controls have been put in place and what other
controls could be put into place in order to avoid such events from occurring. Figure 1
below describes an example of such a Bow-Tie diagram.
The above figure also shows how controls that reduce probability or impact of a risk
can be grouped into different categories, such as Technical or Managerial. This
provides a useful management tool that can highlight quickly where within the
security organisation investment or change is required, whether it‟s procedures,
technology or organisational policies.
Bow-Tie analysis can be used for both qualitative and quantitative risk assessments
in complex situations. Nordgård (2008) describes a case where Bow-Tie diagrams
were applied in the Energy industry to calculate residual risk levels for various
scenarios. Jacinto and Silva (2010) applied some quantitative techniques to enhance
their qualitative risk assessment to study accidents at a ship yard. We adopted a
similar approach (see “Methodology”), but combined it with qualitative data using
techniques from Enterprise Architecture to create a mixed qualitative/quantitative risk
assessment for European ports.
Enterprise Architecture
Enterprise Architecture (EA) is defined by Lankhorst (2009) as “a coherent whole of
principles, methods, and models that are used in the design and realisation of an
enterprise‟s organisational structure, business processes, information systems, and
infrastructure” (Lankhorst, 2009; p. 3). Schekkerman (2004) extends this definition by
stating that “EA…acts as a collaboration force between aspects of business
planning…business operations…organisation structures, processes…information
systems…and the enabling technological infrastructure of the business”
(Schekkerman, 2004; p. 13) and “provides a mechanism that enables communication
about the essential elements and functioning of the enterprise” (ibid., p. 14). It has
also been called “a blueprint of the organisation, which serves as a starting point for
analysis, design and decision making” (Steen et. al., 2004). According to Winter and
Fischer (2006), EA uses a mechanism of hierarchical layering to structure and
separate the various different data that can be used to describe an organisation.
As can be seen from this list, EA has the potential to allow organisations to change
and adapt much faster, more accurately and with less disruption than otherwise
possible. Brown (2004) refers to a case study which compared two public sector
organisations undertaking IT investment, with one following traditional development
methods, and the other utilising its deployed EA. Due to the available information in
the EA, the latter organisation spent just $3.5M in development, compared to the
former‟s spent of $42M. This discrepancy is explained through the fact that the EA
already contained a lot of information about how the new systems were meant to run,
existing infrastructure (incl. systems, code lines, data dictionaries and databases)
and the ability to use the EA to plan a future state. In other words, the more
expensive case had to undertake several phases of requirements analysis and
design where the EA provided the answer from its memory.
As Zachman (1997) has identified that “CEOs declare that the biggest challenge
facing the modern Enterprise is „change‟”, the possibilities and opportunities that EA
offers are very attractive for organisations.
Methodology
The research followed the Design Science methodology (e.g. Hevner et. al., 2004;
March and Smith, 1995), which is an iterative research methodology aimed at
inducing change in an organisation through the development and introduction of
artefacts which, according to March and Smith (1995), can be models, instantiations,
constructs and methods which must be capable of serving “human purposes” (March
and Smith, 1995). Being a Pragmatist research methodology (Cole et. al., 2005), the
quality and efficacy of the produced artefacts will be shown through their applicability
and appropriateness to the users‟ needs.
The project developed, using the Bow-Tie technique, a total of 21 Loss Events which
cover both crime and terrorism. These Loss Events were arrived at through three
focus groups meetings and a number of individual face-to-face reviews with a group
of highly experienced security experts, including a Port Facility Security Officer
(PFSO) of a large Passenger and Ferry Terminal, a former Port Security Officer with
over 30 years of experience, a PFSO for a Container Terminal and several currently
serving private security company experts who have extensive maritime/port security
experience. The focus groups were guided by a risk management consultant. With
the exception of two people, everyone at the focus group was ISO 28000 trained.
The aim of the focus groups was to build up a picture of what they considered
constituted a realistic depiction of current threats faced by modern European ports,
and to identify for a port with a theoretical unlimited security budget all available risk
control factors. In other words, this group of people built up a reference model of
threats, risks, consequences and risk control factors that could be considered as a
„state of the art‟ reference model against which other ports could measure their
performance.
Interim Results
The completed Bow-Tie diagrams were created in the EA modelling tool “MooD”1.
We implemented the standard Bow-Tie notation of placing threats and vulnerabilities
to the left of a central loss event, with preventive controls providing barriers to some
or all the threats (i.e. measures to reduce probability of that threat or vulnerability
being successfully exploited). Similarly, we placed consequences and consequence
controls (i.e. measures to reduce impact) to the right hand side of the central loss
event. Early on, we realised that it would be overly complicated to replicate
accurately the various consequences that different disparate events such as terrorist
attacks and petty thefts can have. We therefore decided to have six specific types of
consequences, with each having an impact factor of 0-5. The following table shows
what these consequences are and the impact factor for each.
1
http://www.tsorg.com/
Impact People Environment Asset Value Reputation Disruption of
(€ Million) Port
0 No health No effect Nil No Impact None
effect/
injury
1 Slight health Slight effect 0.01 – 0.1 Slight Impact Slight
effect/injury (rapid on-site clean- Disruption
up)
2 Minor health Minor effect (short 0.1 – 1 Limited Impact Some
effect/injury term Disruption,
within facility affecting
boundary) mainly
one terminal
3 Major health Localised effect (long 1 – 10 Considerable Considerable
effect/injury term within facility Impact Disruption,
boundary) affecting
Neighbouring
terminals
4 Single fatality Major effect/damage 10 – 100 Major national Major
or multiple long term or extensive impact disruption,
permanent affecting
injuries multiple
terminals and
waterways
5 Multiple Massive effect/ >100 Major Massive
fatalities damage international disruption,
long term and impact affecting entire
extensive port area
Table 1: Consequences and their Impact values
The one consequence not represented in that table is the “Follow-On Consequence”;
this object captures the fact that some Loss Events are merely precursor to other
types of Loss Events. Examples are a diversionary riot being created to hide other
criminal activity, or the theft of data that could result in further economic loss. The
Follow-On consequence obtains an Impact factor that is determined by the overall
risk value of the Loss Events it causes. We were able to identify several of these.
Each control factor was given a value between 0 (highly effective) and 1 (not
effective at all) and thus acted as a multiplier increasing or decreasing the probability
or impact of a threat or consequence. For each Loss Event, Probability and Impact
were assigned to Threats and Consequences respectively, a control factor was
assigned to each risk control measure using expert opinion, and the tool then
automatically calculated a Total Risk Value for a particular Loss Event. This was
achieved through a combination of expert input at the focus groups and the face-to-
face reviews, and a study of literature on similar events in the past.
The figure of Total Risk Value was later expanded to include a „minimum‟ and
„maximum‟ Total Risk Value, which represents a Worst-case, best case and most
likely scenario of a particular Loss Event occurring. The mathematical relationship
could therefore be expressed as the total Risk per Loss Event (R), consolidated
Threat Probability and Impact values (P,M), derived from all individual Threats (ti),
Consequences (ci) and Preventative and Consequence Control Factors (fi and gi)
associated with that loss event.
Figure 2: Bow Tie Diagram in MooD, showing variable definitions.
Three calculations for Total Risk were employed based on average (RA), minimum
(Rmin) and maximum (Rmax) weighted probability and impact values. The average risk
calculation derives a risk estimate that balances all threats and impacts. The
minimum and maximum calculations take best-case and worst-case views of risk
respectively; the minimum sets the total risk to the minimum weighted Threat
Probability and Impact values, while the maximum uses the maximum weighted
Threat Probability and Impact values. The precise calculations used are:
I ,J M ,N
i, j f i t j m, n g m c n
i 1, j 1
R A P, M
m 1, n 1
I ,J
, M ,N
i, j m, n
i 1 , j 1 m 1, n 1
where J is the total number of threats, N is the total number of Consequences, I and
M are the total number of preventative and consequence controls respectively. The
function (i,j) equal one where the threat/consequence and control are connected
and zero otherwise.
Together, these values RA, Rmin and Rmax give an indicative risk range.
The tool was thus able to quickly calculate a range of Risk Values for the Loss
Events identified by the expert focus group. The complete results for Loss Events are
captured in the following table:
Loss Event Best case Average case Worst case
Impa Probabilit Impa Probabilit Impa Probabilit
Label
ct y ct y ct y
Attack on hazardous goods
within 2,0 0,8 3,4 2,6 5,0 4,0
port area
Attack with car bomb 2,0 0,9 3,4 2,4 4,5 4,0
Availability of Port Data is
0,0 0,2 1,0 1,3 5,0 4,0
compromised
Blind Passengers get on
board 0,0 0,4 1,7 1,1 5,0 4,0
successfully
Bomb Threat against
Ship/Port 3,5 3,5 4,5 3,9 5,0 4,0
Facility
Co-ordinated bombing of port
0,9 1,2 2,5 2,4 4,5 4,0
infrastructure
Confidentiality of Port Data is
0,0 0,5 1,2 1,9 5,0 4,5
compromised
Contamination of cruise ship 0,8 1,2 2,2 2,5 4,5 5,0
Demonstrations leading to
Riots, 0,6 0,2 1,5 1,7 2,7 4,5
disrupt port activity
Direct Attack on Oil Terminal
0,9 0,8 2,2 1,8 4,5 4,5
and its Infrastructure
Dirty bomb attack 1,2 0,6 2,6 1,1 5,0 3,0
Disruption of Port Waterways
to 1,5 0,4 2,7 2,0 4,5 4,0
impede Port Operations
Drugs smuggled through port 0,0 0,9 0,6 1,9 3,0 3,5
External Electrical Power to
0,3 1,2 1,5 1,5 5,0 1,8
Port is Cut
Illegal Immigrants/Trafficked
Humans pass through the 0,0 1,2 2,3 2,8 4,0 4,0
port
Integrity of Port Data is
1,0 0,3 2,4 2,1 4,0 5,0
compromised
LNG/LPG carrier attacked in
2,0 0,0 3,1 1,3 4,5 3,2
port
Successful attempt at Arson 0,9 1,2 2,0 2,1 4,5 4,0
Theft of container with high
value 2,0 1,0 2,4 2,5 3,0 5,0
goods
Theft of low value goods from
0,9 1,2 1,3 2,5 2,0 4,5
port buildings and pax
Economic loss suffered due
2,5 1,2 3,3 2,1 4,5 5,0
to crime
Mean value 1,1 0,9 2,3 2,1 4,3 4,1
Table 2: Identified Loss Events and their various Risk Values
These results must be considered with the caveat that the Risk Values all represent a
hypothetical „Model Port‟, which combines features of all European Ports, and which
has a theoretical unlimited Security Budget.
This information will later help users identify what they need to do to implement a
control factor effectively, in what cost band that factor is likely to fall, who the
responsible actor is and at what ISPS security level this control should be
implemented.
At the time of writing, the developed model had not yet received the full scrutiny by
port stakeholders, as initial meetings were focused on more general topics of the
project as a whole. Nevertheless, some feedback from respondents had been
received already. Notable feedback included:
These meetings also kick-started discussions on the most effective „baseline‟ for risk
control factors to be implemented; whilst some larger ports favoured a formal
implementation of ISO 28000, smaller ports were concerned that such a system
might be cost prohibitive, especially as smaller ports noted that they are much more
concerned with economic rather than terrorist threats.
Discussion
Whilst the use of Bow-Tie diagrams is well established in literature, our particular
implementation is, as far as we can ascertain, fairly novel because we manage to not
only capture Risk information in a purely graphical manner, but we also capture a lot
of contextual information „behind‟ the model which gives more meaning to the
numbers involved. For instance, the „Best Practice‟ section for risk control factors
gives guidance that a PFSO could use to enhance a particular security factor at a
facility to a level of effectiveness more closer to what our panel of experts deem „best
practice‟. In other words, the output can be thought of as a dynamic and interactive
tool that can guide a user to identify the best aspects of security to invest in. We have
started undertaking such an analysis at an elementary level but it is too soon to be
able to report on the results yet. This is possible because the tool allows for dynamic
input of values into the model (for example, a user could log in and change the
probability, impact and control factor values in a particular loss event model and view
the results on the total risk value immediately). Therefore, this model can be used for
what-if scenario analysis and cost-benefit analysis.
Concerning the numbers within the model, especially those for control factor values
and Probability, these must be understood as theoretical ideals. They do not
represent any one specific port. This poses a particular problem for the types of
threats faced by ports. Not all ports are situated in a country that is understood to be
a target for political or religious extremists; not all attackers use the same tactics.
Also, no port has an unlimited security budget. In order to account for these important
differences between theory and practice, the developed model shall remain a
reference model only, a theoretical ideal that ports should strive for. The section on
“Future Research” will outline how the model will be perused further.
Attentive readers will have noticed that the maximum and minimum risk values for
worst and best case scenarios respectively are not based on a mathematical model
of probability, but merely on the calculation of multiplying probability or impact with
the best/worst risk control factor in a given Loss Event. The reason for this lies in the
fact that no accurate security statistics are available. Were accurate details available,
i.e. details of total flow of customers/goods, number of inspections, number of
incidents, estimated number of non-detection etc., then an accurate model could be
created that captures accurate risk control factor values and an accurate model for
calculating Rmax and Rmin. However, this information is not available and therefore
the numbers were based on expert opinion. This, in turn, makes it impossible to
develop a detailed model for best/worst case scenarios so a decision was made to
handle this aspect fairly simplistically for the time being until this reference model can
be refined. Furthermore, feedback from the initial stakeholder workshops shows that
businesses do not seem to understand the effect of the numerical value of these risk
control factors. It is very difficult to highlight to them how a split of 10% physical
search, 90% document search can be translated into a search effectiveness value of
0.2 for example (the stakeholders seemed to understand Impact and Probability,
though). This is particularly relevant because the effectiveness of the risk control
factors are what truly determines the overall risk control factor values, so further
research needs to focus on refining these control values using more empirical
means.
It is interested to note that when one looks at Table 2 and the risk values calculated
for the various Loss Events, then it becomes apparent that the total Risk Values
(regardless of whether the best/worst/average cases are being considered) are not
that different from each other. In other words, there is very little spread between the
Loss Event with the lowest and highest risk values. This is exacerbated when one
considered a graphical representation of the data spread as per the following figure:
3
Disruption of port waterways
Dirty bomb attack
Impact
0
0 1 2 3 4 5
Probability index
As can be seen, the Loss Events are clustered together in one big homogenous
group. A similar picture is seen for the best and worst case Risk Values. A traditional
Risk Assessment would have anticipated seeing a roughly linear line from the bottom
left to the top right corner of the Figure, showing a comprehensive set of Risks.
However, Figure 6 shows the results expected by the project – the project considers
itself with those risks that European ports should be particularly concerned about,
and not necessarily well prepared for. Therefore, the expert focus groups (and the
initial feedback from stakeholders) have managed to capture a number of Risks that
are similar and don‟t vary much between each other, which is the expected outcome
if one were to investigate the most pressing security issues in individual facilities for
example. Figure 6 thus validates the project‟s approach by showing that the identified
Loss Events are roughly similar in their anticipated probability and impact.
Future Research
To account for the issue that the developed reference model is built as a theoretically
ideal model with only little empirical data, there are plans to re-built several
instantiations of the developed risk model on the basis of the specific local conditions
of the participating ports. In other words, there will be a complete model for each
participating port, capturing the as-is conditions of the threats and their probability
being faced, the available risk control factors and values, and the consequences and
their impact specific to that port. This will allow for a detailed gap-analysis between
the reality of these ports, and the theoretical ideal that security experts have helped
construct.
The “Best Practice” description of risk control factors (see Figure 5) will be expanded,
so that procedural control factors will be described through a Business Process
Modelling notation, providing a clear graphical overview over how such a procedure
should be implemented. This will be in addition to the textual description provided
already. The expectation is that the completed model, including the local
instantiations, will thus provide a comprehensive tool that can show a future user
(e.g. Port Authority, PFSO) where and how to upgrade specific aspects of their
security.
We also intend to add a field on the legal requirements and guidelines; specifically,
maritime legislation, such as the ISPS code (IMO, 2003) and the EC‟s port security
directive (EC, 2005), put certain requirements and demands on PFSO‟s and Port
Authorities. These typically influence the types of threats that Ports must be ready to
face, a set of minimum security standards and specific requirements against specific
technology. This is especially true when looking at other voluntary schemes, such as
AEO (EC, 2010) and C-TPAT (CBP, 2004), which will also be considered and added
to our model. This will show users the legal requirements they must comply with, and
requirements of voluntary schemes that they may wish to comply with.
Finally, the “cost” field will be greatly expanded on the basis of more data gathered
from the ports. A “low/medium/high” cost grading for security upgrades is not very
useful, especially when applied to a reference model that is not comparable to a real
port. Therefore, as more data is gathered from the ports, the individual port model
instantiations will be expanded in such a manner that the control factors‟ cost
information reflects the actual situation within a real port. In other words, if Port X of a
specific size with a certain amount of security technology already implemented wants
to upgrade its security measures to reflect the theoretical risk control value
developed in the reference model, then Port X‟s expenditure is likely to be different to
Port Y‟s expenditure, with a different size and different amount of security. This will
make the model interesting to the relevant PFSO‟s and Port Authorities as the model
can then be used as a dynamic and interactive simulation tool that could help them
with cost-benefit and what-if analysis to determine the best investment options and
the true cost of upgrading security, and effectiveness of such upgrades.
Conclusions
The comprehensive model being gradually built and enhanced has a lot of potential
to help Port Authorities and PFSO‟s plan, prepare and undertake security upgrades
to their facilities and infrastructure. It combines an analysis of Risk, identifies
measures that could be used to reduce that risk, provides effectiveness values for
measures that could control risk, guidance on how to implement these, and
references to legislation that a Port Facility must oblige with. Future users can
therefore use this model for various purposes: cost-benefit analysis, upgrade
planning, audits, what-if scenario analysis and even as a training tool.
The model is implemented in an EA tool and the way it has been implemented in it
permits a user to fully exploit the potential benefits of an EA as a whole. The model
will eventually be released with guidance that will show how to add non-security
aspects to the model, so that an EA can be built up and maintained.
How does this work affect European Port Security though? By bringing together the
opinions of security experts and current users, users and experts can learn from
each other about what represents current threats and whether existing measures are
sufficient to cover these. The model being developed will help reduce the barriers to
upgrading security as it clearly identifies security gaps and legal requirements that
must be met, thus it becomes a helpful tool that users can use to effectively upgrade
security where it is necessary and effective to do so. It also visualises the most
severe threats faced by European ports, leading to better understanding of risk and
the enhanced security that could be gained from simple changes to processes and
procedure.
Acknowledgments
The SUPPORT project is funded by the EC‟s 7th Framework Programme. We also
would like to thank all project partners for their support in helping to gather and
develop elements of the information presented herein.
References
Boster, M., Simon, L., and Thomas, R. (2000). “Getting the most from your enterprise
architecture.” IT Professional 2 (4): 43-51.
Cole, R., Purao, S., Rossi, M. And Sein, M.K. (2005). “Being proactive: Where action
research meets design research.” Proceedings of the 16th International Conference
on IS (ICIS), Las Vegas, USA: 325-335.
US Customs & Border Protection (2004). “Securing the Global Supply Chain.
Customs-Trade Partnership against Terrorism.” Retrieved from
http://www.cbp.gov/linkhandler/cgov/trade/cargo_security/ctpat/what_ctpat/ctpat_stra
tegicplan.ctt/ctpat_strategicplan.pdf on 03/02/2011.
Gifford, M., Giltert, S. and Bernes, I. (2003). “Bow-Tie Analysis.” Equipment Safety
Assurance Symposium (ESAS), 2003.
Hevner, A.R., March, S.T., Park, J. and Ram, S. (2004) “Design Science in IS
Research”, MIS Quarterly 28(1):75-105.
International Maritime Organisation (2003). “The International Ship and Port Facility
Security Code.” IMO Publications.
McConnell, P. and Davies, M. (2004). “Safety first – scenario analysis under Basel
II.” Retrieved from http://www.continuitycentral.com/feature0338.htm on 02/02/2011.
Steen, M.W.A., Akehurst, D.H., ter Doest, H.W.L. and Lankhorst, M. M. (2004).
“Supporting Viewpoint-Oriented Enterprise Architecture.” Eighth IEEE International
Enterprise Distributed Object Computing Conference: pp. 201-211.
Trbojevic, V.M. and Carr, B.J. (2000). “Risk based methodology for safety
improvements in ports.” Journal of Hazardous Materials 71: pp. 467-480.
Zachman, J.A. (1997). “Enterprise Architecture: The Issue of the Century.” Database
Programming and Design Magazine, Issue March 1997.